OCI Architect Professional 1Z0-997

The Oracle Cloud Infrastructure (OCI) 2019 Architect Professional exam (1Z0-997) is designed for individuals who possess strong enterprise knowledge in architecting using Oracle Cloud Infrastructure services. This certification validates advanced concepts of OCI services to control infrastructure, such as but not limited to: High Availability and Disaster Recovery, Data Migration, Network Connectivity, Monitoring, Data Retention, Storage and Databases. This certification is available to all professionals who have previously passed the OCI Architect Associate Exam.

Please review the following blogs that you may find helpful if you have not completed the Associate Architect Exam –

Job of a professional Oracle Cloud Infrastructure Cloud Architect

  1. Design a cloud solution using architectural principles based on customer requirements.
  2. Has a strong understanding of cloud computing concepts
  3. Design and deploy highly available, fault-tolerant, and reliable applications on OCI
  4. Translates on-premises operations to a typical cloud-based infrastructure.
  5. Works with enterprise level architecture day to day

Oracle Cloud Infrastructure Cloud Architect Certification Details

  • Certification Name: 1Z0-997 – Oracle Cloud Infrastructure 2019 Architect Professional
  • Number of Questions: 50
  • Exam Duration: 120 minutes
  • Exam Cost: $245 (25% discount on this list price if you are OPN (Oracle Partner Network) and have the OPN number with you while registering for the exam)
  • Passing Score: 70%

Exam Topics – This has been compiled using the exam-prep guide and the exam study guide for the Oracle Cloud Infrastructure professional exam.

High Level Objective: Plan and design solutions in Oracle Cloud Infrastructure (OCI)
Objective Details:
  • Plan and design solutions to meet business and technical requirements.
  • Create architecture patterns including N-tier applications, microservices, and serverless architectures.
  • Design scalable and elastic solutions for high availability and disaster recovery.
Concepts That Are Tested: This section tests your ability to create basic and complex architectures using multiple services like IAM, Compute, Storage, Load Balancer, Kubernetes and Functions. Also concepts of DR and HA will be applied on this section

High Level Objective: Implement and operate solutions in OCI
Objective Details:
  • Implement solutions to meet business and technical requirements.
  • Operate and troubleshoot solutions on OCI.
Concepts That Are Tested: This section will evaluate your skills on how to choose the best set of services to deploy new applications on OCI using the core infrastructure services. Also, you need to understand how to troubleshoot the services on event of a problem.

High Level Objective: Design, implement, and operate databases in OCI
Objective Details:
  • Evaluate and implement databases.
  • Operate and troubleshoot databases.
Concepts That Are Tested: This section will evaluate how to design architectures that include databases options like ADW, ATP and DB system on OCI

High Level Objective: Design for hybrid cloud
Objective Details:
  • Design and implement hybrid network architectures to meet high availability, bandwidth, and latency requirements.
  • Evaluate multi-cloud solution architectures.
Concepts That Are Tested: You need to understand how to deploy applications using multi cloud environments using services like VCN and FastConnect and other networking services.

High Level Objective: Migrate on-premises workloads to
Objective Details:
  • Design strategy for migrating on-premises workloads to OCI.
  • Implement and troubleshoot database
Concepts That Are Tested: This section will cover migration strategies from on-premises to OCI. You need to be familiar with services like Storage Gateway, Data Transfer Appliance, Object Storage, file storage and Database migration using RMAN and data pump.

High Level Objective: Design for Security and
Objective Details:
  • Design, implement, and operate solutions for security and governance.
  • Design, implement, and operate solutions to meet compliance requirements.
Concepts That Are Tested: This topic will apply concepts used under the Governance and Administration section covering IAM, KMS, Policies and Quotas etc.

As we delve deeper into the technical aspects of the exam, I want to be clear that if you have already gone through the free courses offered by Oracle then most of the information may appear to be repeated.

However, I have tried to document most of the information from the professional exam perspective. Also, as you understand the different OCI services, please make an effort to determine –

  1. The scope of the service as it is provisioned/launched – region/zone/global.
  2. How the service operates if it is moved to a different compartment, and the effect of the IAM policy attached to the service or the IAM policies attached to users operating the service.
  3. Review information contained in links attached to the documentation below.

Plan, design, implement, operate & Migrate On-premises workloads solutions in Oracle Cloud Infrastructure (OCI)

   Networking and Compute

  • Configuring Compute Quotas – Compute Quota allow administrators:

Most newer OS versions support para-virtualization launch mode as they provide maximum performance. All older OS versions can be launched using emulation mode that provides fully emulated NIC, block boot and legacy BIOS boot.

  • VCN Route Tables & Route Rules – OCI VCN uses virtual route tables to send traffic out of the VCN (for example, to the internet, to your on-premises network, or to a peered VCN). A route rule specifies a destination CIDR block and the target (the next hop) for any traffic that matches that CIDR. Here are the allowed types of targets for a route rule:
    • Dynamic routing gateway (DRG) – For subnets that need private access to networks connected to your VCN, such as your on-premises network connected with an IPSec VPN or FastConnect, or another VCN via a peered VCN in another region.
    • Internet gateway – For public subnets that need direct access to the internet.
    • NAT gateway – For subnets with instances that do not have public IP addresses but need outbound access to the internet.
    • Service gateway – For subnets that need private access to Oracle services such as Object Storage.
    • Local peering gateway (LPG) – For subnets that need private access to a peered VCN in the same region.
    • Private IP – For subnets that need to route traffic to an instance in the VCN. For more information, see Using a Private IP as a Route Target. Also see Advanced Scenarios: Transit Routing.
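
To make the route rule lookup above concrete, here is an added example (not from the original post or from Oracle) that resolves a destination against a constructed route table using the most specific matching rule, and reports whether traffic to Oracle services would leave through an internet-facing gateway. The CIDRs and table contents are assumptions; in OCI a service gateway rule uses a service CIDR label as its destination, so a constructed CIDR stands in for it here.

```python
import ipaddress

VCN_CIDR = "10.10.0.0/16"           # constructed VCN range
ORACLE_SERVICES = "203.0.113.0/24"  # constructed stand-in for the service CIDR label

# Constructed route tables for one private subnet, without and with a service gateway rule.
NAT_ONLY = [
    {"destination": "0.0.0.0/0", "target": "NAT gateway"},
    {"destination": "172.16.0.0/12", "target": "Dynamic routing gateway (DRG)"},
]
WITH_SERVICE_GW = NAT_ONLY + [
    {"destination": ORACLE_SERVICES, "target": "Service gateway"},
]

# Targets from the list above whose traffic goes out to the public internet.
PUBLIC_TARGETS = {"Internet gateway", "NAT gateway"}


def next_hop(dest_ip, rules, vcn_cidr=VCN_CIDR):
    """Return the target of the most specific matching rule, or None if traffic is dropped."""
    ip = ipaddress.ip_address(dest_ip)
    if ip in ipaddress.ip_network(vcn_cidr):
        return "local VCN routing"  # by default, traffic inside the VCN is routed locally
    matches = [r for r in rules if ip in ipaddress.ip_network(r["destination"])]
    if not matches:
        return None  # no matching rule: the traffic is dropped
    best = max(matches, key=lambda r: ipaddress.ip_network(r["destination"]).prefixlen)
    return best["target"]


def leaves_via_internet(dest_ip, rules):
    """True when traffic to dest_ip would use an internet-facing gateway."""
    return next_hop(dest_ip, rules) in PUBLIC_TARGETS


if __name__ == "__main__":
    object_storage_ip = "203.0.113.25"  # constructed address inside the stand-in range
    for name, table in (("NAT only", NAT_ONLY), ("with service gateway", WITH_SERVICE_GW)):
        print(name, "->", next_hop(object_storage_ip, table),
              "| public path:", leaves_via_internet(object_storage_ip, table))
```
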

Please see IAM policies for networking.

   Storage Options

   OCI Account Management

Design, implement, and operate databases in OCI

Migrate on-premises workloads to OCI

Design for Security and Compliance

Additional Useful Services

I added the last section above because the Oracle training for professional architect did not review the usage and applicability of these services, however, there were questions around them in the exam. I have added my notes below from the exam perspective –

  • Most of the questions in the professional exam are around the basic concepts so it is imperative you have reviewed these links and understood them.
  • As usual while answering any questions, you always need to look for special catch phrases or words that contain latency, performance, cost, high availability, redundancy, maximum availability modes for no data-loss etc.
  • While connecting from Oracle VCN to a managed service like object storage and ensuring that the traffic does not traverse the public internet – the only service that can be used is service gateway. Please review the service gateway and the Oracle cloud services it supports in the OCI network.
  • While establishing console connection, please remember that three tasks are required before you can connect –
    • Add or reset the SSH key for the opc user
    • Edit the system configuration file at the Linux boot menu to enable access to the console.
  • Deep dive into NVMe performance differences while using a particular RAID configuration. A protected RAID array is the most recommended way to protect against an NVMe device failure. RAID 10 stripes data across multiple mirrored pairs. As long as one disk in each mirrored pair is functional, data can be retrieved.
  • WAF Access control rules can be used to block specific IP addresses from making unauthorized application requests.
  • Review available connection options from OCI to other cloud providers like Microsoft Azure.
  • Managing Compartments and moving resources between compartments is one of the most important features that had few questions related to them. When a compartment is moved, some of the IAM policies attached to the resources are not automatically updated. This is the reason to validate the IAM policies after moving a compartment from one parent to another.
  • OCI File storage service (FSS/NFS) provides export option feature to control access to your file system.
  • VCN peering is a widely used feature considering that the VCNs are regional and you use local VCN peering for within region pairing or remote VCN peering for across region VCN connections.
  • You may encounter compartment quota limits defined by quota policies during auto scaling actions. This may lead to system failures.
  • Review that there are three ways to connect to ADW –
    • Connecting to (ADW) from Public Internet
    • Connecting to ADW (via NAT or Service Gateway) from a server running on a private subnet in OCI (in the same tenancy)
    • Connecting to ADW (via internet Gateway) from a server running on a public subnet in OCI (in the same tenancy)
  • Some questions about compartment moves may not be very detailed. So, you may see a question about moving a compute instance across compartments. However, it may not be clear whether the instance is moved to a compartment defined in the same region in the same VCN or to a compartment in another region. So, please do not overthink the scenario (which I did). An instance with public and private IP that is moved to a different compartment will continue to have its original public and private IP addresses. The instance VNIC also continues to be associated with the original VCN.
  • Autonomous Database is an Oracle Managed and Secure environment. A physical database can’t simply be migrated to autonomous because:
    • Database must be converted to PDB, upgraded to 19c, and encrypted
    • Any changes to Oracle shipped privileges, stored procedures or views must be removed
    • All legacy structures and unsupported features must be removed (e.g. legacy LOBs)
  • GoldenGate replication can be used to keep database online during migration.
  • Oracle also recently introduced instance principals, which eliminate the need to configure user credentials on the services running on compute instances, or to rotate those credentials. Instances themselves are a new principal type in IAM.
  • A Dynamic group is a special type of group that contains resources (such as compute instances) that match rules that you define (thus the membership can change dynamically as matching resources are created or deleted). These instances act as “principal” actors and can make API calls to services according to policies that you write for the dynamic group.
  • Steering policies are a framework to define the traffic management behavior for your zones. Steering policies contain rules that help to intelligently serve DNS answers.
    • FAILOVER – Failover policies allow you to prioritize the order in which you want answers served in a policy (for example, Primary and Secondary). Oracle Cloud Infrastructure Health Checks are used to determine the health of answers in the policy. If the Primary Answer is determined to be unhealthy, DNS traffic will automatically be steered to the Secondary Answer.
    • LOAD_BALANCE – Load Balancer policies allow distribution of traffic across multiple endpoints. Endpoints can be assigned equal weights to distribute traffic evenly across the endpoints or custom weights may be assigned for ratio load balancing. Oracle Cloud Infrastructure Health Checks are leveraged to determine the health of the endpoint. DNS traffic will be automatically distributed to the other endpoints, if an endpoint is determined to be unhealthy.
    • ROUTE_BY_GEO – Geolocation-based steering policies distribute DNS traffic to different endpoints based on the location of the end user. Customers can define geographic regions composed of originating continent, countries or states/provinces (North America) and define a separate endpoint or set of endpoints for each region.
    • ROUTE_BY_ASN – ASN-based steering policies enable you to steer DNS traffic based on Autonomous System Numbers (ASN). DNS queries originating from a specific ASN or set of ASNs can be steered to a specified endpoint.
    • ROUTE_BY_IP – IP Prefix-based steering policies enable customers to steer DNS traffic based on the IP Prefix of the originating query.
  • OCI also provides an option to resize an instance using change shape feature in the OCI console.
  • Autonomous transaction processing – serverless database option is not available for Oracle enterprise business suite.
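
The dynamic group note above says membership changes as matching resources are created or deleted. This added example (not from the original post or from Oracle) evaluates two flat matching rules against a constructed inventory to show that a compartment-wide rule picks up every new instance, and with it whatever the group's policies allow, while a tag-scoped rule does not. The OCIDs, instance names and the `ops.role` tag are assumptions, and nested rules are not handled.

```python
import re

RULE = re.compile(r"\s*(any|all)\s*\{(.*)\}\s*", re.I | re.S)
COND = re.compile(r"\s*([\w.\-]+)\s*=\s*'([^']*)'\s*")


def parse_rule(rule):
    """Parse a flat matching rule: Any|All {attr = 'value', ...}."""
    m = RULE.fullmatch(rule)
    if not m:
        raise ValueError(f"unsupported matching rule: {rule!r}")
    conds = []
    for part in m.group(2).split(","):
        c = COND.fullmatch(part)
        if not c:
            raise ValueError(f"bad condition: {part!r}")
        conds.append((c.group(1), c.group(2)))
    return m.group(1).lower(), conds


def attributes(inst):
    """Flatten an instance record into the attribute names matching rules refer to."""
    attrs = {"instance.id": inst["id"], "instance.compartment.id": inst["compartment"]}
    for (ns, key), value in inst.get("tags", {}).items():
        attrs[f"tag.{ns}.{key}.value"] = value
    return attrs


def members(rule, instances):
    """Names of the instances that currently satisfy the rule."""
    mode, conds = parse_rule(rule)
    combine = any if mode == "any" else all
    return [i["name"] for i in instances
            if combine(attributes(i).get(k) == v for k, v in conds)]


# Constructed inventory; the OCIDs are placeholders, not real identifiers.
PROD, DEV = "ocid1.compartment.oc1..exampleprod", "ocid1.compartment.oc1..exampledev"
INSTANCES = [
    {"name": "web1", "id": "ocid1.instance.oc1..exampleweb1", "compartment": PROD,
     "tags": {("ops", "role"): "web"}},
    {"name": "backup1", "id": "ocid1.instance.oc1..examplebackup1", "compartment": PROD,
     "tags": {("ops", "role"): "backup"}},
    {"name": "dev1", "id": "ocid1.instance.oc1..exampledev1", "compartment": DEV,
     "tags": {("ops", "role"): "backup"}},
]
BROAD = f"Any {{instance.compartment.id = '{PROD}'}}"
NARROW = f"All {{instance.compartment.id = '{PROD}', tag.ops.role.value = 'backup'}}"
```
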

I want to add a few tips from my experience during the exam –

  • I noticed most of the answers are in the question, so if you are not completely confident, select what you think is right, mark the question to come back for review and then revisit it as soon as you are reviewing your exam.
  • You will notice as you traverse through the rest of the test, some of the questions that follow later may also have the answer to what you could not answer earlier.


Product Documentation

Course Learning Resources


Instructor Led Course

OCI Learning Subscription


AUTHOR: Mukesh Sharma is a multi and hybrid cloud enthusiast with a bias for building robust hybrid cloud systems around mainframes for financial services organizations. You can reach him on LinkedIn