1z0-1104-25 Oracle Cloud Infrastructure 2025 Security Professional Questions and Answers

To create a public subnet named IAD-SP-PBT-PUBSNET-01 within the VCN IAD-SP-PBT-VCN-01 using a CIDR block of 10.0.1.0/24 and configure it to use the Internet Gateway, follow these steps based on the Oracle Cloud Infrastructure (OCI) Networking documentation.

Step-by-Step Solution for Task 4: Create a Public Subnet

Log in to the OCI Console:

Use your OCI credentials to log in to the OCI Console (https://console.us-ashburn-1.oraclecloud.com ).

Ensure you have access to the assigned compartment.

Navigate to Virtual Cloud Networks:

From the OCI Console, click the navigation menu (hamburger icon) on the top left.

UnderNetworking, selectVirtual Cloud Networks.

Select the VCN:

Locate and click on the VCN named IAD-SP-PBT-VCN-01 created in Task 3.

UnderResources, selectSubnets.

Create a New Subnet:

Click theCreate Subnetbutton.

Configure the Subnet Details:

Name:Enter IAD-SP-PBT-PUBSNET-01.

Compartment:Ensure it is set to the assigned compartment.

Subnet Type:SelectPublic Subnet.

CIDR Block:Enter 10.0.1.0/24.

Route Table:Select the default route table associated with the VCN (ensure it includes a route to the Internet Gateway with destination 0.0.0.0/0).

Subnet Access:SelectPublic Subnetand ensure the Internet Gateway is associated.

DHCP Options:Leave as default or customize if required.

Security List:Use the default security list or create a new one with appropriate ingress/egress rules (e.g., allow TCP port 22 for SSH and all egress traffic).

Associate the Internet Gateway:

Verify that the subnet is configured to route traffic through the Internet Gateway. This is automatically handled if you selected the public subnet option and the VCN’s route table is correctly set (as configured in Task 3).

If needed, edit the route table for the subnet to ensure a rule exists:

Destination CIDR Block:0.0.0.0/0

Target Type:Internet Gateway

Target:Select the Internet Gateway associated with IAD-SP-PBT-VCN-01.

Create the Subnet:

ClickCreateto provision the subnet.

Once created, the subnet will be listed under the VCN’s subnets.

Verify the Configuration:

Go to the subnet details page for IAD-SP-PBT-PUBSNET-01.

Confirm the CIDR block is 10.0.1.0/24 and that it is a public subnet with Internet Gateway access.

Notes

Ensure the CIDR block 10.0.1.0/24 does not overlap with existing subnets in the VCN (10.0.0.0/16, including 10.0.10.0/24 from Task 3).

The Internet Gateway association relies on the route table configuration from Task 3. If it’s missing, update the route table as described in Step 6.

To create and configure a Virtual Cloud Network (VCN) named IAD-SP-PBT-VCN-01 with an Internet Gateway and appropriate route rules for external connectivity, follow these steps based on the Oracle Cloud Infrastructure (OCI) Networking documentation.

Step-by-Step Solution for Task 3: Create and Configure a VCN and Private Subnet

Log in to the OCI Console:

Use your OCI credentials to log in to the OCI Console (https://console.us-ashburn-1.oraclecloud.com ).

Ensure you have access to the assigned compartment.

Navigate to Virtual Cloud Networks:

From the OCI Console, click the navigation menu (hamburger icon) on the top left.

UnderNetworking, selectVirtual Cloud Networks.

Create a New VCN:

ClickStart VCN Wizardand selectCreate VCN with Internet Connectivity.

VCN Name:Enter IAD-SP-PBT-VCN-01.

Compartment:Select the assigned compartment.

VCN CIDR Block:Enter 10.0.0.0/16 (matches the diagram's VCN CIDR).

Public Subnet CIDR Block:Enter 10.0.10.0/24 (matches the diagram's public subnet).

Accept the default settingsfor the public subnet and Internet Gateway creation.

ClickCreateto provision the VCN, Internet Gateway, and public subnet.

Verify the Internet Gateway:

After creation, go to the VCN details page for IAD-SP-PBT-VCN-01.

UnderResources, selectInternet Gateways.

Ensure the Internet Gateway is attached and enabled.

Configure Route Rules:

In the VCN details page, underResources, selectRoute Tables.

Select the default route table associated with the public subnet (10.0.10.0/24).

ClickAdd Route Rules.

Target Type:SelectInternet Gateway.

Destination CIDR Block:Enter 0.0.0.0/0.

Target Internet Gateway:Select the Internet Gateway created with the VCN.

ClickAdd Route Ruleto save.

Update Security List (if needed):

UnderResources, selectSecurity Lists.

Edit the default security list for the public subnet.

Add an ingress rule:

Source CIDR:0.0.0.0/0

IP Protocol:TCP

Source Port Range:All

Destination Port Range:22 (for SSH) or as required by your application.

Add an egress rule:

Destination CIDR:0.0.0.0/0

IP Protocol:All

Save the changes.

Note the VCN OCID:

Return to the VCN details page for IAD-SP-PBT-VCN-01.

Copy theOCIDdisplayed (e.g., ocid1.vcn.oc1..).

OCID of the Created VCN

Enter the OCID of the created VCN (IAD-SP-PBT-VCN-01) into the text box. The exact OCID will be available after Step 3 (e.g., ocid1.vcn.oc1..).

Task 7: Verify the OCI Certificate with Load Balancer

Step 1: Obtain the Public IP of the Load Balancer

Log in to the OCI Console.

Navigate toNetworking>Load Balancers.

Click on PBT-CERT-LB-01.

Note thePublic IP Addressfrom the load balancer details page.

Step 2: Verify HTTPS Connection Using Cloud Shell

Open the OCI Cloud Shell from the top-right corner of the OCI Console.

Run the following command, replacing with the public IP you noted:

curl -k https://

Expected output: You should see the text "You are visiting Web Server 1" if the connection is successful. The -k flag ignores certificate validation errors (common during initial testing with self-signed or newly issued certificates).

If you encounter an error, ensure the load balancer is active, the listener is configured correctly, and the backend server (PBT-CERT-VM-01) is reachable.

Step 3: Verify in a Web Browser

Open a web browser.

Enter the following URL, replacing with the public IP you noted:

https://

If prompted with a certificate warning (e.g., due to a self-signed certificate or untrusted CA), accept the risk and proceed (click "Advanced" and "Proceed" or similar, depending on your browser).

Verify that the web page displays the text "You are visiting Web Server 1" from the index.html file created on PBT-CERT-VM-01.

Step 4: Troubleshoot (if needed)

If the text is not displayed:

Check the load balancer health status underBackend Sets>Healthin the OCI Console.

Ensure the security list PBT-CERT-LB-SL-01 allows port 443 and the compute instance security list allows port 80.

Verify the Apache service is running on PBT-CERT-VM-01 by SSHing in and running sudo systemctl status httpd.

To create a Custom Security Zone Recipe named IAD-SP-PBT-CSP-01 that allows the provisioning of compute instances in a public subnet, we will follow the steps outlined in the Oracle Cloud Infrastructure (OCI) Security Zones documentation. These steps are based on verified procedures from the OCI Security Zone Guide and related resources.

Step-by-Step Solution for Task 1: Create a Custom Security Zone Recipe

Log in to the OCI Console:

Use your OCI credentials to log in to the OCI Console (https://console.us-ashburn-1.oraclecloud.com ).

Ensure you have access to the assigned compartment provided in the tenancy.

Navigate to Security Zones:

From the OCI Console, go to the navigation menu (hamburger icon) on the top left.

UnderGovernance and Administration, selectSecurity Zones.

Create a New Security Zone Recipe:

In the Security Zones dashboard, click on theRecipestab.

Click theCreate Recipebutton.

Configure the Recipe Details:

Name:Enter IAD-SP-PBT-CSP-01.

Description:(Optional) Add a description, e.g., "Custom recipe to allow compute instances in public subnet."

Leave theCompartmentas the assigned compartment provided.

Define the Security Zone Policy:

In the policy editor, start with a base policy. Since the Maximum Security Zone recipe restricts public subnet usage, you need to customize it.

Add the following policy statement to allow compute instances in a public subnet:

Allow service compute to use virtual-network-family in compartment where ALL {

target.resource.type = 'Instance',

target.vcn.cidr_block = '10.0.0.0/16',

target.subnet.cidr_block = '10.0.10.0/24'

}

Replace with the name of your assigned compartment.

This policy allows the Compute service to provision instances in the public subnet (10.0.10.0/24) within the VCN (10.0.0.0/16).

Adjust Restrictions:

Ensure the recipe does not inherit the Maximum Security Zone recipe's default restrictions that block public subnet usage. Explicitly allow the public subnet by including the subnet CIDR block (10.0.10.0/24) in the policy.

Remove or modify any conflicting default rules that prohibit public subnet usage (e.g., rules blocking internet access or public IP assignment).

Save the Recipe:

ClickCreateto save the custom security zone recipe.

Once created, note theOCIDof the recipe from the recipe details page. The OCID will be a unique identifier starting with ocid1.securityzonerecipe.

Verify the Recipe:

Go to theRecipestab and locate IAD-SP-PBT-CSP-01.

Ensure the policy reflects the allowance for compute instances in the public subnet by reviewing the policy statement.

OCID of the Created Custom Security Zone Recipe

The exact OCID will be generated upon creation (e.g., ocid1.securityzonerecipe.oc1..unique_string). Please enter the OCID displayed in the OCI Console after completing Step 7.

Notes

Ensure IAM policies are correctly configured to grant you permissions to create and manage security zone recipes in the compartment.

The policy assumes the public subnet CIDR (10.0.10.0/24) matches the diagram. Adjust if the actual subnet CIDR differs.

Test the recipe by associating it with a security zone and attempting to launch a compute instance to confirm compliance.

Task 6: Create Load Balancer and Attach Certificate

Step 1: Create the Load Balancer

Log in to the OCI Console.

Navigate toNetworking>Load Balancers.

ClickCreate Load Balancer.

Enter the following details:

Name: PBT-CERT-LB-01

Compartment: Select your assigned compartment.

Load Balancer Type: SelectPublic.

Virtual Cloud Network: Select PBT-CERT-VCN-01.

Subnet: Select LB-Subnet-PBT-CERT-SNET-02.

Shape: Choose a shape (e.g., 10 Mbps, adjust based on needs).

ClickNext.

Leave backend sets and listeners as default for now (we’ll configure the listener next).

ClickCreate Load Balancerand wait for it to be provisioned.

Step 2: Create a Listener

Once the load balancer is created, go to theLoad Balancerspage and click on PBT-CERT-LB-01.

UnderResources, clickListeners.

ClickCreate Listener.

Enter the following details:

Name: PBT-CERT-LB_LTSN_01

Protocol: SelectHTTPS.

Port: Enter 443.

Certificate: ClickAdd Certificate, then select the PBT-CERT-01 certificate (e.g., PBT-CERT-0199008677labuser01) created in Task 5.

Leave other settings (e.g., SSL handling) as default unless specified.

ClickCreate.

Step 3: Configure the Backend Set

In the PBT-CERT-LB-01 details page, underResources, clickBackend Sets.

ClickCreate Backend Set(if not already created).

Enter basic details (e.g., name like PBT-CERT-BS-01).

Add a backend server:

IP Address: Use the private IP of PBT-CERT-VM-01 (find this in the instance details underCompute>Instances).

Port: 80 (HTTP, as configured on the web server).

Protocol: HTTP.

ClickCreate.

Step 4: Attach the Security List to the Subnet

Navigate toNetworking>Virtual Cloud Networks.

Select PBT-CERT-VCN-01 and clickSubnets.

Click on LB-Subnet-PBT-CERT-SNET-02.

UnderSecurity Lists, ensure PBT-CERT-LB-SL-01 is attached. If not:

ClickEdit.

Remove the default security list and add PBT-CERT-LB-SL-01.

ClickSave Changes.

Step 5: Verify the Configuration

Ensure the load balancer health status is OK (check underBackend Sets>Health).

Test by accessing https:// in a browser (replace with the public IP from the load balancer details).