O R A C L E C E R T I F I C A T I O N
1Z0-1124 Oracle Cloud Infrastructure Networking 2022 Professional Practice Exam
Exam Number: 4827 | Last updated April 19, 2026 | 700+ questions across 4 vendor-aligned objectives
The 1Z0-1124 Oracle Cloud Infrastructure Networking 2022 Professional exam is written for network engineers and cloud architects who design, operate, and secure networks on OCI. Candidates confirm command of Virtual Cloud Network design, load balancing, DNS, FastConnect and VPN connectivity, and the security controls that govern traffic inside and at the edge of an OCI tenancy.
The heaviest content is VCN Design and Routing (roughly 30%), covering VCNs, subnets, gateways, route tables, VCN peering, and the transit routing patterns that connect hub-and-spoke topologies. Hybrid and Cross-Region Connectivity contributes another 25% with FastConnect, Site-to-Site VPN, Remote Peering Connections, and Dynamic Routing Gateways.
Load Balancing and DNS sits near 20% and drills into the flexible and network load balancers, OCI DNS, traffic steering policies, and Web Application Firewall. Network Security and Monitoring rounds out the remaining weight with security lists, Network Security Groups, VCN Flow Logs, and the observability services that diagnose connectivity issues.
Every answer links to the source. Each explanation below includes a hyperlink to the exact Oracle documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations. Learn about our methodology →
139
practice exam users
89.2%
satisfied users
84.2%
passed the exam
4.1/5
quality rating
Test your 1Z0 1124 OCI Networking Pro knowledge
10 of 700+ questions
Question #1 - VCN Design and Routing
A network architect is designing a hub-and-spoke topology with one hub VCN, three spoke VCNs, and on-prem connectivity via FastConnect. She wants spoke-to-spoke traffic to transit through the hub for inspection.
Which OCI construct supports this transit routing pattern?
A) Dynamic Routing Gateway attached to the hub with transit routing configured for inter-spoke traffic.
B) Internet routing via public IP for spoke-to-spoke.
C) A single flat VCN with all workloads mixed.
D) Direct Local Peering Gateways between every spoke pair.
Show solution
Correct answers: A – Explanation:
A DRG with transit routing lets spoke VCNs communicate through the hub where inspection and security policies are enforced — the hub-and-spoke pattern. Option D bypasses the hub. Option C eliminates separation. Option B is insecure. Source: Check Source
Question #2 - VCN Design and Routing
A cloud engineer is troubleshooting why packets from subnet A cannot reach subnet B in the same VCN. Both subnets are in the same AD. Security lists allow the traffic, but traffic still drops.
What should she check next?
A) Whether the region has an outage.
B) Route tables associated with the subnets and any Network Security Groups on the vNICs.
C) The physical cable between the hypervisors.
D) The Object Storage bucket policies.
Show solution
Correct answers: B – Explanation:
Intra-VCN subnet-to-subnet traffic needs correct route tables plus NSG rules (which also affect traffic when attached). Option C is not customer-accessible. Option A is unlikely for intra-VCN traffic. Option D is unrelated. Source: Check Source
Question #3 - Hybrid and Cross-Region Connectivity
A multi-region architect needs VCNs in Ashburn and Frankfurt to communicate privately without traversing the public internet, so databases can replicate across regions.
Which OCI service fits private cross-region VCN connectivity over Oracle’s backbone?
A) A Site-to-Site VPN over the public internet.
B) Internet routing via public IPs.
C) Remote Peering Connection between DRGs in each region.
D) Two NAT Gateways talking to each other.
Show solution
Correct answers: C – Explanation:
RPC via DRGs provides private cross-region connectivity over the Oracle backbone — the designed pattern. Option A uses the public internet. Option D is not valid connectivity. Option B is insecure and exposed. Source: Check Source
Question #4 - Hybrid and Cross-Region Connectivity
A small branch office needs encrypted connectivity to OCI for a handful of users. Cost sensitivity is higher than throughput. The team does not have a FastConnect provider on-prem.
Which OCI connectivity option fits a cost-sensitive, low-throughput branch-office link?
A) Unencrypted public internet traffic.
B) RPC between the branch and OCI.
C) FastConnect private peering with a dedicated circuit.
D) Site-to-Site VPN (IPsec) via a DRG.
Show solution
Correct answers: D – Explanation:
Site-to-Site VPN is the cost-effective encrypted tunneling option for low-throughput branch connectivity and doesn’t require a FastConnect provider. Option C is overkill and expensive. Option A is insecure. Option B is VCN-to-VCN only. Source: Check Source
Question #5 - Load Balancing and DNS
A backend team needs a Layer 4 load balancer that preserves the source IP of the client, supports millions of connections per second, and does not perform SSL termination.
Which OCI load balancer fits?
A) Network Load Balancer with preserve source IP option.
B) Object Storage as a load balancer.
C) Flexible Load Balancer with HTTPS listener.
D) A manual HAProxy on a compute instance.
Show solution
Correct answers: A – Explanation:
Network Load Balancer operates at Layer 4, scales to very high throughput, and preserves the source IP — exactly the requirement. Option C is Layer 7 and does SSL termination. Option D is unmanaged. Option B is storage. Source: Check Source
Question #6 - Load Balancing and DNS
A web architect wants DNS to return the Ashburn backend IP to users close to Virginia and the Frankfurt backend to European users, dynamically based on latency.
Which OCI service fits geolocation- and latency-based DNS response steering?
A) A round-robin DNS with no geography awareness.
B) OCI DNS with Traffic Steering policies (geolocation or latency-based).
C) A static A record with one global IP.
D) Hard-coded IPs in each client.
Show solution
Correct answers: B – Explanation:
OCI DNS Traffic Steering supports geolocation and latency-based policies, routing users to the nearest or lowest-latency endpoint. Option C loses dynamism. Option A is not geo-aware. Option D is not maintainable. Source: Check Source
Question #7 - Network Security and Monitoring
A security engineer wants to confirm whether traffic to a specific port on a private subnet is actually reaching the instance, without installing any agent.
Which OCI capability supports this network-level observation?
A) Nothing — network traffic cannot be observed without agents.
B) A BI Publisher report of subnet activity.
C) VCN Flow Logs exported to OCI Logging.
D) A manual tcpdump requiring SSH access.
Show solution
Correct answers: C – Explanation:
VCN Flow Logs record accepted and denied traffic at the subnet level without agents, giving packet-header visibility. Option D is agent-based. Option B is reporting, not packet-level. Option A is incorrect. Source: Check Source
Question #8 - VCN Design and Routing
An architect needs a private subnet whose instances can download software updates from the public internet but cannot be reached from the internet inbound.
Which OCI gateway supports outbound-only internet for a private subnet?
A) Internet Gateway attached directly to the private subnet.
B) No gateway needed — private subnets have internet by default.
C) Service Gateway for public internet.
D) NAT Gateway attached to the VCN with the private subnet’s route table pointing to it.
Show solution
Correct answers: D – Explanation:
NAT Gateway provides outbound-only internet for private subnets — the precise requirement. Option A would allow inbound too. Option C connects to OCI services, not public internet. Option B is false; private subnets have no internet by default. Source: Check Source
Question #9 - Network Security and Monitoring
A security architect wants to let subnets in a VCN access Object Storage without traversing the internet, and without requiring each instance to have a public IP.
Which OCI gateway fits?
A) Service Gateway routed to Object Storage and other OCI public services.
B) NAT Gateway used as the Object Storage path.
C) Internet Gateway attached to each subnet.
D) Attaching public IPs to every instance.
Show solution
Correct answers: A – Explanation:
Service Gateway provides private connectivity from a VCN to OCI public services like Object Storage without traversing the internet — the designed pattern. Option C routes via internet. Option B is outbound-internet. Option D defeats the goal. Source: Check Source
Question #10 - Hybrid and Cross-Region Connectivity
An enterprise needs redundant FastConnect circuits from two different locations to two different OCI edge PoPs, so that a single PoP or path failure does not disconnect on-prem from OCI.
Which OCI best practice addresses FastConnect resiliency?
A) A Site-to-Site VPN as the only link.
B) A public internet-only connection.
C) Two FastConnect virtual circuits from separate on-prem locations to separate OCI edges with BGP failover.
D) One FastConnect virtual circuit with no backup.
Show solution
Correct answers: C – Explanation:
OCI’s FastConnect resiliency guidance calls for multiple circuits from separate locations to separate edges with BGP-based failover, meeting the described HA requirement. Option D has no redundancy. Option A is a bandwidth-limited backup only. Option B has no SLA. Source: Check Source
Get 700+ more questions with source-linked explanations
Every answer traces to the exact Oracle documentation page — so you learn from the source, not just memorize answers.
Exam mode & learn mode · Score by objective · Updated April 19, 2026
Learn more...
What the 1Z0 1124 OCI Networking Pro exam measures
- VCN design and routing (30%) — design VCNs, subnets, gateways, route tables, VCN peering, and transit routing for hub-and-spoke topologies.
- Hybrid and cross-region connectivity (25%) — configure FastConnect, Site-to-Site VPN, Remote Peering Connections, and Dynamic Routing Gateways for on-prem and cross-region scenarios.
- Load balancing and DNS (20%) — deploy flexible and network load balancers, OCI DNS, traffic steering policies, and Web Application Firewall.
- Network security and monitoring (25%) — apply security lists, Network Security Groups, VCN Flow Logs, and the observability tools that troubleshoot connectivity.
How to prepare for this exam
- Review the official 1Z0-1124 exam page and align your study with the current objectives.
- Complete the Oracle University OCI Networking Professional learning path on MyLearn.
- In a practice tenancy, build two VCNs connected by local peering through a DRG, attach a flexible load balancer, and enable VCN Flow Logs on a critical subnet.
- Apply the skills on real work: troubleshoot a connectivity ticket, design a FastConnect topology for an on-prem partner, or harden a VCN against the CIS benchmark.
- Master one objective at a time, starting with VCN design and routing since it carries the most weight.
- Run PowerKram learn mode to see feedback after every question with sourced links back to Oracle documentation.
- Finish with PowerKram exam mode across all objectives until you clear the threshold three times in a row.
Career paths and salary outlook
OCI Networking credentials pay off across cloud and hybrid networking careers:
- Cloud Network Engineer — $115,000–$165,000 (Glassdoor).
- Network Architect — $135,000–$185,000 (U.S. Bureau of Labor Statistics).
- Cloud Infrastructure Engineer — $110,000–$155,000 (PayScale).
Official resources
Follow the OCI Networking Professional Learning Path on Oracle MyLearn. Reinforce with the OCI Networking documentation and the FastConnect documentation.