Transitive Routing Goal: Traffic from a VCN to an on-premises network via DRG.

DRG Role: Acts as a virtual router connecting VCNs and on-premises networks.

Routing Options:

Static Routes: Manually defined, less scalable for dynamic environments.

Dynamic Routing (BGP): Automatically exchanges routes, ideal for hybrid setups.

Evaluate Options:

A: Static routes work but require manual updates; less efficient.

B: BGP dynamically propagates routes, ensuring correct routing; best fit.

C: LPG is for intra-region peering, not on-premises connectivity; incorrect.

D: Service Gateway is for OCI services, not on-premises; incorrect.

Conclusion: BGP ensures scalable, accurate routing through the DRG.

The DRG supports transitive routing with dynamic protocols like BGP. The Oracle Networking Professional study guide states, "For transitive routing between VCNs and on-premises networks via a DRG, configuring BGP on the DRG and CPE enables automatic route propagation, ensuring traffic is correctly routed" (OCI Networking Documentation, Section: Dynamic Routing Gateway). BGP is preferred over static routes for hybrid cloud scenarios.

Problem: Private subnet instances can’t access Object Storage via Service Gateway.

Setup Check: Route rules point to Service Gateway; NSGs allow traffic.

Evaluate Causes:

A: Incorrect CIDR labels block Object Storage access; likely.

B: Internet Gateway irrelevant for Service Gateway; incorrect.

C: NSGs confirmed open, security lists secondary; less likely.

D: NAT Gateway not used here; incorrect.

Conclusion: Misconfigured Service Gateway CIDR is the most likely issue.

Service Gateway requires specific CIDR labels. The Oracle Networking Professional study guide states, "For private subnets to access Object Storage via a Service Gateway, the gateway must be configured with the correct regional Oracle Services CIDR label" (OCI Networking Documentation, Section: Service Gateway Configuration). Misconfiguration prevents access despite proper routing.

Requirements : Low latency, high bandwidth for multicloud production.

Option A : Dedicated peering via third-party provider offers high performance—optimal.

Option B : IPSec VPNs over public internet have variable latency and limited bandwidth—least optimal.

Option C : FastConnect peering with partners ensures dedicated performance—optimal.

Option D : OCI-Azure Interconnect is fast, but VPN to AWS adds latency—less optimal than A or C but better than B.

Conclusion : Option B is the least optimal due to performance constraints.

Oracle notes:

"IPSec VPNs over public internet provide security but lack the bandwidth and latency consistency of dedicated connections like FastConnect for production workloads.” This supports Option B as least optimal. Reference: Multicloud Connectivity Options - Oracle Help Center (docs.oracle.com/en-us/iaas/Content/Network/Concepts/multicloud.htm#options).

Requirement Analysis : The solution needs a private, high-bandwidth, low-latency connection (provided by FastConnect) with encryption for data confidentiality.

Option A (IPSec VPN) : IPSec encrypts traffic at Layer 3 over public or private networks. While feasible over FastConnect, it’s redundant since FastConnect is already private, adding unnecessary overhead and complexity.

Option B (OCI Vault) : Vault manages encryption keys and secrets but doesn’t encrypt traffic itself—only supports application-level encryption, not link-level—incorrect.

Option C (MACsec) : MACsec (Media Access Control Security) provides Layer 2 encryption for Ethernet traffic, ideal for securing FastConnect’s dedicated link directly between devices, ensuring confidentiality without higher-layer overhead—correct.

Option D (OCI Bastion) : Bastion secures remote access to VCN resources, not link encryption—incorrect.

Conclusion : MACsec enhances FastConnect with efficient, link-level encryption, meeting all requirements.

Oracle documentation states:

"MACsec provides Layer 2 encryption for FastConnect, securing Ethernet traffic between on-premises and OCI infrastructure. It’s ideal for ensuring confidentiality over dedicated connections." This supports Option C as the best additional product. Reference: FastConnect Security Options - Oracle Help Center (docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#security).

Goal: Prefer FastConnect routes over public internet in OCI.

BGP Attributes:

Local Preference: Higher value prefers a path within an AS.

AS Path: Shorter path preferred, but manipulated on sender side.

Prefix Length: More specific wins, but not controllable here.

MED: Influences inbound traffic, not OCI preference.

Evaluate Options:

A: Higher Local Preference ensures FastConnect priority; correct.

B: AS Path is set by on-premises, not OCI; incorrect.

C: Prefix specificity is on-premises controlled; incorrect.

D: MED affects on-premises, not OCI; incorrect.

Conclusion: Local Preference is the right attribute.

Local Preference controls route preference in BGP. The Oracle Networking Professional study guide states, "To prioritize FastConnect routes in OCI, increase the Local Preference for routes learned via the FastConnect virtual circuit over other paths" (OCI Networking Documentation, Section: BGP Configuration). This ensures OCI prefers the private path.

Requirements: Secure, scalable authentication for Cloud Shell scripting.

Methods:

API Keys: Manual, less secure if stored.

Instance Principals: Credential-less, dynamic.

Terraform with Vault: Secure but complex for scripting.

Evaluate Options:

A: API keys in script are insecure; not scalable.

B: Persistent storage risks exposure; less secure.

C: Instance Principals use IAM, no credentials; best fit.

D: Overkill for simple scripting, better for IaC; less suited.

Conclusion: Instance Principals offer security and scalability.

Instance Principals simplify automation. The Oracle Networking Professional study guide states, "Instance Principals allow Cloud Shell to authenticate via dynamic groups without storing credentials, ideal for secure, scalable scripting" (OCI Networking Documentation, Section: Authentication in Cloud Shell). This avoids key management issues.

Requirements: End-to-end encryption, no public internet for Object Storage access.

Options Analysis:

Service Gateway: Private access to Object Storage.

NAT Gateway: Public internet access; unsuitable.

Private Endpoint: Alternative private access, but newer feature.

HTTPS: Ensures in-transit encryption.

Evaluate Options:

A: Encryption at rest doesn’t cover transit; incomplete.

B: NAT uses public internet; violates policy; incorrect.

C: Service Gateway with HTTPS ensures full encryption and privacy; correct.

D: Private Endpoint with HTTPS is valid but less common than Service Gateway; slightly less optimal historically.

Conclusion: Service Gateway with HTTPS is most secure and compliant.

Service Gateway is standard for private Object Storage access. The Oracle Networking Professional study guide states, "A Service Gateway with HTTPS API calls ensures end-to-end encrypted traffic to Object Storage without public internet traversal" (OCI Networking Documentation, Section: Service Gateway). This meets security mandates effectively.

Problem: DNSSEC validation fails post-setup.

DNSSEC Chain: Requires DS record in parent zone for trust.

Evaluate Causes:

A: Low TTL affects caching, not validation; unlikely.

B: Missing DS in parent zone breaks chain; most likely.

C: Resolver config is client-side, not affecting external tools; incorrect.

D: OCI uses standard algorithms; highly unlikely.

Conclusion: Registrar delay in publishing DS is the primary cause.

DNSSEC relies on the parent zone. The Oracle Networking Professional study guide explains, "DNSSEC validation fails if the registrar hasn’t published the DS record in the parent zone, as this breaks the chain of trust" (OCI Networking Documentation, Section: DNSSEC Troubleshooting). This is a common post-enablement issue.

Needs : Secure, reliable hybrid multicloud access.

Option A : Multiple VPNs are secure but complex and less reliable over internet—less optimal.

Option B : Public internet with app security is insecure—incorrect.

Option C : FastConnect to OCI provides a private base; SD-WAN extends securely to AWS/Azure with encryption and HA—correct.

Option D : FastConnect to OCI with VPNs to others risks OCI as a single point of failure—less reliable.

Conclusion : Option C is the most secure and reliable.

Oracle advises:

"For hybrid multicloud, use FastConnect for primary connectivity and SD-WAN to extend securely to other clouds with encryption and policy control." This supports Option C. Reference: Multicloud Best Practices - Oracle Help Center (docs.oracle.com/en-us/iaas/Content/Network/Concepts/multicloud.htm#bestpractices).

Goal: Stable endpoint for MySQL DB with HA failover support.

Endpoint Options:

Public IP: Exposed, changes on failover; unsuitable.

DNS with Floating IP: Persistent across failovers; ideal.

Private IP: Tied to primary, fails on switch; incorrect.

Service Gateway: For OCI services, not MySQL DB; incorrect.

Evaluate Options:

A: Public exposure, no HA; incorrect.

B: Floating private IP with DNS ensures continuity; correct.

C: Static IP breaks on failover; incorrect.

D: Misaligned purpose; incorrect.

Conclusion: DNS with floating IP is most suitable.

MySQL DB in OCI uses floating IPs for HA. The Oracle Networking Professional study guide explains, "A DNS hostname resolving to the floating private IP of the active MySQL Database Service instance ensures seamless connectivity during failover events" (OCI Networking Documentation, Section: MySQL Database Service HA). This provides predictability and stability.