Way to OCI Architect Associate (1Z0-932)
When I cleared my Oracle Cloud Architect Associate certification, I received a lot of questions on how to prepare for this exam and what’s the way to successfully achieve this certification. So I thought of compiling some of the information which helped me during my exam preparation.
Since Oracle Cloud Infrastructure is rapidly evolving, there is a good chance that this information will become outdated soon, but as of January 2019 the following is valid. I am listing a few stages which you should try to follow sequentially.
Stage 1: To start with, please get the overview of Oracle Cloud Infrastructure from Oracle University Learning subscription:
https://learn.oracle.com/pls/web_prod-plq-dad/dl4_pages.getpage?page=ols_userportal
In this link, select “Oracle Cloud Infrastructure Services” learning subscription, followed by selecting “Become a Cloud Administrator for OCI” learning path.
Stage 2: Now that you have a surface level understanding of all OCI resources, try to get a 1 month free trial of Oracle Cloud Subscription on https://cloud.oracle.com and try to work on VCN, SubNets, Load Balancer, DNS, Autonomous Database etc.
If for some reason you cannot get this subscription, use the training environment at https://ocitraining.qloudable.com/ instead.
Stage 3: Now to get more understanding at each level of Networking, Database, IAM or DNS level, go through these OCI fundamentals training level 100 courses provided by Oracle:
https://www.youtube.com/playlist?list=PLKCk3OyNwIzvn8dpgrIKNdBOHT7AoMZlw
- OCI Level 100 – Getting Started
- OCI Level 100 – Identity and Access Management
- OCI Level 100 – Virtual Cloud Network
- OCI Level 100 – Connectivity
- OCI Level 100 – Compute
- OCI Level 100 – Block Volume
- OCI Level 100 – File Storage
- OCI Level 100 – Object Storage
- OCI Level 100 – Load Balancer
- OCI Level 100 – Database
- OCI Level 100 – Autonomous Database
- OCI Level 100 – DNS
Stage 4: Now go through these FAQs to get some in-depth understanding on your concepts of OCI resources:
https://cloud.oracle.com/load-balancing/faq
https://cloud.oracle.com/database/faq
https://cloud.oracle.com/edge/dns/faq
https://cloud.oracle.com/storage/object-storage/faq
https://cloud.oracle.com/storage/block-volume/faq
https://cloud.oracle.com/compute/faq
https://cloud.oracle.com/cloud-security/identity/faq
Stage 5: I would highly recommend to follow this study guide to review your study contents before the Exam:
https://learn.oracle.com/education/pdf/Oracle_Cloud_Infrastructure_study_guide.pdf
Stage 6: Now at this stage you are ready for the exam, so attempt this Practice Exam:
https://oukc.oracle.com/static12/opn/login/?t=checkusercookies|r=-1|c=2164389233
If you score more than 85% in this exam, you are good to go for the certification; otherwise go back to Stage 4.
Optional: There is a good course on Udemy that you can also use to build confidence before the exam; at the end of the course you get some questions for practice:
https://www.udemy.com/oracle-cloud-infrastructure-associate-arch-part-ii-1z0-932/
Some Important Notes…
Here are some of my notes which I prepared during my studies for this certification. Over time, this information will become obsolete, so please be cognizant of that and update your copy as per the latest OCI Training Material: https://my.oracle.com/site/cloudsol/public/IaaS/Training/index.html
IAM
IAM is included with your cloud subscription at no additional charge. It is a global resource, not tied to any region.
IAM can be consumed via: the Console, the REST API, the CLI and the SDKs.
IAM governs access to every OCI resource: Compute, Block Volume, VCN, etc.
Compartment
Logical container used to organize and isolate cloud resources; each resource is in exactly one compartment.
Compartments are global and logical; distinct from physical “containers” like Regions and Availability Domains.
Resources can be connected/shared across compartments.
Compartments cannot be deleted as of this writing (they can be renamed).
Principals:
Three types of Principals — root users, IAM users and Instance Principals.
IAM Users/Groups
User has no permissions until placed in one (or more) groups.
A group needs at least one policy granting it permissions on the tenancy or on a compartment; it is the policy, not the group, that confers the permission.
Same users can be member of multiple groups.
Instance Principals
Instance Principals can make API calls against other OCI services without storing credentials in a configuration file.
Instance Principals are implemented in OCI with ‘Dynamic Groups’.
Membership in the dynamic group is determined by a set of matching rules. When you set up a dynamic group, you also define the rules for membership in the group.
Resources that match the rule criteria are members of the dynamic group.
Dynamic Groups also need Policies to access OCI resources.
Authentication
Two ways IAM service authenticates a Principal:
1) Username/Password
2) API Signing key
An API signing key is required when calling the REST API directly and when using the SDKs or the CLI.
The key is an RSA key pair in the PEM format (minimum 2048 bits required).
In the interfaces, you can copy and paste the PEM public key.
Authorization
Authorization in the IAM service is done by defining specific privileges in policies and associating them with principals (through groups or dynamic groups).
allow group <group_name> to <verb> <resource-type> in tenancy <tenancy_name>
allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where <conditions>]
e.g. Allow group ProjectA_Admins to manage all-resources in compartment ProjectA_compartment
verb (4 choices; each verb includes everything granted by the verbs before it):
- inspect (list resources, without access to confidential data or user-specified metadata)
- read (inspect plus the user-specified metadata and the resource itself)
- use (read plus the ability to work with existing resources, e.g. update; not create or delete)
- manage (all permissions for the resource type)
resource-type (the aggregate family types covered in the Level 100 course; individual types such as buckets, objects or instances can be used as well):
- all-resources
- database-family
- instance-family
- object-family
- virtual-network-family
- volume-family
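As an added example (not from the original post and not Oracle's tooling), the following Python script parses policy statements in the form shown above and decides whether a principal's group memberships grant a requested verb on a resource type in a compartment. It models the verb hierarchy (each verb includes the ones before it) and the object-family aggregate type. The family map, the flat compartment model (no inheritance from parent compartments) and the decision to skip statements that carry a where clause are simplifying assumptions of this example, not OCI behaviour.

```python
"""Toy evaluator for OCI IAM policy statements.

Added example, not Oracle code. Handles the statement forms discussed above:
    Allow group <name> to <verb> <resource-type> in tenancy
    Allow group <name> to <verb> <resource-type> in compartment <name>
    Allow dynamic-group <name> to <verb> <resource-type> in compartment <name>
Simplifications (assumptions of this example): compartments are flat names
with no inheritance from parent compartments, only one resource family is
mapped, and statements with a `where` clause are skipped rather than
evaluated, so the evaluator can only under-grant, never over-grant.
"""
import re

# Verb hierarchy: each verb includes everything granted by the verbs before it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Aggregate family types and the individual types they cover. Partial list,
# enough for the object-storage statements on this page (assumption).
FAMILIES = {"object-family": {"buckets", "objects"}}

STATEMENT = re.compile(
    r"^\s*allow\s+(?P<subject_type>group|dynamic-group)\s+(?P<subject>\S+)\s+"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+"
    r"in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE,
)


def parse_statement(text):
    """Split one policy statement into its parts; raise on anything unparseable."""
    m = STATEMENT.match(text)
    if not m:
        raise ValueError(f"unparseable policy statement: {text!r}")
    return {
        "subject": (m["subject_type"].lower(), m["subject"]),
        "verb": m["verb"].lower(),
        "resource": m["resource"].lower(),
        "scope": "tenancy" if m["tenancy"] else m["compartment"],
        "where": m["where"],
    }


def resource_matches(policy_type, requested_type):
    """True if a statement written for policy_type covers requested_type."""
    if policy_type == "all-resources" or policy_type == requested_type:
        return True
    return requested_type in FAMILIES.get(policy_type, set())


def is_allowed(statements, memberships, verb, resource_type, compartment):
    """Decide whether any unconditional statement grants at least `verb`.

    memberships: set of ("group" | "dynamic-group", name) the principal is in.
    compartment: name of the compartment that holds the target resource.
    """
    needed = VERB_RANK[verb]
    for s in (parse_statement(t) for t in statements):
        if s["subject"] not in memberships:
            continue
        if s["where"] is not None:
            continue  # conditional statement: not evaluated by this toy model
        if s["scope"] not in ("tenancy", compartment):
            continue
        if not resource_matches(s["resource"], resource_type.lower()):
            continue
        if VERB_RANK[s["verb"]] >= needed:
            return True
    return False


# Constructed sample policy, built around the example statement in the notes above.
POLICY = [
    "Allow group ProjectA_Admins to manage all-resources in compartment ProjectA_compartment",
    "Allow dynamic-group ProjectA_instances to read objects in compartment ProjectA_compartment",
    "Allow group Auditors to inspect buckets in tenancy",
    "Allow group Auditors to manage buckets in compartment Logs where request.permission = 'BUCKET_READ'",
]

if __name__ == "__main__":
    admins = {("group", "ProjectA_Admins")}
    instances = {("dynamic-group", "ProjectA_instances")}
    print(is_allowed(POLICY, admins, "manage", "objects", "ProjectA_compartment"))   # True
    print(is_allowed(POLICY, instances, "use", "objects", "ProjectA_compartment"))  # False
```

The useful property to notice is that a principal with no matching statement gets nothing: the evaluator starts from deny and only an explicit, in-scope statement with a high enough verb flips the result, which is exactly why a new user or a new dynamic group can do nothing until a policy is written for its group.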
DYNAMIC ROUTING GATEWAY (DRG)
A virtual edge router attached to your VCN.
- Necessary for private peering.
- The DRG is the single point of entry for private traffic coming into your VCN, whether it arrives over FastConnect or an IPSec VPN (if both carry the same routes, FastConnect takes precedence).
- After creating the DRG, you must attach it to your VCN and add a route for the DRG in the VCN’s route table to enable traffic flow.
FAST Connect
Easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure.
Use cases:-
- private peering :- Hybrid Cloud
- public peering :- To access public services in OCI without using the internet.
- For example, Object Storage, the OCI Console and APIs, or public load balancers in your VCN.
Service Models:
- Colocation with Oracle: Physical connection between Customer and Oracle
- Provider: Megaport, Equinix, Verizon SCI, etc.
If you're using FastConnect through an Oracle provider, a Border Gateway Protocol (BGP) session is established from your edge device, either with the provider's devices or directly with Oracle's FastConnect devices, depending on the provider type.
If you're colocating with Oracle, you must ask Oracle to increase your account limits for cross-connects: these limits are initially set to 0, so a request to create one of these resources will fail until the limit is raised.
Connectivity:
Physical: Cloud connectivity services from any of Oracle’s FastConnect partners. (BGP session either with this Partner’s devices or directly with Oracle’s FastConnect devices.)
- Direct to Oracle: Datacenter Colocation (BGP routing protocol)
- Direct to Oracle: Dedicated Circuits from a 3rd Party Network Carrier (BGP routing protocol)
Logical Connection: Private Virtual Circuit
- A single, logical connection between your customer edge and OCI by way of your DRG.
Logical Connection: Public Virtual Circuit
- Used to access public services in OCI without using the internet, for example Object Storage, the OCI Console and APIs, or public load balancers in your VCN.
- NOTE: The DRG is not involved with a public virtual circuit.
FastConnect Redundancy:
Oracle provides Circuit, Provider, and Data Center (DC) redundancy.
Provider:
Redundant circuits provisioned into 2 different “Fast Connect” locations by the same provider (Circuit and DC redundant).
Redundant circuits provisioned into 2 different “Fast Connect” locations by different provider (Circuit, Provider, and DC redundant).
Colocation with Oracle:
Move your equipment into an existing Oracle cloud data center (FastConnect location).
2 physical connections in the colocation to Oracle's equipment (circuit redundant, but not DC redundant).
2 physical connections in the colocation to Oracle's equipment plus a partner-provided connection to a second FastConnect location within the region (circuit redundant and DC redundant).
Dynamic Group
Used to grant privileges to instance principals.
Create a dynamic group whose matching rule selects either all instances in a compartment (instance.compartment.id = '<compartment OCID>') or one specific instance by OCID (instance.id = '<instance OCID>').
Then add a policy for the dynamic group, for example:
Allow dynamic-group <dynamic_group_name> to inspect buckets in compartment <compartment_name>
Allow dynamic-group <dynamic_group_name> to read objects in compartment <compartment_name>
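An added example (not from the post and not Oracle's SDK) that evaluates dynamic-group matching rules of the kinds described above against an instance's OCIDs, so you can check which instances a rule would actually admit before attaching a policy to the group. Only instance.id and instance.compartment.id with the = and != operators, optionally wrapped in Any { ... } or All { ... }, are supported; the OCIDs in the sample are constructed placeholders, not real identifiers.

```python
"""Evaluate OCI dynamic-group matching rules against an instance.

Added example, not Oracle code. Supports the rule shapes used in the notes
above: a single term, or several terms wrapped in Any { ... } / All { ... },
with the attributes instance.id and instance.compartment.id and the
operators = and != (assumption: other attributes, such as tags, are rejected).
"""
import re

SUPPORTED_ATTRS = {"instance.id", "instance.compartment.id"}

WRAPPER = re.compile(r"^\s*(?P<mode>any|all)\s*\{(?P<body>.*)\}\s*$",
                     re.IGNORECASE | re.DOTALL)
TERM = re.compile(r"^\s*(?P<attr>[a-z.]+)\s*(?P<op>!?=)\s*'(?P<value>[^']*)'\s*$")


def parse_rule(rule):
    """Return (mode, [(attr, op, value), ...]); a bare term counts as All with one term."""
    m = WRAPPER.match(rule)
    mode, body = (m["mode"].lower(), m["body"]) if m else ("all", rule)
    terms = []
    for raw in body.split(","):
        t = TERM.match(raw)
        if t is None:
            raise ValueError(f"bad matching-rule term: {raw.strip()!r}")
        if t["attr"] not in SUPPORTED_ATTRS:
            raise ValueError(f"unsupported attribute: {t['attr']}")
        terms.append((t["attr"], t["op"], t["value"]))
    return mode, terms


def is_member(rule, instance):
    """instance: {"id": <instance OCID>, "compartment_id": <compartment OCID>}."""
    mode, terms = parse_rule(rule)
    facts = {"instance.id": instance["id"],
             "instance.compartment.id": instance["compartment_id"]}
    outcomes = [(facts[attr] == value) if op == "=" else (facts[attr] != value)
                for attr, op, value in terms]
    return any(outcomes) if mode == "any" else all(outcomes)


def members(rule, instances):
    """Names of the instances a rule admits; the group's policies apply to exactly these."""
    return sorted(name for name, inst in instances.items() if is_member(rule, inst))


# Constructed placeholder OCIDs (not real identifiers).
COMPARTMENT_A = "ocid1.compartment.oc1..projecta"
COMPARTMENT_B = "ocid1.compartment.oc1..projectb"
INSTANCES = {
    "web1": {"id": "ocid1.instance.oc1.iad.web1", "compartment_id": COMPARTMENT_A},
    "web2": {"id": "ocid1.instance.oc1.iad.web2", "compartment_id": COMPARTMENT_A},
    "db1":  {"id": "ocid1.instance.oc1.iad.db1",  "compartment_id": COMPARTMENT_B},
}

# Rule 1: every instance in compartment A (the "all instances in a compartment" case).
RULE_COMPARTMENT = f"instance.compartment.id = '{COMPARTMENT_A}'"
# Rule 2: one named instance (the "instance with OCID" case).
RULE_ONE_INSTANCE = "instance.id = 'ocid1.instance.oc1.iad.db1'"
# Rule 3: compartment A minus one instance, using All with a negated term.
RULE_EXCLUDE = (f"All {{instance.compartment.id = '{COMPARTMENT_A}', "
                f"instance.id != 'ocid1.instance.oc1.iad.web2'}}")

if __name__ == "__main__":
    for rule in (RULE_COMPARTMENT, RULE_ONE_INSTANCE, RULE_EXCLUDE):
        print(rule, "->", members(rule, INSTANCES))
```

A compartment-wide rule is convenient but means every instance later launched into that compartment silently inherits the group's policies; when the policy grants anything beyond read on sensitive buckets, prefer per-instance OCIDs or an All { ... } rule that narrows the set. On the instance itself, the Python SDK picks the instance-principal credentials up through oci.auth.signers.InstancePrincipalsSecurityTokenSigner(), so no API key ever needs to be written to the instance.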
BLOCK Volumes
- IOPS performance is better with iSCSI attachments compared to paravirtualized attachments
- To change the access type (RW, RO) for a block volume, you need to detach the volume and specify the new access type when you re-attach the volume.
- The access type for boot volumes is always read/write.
- Volumes are only accessible to instances in the same availability domain.You cannot move a volume between availability domains or regions.
- Block Volume volumes can be created in sizes ranging from 50 GB to 32 TB in 1 GB increments. By default, Block Volume volumes are 1 TB.
Max Volumes per instance: 32
Volume Group:
This capability is only available using the command line interface (CLI) or REST APIs.
You can add up to 10 volumes in a volume group. This is the default limit and can be increased up to 64 volumes with a limit increase request for your tenancy.
When you delete a volume group backup, all the volume backups in the group are deleted.
When resizing a volume, ensure that the source volume is no larger than 512 GB and only resize the volume up to 16 TB.
Load Balancer
Request -> Listener -> Load Balancer -> Backend Servers (OCID)
Load Balancer resources :- 1 IP, 16 Backend Sets, 512 backend servers/set, 16 Listeners
Protocol: http, tcp and websocket
SSL options: SSL termination (TLS ends at the load balancer, plain traffic to the backends), end-to-end SSL (the load balancer terminates and re-encrypts to the backends), SSL tunneling (a TCP listener passes the TLS session through to the backend untouched)
Single Instance Load balancer for HTTP and TCP
Shapes (Bandwidth)
- 100 Mbps
- 400 Mbps
- 8000 Mbps
LB Policy
- Round Robin
- Least Connection
- IP Hash
DNS
The Oracle Cloud Infrastructure DNS service is limited to 1000 zones per account and 25,000 records per zone.
end user -> recursive DNS -> primary/ secondary DNS
Private Pool allows enterprises to host their domain names and DNS zones under a dedicated IP pool to segregate from those of other customers in order to reduce the risk of external issues affecting their websites. (If multiple customers are in the same pool and one customer’s Zones come under a DDoS attack, the other customers in the pool may have their DNS performance impacted until the DDoS is resolved).
Vanity Nameserver allows enterprises to rename OCI Nameservers with their own branding
– By default all OCI customers will be hosted on the OCI name servers. Using standard tools, users can determine that the customer’s assets are hosted by OCI DNS.
- Default naming: ns1.pxx.dns.oraclecloud.net
- Vanity naming: ns1.pxx.vanityname.net
Common types of records supported by OCI DNS
- A (Address Record)
- AAAA (IPv6 Address Record)
- CNAME (Canonical Name record)
- MX (Mail Exchange Record)
- TXT (Text Record)
- PTR (Pointer Record)
- SOA (Start of Authority Record) :- Start of Authority record (SOA) defines a zone
- SRV (Service Locator)
- NS (Name Server Record) :- The parent zone of a child zone must contain NS records that refer DNS queries to the name servers responsible for the child zone
ALIAS records are also supported: an ALIAS maps one name to another name rather than to a specific IP address, like a CNAME, but the target must be a record hosted in OCI DNS (it cannot point at an external resource).
MAX 25K resources records per zone.
You can do the following with Oracle-DNS:
- Create and manage zones
- Create and manage records
- Import or upload zone files
- Save and Publish changes
- View all Zones and Records
- Reporting
Primary and Secondary DNS available — always on
Recursive Server talks to Primary or Secondary
All domains information will be managed with in the primary DNS Server.
Can Oracle DNS become secondary DNS? YES! Can be deployed as a primary or secondary server.
DNS— Max 1000 Zones per Tenant
After changing the name servers for a domain, allow up to 72 hours for the change to propagate before validating it.
Benefits:
- DNS Network operating for over 10+ years, leveraged by thousands of customers, large and small, Enterprise, Business and Web properties
- Support for OCI, other Cloud provider endpoints (AWS, Azure) and private assets, including Cloud, CDNs and Data Centers
- Consistently lowest query latency performance
- Industry leading propagation time to ensure fast response to DNS changes
- Support for both Primary and Secondary DNS services, unlike solutions from many Cloud Providers
- Industry’s most accurate geolocation data set, created specifically for steering internet traffic
- DDoS protection built-in
- Most standards-compliant DNS platform
VCN
IPSec VPN path: DRG <-> IPSec tunnels <-> customer-premises equipment (CPE); the tunnels terminate on two or more OCI endpoints in different Availability Domains.
The IPsec tunnels connect the Dynamic Routing Gateway (DRG), which is created and attached to the VCN, with the CPE object that represents your on-premises device.
By default, three IPsec tunnels, one per Availability Domain, are created on the Oracle Cloud Infrastructure side for each IPSec connection.
Local VCN Peering
Local VCN peering is the process of connecting two VCNs in the same region and tenancy so that their resources can communicate
using private IP addresses without routing the traffic over the internet or through your on-premises network.
-A local peering gateway (LPG) on each VCN in the peering relationship.
IPSec VPN Redundancy Models (Multiple CPE)-
Configure two CPE devices to create a highly available (HA) deployment in your on-premises network, with three tunnels to each CPE device.
IP Security (IPSec = Internet Protocol Security)
Helps to connect on-premise to cloud — IPSec or FastConnect are the options
Can be Configured 2 Different modes:
Transport Mode: IPSec only encrypts and/or authenticates the actual payload of the packet, and the header information remains intact.
Tunnel Mode: IPSec encrypts and/or authenticates the entire packet. After encryption, the packet is encapsulated in a new IP packet with different header information. Oracle supports tunnel mode.
IP Sec VPN requires….
- DRG
- CPE Object
- IPSec Connection (connection b/w DRG and CPE)
- Static routes
Database
Currently, Oracle Database Cloud Service supports Oracle Database versions 11.2.0.4, 12.1.0.2, 12.2.0.1, and 18.1.0.0.
If you have Active Data Guard, Database In-Memory, or Multitenant, you need to use Enterprise Edition – Extreme Performance.
OCI Database service platform is little-endian format.
Database Migration:
- Data Pump Export/Import: works irrespective of endianness or character set
- Data Pump transportable tablespace: endianness and database character sets must be compatible
- RMAN cross-platform transportable tablespace backup sets: character sets must be compatible
- RMAN transportable tablespace with Data Pump: endianness and database character sets must be compatible
- RMAN CONVERT transportable tablespace with Data Pump: database character sets must be compatible (CONVERT handles the endianness difference)
- Data Pump full transportable: source database release 11.2.0.3 or later, and compatible database character sets (the typical 11g to 12c migration path)
- Remote cloning a PDB: Oracle Database 12c or later
- Remote cloning a non-CDB: Oracle Database 12c or later, and the character set must be the same
Exadata
Disk group allocation by configuration (percentage of storage given to the DATA, RECO and SPARSE disk groups):
Backups on Exadata storage | Sparse disk group | DATA | RECO | SPARSE
No                         | No                | 80%  | 20%  | 0%
Yes                        | No                | 40%  | 60%  | 0%
No                         | Yes               | 60%  | 20%  | 20%
Yes                        | Yes               | 35%  | 50%  | 15%
Autonomous DB
Service:
high:
The High database service provides the highest level of resources to each SQL statement resulting in the highest performance, but supports the fewest number of concurrent SQL statements. Any SQL statement in this service can use all the CPU and IO resources in your database.
The number of concurrent SQL statements that can be run in this service is 3, this number is independent of the number of CPUs in your database.
medium:
The Medium database service provides a lower level of resources to each SQL statement potentially resulting a lower level of performance, but supports more concurrent SQL statements. Any SQL statement in this service can use multiple CPU and IO resources in your database.
The number of concurrent SQL statements that can be run in this service depends on the number of CPUs in your database and scales linearly with the number of CPUs.
low:
The Low database service provides the least level of resources to each SQL statement, but supports the most number of concurrent SQL statements.
Any SQL statement in this service can use a single CPU and multiple IO resources in your database.
The number of concurrent SQL statements that can be run in this service can be up to 100 times the number of CPUs.
Autonomous Data Warehouse databases come with a predefined database role named DWROLE. This role provides the common privileges for the data warehouse developer.
The default retention period for performance data is eight days. So, the CPU utilization, running statements, and average SQL response time charts show data for the last eight days by default.
Some random points…
- Data Guard option is only on “BM” DB
- Exadata DB systems can be scaled up and down, and additional SSH keys can be added
- The main migration tool for migrating to ADB is Data Pump.
- Object storage service: standard tier and archive tier
- Compartment of the Bucket can be changed
- We can make bucket private or public
- The Swift-compatible endpoint (used, for example, by database backups) has the form https://swiftobjectstorage.<region>.oraclecloud.com/v1/<object_storage_namespace>.
- Object Storage URL :- https://objectstorage.us-ashburn-1.oraclecloud.com/n/<namespace>/b/<Bucketname>/o/<object name>
Hope these notes help you to achieve your goal of OCI Certification.
All the Best !!!