
Oracle Cloud Infrastructure Architect Associate Tips

knowledge points and thinking

Introduction

These are the tips or check points for preparing for the OCI Architect test (1Z0-1072-21). It is free before 28 February 2022, and this is one of the reasons I took this test; the other reason is that OCI offers generous compute instances, which are more than enough to build a proper k8s cluster.

Cloud Basic

  • Oracle Cloud Infrastructure is hosted in regions and availability domains. A region is a localized geographic area; an availability domain (AD) is one or more data centers within a region.
  • Each availability domain contains three fault domains for high availability.
    • A fault domain is a grouping of hardware and infrastructure within an availability domain. Spreading instances across fault domains means a single hardware failure or maintenance event in one fault domain does not take down instances in the others.

IAM

  • Users and groups belong to the tenancy, not to a compartment; a policy is attached to a compartment (or to the tenancy root).
    • Policy example from the lab: Allow group ocilabs-group to manage all-resources in compartment ocilabs. A policy is the authorization (authZ) binding between a group and the resources of a compartment.
  • Dynamic groups allow you to group Oracle Cloud Infrastructure compute instances as "principal" actors (similar to user groups); the AWS analogue is an IAM role attached to an EC2 instance.
    • used for making API calls against other OCI services without user credentials (instance principals)
      • create a dynamic group with a matching rule, then add a policy that grants that dynamic group access
  • Budgets can be set per compartment or per cost-tracking tag.
  • Oracle IAM has no roles; dynamic groups plus policies fill that gap.
  • Auth tokens
    • a user can generate up to two auth tokens
    • an auth token authenticates to third-party APIs that do not support OCI signature-based authentication, such as the Swift API for Object Storage
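As an added example (not part of the original notes), here is the dynamic-group-plus-policy pattern from the bullets above written out as a least-privilege configuration. The dynamic group name ocilabs-app-instances, the bucket name app-config and the compartment OCID placeholder are hypothetical; the compartment ocilabs and the group ocilabs-group are the ones from the lab. Lines starting with # are annotations, not policy syntax.

```text
# Dynamic group "ocilabs-app-instances" -- matching rule.
# Every instance created in the compartment becomes a member; the OCID is a placeholder.
Any {instance.compartment.id = 'ocid1.compartment.oc1..exampleuniqueID'}

# Policy attached to compartment ocilabs for the instances.
# read (not manage) on objects, further narrowed with a condition to one bucket:
# the instance principal can fetch its configuration but cannot list other buckets,
# write, or delete anything, even though it runs with no user credentials at all.
Allow dynamic-group ocilabs-app-instances to read objects in compartment ocilabs where target.bucket.name = 'app-config'

# Policy attached to compartment ocilabs for the humans (the lab statement from the notes).
Allow group ocilabs-group to manage all-resources in compartment ocilabs
```

The contrast worth noting is the verb: the human group gets manage all-resources because it is a lab, while the machine principal gets read on a single resource type with a where condition. Because policies are attached to the compartment, neither statement grants anything outside ocilabs.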

Network and VCN

  • a VCN is a software-defined network
    • a VCN is regional: it cannot span regions, but its subnets can be AD-specific or regional (spanning all ADs in the region)
    • each subnet can have one or more security lists associated with it
    • the default security list allows SSH (TCP 22) from anywhere but not ping: the only ICMP it admits is type 3 (destination unreachable), code 4 from 0.0.0.0/0 for path MTU discovery and all codes from the VCN CIDR
  • A VCN covers one or more IPv4 CIDR blocks of your choice. The allowable VCN size range is /16 to /30.
  • DRG, Dynamic Routing Gateway
    • VCNs, IPSec VPNs, FastConnect virtual circuits and RPCs (remote peering connections) can be attached to a DRG
  • Network Visualizer
    • Regional Network Topology
      • FastConnect/VPN
      • interconnectivity of VCNs
  • A load balancer requires
    • a listener
    • a security list rule that opens the listener port on the load balancer's subnet
    • a backend set with at least one backend server
  • local VCN peering
    • the VCNs can be in different tenancies, but must be in the same region
    • a single DRG can also be used for local peering
  • site-to-site VPN
    • an IPSec connection between your on-premises network and the VCN
    • traffic is encrypted
  • an IPSec VPN runs over the internet; FastConnect does not (a dedicated private connection, similar to AWS Direct Connect), and FastConnect traffic is not encrypted unless you run IPSec over it

Compute

  • Auto scaling has two types
    • metric based
    • schedule based
  • one autoscaling configuration can have one or more autoscaling policies
    • an instance pool is required for autoscaling
    • each instance pool can have only one autoscaling configuration
  • Preemptible instances cannot be started/stopped/rebooted; this is unlike AWS Spot instances (actually AWS Spot instances could not either before 2021)

Block Storage

  • When you attach a block volume to a VM instance, you have two options for attachment type, iSCSI or paravirtualized
    • iSCSI: a TCP/IP-based standard used for communication between a volume and the attached instance; required for bare metal instances and older images, and the guest OS has to run the iSCSI attach commands itself
    • Paravirtualized: attached through the hypervisor, with no configuration needed inside the guest OS
  • Attach a volume to multiple instances
    • max is 8
    • read-only or read/write for every attachment, not mixed; a shared read/write volume needs a cluster-aware file system
  • Volume clone
    • up to 10 clones at a time if the volume is detached
    • one clone at a time if the volume is attached
    • You can only create a clone for a volume within the same region, availability domain and tenancy; moving data to another AD or region goes through a backup instead
  • default backup policies
    • bronze: monthly incremental (retained 12 months)
    • silver: weekly (retained 4 weeks) and monthly (12 months) incremental
    • gold: daily (retained 7 days), weekly (4 weeks) and monthly (12 months) incremental
    • all three also take a yearly full backup, retained 5 years
  • the Lower Cost performance level (block volumes only) suits streaming, log processing and other throughput-intensive workloads with large sequential I/O
  • boot volumes and block volumes can be grouped in the same volume group
  • when terminating an instance, you can preserve the boot volume
  • For boot volumes, two performance levels
    • balanced
    • higher performance

Object Storage

  • 3 storage tiers
    • standard
    • infrequent access: for data accessed rarely, but available immediately when needed
    • archive
  • buckets are compartment based too
  • bucket replication copies objects to a destination bucket, which can be in another region
  • archive storage: the minimum retention period is 90 days; after a restore, an object stays downloadable for 24 hours by default
  • versioning and replication are both configured at bucket level
  • PAR, pre-authenticated requests: an expiration time is required when creating one, but there is no upper bound on how far out it can be; keep PAR lifetimes short and scope them to a single object where possible
  • visibility is per bucket: a private bucket cannot hold public objects and vice versa; for selective sharing use a PAR instead of making the whole bucket public
  • Retention rules can also protect your data from accidental or malicious update, overwrite, or deletion. Retention rules can be locked to prevent rule modification and data deletion or modification even by administrators.

File Storage

  • accessed over the network
  • files in a hierarchy of named directories
  • all major OSes/hypervisors are supported
  • it uses NFSv3 as the access protocol
  • a file system can have up to 10,000 snapshots
  • storage options in OCI
    • object storage
    • archive
    • file storage
    • block volumes
    • local storage (Non-Volatile Memory Express, NVMe)
  • File Storage can be used for concurrently accessible (shared) storage
  • in a file system clone
    • compartment, tags, names etc. are not cloned
    • but all snapshots are cloned

OCI Database

  • ATP, Autonomous Transaction Processing
    • missing indexes are detected and created automatically
    • data stored in rows
    • can scale OCPUs and storage up/down
  • Autonomous Data Warehouse
    • data stored in columnar format
  • For provisioning an Autonomous DB instance
    • DB name
    • workload type
    • number of CPUs
  • 3 DB Systems are available in OCI
    • VM DB System
    • Exadata DB System
    • Bare metal DB System
  • Creating a DB system requires (at minimum)
    • an SSH public key
    • a VCN and subnet (the lab used the default security list)
  • For Autonomous DB, available actions
    • scale CPU up/down
    • increase storage
  • DB System is similar to AWS RDS: backups, multi-AZ and read replicas
  • Autonomous DB (Transactional, JSON, Warehouse) is similar to AWS Aurora, AWS DynamoDB and AWS Redshift respectively
  • ADB has 5 pre-configured database services: high, medium, low, tp and tpurgent (tp and tpurgent exist for ATP only)
  • MySQL Database Service with HeatWave (like AWS Aurora)

Security

  • Oracle Cloud Infrastructure Vault is a managed service that lets you centrally manage the encryption keys that protect your data and the secret credentials that you use to securely access resources.
    • key algorithms: AES, RSA, ECDSA
  • master encryption keys in software-protected mode
    • stored on a server rather than in an HSM
    • can be exported from the service
    • cryptographic operations can be performed on the client
    • by contrast, HSM-protected keys never leave the FIPS 140-2 Level 3 certified HSM
  • A security zone is an association between a compartment and a security zone recipe (a set of policies).
    • existing resources can be moved into a security zone, provided they comply with the recipe
    • Security Zones let you be confident that your resources comply with Oracle's security principles: resource operations in a security zone are validated against all policies in the recipe, so a non-compliant action (for example making an Object Storage bucket public) is denied rather than merely reported
  • WAF can protect any internet-facing endpoint, providing consistent rule enforcement across a customer's applications
    • it works on the application layer (layer 7 of the OSI model)
  • For infrastructure protection
    • WAF
    • security lists
    • DDoS protection
  • Cloud Guard: detector recipes find misconfigured resources and risky activity across the tenancy, and responder recipes remediate or notify
    [Figure: high-level system flow in Cloud Guard]

Observability and Logging

  • Logging Analytics: aggregate, search and monitor logs; it can also group logs by signature
  • Logging service
    • single pane of glass for all logs in a tenancy, i.e. the central log management layer (Logging Analytics sits on top of it for analysis)
    • analyse critical diagnostic information
    • 3 types of logs handled by the Logging service
      • service logs, emitted by OCI native services such as API Gateway, Events, Functions and Object Storage
      • audit logs, from the OCI Audit service
      • custom logs, from your own applications
  • Monitoring covers CPU usage, disk reads etc. of an instance; a metric is identified by
    • namespace (e.g. oci_computeagent)
    • dimensions (e.g. resourceId)
    • metadata
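The audit logs mentioned above are where the IAM and Security points on this page become detectable: a policy change, a scheduled key deletion in Vault, a deleted retention rule, or an instance principal repeatedly being denied. As an added example (not code from the original notes), the script below parses newline-delimited audit events and flags those cases. The sample events are constructed; their layout follows the documented OCI Audit event schema (top-level eventType/eventTime, data.eventName, data.identity, data.request, data.response), and the watch lists, threshold and principal names are hypothetical starting points.

```python
"""Triage OCI Audit log events (added example, not from the original page).

Sample events are constructed; the watch lists are a hypothetical baseline.
"""
import json
from collections import Counter

# Hypothetical watch lists. Audit eventName matches the API operation name.
IAM_CHANGE_EVENTS = {
    "CreatePolicy", "UpdatePolicy", "DeletePolicy",
    "AddUserToGroup", "CreateDynamicGroup", "UpdateDynamicGroup",
}
DESTRUCTIVE_EVENTS = {"ScheduleKeyDeletion", "ScheduleVaultDeletion", "DeleteRetentionRule"}
DENIED_STATUSES = {"401", "403", "404"}  # OCI reports NotAuthorizedOrNotFound as 404
FAILURE_THRESHOLD = 3                    # denied calls by one principal before we flag


def _audit_event(source, name, principal, auth_type, status, ip, path, method):
    """Build one constructed event in the Audit v2 shape (test data only)."""
    return {
        "eventType": f"com.oraclecloud.{source}.{name}",
        "cloudEventsVersion": "0.1",
        "eventTypeVersion": "2.0",
        "source": source,
        "eventTime": "2022-02-01T10:00:00.000Z",
        "data": {
            "eventName": name,
            "compartmentName": "ocilabs",
            "identity": {"principalName": principal, "authType": auth_type, "ipAddress": ip},
            "request": {"path": path, "action": method},
            "response": {"status": status},
        },
    }


# Constructed sample: one JSON document per line, as exported audit logs are.
SAMPLE_AUDIT_JSONL = "\n".join(json.dumps(e) for e in [
    _audit_event("identityControlPlane", "CreatePolicy", "user1", "natv", "200", "192.0.2.10", "/20160918/policies", "POST"),
    _audit_event("objectstorage", "ListBuckets", "user1", "natv", "200", "192.0.2.10", "/n/tenant/b", "GET"),
    _audit_event("objectstorage", "GetObject", "svc-runner", "instance", "404", "10.0.1.7", "/n/tenant/b/secrets/o/db.key", "GET"),
    _audit_event("objectstorage", "GetObject", "svc-runner", "instance", "404", "10.0.1.7", "/n/tenant/b/secrets/o/db.key", "GET"),
    _audit_event("objectstorage", "GetObject", "svc-runner", "instance", "404", "10.0.1.7", "/n/tenant/b/secrets/o/db.key", "GET"),
    _audit_event("keymanagement", "ScheduleKeyDeletion", "admin", "natv", "200", "198.51.100.4", "/20180608/keys/ocid1.key.oc1..example/actions/scheduleDeletion", "POST"),
    _audit_event("identityControlPlane", "UpdatePolicy", "user2", "natv", "404", "192.0.2.11", "/20160918/policies/ocid1.policy.oc1..example", "PUT"),
])


def parse_audit_lines(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Return findings as (severity, reason, principal, eventName) tuples.

    Successful IAM or destructive operations are flagged individually; denied
    requests are counted per principal and flagged once they cross the
    threshold, which catches an instance principal probing for access that
    its dynamic-group policy never granted.
    """
    findings = []
    denied = Counter()
    for ev in events:
        d = ev["data"]
        name = d.get("eventName")
        principal = d.get("identity", {}).get("principalName")
        status = str(d.get("response", {}).get("status", ""))
        succeeded = status.startswith("2")
        if name in IAM_CHANGE_EVENTS and succeeded:
            findings.append(("high", "IAM authorization change", principal, name))
        elif name in DESTRUCTIVE_EVENTS and succeeded:
            findings.append(("high", "destructive operation", principal, name))
        elif status in DENIED_STATUSES:
            denied[principal] += 1
    for principal, n in denied.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(("medium", f"{n} denied requests", principal, None))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_audit_lines(SAMPLE_AUDIT_JSONL)):
        print(*finding)
```

On the constructed sample this yields three findings: the successful CreatePolicy by user1, the ScheduleKeyDeletion by admin, and svc-runner's three denied GetObject calls against a bucket it has no policy for. The denied UpdatePolicy by user2 is not a high finding, because the change never happened, but it still counts toward that principal's denial tally.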

Practice Exam Tips

  • FastConnect (between your own network and a VCN) uses the BGP protocol
  • a two-node Oracle RAC DB system requires Oracle Database Enterprise Edition - Extreme Performance
  • Application (layer 7) load balancer
    • supports HTTP and HTTPS
    • performs content-based routing (host, path, headers), not just IP/port
  • the network load balancer works on layer 4 of the OSI model, routing on IP/port
  • Exadata Cloud@Customer keeps the data in the customer's own data center (data residency)
  • 4 layers of access control in the File Storage service
    • NFS export options (per-client source CIDR, read-only/read-write, identity squash)
    • NFSv3 Unix security (file mode bits, UID/GID)
    • network security (security lists / NSGs on the mount target's subnet)
    • OCI IAM policy
  • one compartment can hold resources from multiple regions, but a single resource belongs to exactly one compartment
