1z0-1124-25 Questions and Answers

Objective: Improve OCI-AWS data transfer performance.

Option A: Region distance affects latency—valid.

Option B: Dedicated interconnect boosts bandwidth and stability—valid.

Option C: Compute pricing doesn’t influence inter-cloud bandwidth—invalid.

Option D: WAN optimization can enhance transfer efficiency—valid.

Conclusion: Option C is not a design consideration for performance.

Oracle notes:

"To optimize OCI-AWS connectivity, consider region proximity, dedicated interconnects, or WAN optimization. Compute pricing is unrelated to network performance."This excludes Option C. Reference:Hybrid Cloud Networking - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/hybridcloud.htm).

Requirements: Low latency, high bandwidth for multicloud production.

Option A: Dedicated peering via third-party provider offers high performance—optimal.

Option B: IPSec VPNs over public internet have variable latency and limited bandwidth—least optimal.

Option C: FastConnect peering with partners ensures dedicated performance—optimal.

Option D: OCI-Azure Interconnect is fast, but VPN to AWS adds latency—less optimal than A or C but better than B.

Conclusion: Option B is the least optimal due to performance constraints.

Oracle notes:

"IPSec VPNs over public internet provide security but lack the bandwidth and latency consistency of dedicated connections like FastConnect for production workloads.”This supports Option B as least optimal. Reference:Multicloud Connectivity Options - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/multicloud.htm#options).

Objective:Efficiently propagate on-premises route updates to multiple VCNs.

DRG Capabilities:Supports route distribution to attached VCNs.

Analyze Options:

A:Manual updates are inefficient and error-prone; unsuitable.

B:Centralized DRG with route distribution automates propagation; efficient.

C:Multiple DRGs add complexity and manual effort; inefficient.

D:Service Gateway is for OCI services, not route updates; incorrect.

Conclusion:Centralized DRG with route distribution is the most efficient method.

Route distribution in a DRG simplifies multi-region routing. The Oracle Networking Professional study guide notes, "Using a centralized DRG with route distribution enabled allows routes learned from on-premises networks to be automatically propagated to all attached VCNs, reducing management overhead" (OCI Networking Documentation, Section: DRG Route Distribution). This leverages OCI’s automation capabilities.

Requirements: Private, low-latency cross-region VCN connectivity.

Option A: RPCs with route table updates enable private, direct peering via DRG—correct.

Option B: IPSec VPN adds latency over internet—incorrect.

Option C: Service Gateways are for OCI services—incorrect.

Option D: NAT Gateways use public IPs, not private—incorrect.

Conclusion: Option A is necessary.

Oracle states:

"Use Remote Peering Connections (RPCs) with DRG to connect VCNs across regions privately. Update route tables for CIDR routing."This supports Option A. Reference:Remote VCN Peering - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/remoteVCNpeering.htm).

Problem:Instances lack IPv6 addresses despite VCN IPv6 configuration.

OCI IPv6 Behavior:IPv6 requires subnet enablement and OS support via SLAAC.

Evaluate Options:

A:Incorrect. OCI doesn’t auto-assign IPv6 without OS configuration.

B:Correct. SLAAC must be enabled on the instance OS for auto-assignment.

C:Incorrect. IPv6 works in both public and private subnets.

D:Incorrect. IPv4 and IPv6 assignments are independent.

Conclusion:Enabling SLAAC on the OS ensures automatic IPv6 assignment.

IPv6 in OCI relies on SLAAC for automatic address assignment. The Oracle Networking Professional study guide states, "To enable IPv6 on instances, the VCN and subnet must have IPv6 CIDR blocks, and the instance OS must support SLAAC to automatically configure IPv6 addresses" (OCI Networking Documentation, Section: IPv6 Configuration). Without SLAAC, instances default to IPv4 only.

Requirements: HA and redundancy for on-premises-to-OCI connectivity.

Option A: Single FastConnect lacks redundancy—incorrect.

Option B: Single VPN over internet has no redundancy and poor performance—incorrect.

Option C: Dual FastConnect with diverse paths ensures HA and redundancy via separate routes—correct.

Option D: Internet Gateway with public IPs isn’t dedicated or redundant—incorrect.

Conclusion: Option C is the recommended approach.

Oracle advises:

"For high availability, use dual FastConnect connections with diverse paths to eliminate single points of failure in hybrid connectivity."This supports Option C. Reference:FastConnect High Availability - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#ha).

Goal: Efficient, cost-optimized data transfer minimizing egress charges.

Option A: Public internet incurs high egress costs—incorrect.

Option B: Hub-and-spoke doubles egress/ingress charges—less efficient.

Option C: Third-party platform at peering points reduces egress by leveraging direct connections—correct.

Option D: Storage Gateway is for hybrid, not multicloud efficiency—incorrect.

Conclusion: Option C is the most efficient strategy.

Oracle states:

"A third-party integration platform at peering points minimizes egress charges by using direct interconnects for multicloud data transfers.”This validates Option C. Reference:Multicloud Cost Optimization - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/multicloud.htm#costoptimization).

Requirements:Private, encrypted connectivity to on-premises, no public internet.

Gateway Options:

Service Gateway:For OCI services, not on-premises.

Internet Gateway:Public internet access, unsuitable.

DRG with FastConnect:Private on-premises connectivity.

NAT Gateway:Outbound internet, not private to on-premises.

Evaluate Options:

A:Limited to OCI services; incorrect.

B:Uses public internet; violates policy.

C:FastConnect via DRG ensures private, encrypted link; correct.

D:Public IPs contradict requirement; incorrect.

Conclusion:DRG with FastConnect is the most appropriate.

FastConnect provides private connectivity via DRG. The Oracle Networking Professional study guide states, "A Dynamic Routing Gateway with FastConnect establishes a dedicated, private connection to on-premises networks, ensuring data encryption and isolation from the public internet" (OCI Networking Documentation, Section: FastConnect). This meets security and privacy needs.

Objective: Identify essential info for CPE to establish a Site-to-Site VPN with OCI.

Option A: Region and availability domain are for OCI resource placement, not CPE config—incorrect.

Option B: The DRG’s public IP is the VPN endpoint, and the IKE pre-shared key authenticates the tunnel—essential and correct.

Option C: OCID and compartment ID are for OCI management, not CPE setup—incorrect.

Option D: Subnet CIDRs are for routing, configured later, not for tunnel establishment—incorrect.

Conclusion: Option B provides the critical VPN connection details.

Oracle documentation states:

"To configure your CPE for Site-to-Site VPN, you need the public IP address of the DRG (VPN headend) and the IKE pre-shared key from the OCI console."This confirms Option B. Reference:Setting Up IPSec VPN - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/settingupIPSec.htm).

Objective: Identify the service for Load Balancer traffic logs.

Option A: Flow Logs capture VCN traffic, not specific to Load Balancer—incorrect.

Option B: Service Logs are generic, not Load Balancer-specific—incorrect.

Option C: Load Balancer Logs provide detailed client and health check data—correct.

Option D: Audit Logs track API actions, not traffic—incorrect.

Conclusion: Load Balancer Logs are the best fit.

Oracle states:

"Load Balancer Logs offer detailed insights into client connections and backend health checks for Network Load Balancers.”This validates Option C. Reference:Load Balancer Logging - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managinglogs.htm).

Requirements: App tier only initiates to DB; web tier to app tier only.

Option A: NSGs with forced routing through app tier adds complexity and latency—less effective.

Option B: Single NSG lacks subnet-level isolation—incorrect.

Option C: Separate security lists per subnet with ingress/egress rules enforce isolation; route tables ensure proper VCN routing—correct and effective.

Option D: Security lists are good, but routing web-to-DB via app tier is unnecessary—incorrect.

Conclusion: Option C achieves isolation efficiently.

Oracle states:

"Use separate security lists per subnet with ingress/egress rules to isolate tiers. Route tables manage intra-VCN traffic without forced hops."This supports Option C. Reference:Security Lists Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/securitylists.htm).

Goal: Private, secure, least-privilege access to Object Storage across subnets.

Option A: Internet Gateway uses public access, violating privacy—incorrect.

Option B: NAT Gateway is for internet, not OCI services—incorrect.

Option C: Service Gateway provides private access; IAM policies enforce least privilege; route tables manage traffic—correct.

Option D: Private Endpoints per bucket/subnet are inefficient and unscalable—incorrect.

Conclusion: Option C is efficient and secure.

Oracle states:

"A Service Gateway enables private access to Object Storage. Use IAM policies for least-privilege access and route tables for traffic control."This supports Option C. Reference:Service Gateway Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/servicegateway.htm).

Objective: Correlate Flow Logs and Service Logs for troubleshooting.

Option A: Log Groups organize logs but don’t analyze correlations—incorrect.

Option B: Log Analytics enables querying and visualizing logs from multiple sources, ideal for correlation—correct.

Option C: Log Streams collect logs but don’t correlate—incorrect.

Option D: Log Export moves logs, not analyzes them—incorrect.

Conclusion: Log Analytics is the best feature.

Oracle documentation confirms:

"Log Analytics allows you to correlate and analyze logs from Flow Logs and Service Logs, providing insights for troubleshooting."This validates Option B. Reference:Log Analytics Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Logging/Concepts/loganalytics.htm).

Requirements:App tier (public) needs internet; DB tier (private) must not.

Components:

Internet Gateway:Full internet access for public subnets.

NAT Gateway:Outbound-only internet for private subnets.

Service Gateway:Private OCI service access.

Evaluate Options:

A:Reversed roles; public subnet doesn’t need Service Gateway; incorrect.

B:NAT for public is unnecessary with Internet Gateway; inefficient.

C:NAT for public is wrong; Service Gateway doesn’t block DB internet; incorrect.

D:Internet Gateway for app, NAT for DB if needed, aligns with policy; correct.

Conclusion:Option D is most secure and efficient.

Subnet roles dictate gateway use. The Oracle Networking Professional study guide states, "Public subnets use an Internet Gateway for full internet access, while private subnets can use a NAT Gateway for outbound-only access, ensuring no direct internet exposure" (OCI Networking Documentation, Section: VCN Gateways). Option D balances security and functionality.

Objective: Allow VCN-A to access on-premises (192.168.1.0/24) via VPN, isolate VCN-B using DRG route tables effectively and securely.

Option A: Single route table for both VCNs with NSGs on VCN-B to block traffic. This works but relies on NSGs, which are secondary to routing. Routing-level isolation is more secure and efficient.

Option B: Single route table for VCN-A with the VPN route, default table (no VPN route) for VCN-B. This isolates VCN-B effectively at the routing level, but managing one table across all attachments can complicate scaling.

Option C: Two route tables, both with VPN routes, then blocking VCN-B with security lists. This is inefficient—routes are advertised unnecessarily, relying on security lists instead of routing isolation.

Option D: Two route tables—DRG-RT-A with VPN route for VCN-A, DRG-RT-B with no VPN route for VCN-B. This ensures VCN-B has no path to on-premises at the DRG level, providing the strongest isolation.

Conclusion: Option D is the most effective and secure, leveraging routing for isolation rather than secondary security controls.

Oracle documentation states:

"DRG route tables control traffic between VCN attachments and external connections (e.g., VPN). Associate a unique route table with each attachment to enforce specific routing policies."

"To isolate a VCN, ensure its DRG route table contains no routes to the destination."Option D aligns with this approach. Reference:Dynamic Routing Gateway Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm).

Requirement: IAM permission to accept cross-tenancy LPG peering.

Option A: “Manage” allows creating and accepting peering—correct.

Option B: “Use” permits using existing LPGs, not accepting requests—incorrect.

Option C: “Inspect” is read-only, insufficient—incorrect.

Option D: “Read” on virtual-network-family doesn’t cover LPG management—incorrect.

Conclusion: Option A is required.

Oracle states:

"To accept a cross-tenancy peering request, the target tenancy needs ‘manage local-peering-gateways’ permission."This confirms Option A. Reference:Local VCN Peering - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/localVCNpeering.htm).

Requirement: Provide VLAN config info for FastConnect setup.

Option A: CIDR blocks are for routing, not VLAN setup—incorrect.

Option B: VLAN ID defines the circuit, BGP ASN and peering IPs establish routing—essential and correct.

Option C: MTU is a performance setting, not required for VLAN config—incorrect.

Option D: OCID and compartment ID are for OCI management, not provider setup—incorrect.

Conclusion: Option B provides the necessary VLAN configuration details.

Oracle states:

"For FastConnect, provide the provider with a VLAN ID, your BGP ASN, and BGP peering IPs to configure the virtual circuit."This confirms Option B. Reference:FastConnect Configuration - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#providerconfig).

Requirements:End-to-end encryption, no public internet for Object Storage access.

Options Analysis:

Service Gateway:Private access to Object Storage.

NAT Gateway:Public internet access; unsuitable.

Private Endpoint:Alternative private access, but newer feature.

HTTPS:Ensures in-transit encryption.

Evaluate Options:

A:Encryption at rest doesn’t cover transit; incomplete.

B:NAT uses public internet; violates policy; incorrect.

C:Service Gateway with HTTPS ensures full encryption and privacy; correct.

D:Private Endpoint with HTTPS is valid but less common than Service Gateway; slightly less optimal historically.

Conclusion:Service Gateway with HTTPS is most secure and compliant.

Service Gateway is standard for private Object Storage access. The Oracle Networking Professional study guide states, "A Service Gateway with HTTPS API calls ensures end-to-end encrypted traffic to Object Storage without public internet traversal" (OCI Networking Documentation, Section: Service Gateway). This meets security mandates effectively.

Transitive Routing Goal:Traffic from a VCN to an on-premises network via DRG.

DRG Role:Acts as a virtual router connecting VCNs and on-premises networks.

Routing Options:

Static Routes:Manually defined, less scalable for dynamic environments.

Dynamic Routing (BGP):Automatically exchanges routes, ideal for hybrid setups.

Evaluate Options:

A:Static routes work but require manual updates; less efficient.

B:BGP dynamically propagates routes, ensuring correct routing; best fit.

C:LPG is for intra-region peering, not on-premises connectivity; incorrect.

D:Service Gateway is for OCI services, not on-premises; incorrect.

Conclusion:BGP ensures scalable, accurate routing through the DRG.

The DRG supports transitive routing with dynamic protocols like BGP. The Oracle Networking Professional study guide states, "For transitive routing between VCNs and on-premises networks via a DRG, configuring BGP on the DRG and CPE enables automatic route propagation, ensuring traffic is correctly routed" (OCI Networking Documentation, Section: Dynamic Routing Gateway). BGP is preferred over static routes for hybrid cloud scenarios.

Requirements: Secure, reliable, low-latency, bidirectional access with redundancy.

Option A: VPN via DRG is secure but lacks low latency and redundancy—insufficient.

Option B: FastConnect via DRG offers low latency and security but no redundancy—partial fit.

Option C: Public endpoints are insecure and high-latency—incorrect.

Option D: FastConnect for primary low-latency access, VPN as backup for redundancy—correct and most appropriate.

Conclusion: Option D meets all criteria.

Oracle states:

"FastConnect with DRG provides secure, low-latency hybrid connectivity. Add a Site-to-Site VPN for redundancy to ensure reliability."This supports Option D. Reference:Hybrid Cloud Connectivity - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/hybridcloud.htm).

Goal: Restrict subnet traffic to a specific on-premises IP range via FastConnect.

Option A: Internet Gateway is for public access, not FastConnect—incorrect.

Option B: Default security list applies broadly, lacking granularity; NSGs are more effective—less optimal.

Option C: Custom route table with DRG ensures FastConnect routing; NSGs provide precise, instance-level traffic restriction—correct.

Option D: LPG is for same-region VCN peering, not on-premises—incorrect.

Conclusion: Option C is the most effective method.

Oracle notes:

"Use a custom route table with a DRG route rule for FastConnect traffic. NSGs offer granular control to restrict traffic to specific IP ranges."This supports Option C. Reference:FastConnect and NSG Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm & docs.oracle.com/en-us/iaas/Content/Network/Concepts/NSGs.htm).

Problem: App tier can’t reach DB tier despite open security lists.

Option A: Flow Logs show traffic details but require analysis, slowing diagnosis—less efficient.

Option B: Connection Diagnostics tests connectivity (e.g., ping, traceroute) between resources, quickly pinpointing failures—correct.

Option C: Network Firewall controls traffic, not diagnoses—incorrect.

Option D: Bastion is for access, not troubleshooting—incorrect.

Conclusion: Connection Diagnostics is the best tool for quick isolation.

Oracle states:

"Connection Diagnostics provides rapid testing of network connectivity between OCI resources, ideal for isolating issues like tier-to-tier failures.”This validates Option B. Reference:Network Troubleshooting - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/troubleshooting.htm#connectiondiagnostics).

Goal: Balance security and performance with encryption in a VCN.

Option A: TLS only to the load balancer leaves internal traffic unencrypted, risking exposure—insufficient security.

Option B: mTLS everywhere maximizes security but adds significant overhead (e.g., certificate management), impacting performance—overkill.

Option C: NSGs/Security Lists control access but don’t encrypt traffic—lacks protection for sensitive data.

Option D: TLS between OKE and Compute secures app-tier communication. Oracle Database Vault ensures ADB traffic is encrypted efficiently, leveraging built-in features—balanced approach.

Conclusion: Option D optimizes security and performance.

Oracle states:

"Use TLS for application traffic between tiers. Autonomous Database with Database Vaultprovides encryption in transit and at rest, minimizing overhead."This supports Option D. Reference:Security in OCI Networking - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/securityoverview.htm).

Objective: Block all outbound internet traffic from a private subnet, ensuring compliance despite misconfigurations.

Option A: ALLOW to 0.0.0.0/0 permits all traffic, contradicting the requirement.

Option B: DROP to NAT Gateway IP only blocks traffic to the NAT Gateway, not all internet traffic (e.g., misconfigured routes bypassing NAT).

Option C: REJECT to 0.0.0.0/0 blocks all outbound traffic to any IP, sending an ICMP unreachable message. This ensures no internet access, even if misconfigured, and aids troubleshooting.

Option D: ALLOW to Service Gateway permits OCI service access, not internet blocking.

Conclusion: Option C is the most comprehensive and compliant solution.

Oracle’s Network Firewall guide states:

"Use REJECT with a destination of 0.0.0.0/0 to block all outbound traffic and notify the source, ideal for strict egress control."This matches Option C’s purpose. Reference:Network Firewall Policies - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/NetworkFirewall/Tasks/managingpolicies.htm).

Requirement:Transitive routing across regions and to on-premises, privately.

Components:

LPG:Intra-region VCN peering; limited scope.

DRG:Cross-region and on-premises routing via private backbone.

Service Gateway:OCI service access; not transitive.

Internet Gateway:Public internet; not private.

Evaluate Options:

A:Region-specific; incorrect.

B:Supports multi-region and on-premises; correct.

C:Service-focused; incorrect.

D:Public; incorrect.

Conclusion:DRG is the key component.

DRG enables complex routing scenarios. The Oracle Networking Professional study guide notes, "The Dynamic Routing Gateway (DRG) facilitates transitive routing between VCNs in different regions and on-premises networks over OCI’s private backbone" (OCI Networking Documentation, Section: Dynamic Routing Gateway). This meets both requirements efficiently.

Concern:IPSec overhead reduces effective MTU.

MTU Impact:Must avoid fragmentation, which degrades performance.

Evaluate Factors:

A:Bandwidth doesn’t dictate MTU; incorrect.

B:Smallest MTU in path (path MTU) prevents fragmentation; most critical.

C:Ethernet MTU is a factor but not the limiting one; incomplete.

D:DRG fragmentation settings are secondary to path MTU; incorrect.

Conclusion:Path MTU is the key determinant to avoid fragmentation.

IPSec reduces MTU due to headers. The Oracle Networking Professional study guide explains, "When configuring IPSec over FastConnect, the most important factor is the smallest MTU supported along the entire path to prevent fragmentation and ensure efficient traffic flow" (OCI Networking Documentation, Section: IPSec over FastConnect). Path MTU discovery is critical.

Requirements: High bandwidth, low latency, leveraging direct fiber connectivity.

Option A: Site-to-Site VPN uses the public internet, lacking consistency and bandwidth—incorrect.

Option B: Internet Gateway is for public access, not dedicated connections—incorrect.

Option C: FastConnect Colocation uses direct fiber at Oracle locations, ensuring high bandwidth and minimal latency—correct.

Option D: DRG with remote peering is for VCN-to-VCN connectivity, not optimized for on-premises fiber—incorrect (DRG is part of FastConnect but not the service itself).

Conclusion: FastConnect Colocation is the most suitable.

Oracle states:

"FastConnect Colocation with Oracle leverages direct fiber connections at Oracle facilities, providing consistent, high-bandwidth, and low-latency access to OCI."This supports Option C. Reference:FastConnect Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#colocation).

Requirement Analysis: The solution needs a private, high-bandwidth, low-latency connection (provided by FastConnect) with encryption for data confidentiality.

Option A (IPSec VPN): IPSec encrypts traffic at Layer 3 over public or private networks. While feasible over FastConnect, it’s redundant since FastConnect is already private, adding unnecessary overhead and complexity.

Option B (OCI Vault): Vault manages encryption keys and secrets but doesn’t encrypt traffic itself—only supports application-level encryption, not link-level—incorrect.

Option C (MACsec): MACsec (Media Access Control Security) provides Layer 2 encryption for Ethernet traffic, ideal for securing FastConnect’s dedicated link directly between devices, ensuring confidentiality without higher-layer overhead—correct.

Option D (OCI Bastion): Bastion secures remote access to VCN resources, not link encryption—incorrect.

Conclusion: MACsec enhances FastConnect with efficient, link-level encryption, meeting all requirements.

Oracle documentation states:

"MACsec provides Layer 2 encryption for FastConnect, securing Ethernet traffic between on-premises and OCI infrastructure. It’s ideal for ensuring confidentiality over dedicated connections."This supports Option C as the best additional product. Reference:FastConnect Security Options - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#security).

Goal: End-to-end encryption (client-to-LB and LB-to-backend).

Option A: HTTP backend set leaves LB-to-backend unencrypted—incorrect.

Option B: HTTPS listener and backend set with certificates ensures full encryption—correct and mandatory.

Option C: Backend-only certificates lack LB termination—incorrect.

Option D: TCP proxy bypasses LB encryption—incorrect.

Conclusion: Option B is mandatory for end-to-end encryption.

Oracle states:

"For end-to-end encryption, configure the HTTPS listener with an SSL certificate and set the backend protocol to HTTPS, requiring certificates on backend instances."This validates Option B. Reference:Load Balancer SSL - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingssl.htm).

Context: Zero Trust requires strict access control.

Option A: IAM policies are still required—incorrect.

Option B: Private endpoints limit access to specific service instances, aligning with Zero Trust—correct.

Option C: Ports are controlled by NSGs/security lists—incorrect.

Option D: Private endpoints are for private access, not internet—incorrect.

Conclusion: Option B enhances security.

Oracle states:

"Private endpoints restrict access to specific OCI service instances, enhancing Zero Trust by limiting exposure compared to Service Gateways."This supports Option B. Reference:Private Endpoints - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/privateendpoints.htm).

Requirement Analysis:The solution must ensure private access to Object Storage without public internet traversal, while being cost-effective.

Evaluate OCI Components:

Internet Gateway:Provides public internet access, unsuitable for private connectivity.

NAT Gateway:Allows outbound internet access from private subnets, but traffic still exits OCI.

Service Gateway:Enables private access to OCI services like Object Storage within the same region.

DRG with FastConnect:Used for on-premises connectivity, not intra-OCI service access.

Option Assessment:

A:Uses public internet, violating the security policy.

B:HTTPS encrypts data, but traffic traverses the internet via NAT, violating the policy.

C:Service Gateway keeps traffic within OCI’s private network, meeting security and cost goals.

D:Overly complex and costly, with public endpoints contradicting the requirement.

Conclusion:Service Gateway with regional Object Storage endpoints ensures private, secure, and cost-effective access.

The Service Gateway is designed for private access to OCI services like Object Storage, avoiding the public internet. The Oracle Networking Professional study guide states, "A Service Gateway allows instances in a private subnet to access supported OCI services without an Internet Gateway or NAT Gateway, ensuring traffic remains within the Oracle network" (OCI Networking Documentation, Section: Service Gateway). Using the Oracle Services Network service CIDR label for the region ensures compatibility with Object Storage endpoints, optimizing cost and security.