Goal: Lowest latency, highest bandwidth for AWS-to-OCI migration.

Option A: IPSec VPN over public internet has variable latency and limited bandwidth—incorrect.

Option B: Third-party cloud exchange with Direct Connect and FastConnect offers a private,

dedicated link, minimizing latency and maximizing bandwidth—correct.

Option C: Storage Gateway over internet is slow and not dedicated—incorrect.

Option D: Transit Gateway with VPN uses public internet, lacking performance—incorrect.

Conclusion: Option B provides the best performance.

Oracle documentation notes:

"A third-party cloud exchange provider can interconnect AWS Direct Connect and OCI FastConnect,

delivering a private, high-bandwidth, low-latency connection."

This validates Option B. Reference: Multicloud Connectivity - Oracle Help Center

(docs.oracle.com/en-us/iaas/Content/Network/Concepts/multicloud.htm).

Requirements: App tier only initiates to DB; web tier to app tier only.

Option A: NSGs with forced routing through app tier adds complexity and latency—less effective.

Option B: Single NSG lacks subnet-level isolation—incorrect.

Option C: Separate security lists per subnet with ingress/egress rules enforce isolation; route tables

ensure proper VCN routing—correct and effective.

Option D: Security lists are good, but routing web-to-DB via app tier is unnecessary—incorrect.

Conclusion: Option C achieves isolation efficiently.

Oracle states:

"Use separate security lists per subnet with ingress/egress rules to isolate tiers. Route tables manage

intra-VCN traffic without forced hops."

This supports Option C. Reference: Security Lists Overview - Oracle Help Center (docs.oracle.com/en-

us/iaas/Content/Network/Concepts/securitylists.htm).

Analyze Connectivity Successes: Instance A can ping its subnet gateway (10.0.1.1), indicating that

local subnet routing and security rules are functioning for IPv4. It can also ping Instance B’s IPv6

address (fc00:1:2::20), confirming that IPv6 routing and security rules between subnets are

operational.

Identify the Failure: Instance A cannot ping Instance B’s IPv4 address (10.0.2.20). Since security lists

and NSGs allow all traffic, the issue is unlikely to be a security configuration problem.

Examine Routing for Instance A: The route table for Instance A’s subnet (10.0.1.0/24) has a rule

directing traffic to 10.0.2.0/24 via the VCN Local Peering Gateway (LPG). In OCI, LPGs are used for

intra-region VCN peering, but here, both instances are in the same VCN, so this rule is likely a

misconfiguration or irrelevant unless peering is involved. However, the successful IPv6 ping suggests

basic connectivity exists.

Check Return Path from Instance B: For a ping to succeed, Instance B must send ICMP replies back to

Instance A (10.0.1.10). Instance B’s subnet (10.0.2.0/24) needs a route table entry to send traffic to

10.0.1.0/24. Without this, replies are dropped, causing the IPv4 ping to fail. The IPv6 success

indicates that IPv6 routing is correctly configured both ways, possibly via SLAAC or default routes.

Evaluate Options:

A: Incorrect. IPv6 is enabled, as Instance A pings Instance B’s IPv6 address.

B: Correct. Missing route for 10.0.1.0/24 in Instance B’s subnet prevents IPv4 replies.

C: Incorrect. Security lists and NSGs can filter IPv6 traffic in OCI.

D: Incorrect. Ping supports IPv6, as evidenced by the successful IPv6 ping.

The most probable cause is a missing route in Instance B’s subnet route table. In OCI, each subnet

has its own route table, and for instances in different subnets within the same VCN to communicate,

both subnets must have appropriate routes. The successful IPv6 ping suggests that IPv6 routing is

intact (likely due to default behavior or SLAAC), but IPv4 requires explicit routing. Per the Oracle

Networking Professional study guide, "Route tables must be configured to direct traffic to the

appropriate next hop for inter-subnet communication within a VCN" (OCI Networking

Documentation, Section: Virtual Cloud Networks).

Reference: Oracle Cloud Infrastructure Documentation - Networking Overview, Route Tables.

Goal: Restrict subnet traffic to a specific on-premises IP range via FastConnect.

Option A: Internet Gateway is for public access, not FastConnect—incorrect.

Option B: Default security list applies broadly, lacking granularity; NSGs are more effective—less

optimal.

Option C: Custom route table with DRG ensures FastConnect routing; NSGs provide precise, instance-

level traffic restriction—correct.

Option D: LPG is for same-region VCN peering, not on-premises—incorrect.

Conclusion: Option C is the most effective method.

Oracle notes:

"Use a custom route table with a DRG route rule for FastConnect traffic. NSGs offer granular control

to restrict traffic to specific IP ranges."

This supports Option C. Reference: FastConnect and NSG Overview - Oracle Help Center

(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm & docs.oracle.com/en-

us/iaas/Content/Network/Concepts/NSGs.htm).

Requirements: Low latency, high bandwidth for multicloud production.

Option A: Dedicated peering via third-party provider offers high performance—optimal.

Option B: IPSec VPNs over public internet have variable latency and limited bandwidth—least

optimal.

Option C: FastConnect peering with partners ensures dedicated performance—optimal.

Option D: OCI-Azure Interconnect is fast, but VPN to AWS adds latency—less optimal than A or C but

better than B.

Conclusion: Option B is the least optimal due to performance constraints.

Oracle notes:

"IPSec VPNs over public internet provide security but lack the bandwidth and latency consistency of

dedicated connections like FastConnect for production workloads.”

This supports Option B as least optimal. Reference: Multicloud Connectivity Options - Oracle Help

Center (docs.oracle.com/en-us/iaas/Content/Network/Concepts/multicloud.htm#options).

Goal: Inspect NSG rules for a VNIC from Cloud Shell.

Command Flow:

Get instance → Extract VNIC → List NSGs → Get NSG details.

Evaluate Options:

A: Direct NSG fetch lacks VNIC linkage; incomplete.

B: Full pipeline from instance to NSG details; precise and correct.

C: Grep is too basic, misses structure; incorrect.

D: Awk parsing is fragile, less reliable than jq; less optimal.

Conclusion: Option B provides the most robust inspection.

CLI with jq ensures accurate NSG retrieval. The Oracle Networking Professional study guide notes,

"To troubleshoot NSG rules, use the OCI CLI to fetch instance VNIC details and associated NSG

configurations, piping through jq for structured output" (OCI Networking Documentation, Section:

CLI Troubleshooting). Option B follows this methodology.

Reference: Oracle Cloud Infrastructure Documentation - OCI CLI.

Requirements: Secure, scalable authentication for Cloud Shell scripting.

Methods:

API Keys: Manual, less secure if stored.

Instance Principals: Credential-less, dynamic.

Terraform with Vault: Secure but complex for scripting.

Evaluate Options:

A: API keys in script are insecure; not scalable.

B: Persistent storage risks exposure; less secure.

C: Instance Principals use IAM, no credentials; best fit.

D: Overkill for simple scripting, better for IaC; less suited.

Conclusion: Instance Principals offer security and scalability.

Instance Principals simplify automation. The Oracle Networking Professional study guide states,

"Instance Principals allow Cloud Shell to authenticate via dynamic groups without storing credentials,

ideal for secure, scalable scripting" (OCI Networking Documentation, Section: Authentication in

Cloud Shell). This avoids key management issues.

Reference: Oracle Cloud Infrastructure Documentation - Instance Principals.

Context: Inter-tenancy VCN peering connects VCNs across different OCI tenancies using Remote

Peering Connections (RPCs).

Option A: Authentication of the root user is handled by IAM policies, not the peer ID, which is a

technical identifier—incorrect.

Option B: The peer ID is the OCID of the RPC created by the requesting tenancy. It uniquely identifies

the RPC, allowing the accepting tenancy to target and establish the peering—correct.

Option C: CIDR blocks are part of VCN configuration and shared separately, not via the peer ID—

incorrect.

Option D: Security rules are defined by NSGs or security lists, not the peer ID—incorrect.

Conclusion: The peer ID’s purpose is to identify the requesting tenancy’s RPC, making Option B the

correct answer.

From Oracle’s documentation:

"For inter-tenancy peering, the requesting tenancy provides the OCID of its Remote Peering

Connection (RPC), known as the peer ID, to the accepting tenancy. The accepting tenancy uses this ID

to establish the peering."

This confirms Option B. Reference: Remote VCN Peering Across Tenancies - Oracle Help Center

(docs.oracle.com/en-us/iaas/Content/Network/Tasks/remoteVCNpeering.htm#cross-tenancy).

Requirement: OCI-AWS traffic must stay in the US for sovereignty compliance.

Option A: A FastConnect partner guaranteeing US-only transit ensures compliance via a private,

controlled path—correct.

Option B: DRG and VGW with VPN don’t guarantee US-only routing over public internet—incorrect.

Option C: Generic VPN can’t control internet paths despite US gateways—incorrect.

Option D: Public internet with DNS restrictions doesn’t enforce routing—incorrect.

Conclusion: Option A is the most critical consideration.

Oracle states:

"Choose a FastConnect partner that can guarantee geographic routing constraints, such as US-only

transit, to meet data sovereignty requirements."

This supports Option A. Reference: FastConnect Compliance - Oracle Help Center

(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#compliance).

Goal: Automate DNSSEC health monitoring with alerts.

Option A: Vulnerability Scanning is for compute instances, not DNSSEC—incorrect.

Option B: Monitoring Service tracks metrics and logs, supports custom DNSSEC metrics, and provides

alarms—correct.

Option C: Audit Service logs API calls, not DNSSEC health—incorrect.

Option D: Logging Analytics analyzes logs but lacks direct alerting—less effective than Monitoring.

Conclusion: Option B is the most effective for automated monitoring and alerts.

Oracle documentation notes:

"OCI Monitoring Service allows you to monitor metrics and logs, including DNSSEC-related data, and

set alarms for proactive notifications."

This supports Option B. Reference: Monitoring Overview - Oracle Help Center (docs.oracle.com/en-

us/iaas/Content/Monitoring/Concepts/monitoringoverview.htm).