Last Attempt 1z0-1124-25 Questions

Objective: Allow VCN-A to access on-premises (192.168.1.0/24) via VPN, isolate VCN-B using DRG route tables effectively and securely.

Option A: Single route table for both VCNs with NSGs on VCN-B to block traffic. This works but relies on NSGs, which are secondary to routing. Routing-level isolation is more secure and efficient.

Option B: Single route table for VCN-A with the VPN route, default table (no VPN route) for VCN-B. This isolates VCN-B effectively at the routing level, but managing one table across all attachments can complicate scaling.

Option C: Two route tables, both with VPN routes, then blocking VCN-B with security lists. This is inefficient—routes are advertised unnecessarily, relying on security lists instead of routing isolation.

Option D: Two route tables—DRG-RT-A with VPN route for VCN-A, DRG-RT-B with no VPN route for VCN-B. This ensures VCN-B has no path to on-premises at the DRG level, providing the strongest isolation.

Conclusion: Option D is the most effective and secure, leveraging routing for isolation rather than secondary security controls.

Oracle documentation states:

"DRG route tables control traffic between VCN attachments and external connections (e.g., VPN). Associate a unique route table with each attachment to enforce specific routing policies."

"To isolate a VCN, ensure its DRG route table contains no routes to the destination."Option D aligns with this approach. Reference:Dynamic Routing Gateway Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm).

Problem Context: BGP session is established, but no routes are exchanged, and basic config (ASNs, IPs) is correct.

Option A Analysis: Misconfigured keepalive timers would cause the session to drop intermittently. Since the session is confirmed as established, this is unlikely. Keepalives affect session stability, not route exchange.

Option B Analysis: A mismatch in BGP authentication keys (e.g., MD5 passwords) would prevent the session from establishing. Given the session is up, this is not the issue.

Option C Analysis: BGP prefix lists or route maps filter advertised routes. If either the on-premises router or OCI applies a filter (intentionally or misconfigured), it could block route advertisements despite an established session. This is a common issue in BGP setups and aligns with the symptoms.

Option D Analysis: MTU mismatches could cause packet loss or fragmentation, but BGP uses TCP (small packets), and session establishment indicates MTU isn’t the primary issue. Route exchange failures are more likely due to filtering than MTU.

Conclusion: Option C is the most likely cause, as filtering directly prevents route exchange without affecting session status.

From Oracle’s FastConnect documentation:

"Once a BGP session is established, routes are exchanged based on the prefixes advertised by each side. Route maps, prefix lists, or filters on either the CPE or OCI side can restrict which routes are advertised or accepted."

"If no routes appear in the routing table despite an active session, verify that no filters are blocking advertisements."This supports Option C as the most likely cause. Reference:FastConnect Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm).

Objective: Identify a VPN disadvantage for large dataset migration.

Option A: VPNs can be secure with IPSec; not inherently less secure—incorrect.

Option B: VPNs are automatable with IaC (e.g., Terraform)—incorrect.

Option C: Public internet limits VPN throughput due to bandwidth and latency variability—correct disadvantage.

Option D: VPNs are compatible with OCI services—incorrect.

Conclusion: Option C is the key disadvantage.

Oracle notes:

"Public internet-based VPNs face throughput limitations due to bandwidth and latency variability, impacting large data migrations.”This supports Option C. Reference:VPN Limitations - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/settingupIPSec.htm#limitations).

Goal: Apply least privilege for Cloud Shell to run diagnostics (ping, traceroute, nc) within a VCN.

Option A: Read permission on all virtual-network-family resources is too broad, granting unnecessary access beyond diagnostics—violates least privilege.

Option B: Instance Principals use temporary credentials tied to the Cloud Shell instance, enhancing security. A dynamic group with “read” and “use” permissions on NSGs and VNICs allows inspecting configurations and running diagnostics (e.g., via VNICs), meeting the exact need—correct.

Option C: Inspect permission only provides metadata access, insufficient for running diagnostics (e.g., no “use” for traffic)—incorrect.

Option D: Use permission on virtual-network-family at tenancy level is overly permissive, granting access to all network resources—violates least privilege.

Conclusion: Option B is the most restrictive and secure, aligning with least privilege.

Oracle states:

"Instance Principals allow services like Cloud Shell to authenticate without static credentials. Policies with ‘read’ and ‘use’ on specific resources (e.g., network-security-groups, vnics) enable diagnostics while adhering to least privilege."This supports Option B. Reference:Instance Principals - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Identity/Tasks/instanceprincipals.htm).