O R A C L E C E R T I F I C A T I O N
1Z0-1072 Oracle Cloud Infrastructure Architect Associate Practice Exam
Exam Number: 4816 | Last updated April 19, 2026 | 700+ questions across 4 vendor-aligned objectives
The 1Z0-1072 Oracle Cloud Infrastructure Architect Associate exam is aimed at cloud architects, platform engineers, and infrastructure specialists who design and operate core workloads on OCI. Candidates validate command of identity and access management, networking, compute, storage, database services, and the observability and security controls that keep production workloads compliant and resilient.
The heaviest content is Networking and Security (roughly 30%), covering VCNs, subnets, security lists, Network Security Groups, gateways, load balancers, FastConnect, and Identity and Access Management policies. Compute and Storage contributes another 25% with instance shapes, boot volumes, block volumes, object storage, file storage, and backups.
Database and Application Services sits near 25% and drills into Oracle Autonomous Database, Base Database Service, Exadata Cloud Service, and the Container Engine for Kubernetes. Observability, Governance, and Cost Management rounds out the remaining weight with Monitoring, Logging, Events, Cloud Guard, compartments, budgets, and tagging.
Every answer links to the source. Each explanation below includes a hyperlink to the exact Oracle documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations. Learn about our methodology →
816
practice exam users
96.0%
satisfied users
94.9%
passed the exam
4.7/5
quality rating
Test your 1Z0 1072 OCI Architect Associate knowledge
10 of 700+ questions
Question #1 - Networking and Security
A cloud architect designs a VCN with a public subnet for web tier and a private subnet for an app tier in OCI. The web tier needs internet access; the app tier must reach the internet for package updates but must never be reachable from the internet.
Which OCI networking components support this pattern?
A) An Internet Gateway for the public subnet, and a NAT Gateway for the private subnet.
B) An Internet Gateway for both subnets.
C) Only a Service Gateway for both subnets.
D) No gateways — rely on security lists alone.
Show solution
Correct answers: A – Explanation:
The Internet Gateway allows inbound and outbound internet for the public tier. A NAT Gateway provides outbound-only connectivity for the private tier, keeping it unreachable from the internet. Option B exposes the app tier. Option C is for OCI service endpoints only. Option D cannot provide routing. Source: Check Source
Question #2 - Networking and Security
An OCI security admin needs to allow only database admins to manage Autonomous Database resources in a specific compartment. The Sales team uses the same tenancy but should have no database visibility.
Which IAM pattern satisfies this?
A) A tenancy-level policy granting all users full access.
B) An IAM policy granting the database admin group manage autonomous-database-family scoped to the compartment.
C) Shared credentials for all DB admins.
D) A local user account per DB admin with no groups.
Show solution
Correct answers: B – Explanation:
Compartment-scoped IAM policies on the autonomous-database-family resource give the DB admin group exactly the access needed, without affecting the Sales team. Option A over-grants. Option D sidesteps IAM best practice. Option C violates security. Source: Check Source
Question #3 - Compute and Storage
A workload needs 2 TB of shared storage accessible from 15 Linux compute instances simultaneously via NFS, with snapshots taken daily.
Which OCI storage service best fits?
A) Local NVMe on each instance.
B) Object Storage standard tier.
C) File Storage Service (FSS) with scheduled snapshots.
D) Block Volume attached to a single instance.
Show solution
Correct answers: C – Explanation:
FSS provides NFS-accessible shared storage with built-in snapshots, exactly matching multi-instance concurrent access and daily snapshot needs. Option D is single-attach only. Option B is not a file system. Option A is local and not shared. Source: Check Source
Question #4 - Database and Application Services
A DBA team needs to run a mission-critical OLTP workload on OCI with Real Application Clusters, automatic tuning, and elastic CPU scaling, without managing the underlying infrastructure.
Which OCI database service fits best?
A) Object Storage with a SQL engine layered on top.
B) MySQL HeatWave single-node.
C) A plain compute instance with Oracle XE installed.
D) Oracle Autonomous Database on Dedicated Infrastructure.
Show solution
Correct answers: D – Explanation:
Autonomous Database delivers RAC, automatic tuning, and elastic scaling as a managed service suitable for mission-critical OLTP. Option A is not a database. Option C is unmanaged and free-tier. Option B is a different product with different characteristics. Source: Check Source
Question #5 - Observability, Governance, and Cost
A finance-driven cloud governance team wants automatic alerts when monthly spend in a specific compartment is forecast to exceed a threshold, plus a hard stop once a second higher threshold is reached.
Which OCI services together deliver budget forecasting alerts plus hard stops?
A) OCI Budgets with alerts and compartment quotas for hard limits.
B) Manual monthly reviews of invoices.
C) Shutting down the tenancy whenever spend is concerning.
D) A BI Publisher scheduled report.
Show solution
Correct answers: A – Explanation:
Budgets deliver alert thresholds with forecasting; compartment quotas cap the amount of resource usage, creating a hard stop. Option B is lagging. Option D is reporting only. Option C is disruptive. Source: Check Source
Question #6 - Networking and Security
An architect needs stateful rules on packets entering and leaving a specific set of compute instances, independent of the subnet and across multiple subnets in the same VCN.
Which VCN construct fits?
A) A Dynamic Routing Gateway.
B) Network Security Groups (NSGs) applied to vNICs.
C) Route tables filtering by IP.
D) Security lists applied to the subnet only.
Show solution
Correct answers: B – Explanation:
NSGs operate on vNICs and can span subnets, giving per-instance stateful control exactly as the requirement demands. Option D is subnet-scoped. Option C does not filter packets. Option A is an on-prem connection construct. Source: Check Source
Question #7 - Compute and Storage
A data analytics team needs to store 40 TB of raw, rarely accessed log files that may be retrieved in batches for reanalysis once or twice a year. Cost efficiency is more important than retrieval latency.
Which OCI storage tier is most cost-efficient for this profile?
A) Block Volume Higher Performance.
B) File Storage with daily snapshots.
C) Object Storage Archive tier.
D) Object Storage Standard tier.
Show solution
Correct answers: C – Explanation:
Archive tier Object Storage is purpose-built for rarely accessed data and offers the lowest storage cost with higher retrieval latency, matching the scenario. Options A, B, and D are designed for more frequent access and cost more. Source: Check Source
Question #8 - Database and Application Services
A developer wants to deploy a microservice to a managed Kubernetes platform on OCI, use Oracle-managed control plane, and only pay for worker nodes.
Which service fits?
A) Object Storage with a Kubernetes plugin.
B) Oracle Functions only, no orchestration.
C) A bare-metal compute instance with a manual Kubernetes install.
D) Container Engine for Kubernetes (OKE) with managed worker node pools.
Show solution
Correct answers: D – Explanation:
OKE provides a managed Kubernetes control plane where customers pay for worker nodes. Option C is unmanaged. Option A is not a runtime. Option B is serverless, not container orchestration. Source: Check Source
Question #9 - Observability, Governance, and Cost
A security architect wants automated detection of risky IAM configurations like overly permissive policies or public buckets, with a central console and remediation recommendations.
Which OCI service fits automated detection of risky IAM and resource configurations?
A) Cloud Guard with detector recipes and responders.
B) A manual audit once per quarter.
C) A BI Publisher scheduled report.
D) A third-party SIEM only.
Show solution
Correct answers: A – Explanation:
Cloud Guard continuously evaluates configurations against detector recipes and can auto-remediate via responders, matching the requirement. Option B is lagging. Option D may exist but is not the native OCI answer. Option C is reporting only. Source: Check Source
Question #10 - Compute and Storage
A workload needs flexible CPU and memory sizing, the ability to change shape without rebuilding the instance, and the option to pin cores for licensing.
Which OCI compute option best fits?
A) Dedicated VM hosts with no flex.
B) Always-free micro instances only.
C) Flexible shapes (E4/E5 Flex) with adjustable OCPUs and memory.
D) Bare metal servers only.
Show solution
Correct answers: C – Explanation:
Flexible shapes let you pick OCPUs and memory independently and resize without a rebuild, which matches the requirement. Option B is size-limited. Option D lacks flex sizing. Option A is capacity isolation, not flex sizing. Source: Check Source
Get 700+ more questions with source-linked explanations
Every answer traces to the exact Oracle documentation page — so you learn from the source, not just memorize answers.
Exam mode & learn mode · Score by objective · Updated April 19, 2026
Learn more...
What the 1Z0 1072 OCI Architect Associate exam measures
- Networking and security (30%) — design VCNs, subnets, gateways, load balancers, and FastConnect, and author IAM policies with dynamic groups and tag-based conditions.
- Compute and storage (25%) — select instance shapes, sizing, and boot volumes, configure block, file, and object storage, and implement backups and lifecycle rules.
- Database and application services (25%) — deploy Oracle Autonomous Database, Base Database Service, Exadata Cloud Service, and workloads on the Container Engine for Kubernetes.
- Observability, governance, and cost (20%) — set up Monitoring, Logging, Events, and Cloud Guard, and govern spend with compartments, budgets, quotas, and tagging.
How to prepare for this exam
- Review the official 1Z0-1072 exam page to confirm the current objectives and weights.
- Complete the Oracle University OCI Architect Associate learning path on MyLearn.
- Stand up a three-tier reference architecture in an OCI always-free tenancy, attach a load balancer, mount both block and file storage, and lock it down with IAM policies.
- Apply the skills on real work: move a test workload into OCI, migrate a database to Autonomous Database, or harden a VCN with Cloud Guard recommendations.
- Master one objective at a time, beginning with networking and security since it carries the most weight.
- Run PowerKram learn mode to see feedback after every question with sourced links back to Oracle documentation.
- Finish with PowerKram exam mode across all objectives until you pass three back-to-back full-length attempts.
Career paths and salary outlook
OCI Architect Associate is a gateway credential for cloud infrastructure careers:
- Cloud Solutions Architect (OCI) — $125,000–$175,000 (Glassdoor).
- Cloud Infrastructure Engineer — $110,000–$155,000 (PayScale).
- DevOps Engineer (Oracle shops) — $115,000–$165,000 (Levels.fyi).
Official resources
Work through the OCI Architect Associate Learning Path on Oracle MyLearn, then reinforce with the Oracle Cloud Infrastructure documentation and the OCI Solutions Center reference architectures.