Review By: Mukesh Sharma
Detailed Review Of Preparation
The Oracle Cloud Infrastructure (OCI) 2019 Architect Professional exam (1Z0-997) is designed for individuals who possess strong enterprise knowledge of architecting solutions with Oracle Cloud Infrastructure services. The certification validates advanced concepts of the OCI services used to control infrastructure, such as, but not limited to: High Availability and Disaster Recovery, Data Migration, Network Connectivity, Monitoring, Data Retention, Storage and Databases. It is available to all professionals who have previously passed the OCI Architect Associate exam.
Job of a professional Oracle Cloud Infrastructure Cloud Architect
• Design a cloud solution using architectural principles based on customer requirements.
• Has a strong understanding of cloud computing concepts
• Design and deploy highly available, fault-tolerant, and reliable applications on OCI
• Translates on-premises operations to a typical cloud-based infrastructure.
• Works with enterprise level architecture day to day
· Certification Name: 1Z0-997 - Oracle Cloud Infrastructure 2019 Architect Professional
· Target Audience: Professionals responsible for architecting Oracle Cloud Infrastructure services
· Platform: Available on Oracle University and delivered via Pearson VUE
· Exam Duration: 120 minutes
· Exam Cost: $245 (25% discount on this list price if you are an OPN (Oracle Partner Network) member and have your OPN number with you when registering for the exam)
· Passing Score: 70%
Course Learning Resources
Instructor Led Course
OCI Learning Subscription
High-level objectives and the concepts tested under each
Plan and design solutions in Oracle Cloud Infrastructure
• Plan and design solutions to meet business and technical requirements.
This section tests your ability to create basic and complex architectures using multiple services such as IAM, Compute, Storage, Load Balancer, Kubernetes and Functions. DR and HA concepts are also applied in this section.
Implement and operate solutions
• Implement solutions to meet business and technical requirements.
This section evaluates your skill in choosing the best set of core infrastructure services to deploy new applications on OCI. You also need to understand how to troubleshoot those services in the event of a problem.
Design, implement, and operate databases in OCI
• Evaluate and implement databases.
Design for hybrid cloud
• Design and implement hybrid network architectures to meet high availability, bandwidth, and latency requirements.
Migrate on-premises workloads to OCI
• Design a strategy for migrating on-premises workloads to OCI.
This section covers migration strategies from on-premises to OCI. You need to be familiar with services such as Storage Gateway, Data Transfer Appliance, Object Storage and File Storage, and with database migration using RMAN and Data Pump.
Design for Security and Compliance
• Design, implement, and operate solutions for security and governance.
As we delve deeper into the technical aspects of the exam, I want to be clear that if you have already gone through the free courses offered by Oracle, most of this information may appear repetitive. However, I have tried to document most of it from the professional exam perspective. Also, as you study the different OCI services, please make an effort to determine –
1. The scope of the service as it is provisioned/launched – region/zone/global.
2. How the service behaves if it is moved to a different compartment, and the effect of the IAM policies attached to the service or to the users operating it.
3. Review information contained in links attached to the documentation below.
Please review the following blogs, which you may find helpful if you have not completed the associate architect exam –
Plan, design, implement, operate & Migrate On-premises workloads solutions in Oracle Cloud Infrastructure (OCI)
Networking and Compute
· Configuring Compute Quotas
Compute quotas allow administrators -
a) To allocate resources to compartments using the OCI console. The allocation is expressed with set, unset and zero quota statements, and IAM policies govern who may create and manage quotas.
b) To control how resources are consumed using policies in OCI.
c) To manage cost effectively by controlling the allocation of resources.
Check resource quota & policies for more information.
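As an added example (not part of this review) of how the quota statements and the IAM policy fit together; the lines starting with # are my annotations and not part of the OCI statement syntax, and the group and compartment names are placeholders:

```text
# IAM policy written at the tenancy root: only members of QuotaAdmins may
# create, change or delete quota policies.
Allow group QuotaAdmins to manage quotas in tenancy

# Quota policy statements for the compute family.
# set: at most 10 VM.Standard2.1 instances may exist in the Dev compartment.
set compute quota vm-standard2-1-count to 10 in compartment Dev
# set ... to 0: block one shape entirely while leaving the rest of the family alone.
set compute quota vm-standard2-2-count to 0 in compartment Dev
# zero: block every compute resource in a compartment (a safe default for new ones).
zero compute quotas in compartment Sandbox
# unset: remove a limit set earlier, falling back to the tenancy service limit.
unset compute quota vm-standard2-1-count in compartment Dev
```

A launch that would push Dev past the limit, including an autoscaling scale-out, is refused rather than created, so the quota is evaluated against the compartment the resource is being created in.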
· Instance Pools - Instance pools allow users to provision multiple Compute instances from the same configuration within the same region.
· Instance Configurations – an instance configuration is the template used to create one or more instances in an instance pool.
· Compute Instance autoscaling configurations - With autoscaling you can adjust the number of Compute VM instances in an instance pool based on performance metrics such as CPU utilization. This helps you provide consistent performance for your end users during periods of high demand, and helps you reduce your costs during periods of low demand.
· Instance console connections – enables you to remotely troubleshoot malfunctioning instances.
· Custom VM Images in OCI
o Image Import Modes
Most newer OS versions support the paravirtualized launch mode, which provides the best performance. Older OS versions can be launched in emulated mode, which provides a fully emulated NIC, block boot device and legacy BIOS boot.
· VCN Route Tables & Route Rules - OCI VCN uses virtual route tables to send traffic out of the VCN (for example, to the internet, to your on-premises network, or to a peered VCN). A route rule specifies a destination CIDR block and the target (the next hop) for any traffic that matches that CIDR. Here are the allowed types of targets for a route rule:
· Dynamic routing gateway (DRG): for subnets that need private access to networks connected to your VCN (for example, your on-premises network).
· DRG with a remote peering connection: to connect to a peered VCN in another region.
· Internet gateway: for public subnets that need direct access to the internet.
· NAT gateway: for subnets with instances that do not have public IP addresses but need outbound access to the internet.
· Service gateway: for subnets that need private access to Oracle services such as Object Storage, without traversing the public internet.
· Local peering gateway (LPG): for subnets that need private access to a peered VCN in the same region.
· OCI Load Balancing – It is imperative to understand load balancing concepts, public and private load balancers, and the policy types (Round Robin, Least Connections, IP Hash) supported by the load balancing service.
· OCI DNS & Traffic Management
· Advanced Networking Scenarios.
Please see IAM policies for networking.
· Local NVMe SSD devices – These devices act like instance store volumes: they are locally attached to the compute instance rather than served over the network, so their contents are tied to that instance.
· Block Volume Storage - The OCI Block Volume service allows you to dynamically provision and manage block storage volumes. We can create, attach, connect, and move volumes, as well as change volume performance, as needed, to meet our storage, performance, and application requirements.
· File Storage - OCI File Storage service provides a durable, scalable, secure, enterprise-grade network file system.
· Object Storage - OCI offers two distinct storage class tiers to address the need for both performant, frequently accessed "hot" storage (Object Storage) and less frequently accessed "cold" storage (Archive Storage). Storage tiers help you maximize performance where appropriate and minimize costs where possible.
OCI Account Management
Design, implement, and operate databases in OCI
· Autonomous database concepts – Autonomous databases are fully managed, preconfigured database environments with two workload types available: Autonomous Transaction Processing and Autonomous Data Warehouse.
o Using Autonomous data warehouse
o Using Autonomous transaction processing database
o Security & Authentication in Autonomous transaction processing database
o Autonomous database complete overview & best practices
o Using Oracle DB CLI
o Incorporating high availability with Oracle Data Guard for bare metal & VM DB Systems
o Incorporating high availability with Oracle Exadata DB Systems
o Recovering Oracle Exadata DB Systems from object storage
o Database Migration Options to Oracle Cloud
Migrate on-premises workloads to OCI
Design for Security and Compliance
· Using Oracle Data Safe - Oracle Data Safe is a fully-integrated Cloud service focused on the security of your data. It provides a complete and integrated set of features for protecting sensitive and regulated data in Oracle Cloud databases.
· Using OCI Identity & Access Management
· Using OCI Key Management
· OCI Web Application Firewall
Additional Useful Services
· Using Oracle GoldenGate - to replicate, filter, and transform data from one database to another.
I added the last section above because the Oracle training for the Professional Architect exam did not cover the usage and applicability of these services; however, there were questions about them in the exam. I have added my notes below from the exam perspective –
· Most of the questions in the professional exam are around the basic concepts, so it is imperative that you have reviewed these links and understood them.
· As usual when answering any question, always look for key phrases or words such as latency, performance, cost, high availability, redundancy, or maximum availability mode (no data loss).
· When connecting from an OCI VCN to a managed service such as Object Storage while ensuring that the traffic does not traverse the public internet, the service gateway is the only option. Please review the list of Oracle cloud services supported by the service gateway in the OCI networking documentation.
· When establishing a console connection, remember that three tasks are required before you can connect –
o Reboot the instance from the OCI console.
o Add or reset the SSH key for the opc user
o Edit the system configuration file from the Linux boot menu to enable access to the console.
· Deep dive into the NVMe performance differences of each RAID configuration. A protected RAID array is the recommended way to guard against an NVMe device failure. RAID 10 stripes data across multiple mirrored pairs; as long as one disk in each mirrored pair is functional, the data can be retrieved.
· WAF Access control rules can be used to block specific IP addresses from making unauthorized application requests.
· Review available connection options from OCI to other cloud providers like Microsoft Azure.
· Managing compartments and moving resources between compartments is one of the most important topics and had a few questions related to it. When a compartment is moved from one parent to another, some of the IAM policies that reference it are not updated automatically, which is why you should validate the IAM policies after the move.
· The OCI File Storage service (FSS/NFS) provides export options to control access to your file system.
· You may run into compartment quota limits defined by quota policies during autoscaling actions, which may lead to failures.
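A worked illustration, added here and not part of the original review, of why policies must be re-checked after a compartment move; the compartment and group names are placeholders and the # lines are annotations, not policy syntax:

```text
# Hierarchy before the move:  Tenancy > Projects > Alpha
# Policy written at the tenancy root, referencing Alpha by its path:
Allow group AlphaDevs to manage instance-family in compartment Projects:Alpha

# Alpha is then moved so that the hierarchy becomes:  Tenancy > Ops > Alpha
# The statement above is not rewritten automatically. The path Projects:Alpha no
# longer resolves to the moved compartment, so the intended access is lost until
# the policy is corrected to the new path:
Allow group AlphaDevs to manage instance-family in compartment Ops:Alpha

# A policy attached to Alpha itself, referencing the compartment directly, moves
# with the compartment and keeps working in the new location:
Allow group AlphaDevs to manage instance-family in compartment Alpha
```

Note that after the move, the policies of the new parent (Ops) also start applying to Alpha, so review both what was lost and what was newly granted.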
· Review that there are three ways to connect to ADW -
o Connecting to (ADW) from Public Internet
o Connecting to ADW (via NAT or Service Gateway) from a server running on a private subnet in OCI (in the same tenancy)
o Connecting to ADW (via internet Gateway) from a server running on a public subnet in OCI (in the same tenancy)
· Some questions about compartment moves may not be very detailed. For example, a question may ask about moving a compute instance across compartments without making clear whether the target compartment is in the same region and VCN or in another region. Please do not overthink the scenario (which I did). An instance with a public and private IP that is moved to a different compartment keeps its original public and private IP addresses, and its VNIC remains associated with the original VCN.
· Autonomous Database is an Oracle Managed and Secure environment. A physical database can’t simply be migrated to autonomous because:
o Database must be converted to PDB, upgraded to 19c, and encrypted
o Any changes to Oracle shipped privileges, stored procedures or views must be removed
o All legacy structures and unsupported features must be removed (e.g. legacy LOBs)
· GoldenGate replication can be used to keep database online during migration.
· Oracle also recently introduced instance principals, which eliminate the need to configure user credentials on the services running on compute instances, or to rotate those credentials. Instances themselves are a new principal type in IAM.
· A Dynamic group is a special type of group that contains resources (such as compute instances) that match rules that you define (thus the membership can change dynamically as matching resources are created or deleted). These instances act as "principal" actors and can make API calls to services according to policies that you write for the dynamic group.
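An added example (not from the original post) of the two pieces working together; the names and the OCID are placeholders, and the # lines are annotations rather than rule or policy syntax:

```text
# Matching rule of a dynamic group named AppServers: every compute instance in
# the Dev compartment is a member, including instances that an autoscaling
# configuration launches later, so there is no per-instance onboarding.
ALL {instance.compartment.id = 'ocid1.compartment.oc1..<dev-compartment-ocid>'}

# Narrower alternative: membership by defined tag, so only tagged instances qualify.
ANY {tag.Operations.Role.value = 'app-server'}

# Policy granting the dynamic group (the instances themselves, acting as
# principals) read-only access to a single bucket. No API key is stored on the
# instance and nothing has to be rotated.
Allow dynamic-group AppServers to read objects in compartment Dev where target.bucket.name = 'app-config'
```

Code on the instance then authenticates with the instance principal signer of the OCI SDK, or the CLI with --auth instance_principal, instead of a config file holding a user key.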
· Steering policies are a framework for defining the traffic management behavior of your zones. Steering policies contain rules that help serve DNS answers intelligently.
o FAILOVER - Failover policies allow you to prioritize the order in which you want answers served in a policy (for example, Primary and Secondary). Oracle Cloud Infrastructure Health Checks are used to determine the health of answers in the policy. If the Primary Answer is determined to be unhealthy, DNS traffic will automatically be steered to the Secondary Answer.
o LOAD_BALANCE - Load Balancer policies allow distribution of traffic across multiple endpoints. Endpoints can be assigned equal weights to distribute traffic evenly across the endpoints or custom weights may be assigned for ratio load balancing. Oracle Cloud Infrastructure Health Checks are leveraged to determine the health of the endpoint. DNS traffic will be automatically distributed to the other endpoints, if an endpoint is determined to be unhealthy.
o ROUTE_BY_GEO - Geolocation-based steering policies distribute DNS traffic to different endpoints based on the location of the end user. Customers can define geographic regions composed of originating continent, countries or states/provinces (North America) and define a separate endpoint or set of endpoints for each region.
o ROUTE_BY_ASN - ASN-based steering policies enable you to steer DNS traffic based on Autonomous System Numbers (ASN). DNS queries originating from a specific ASN or set of ASNs can be steered to a specified endpoint.
o ROUTE_BY_IP - IP Prefix-based steering policies enable customers to steer DNS traffic based on the IP Prefix of the originating query.
· OCI also provides an option to resize an instance using change shape feature in the OCI console.
· The Autonomous Transaction Processing serverless database option is not available for Oracle E-Business Suite.
I want to add a few tips from my experience during the exam –
§ I noticed most of the answers are in the question, so if you are not completely confident, select what you think is right, mark the question to come back to, and revisit it when you review your exam.
§ You will notice, as you go through the rest of the test, that some later questions may also contain the answer to one you could not answer earlier.
Benefits From Certification