ORACLE CERTIFICATION

1Z0-997 Oracle Cloud Infrastructure Architect 2022 Professional Practice Exam

Exam Number: 4835 | Last updated April 19, 2026 | 700+ questions across 4 vendor-aligned objectives

The 1Z0-997 Oracle Cloud Infrastructure Architect 2022 Professional exam is the capstone credential for OCI architects who design enterprise-grade workloads on Oracle Cloud. Candidates validate the ability to translate business requirements into production-ready OCI architectures, covering networking, compute, storage, database, identity, observability, and disaster recovery at a level that supports high-availability and multi-region deployments.

The heaviest content is Advanced Networking and Connectivity (roughly 30%), covering VCN design, transit routing, FastConnect, Site-to-Site VPN, Dynamic Routing Gateways, and cross-region peering for global workloads. High Availability and Disaster Recovery contributes another 25% with Availability Domains, Fault Domains, Data Guard, Full Stack DR, and cross-region replication.

Identity, Security, and Governance sits near 25% and drills into compartments, policies, dynamic groups, tag-based conditions, Security Zones, Cloud Guard, and identity federation. Compute, Storage, Database, and Observability rounds out the remaining weight with instance shapes, block and object storage patterns, Autonomous Database, Exadata Cloud Service, and the Monitoring, Logging, and APM stack.

 This exam rewards practice with multi-region designs — rehearse active-active and active-passive patterns with Full Stack DR, cross-region Data Guard, and Object Storage replication. Know the cost, performance, and durability trade-offs of every storage tier so you can pick the right one under exam pressure. Also drill IAM policy syntax with dynamic groups and tag-based conditions; the exam uses long scenario stems where the correct answer turns on a single policy line.

Every answer links to the source. Each explanation below includes a hyperlink to the exact Oracle documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.

855 practice exam users | 93.0% satisfied users | 92.0% passed the exam | 4.8/5 quality rating

Test your 1Z0-997 OCI Architect Pro knowledge

10 of 700+ questions

Question #1 - Advanced Networking and Connectivity

A senior OCI architect is designing a global hub-and-spoke topology: one hub VCN in Ashburn, spoke VCNs in Ashburn, Frankfurt, and Tokyo for regional workloads. All spoke-to-spoke and spoke-to-on-prem traffic must transit the Ashburn hub for inspection.

Which OCI construct enables this cross-region transit routing pattern?

A) Dynamic Routing Gateways in each region with Remote Peering Connections to Ashburn, plus transit routing configured on the Ashburn hub DRG.
B) Public internet traffic between spokes and the hub.
C) A single VCN spanning all regions.
D) Direct Local Peering Gateways between every pair of VCNs across regions.

 

Correct answers: A – Explanation:
RPCs connect DRGs across regions over Oracle’s backbone, and transit routing on the hub DRG sends all inter-spoke traffic through the hub for inspection — the correct enterprise design. Option D is full mesh, not hub-and-spoke. Option C is not possible. Option B is insecure and violates the inspection requirement.

A network architect needs the highest availability FastConnect design: no single FastConnect location or PoP outage should interrupt on-prem to OCI connectivity, and path latency must be predictable.

Which FastConnect resiliency pattern fits?

A) A single VPN over public internet.
B) Redundant FastConnect virtual circuits from two separate on-prem locations to two separate OCI FastConnect edges with BGP failover.
C) A single circuit with no backup.
D) Two circuits both landing at the same OCI edge.

 

Correct answers: B – Explanation:
Oracle’s FastConnect resiliency guidance prescribes two circuits from separate locations to separate edges with BGP-based failover — the maximum-HA design. Options C and D have single points of failure. Option A violates the latency/SLA requirement.

An enterprise architect designs a DR strategy for a multi-tier application running in Ashburn with RPO of 30 seconds and RTO of 15 minutes. She needs automated failover of the entire stack (compute, database, network) to Phoenix.

Which OCI service fits the orchestrated full-stack DR need?

A) Backup-only with no standby region.
B) A BI Publisher report of the DR design only.
C) OCI Full Stack Disaster Recovery with Data Guard for the database tier.
D) Manual runbooks executed by the on-call engineer at 3 AM.

 

Correct answers: C – Explanation:
Full Stack DR orchestrates failover of compute, database, and network tiers across regions, using Data Guard for zero-RPO-capable database replication — the designed service. Option D is slow and error-prone. Option B is documentation, not DR. Option A cannot meet the 15-minute RTO.

A DBA wants the highest tier of Data Guard protection for a mission-critical Base Database: zero data loss is required even at the cost of shutting down the primary if the standby is unreachable.

Which Data Guard protection mode fits?

A) Maximum Availability with fallback to async.
B) Maximum Performance with async redo.
C) A snapshot standby with no redo apply.
D) Maximum Protection with SYNC and AFFIRM redo transport.

 

Correct answers: D – Explanation:
Maximum Protection uses SYNC AFFIRM and halts the primary if standby acknowledgment cannot be received, guaranteeing zero data loss. Option B is async. Option A falls back to async on unreachable standby. Option C is not a protection mode.

An architect wants every object uploaded to a production bucket in Ashburn asynchronously replicated to Phoenix for disaster recovery and read-access by Phoenix workloads.

Which OCI capability fits?

A) Object Storage cross-region replication from Ashburn to Phoenix.
B) A cron-triggered python loop with no OCI integration.
C) No replication; accept losing objects on a regional outage.
D) A nightly manual upload from Ashburn to Phoenix.

 

Correct answers: A – Explanation:
OCI Object Storage supports async cross-region replication between buckets, which is the engineered DR mechanism for object data. Options B and D are manual/custom. Option C violates the requirement.

A security architect needs an IAM design where a specific group can manage all OCI resources tagged Environment=Dev but cannot touch resources tagged Environment=Prod, even though the groups share the same tenancy.

Which IAM pattern fits this tag-conditional access?

A) Sharing credentials only when needed.
B) An IAM policy with a tag-based where condition: `allow group DevAdmins to manage all-resources in tenancy where target.resource.tag.Operations.Environment = 'Dev'`.
C) Adding a deny policy for Prod — OCI IAM does not support deny rules.
D) A tenancy-wide manage policy with no conditions.

 

Correct answers: B – Explanation:
OCI IAM policies support tag-based where-conditions, restricting a verb to resources carrying specified tag values — the precise control. Option D over-grants. Option C does not work because OCI IAM does not support deny rules. Option A is a security violation.

A governance lead wants a compartment where resources must meet strict baseline policies automatically: no public buckets, no public IPs on compute, and encryption with customer-managed keys only.

Which OCI feature enforces preventive controls at the compartment level?

A) Hope that developers follow the guidelines.
B) Cloud Guard detectors alone.
C) Security Zones with a security recipe attached to the compartment.
D) A weekly audit meeting.

 

Correct answers: C – Explanation:
Security Zones enforce preventive policies that block creation of non-compliant resources at the compartment level — preventive rather than detective. Option B is detection-only. Options A and D are not controls.

An enterprise architect needs a dynamic group that automatically includes every compute instance in a specific compartment so those instances can call OCI APIs without embedded credentials.

Which dynamic group matching rule fits?

A) A static list of instance OCIDs maintained by hand.
B) A flat group of human users.
C) A shared API key for the group.
D) A matching rule like `ALL {instance.compartment.id = 'ocid1.compartment.oc1..xxxxxx'}` binding all instances in that compartment.

 

Correct answers: D – Explanation:
Dynamic groups use matching rules (on compartment, tags, etc.) to automatically include resources like compute instances, which then get identities for IAM policies. Option A is manual. Option B is for humans, not resources. Option C is a security anti-pattern.

An architect designs an application that needs the highest I/O throughput and lowest latency for Oracle Database workloads, with RAC for availability and single-tenant dedicated hardware for compliance reasons.

Which OCI database service fits the highest I/O throughput with RAC on single-tenant hardware for compliance?

A) Exadata Cloud Service with RAC on dedicated Exadata infrastructure.
B) Object Storage treated as a database.
C) Autonomous Database shared infrastructure.
D) A compute instance with Oracle XE installed.

 

Correct answers: A – Explanation:
Exadata Cloud Service provides the highest Oracle Database performance, supports RAC, and runs on dedicated hardware — matching every requirement. Option D is unmanaged and not RAC. Option C is multi-tenant. Option B is not a database.

An architect needs end-to-end observability for a distributed application: traces across microservices, metrics with alerting, and searchable log aggregation — all native to OCI.

Which OCI stack delivers this?

A) A BI Publisher weekly report.
B) A third-party SIEM only with no OCI integration.
C) Application Performance Monitoring (APM) for traces, Monitoring for metrics/alarms, Logging (and Logging Analytics) for logs.
D) SSH into each VM and tail logs manually.

 

Correct answers: C – Explanation:
APM, Monitoring, and Logging (with Logging Analytics) form OCI’s native observability trio for traces, metrics, and logs. Options A, B, and D either skip OCI-native features or are not observability.

Get 700+ more questions with source-linked explanations

Every answer traces to the exact Oracle documentation page — so you learn from the source, not just memorize answers.

Exam mode & learn mode · Score by objective · Updated April 19, 2026


What the 1Z0-997 OCI Architect Pro exam measures

  • Advanced networking and connectivity (30%) — design VCNs, transit routing, FastConnect, Site-to-Site VPN, Dynamic Routing Gateways, and cross-region peering for global workloads.
  • High availability and disaster recovery (25%) — leverage Availability Domains, Fault Domains, Data Guard, Full Stack DR, and cross-region replication for durable architectures.
  • Identity, security, and governance (25%) — apply compartments, policies, dynamic groups, Security Zones, Cloud Guard, and identity federation for enterprise control.
  • Compute, storage, database, and observability (20%) — pick instance shapes, storage tiers, Autonomous Database or Exadata Cloud Service, and instrument workloads with Monitoring, Logging, and APM.

  • Review the official 1Z0-997 exam page to confirm the current objectives and weights.
  • Complete the Oracle University OCI Architect Professional learning path on MyLearn.
  • In a practice tenancy, build a two-region active-passive architecture with cross-region Data Guard, an Object Storage replication policy, and a hardened landing zone secured by Cloud Guard and a Security Zone.
  • Apply the skills on real work: co-author an architecture decision record, lead a DR tabletop, or redesign a legacy workload to use FastConnect and private endpoints.
  • Master one objective at a time, starting with advanced networking and connectivity since it carries the most weight.
  • Run PowerKram learn mode to see feedback after every question with sourced links back to Oracle documentation.
  • Finish with PowerKram exam mode across all objectives until you clear the threshold three times in a row.

OCI Architect Professional is a senior credential with strong salary leverage:

Work through the OCI Architect Professional Learning Path on Oracle MyLearn. Reinforce with the Oracle Cloud Infrastructure documentation and the OCI Solutions Center reference architectures.
