Q: 4
Your company utilizes a hybrid cloud architecture, connecting its on-premises network to an OCI VCN
using a FastConnect private peering connection. You need to ensure that instances within a specific
subnet in the VCN can only communicate with resources in a designated IP address range within the
on-premises network. What is the MOST effective way to achieve this specific network isolation?
Options
Discussion
C. B is tempting, but default security lists lack the fine-grained control NSGs have for subnet-level isolation.
Would modifying just the default security list in B meet Oracle best practices for subnet isolation here? Exam guide details would help.
Probably C. B's tempting, but the default security list is less granular; reports on similar exams point to NSGs + a custom route table as the best fit here.
I don't think it's C, I'd pick B since the default security list can restrict ranges too. Trap might be NSGs here.
C makes sense since custom route tables plus NSGs let you scope access down to the exact IP range for the specific subnet, which is what they want. Pretty sure that's how OCI best practices recommend it. Used similar logic in lab practice, but open to corrections if I missed anything.
B is wrong; it's C. Only custom route tables plus NSGs give you that specific subnet-to-IP control, not default security lists or gateways.
It's C. The official guide and Oracle labs both push using NSGs with custom route tables for granular subnet restrictions like this.
C, saw similar in an exam report and it was all about NSGs plus a custom route table for that subnet. That way you isolate just what you need; pretty sure that's what Oracle wants here. Disagree?
Bit of a catch here: if the question was about restricting traffic from every subnet, B would probably fit better. But since it's about just one subnet needing isolation, C covers that case most precisely. Pretty sure C is what Oracle expects for this scenario.
C or B? Practice test says C but official docs are a must check for OCI network isolation.
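As an added illustration of the pattern the replies describe (not part of the question or any reply), here is a Terraform sketch using the OCI provider: a custom route table that only routes the designated on-premises range to the DRG behind the FastConnect private peering, attached to the one subnet, plus an NSG whose rules are scoped to that same range. The compartment, VCN and DRG IDs and both CIDRs are constructed placeholders, and the NSG is assumed to be attached to each instance VNIC in that subnet.

```hcl
# Constructed placeholders; substitute real OCIDs and CIDRs.
variable "compartment_id" { default = "ocid1.compartment.oc1..PLACEHOLDER" }
variable "vcn_id"         { default = "ocid1.vcn.oc1..PLACEHOLDER" }
variable "drg_id"         { default = "ocid1.drg.oc1..PLACEHOLDER" } # DRG on the FastConnect path

locals {
  onprem_cidr = "10.50.0.0/16" # constructed: designated on-premises range
  subnet_cidr = "10.0.5.0/24"  # constructed: the subnet to isolate
}

# Custom route table: the ONLY off-VCN route is the designated on-prem range via the DRG.
resource "oci_core_route_table" "isolated" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "isolated-subnet-rt"
  route_rules {
    destination       = local.onprem_cidr
    destination_type  = "CIDR_BLOCK"
    network_entity_id = var.drg_id
  }
}

# Attach the custom route table to just this subnet, not to the whole VCN.
resource "oci_core_subnet" "isolated" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  cidr_block     = local.subnet_cidr
  display_name   = "isolated-subnet"
  route_table_id = oci_core_route_table.isolated.id
}

# NSG: stateful rules allow traffic only to and from the on-prem range.
resource "oci_core_network_security_group" "isolated" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "isolated-subnet-nsg"
}

resource "oci_core_network_security_group_security_rule" "egress_onprem" {
  network_security_group_id = oci_core_network_security_group.isolated.id
  direction        = "EGRESS"
  protocol         = "all"
  destination      = local.onprem_cidr
  destination_type = "CIDR_BLOCK"
}

resource "oci_core_network_security_group_security_rule" "ingress_onprem" {
  network_security_group_id = oci_core_network_security_group.isolated.id
  direction   = "INGRESS"
  protocol    = "all"
  source      = local.onprem_cidr
  source_type = "CIDR_BLOCK"
}
```

Two checks worth doing after applying this: confirm each instance VNIC in the subnet actually references the NSG (NSGs bind to VNICs, not to subnets), and review the subnet's security list, because security list rules are evaluated in addition to NSG rules and a permissive default list would widen what the NSG was meant to restrict.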