oracle 1z0-1067-21 practice test
Oracle Cloud Infrastructure 2021 Cloud Operations Associate Exam
Question 1
An insurance company has contracted you to help automate their application business continuity
plan. They have the application running in eu-frankfurt-1 as the primary site and uk-london-1 as a
disaster recovery site. Normally they have a DNS A record associated with the IP address of the
primary endpoint in eu-frankfurt-1. In the event of a disaster, they use OCI DNS Zone Management to
update the A record and replace it with the IP address of the endpoint in uk-londond-1.
How can you automate the failover process? (Choose the best answer.)
- A. Didn’t include anything in user_data.
- A. Create a Health Check that evaluates both regional endpoints. Create a Traffic Management Steering policy with Failover type and associate it with the Health Check.
- B. Wrote a custom script which tried to install GPU drivers.
- B. Create a Traffic Management Steering policy with Load Balancer type and add both eu-frankfurt-1 and uk- london-1 endpoints. Attach the Traffic Management Steering policy to the A record.
- C. Ran a cloudbase-init script instead of cloud-init.
- C. Provision a Load Balancer in Frankfurt and associate it with the A record in DNS. Create a backend set with backend servers from both eu-frankfurt-1 and uk-london-1 regions.
- D. Specified a #directive on the first line of your script.
- D. Create a Traffic Management Steering policy and attach it to a backend servers from both eu- frankfurt-1 and uk-london-1 regions.
Answer:
A
Question 2
Your team implemented a SaaS application that requires a whole system deployment for each new
customer. The infrastructure provisioning is already automated via Terraform, and now you have
been asked to develop an Ansible playbook to centralize configuration file management and
deployment.
What is the most effective way to ensure your playbooks are utilizing up-to-date and accurate
inventory? (Choose the best answer.)
- A. You need to configure the boot loader to use ttyS0 as a console terminal on the VM.
- A. Export an inventory list from the Oracle Cloud Infrastructure Web console.
- B. You need to terminate the running instance and recreate it by providing the SSH key file.
- B. Export an inventory list using Terraform apply command.
- C. You need to reboot the instance from the console, boot into the bash shell in maintenance mode, and add SSH keys for the opc user.
- C. Implement a Command Line Interface script to list all the resources and run it within Ansible to generate a dynamic inventory list.
- D. You need to modify the serial console connection string to include the identity file flag, –i to specify the SSH key to use.
- D. Download the dynamic inventory script provided by Oracle Cloud Infrastructure and include it in the playbook invocation command.
Answer:
D
Explanation:
https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/ansibleinventoryscript.htm
Question 3
You are working as a Cloud Operations Administrator for your company. They have different Oracle
Cloud Infrastructure (OCI) tenancies for development and production workloads. Each tenancy has
resources in two regions uk-london-1 and eu-frankfurt-1. You are asked to manage all resources
and to automate all the tasks using OCI Command Line Interface (CLI).
Which is the most efficient method to manage multiple environments using OCI CLI? (Choose the
best answer.)
- A. Create a network security group, add a stateful rule to allow ingress access on port 443 and associate it to the public subnet that hosts the company website.
- A. Use OCI CLI profiles to create multiple sets of credentials in your config file, and reference the appropriate profile at runtime.
- B. In default security list, add a stateful rule to allow ingress access on port 443.
- B. Create environment variables for the sets of credentials that align to each combination of tenancy, region, and environment.
- C. Create a new security list with a stateful rule to allow ingress access on port 443 and associate it to the public subnet.
- C. Run oci setup config to create new credentials for each environment every time you want to access the environment.
- D. Create a network security group, add a stateful rule to allow ingress access on port 443 and associate it to the instance that hosts the company website.
- D. Use different bash terminals for each environment.
Answer:
A
Question 4
Security Testing Policy describes when and how you may conduct certain types of security testing of
Oracle Cloud Services, including vulnerability and penetration tests, as well as tests involving data
scraping tools.
What does Oracle allow as part of this testing? (Choose the best answer.)
- A. Group G2 can now manage instance-families in compartment Project_B and compartment Team_X
- A. Customers are allowed to use their own testing and monitoring tools.
- B. Group G1 can now manage instance-families in compartment Project_A, compartment Project_B and compartment Team_X
- B. Customers can simulate DoS attack scenarios as long as its restricted to the customers own environment.
- C. Group G1 can now manage instance-families in compartment Project_A but not in compartment Team_x
- C. Customers can validate that their network resources are isolated from other customer resources.
- D. Group G2 can now manage instance-families in compartment Project_A but not in compartment Team_x
- D. Customers are allowed to test Oracle Cloud Infrastructure (OCI) hardware related to resources in their tenancy.
- E. Group G2 can now manage instance-families in compartment Project_B, compartment Project_A and compartment Team_X
Answer:
A
Explanation:
Using your own monitoring and testing tools, you may conduct penetration and vulnerability tests of
your acquired single-tenant Oracle Infrastructure as a Service (IaaS) offerings
Reference:
https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/security_testing-
policy.htm
Question 5
You have a 750 MIB file in an Oracle Cloud Infrastructure (OCI) Object Storage bucket. You want to
download the file in multiple parts to speed up the download using the OCI CLI. You also want to
configure each part size to be 128 MIB.
Which is the correct OCI CLI command for this operation? (Choose the best answer.)
- A. Select group as the type of target for your budget.
- A. oci os object get –ns my–namespace –bn my–bucket ––name my–large–object –– multipart– download–threshold 750 ––parallel–download–count 128
- B. Select Tenancy as the type of target for your budget.
- B. oci os object download –ns my–namespace –bn my–bucket ––name my–large–object –– multipart–download–threshold 750 ––parallel–download–count 128
- C. Select user as the type of target for your budget.
- C. oci os object download –ns my–namespace –bn my–bucket ––name my–large–object –– resume– put ––multipart–download–threshold 500 ––part–size 128
- D. Select Cost-Tracking Tags as the type of target for your budget.
- D. oci os object get –ns my–namespace –bn my–bucket ––name my–large–object –– multipart– download–threshold 500 ––part–size 128
- E. Select Compartment as the type of target for your budget.
Answer:
D
Explanation:
https://docs.public.oneportal.content.oci.oraclecloud.com/en-
us/iaas/Content/API/SDKDocs/cliusing.htm
https://docs.oracle.com/en-us/iaas/tools/oci-cli/2.6.15/oci_cli_docs/cmdref/os/object/get.html
Reference:
https://docs.oracle.com/en-us/iaas/Content/API/SDKDocs/cliusing.htm
Question 6
Recently, your e-commerce web application has been receiving significantly more traffic than usual.
Users are reporting they often encounter a 503 Service Error when trying to access your site.
Sometimes the site is very slow.
You check your instance pool configuration to confirm that the maximum number of instances is
configured to allow 20 compute instances. Currently, 14 compute instances have been provisioned by
the instance pool.
You also confirm that current CPU utilization across all hosts exceeds the scale-out threshold you set
in your auto-scaling policy. However, the instance pool is not provisioning any new instances.
What can you check to determine why the application is NOT functioning properly? (Choose the best
answer.)
- A. Decrease the prefix length of AS for the FastConnect you want to use as PASSIVE connection.
- A. Verify that the new offer feature code did not introduce any performance bugs.
- B. Enable BGP on the FastConnect that you want as the ACTIVE connection.
- B. Verify that the database is accessible.
- C. Use AS PATH prepending with your routes.
- C. Verify that the compute resource quota has not been exceeded.
- D. Adjust one of the connections to have a higher ASN.
- D. Verify that the Quality Assurance team is not currently performing load-testing against production.
Answer:
C
Question 7
What is a key benefit of using Oracle Cloud Infrastructures Resource Manager for your Terraform
provisioning and management activities? (Choose the best answer.)
- A. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, the service drops the message. Confirm that the subscriber is always online to receive messages to help debug the issue.
- A. You can use Resource Manager to apply patches to all existing Oracle Linux interfaces in a specified compartment.
- B. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, check the NumberOfNotificationFailed metric through the OCI Monitoring service for failed messages. Copy these messages to an OCI Object Storage bucket. Make sure the subscriber has the required credentials to access this bucket to help debug the issue.
- B. Resource Manager has administrative privileges by design. Even if your IAM user does not have access, you can leverage Resource Manager to provision new resources to any compartment in the Tenancy.
- C. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, the service tries to redeliver messages for up to one day. Make sure that the subscriber is online at least once a day to help debug the issue.
- C. You can use Resource Manager to identify and maintain an inventory of all Compute and Database instances across your tenancy.
- D. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, the service tries to redeliver messages for up to two hours. Configure an alarm on the NumberOfNotificationFailed metric through the OCI Monitoring service to help debug the issue.
- D. Resource Manager manages to Terraform state file for your infrastructure and locks the file so that only one job at a time can run on a given stack.
Answer:
D
Explanation:
https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resourcemanager.htm
A Terraform configuration codifies your infrastructure in declarative configuration files. Resource
Manager allows you to share and manage infrastructure configurations and state files across multiple
teams and platforms. This infrastructure management can't be done with local Terraform
installations and Oracle Terraform modules alone. For more information about the Oracle Cloud
Infrastructure Terraform provider, see Terraform Provider.
Reference:
https://docs.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/
samplecomputeinstance.htm
Question 8
Which technique does NOT help you get the optimal performance out of the Oracle Cloud
Infrastructure (OCI) File Storage service? (Choose the best answer.)
- A. Load Balancing policy
- A. Limit access to the same Availability Domain (AD) as the File Storage service where possible.
- B. Geolocation steering
- B. Serialize operations to the file system to access consecutive blocks as much as possible.
- C. ASN steering policy
- C. Right size compute instances from where file system is accessed based on their network capacity.
- D. IP Prefix steering
- D. Increase concurrency by using multiple threads, multiple clients, and multiple mount targets.
Answer:
D
Explanation:
"File Storage performance increases with parallelism. Increase concurrency by using multiple
threads, multiple clients, and multiple mount targets."
Reference:
https://www.oracle.com/a/ocom/docs/cloud/file-storage-performance-guide.pdf
(6)
Question 9
A subscriber of an Oracle Cloud Infrastructure (OCI) Notifications service topic complained about not
receiving messages from the service.
Which option can help you debug this issue? (Choose the best answer.)
- A. terraform plan –target=oci_database_db_system.db_system
- A. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, the service drops the message. Confirm that the subscriber is always online to receive messages to help debug the issue.
- B. terraform apply –auto-approve
- B. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, check the NumberOfNotificationFailed metric through the OCI Monitoring service for failed messages. Copy these messages to an OCI Object Storage bucket. Make sure the subscriber has the required credentials to access this bucket to help debug the issue.
- C. terraform refresh –target=oci_database_db_system.db_system
- C. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, the service tries to redeliver messages for up to one day. Make sure that the subscriber is online at least once a day to help debug the issue.
- D. terraform apply –target=oci_database_db_system.db_system
- D. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, the service tries to redeliver messages for up to two hours. Configure an alarm on the NumberOfNotificationFailed metric through the OCI Monitoring service to help debug the issue.
Answer:
D
Explanation:
https://www.oracle.com/devops/notifications/faq/
When a subscribers endpoint doesnt acknowledge receipt of a message, the service retries
delivery and currently retains the message up to two hours from the time the message is published
to a topic. The service tries to deliver messages within the retention window.
Question 10
You are asked to implement the disaster recovery (DR) and business continuity requirements for
Oracle Cloud Infrastructure (OCI) Block Volumes. Two OCI regions being used: a primary/source
region and a DR/ destination region. The requirements are:
There should be a copy of data in the destination region to use if a region-wide disaster occurs in the
source region
Minimize costs
Which design will help you meet these requirements? (Choose the best answer.)
- A. oci os object delete –ns vision –bn app–data ––prefix /temp
- A. Clone block volumes. Use Object Storage lifecycle management to automatically move clone objects to Archive Storage. Copy Archive Storage buckets from source region to destination at regular intervals.
- B. oci os object bulk-delete –ns vision –bn app–data ––prefix /temp ––force
- B. Clone block volumes. Copy block volume clones from source region to destination region at regular intervals.
- C. oci objectstorage bulk–delete –ns vision –bn app–data ––prefix /temp ––force
- C. Back up block volumes. Copy block volume backups from source region to destination region at regular intervals.
- D. oci os object delete app-data in vision where prefix = /temp
- D. Back up block volumes. Use Object Storage lifecycle management to automatically move backup objects to Archive Storage. Copy Archive Storage buckets from source region to destination at regular intervals.
Answer:
C
Explanation:
https://docs.oracle.com/en-us/iaas/Content/Block/Tasks/copyingvolumebackupcrossregion.htm
Question 11
You set up a bastion host in your VCN to only allow your IP address (140.19.2.140) to establish SSH
connections to your Compute Instances that are deployed in a private subnet. The Compute
Instances have an attached Network Security Group with a Source Type: Network Security Group
(NSG), Source NSG: NSG-050504. To secure the bastion host, you added the following ingress rules to
its Network Security Group:
However, after checking the bastion host logs, you discovered that there are IP addresses other than
your own that can access your bastion host.
What is the root cause of this issue? (Choose the best answer.)
- A. An ALARM with a name unique across the tenancy, a SUBSCRIPTION, and a METRIC with the measurement of interest.
- A. The Security List allows access to all IP address which overrides the Network Security Group ingress rules.
- B. A TOPIC with a name unique across the tenancy, a SUBSCRIPTION, and a MESSAGE where content is published.
- B. All compute instances associated with NSG-050504 are also able to connect to the bastion host.
- C. A TOPIC with a name unique across the compartment, a SUBSCRIPTION, and a MESSAGE where content is published.
- C. The port 22 provides unrestricted access to 140.19.2.140 and to other IP address.
- D. An ALARM with a name unique across the compartment, a SUBSCRIPTION, and a METRIC with the measurement of interest.
- D. A netmask of /32 allows all IP address in the 140.19.2.0 network, other than your IP 140.19.2.140
Answer:
B
Question 12
You have a group pf developers who launch multiple VM.Standard2.2 compute instances every day
into the compartment Dev. As a result, your OCI tenancy quickly hit the service limit for this shape.
Other groups can no longer create new instances using VM.Standard2.2 shape.
Because of this, your company has issued a new mandate that the Dev compartment must include a
quota to allow for use of only 20 VM.Standard2.2 shapes per Availability Domain. Your solution
should not affect any other compartment in the tenancy.
Which quota statement should be used to implement this new requirement? (Choose the best
answer.)
- A. Client-side encryption is managed by the customer.
- A. set compute quota vm-standard2–2count to 10 in compartment dev where request.region = us- phoenix–1
- B. Data needs to be decrypted on the client side before retrieving it.
- B. set compute quota vm-standard2–2–count to 20 in compartment dev
- C. OCI Vault Management is used by default to provide data security.
- C. zero compute quotas in tenancy set compute quota vmstandard22count to 20 in compartment dev
- D. All traffic to and from Object Storage service is encrypted using TLS.
- D. zero compute quotas in tenancy set compute quota vmstandard22count to 20 in tenancy dev
- E. A VPN connection to OCI is required to ensure secure data transfer to an object storage bucket.
Answer:
B
Explanation:
https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcequotas.htm#two
Question 13
Your deployment platform within Oracle Cloud Infrastructure (OCI) leverages a compute instance
with multiple block volumes attached. There are multiple teams that use the same compute instance
and have access to these block volumes. You want to ensure that no one accidentally deletes any of
these block volumes. You have started to construct the following IAM policy but need to determine
which permissions should be used.
allow group DeploymentUsers to manage volume-family where ANY
{ request.permission != <???>, request.permission != <???>, request.permission !=
<???> }
Which permissions can you use in place of <???> in this policy? (Choose the best answer.)
- A. OS Management Service agent (osms) must be installed on the instances.
- A. VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE, VOLUME_BACKUP_DELETE
- B. Audit logs for the instances should be enabled.
- B. VOLUME_ERASE, VOLUME_ATTACHMENT_ERASE, VOLUME_BACKUP_ERASE
- C. Service gateway should be setup to allow instances to send metrics to monitoring service.
- C. ERASE_VOLUME, ERASE_VOLUME_ATTACHMENT, ERASE_VOLUME_BACKUP
- D. Monitoring for the instances should not be enabled.
- D. DELETE_VOLUME, DELETE_VOLUME_ATTACHMENT, DELETE_VOLUME_BACKUP
Answer:
A
Explanation:
https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policyadvancedfeatures.htm
Question 14
You have been asked to investigate a potential security risk on your companys Oracle Cloud
Infrastructure (OCI) tenancy. You decide to start by looking through the audit logs for suspicious
activity.
How can you retrieve the audit logs using the OCI Command Line Interface (CLI)? (Choose the best
answer.)
- A. –t
- A. oci audit event list –-end-time $end-time –-compartment-id $compartment-id
- B. – –image-id
- B. oci audit event list –-start-time $start-time –-compartment-id $compartment-id
- C. – –shape “”
- C. oci audit event list -start-time $start-time -end-time $end-time - compartment-id $compartment-id
- D. –c
- D. oci audit event list –-start-time $start-time –-end-time $end–time –-tenancy-id $tenancy–id
- E. – –subnet-id
Answer:
C
Explanation:
https://docs.oracle.com/en-us/iaas/tools/oci-cli/2.9.7/oci_cli_docs/cmdref/audit/event/list.html
Question 15
Multiple teams are sharing a tenancy in Oracle Cloud Infrastructure (OCI). You are asked to figure out
an appropriate method to manage OCI costs.
Which is NOT a valid technique to accurately attribute costs to resources used by each team?
(Choose the best answer.)
- A. Network Security Group
- A. Create a Cost-Tracking tag. Apply this tag to all resources with team information. Use the OCI cost analysis tools to filter costs by tags.
- B. Data Safe
- B. Create separate compartment for each team. Use the OCI cost analysis tools to filter costs by compartment.
- C. Web Application Framework (WAF)
- C. Create an Identity and Access Management (IAM) group for each team. Create an OCI budget for each group to track spending.
- D. Vault
- D. Define and use tags for resources used by each team. Analyze usage data from the OCI Usage Report which has detailed information about resources and tags.
Answer:
C
Explanation:
Budgets are set on cost-tracking tags or on compartments not by user groups