Domain 2: Core OCI Services Overview (20%)

This domain covers three foundational OCI service areas that underpin every multicloud deployment: Identity and Access Management (IAM), Virtual Cloud Networking (VCN), and Database Services. Expect roughly 10 questions testing your ability to design identity federation, plan network interconnects, and select appropriate database services in multicloud contexts.


1. OCI Identity and Access Management (IAM)

1.1 Core IAM Concepts

OCI IAM controls who can access cloud resources and what they can do with them. Every OCI tenancy is a root compartment containing all IAM entities and resources (OCI IAM Overview).

Principal types:

| Principal | Description |
|---|---|
| Users | Individual accounts (human or service) with one or more credentials |
| Groups | Collections of users requiring identical access. The built-in Administrators group cannot be deleted and must always contain at least one user |
| Dynamic Groups | Rules-based groups whose members are OCI resources (e.g., compute instances). Membership changes automatically as matching resources are created or deleted |

Key structural components:

  • Tenancy -- Root compartment. All resources and IAM entities live here. Automatically provisioned by Oracle.
  • Compartments -- Logical containers for organizing resources. Support nesting (hierarchy). Drive billing isolation, access control, and project separation. Every resource belongs to exactly one compartment.
  • Policies -- Documents defining who can access which resources and how. Attached to a compartment or the tenancy. Use a human-readable syntax.
  • Home Region -- The region where IAM resources are mastered. All IAM changes must be made in the home region and propagate automatically to all subscribed regions.

Policy syntax:

Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>

Four permission verbs, from least to most privilege:

| Verb | Capability |
|---|---|
| inspect | List and read metadata only |
| read | Inspect + read resource contents (e.g., security list rules) |
| use | Read + work with existing resources (e.g., launch instances in existing subnets) |
| manage | Full control: create, update, delete, move |

Exam trap: use does not grant the ability to create or delete resources. Creating a VCN requires manage virtual-network-family, not just use. Likewise, updating the rules of an existing security list requires manage security-lists specifically; use is insufficient for security list and route table modifications (OCI IAM Overview).
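The verb hierarchy and the "use is not manage" trap can be checked mechanically. The following is an added example, not OCI's policy engine or any code from the page: it parses statements of the form shown above, ranks the four verbs, and answers whether a given statement grants a group at least a required verb on a resource type. The FAMILIES map is an assumption that lists only a few well-known members of virtual-network-family; the real family is larger.

```python
import re

# Verb hierarchy from the text: each verb includes everything the lower ones grant.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Partial, illustrative membership of one aggregate resource family (assumption:
# only a handful of well-known members are listed here).
FAMILIES = {
    "virtual-network-family": {
        "vcns", "subnets", "security-lists", "route-tables", "internet-gateways",
        "nat-gateways", "service-gateways", "drgs", "network-security-groups",
    },
}

# Grammar of one statement, following the page's
# "Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>" form.
STATEMENT = re.compile(
    r"^\s*allow\s+(?P<subject_type>group|dynamic-group)\s+(?P<subject>\S+)\s+"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+"
    r"in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


def is_valid(statement: str) -> bool:
    """True if the statement follows the grammar above (conditions are not evaluated)."""
    return STATEMENT.match(statement) is not None


def parse(statement: str) -> dict:
    """Split one policy statement into its parts; raise on anything off-grammar."""
    m = STATEMENT.match(statement)
    if m is None:
        raise ValueError(f"not a valid policy statement: {statement!r}")
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    parts["resource"] = parts["resource"].lower()
    parts["scope"] = re.sub(r"\s+", " ", parts["scope"])
    return parts


def covers_resource(granted: str, wanted: str) -> bool:
    """True if the granted type is the wanted type or a family that contains it."""
    return granted == wanted or wanted in FAMILIES.get(granted, set())


def grants(statement: str, group: str, needed_verb: str, resource: str) -> bool:
    """Does this statement give `group` at least `needed_verb` on `resource`?"""
    s = parse(statement)
    if s["subject"].lower() != group.lower():
        return False
    if not covers_resource(s["resource"], resource.lower()):
        return False
    # Verbs are cumulative, so a higher rank satisfies any lower requirement.
    return VERB_RANK[s["verb"]] >= VERB_RANK[needed_verb.lower()]


def least_privilege_verb(required_verbs) -> str:
    """Smallest single verb that satisfies every required level (e.g. read + use -> use)."""
    return max(required_verbs, key=lambda v: VERB_RANK[v.lower()]).lower()


if __name__ == "__main__":
    stmt = "Allow group NetAdmins to use virtual-network-family in compartment Prod"
    print(grants(stmt, "NetAdmins", "manage", "vcns"))   # False: use cannot create a VCN
    print(grants(stmt, "NetAdmins", "read", "subnets"))  # True: use includes read
```

Running the usage lines shows the exam trap directly: a statement granting use on virtual-network-family satisfies a read requirement on subnets but not a manage requirement on vcns.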

1.2 Identity Domains

Identity domains are the IAM boundary within an OCI tenancy. Each domain is an independent identity and access management container with its own users, groups, applications, and federation configurations (Identity Domain Types).

Five domain types:

| Domain Type | Intended Use | Max Users | Third-Party Apps | Bi-Directional AD Sync | App Gateway |
|---|---|---|---|---|---|
| Free | Cloud admins managing OCI IaaS/PaaS | 2,000 | 2 | No | No |
| Oracle Apps | Oracle SaaS/PaaS customers | 1,000,000 | 2 | No | No |
| Oracle Apps Premium | Hybrid: Oracle SaaS + on-premises Oracle apps (EBS, PeopleSoft, Oracle DB) | 1,000,000 | 10 | Yes | Oracle apps only |
| Premium | Enterprise-wide IAM standardization across hybrid IT | 1,000,000 | 5,000 | Yes | Any app |
| External User | Consumer-facing apps, non-employee users | 100,000,000 | 5,000 | No | Yes |

Exam trap: The Free domain supports only 2,000 users and 2 third-party apps. It does not support bi-directional AD/LDAP sync, Application Gateway, or RADIUS proxy. If a question describes enterprise-scale federation with AD bridge and delegated authentication, the answer is Premium or Oracle Apps Premium -- never Free.

Exam trap: External User domains cannot manage OCI infrastructure resources. They are exclusively for non-employee accounts. If employees need OCI console access, they must exist in a Free, Oracle Apps, Oracle Apps Premium, or Premium domain.

Key feature differences for the exam:

  • Uni-directional AD sync: Supported by Free and all higher tiers. Syncs users from Active Directory into OCI.
  • Bi-directional AD/LDAP sync: Only Oracle Apps Premium and Premium. Syncs changes both ways.
  • Delegated authentication via AD bridge: Only Oracle Apps Premium and Premium. Allows on-premises AD to handle authentication directly.
  • Application Gateway: Not available on Free or Oracle Apps. Oracle Apps Premium supports it for Oracle apps only. Premium and External User support any app.
  • RADIUS proxy: Oracle Apps Premium (Oracle DB only) and Premium (all). Not available on Free, Oracle Apps, or External User.

1.3 Federation with External Identity Providers

OCI supports SAML 2.0 and OpenID Connect (OIDC) for federation with external identity providers. In a multicloud context, this is how Azure AD, Google Cloud Identity, and other IdPs integrate with OCI (OCI IAM Overview).

Federation model:

  1. External IdP (e.g., Azure AD) manages users and groups
  2. OCI acts as the Service Provider (SP)
  3. Authentication is delegated to the IdP via SAML 2.0 or OIDC
  4. Authorization remains in OCI IAM via policies mapped to federated groups

Azure AD federation specifics:

  • Oracle and Microsoft have a cloud partnership enabling cross-cloud networking and unified IAM
  • Azure AD users can access the OCI Console and Oracle applications (EBS, PeopleSoft) through federation
  • Federation uses SAML 2.0 protocol
  • Group mappings link Azure AD groups to OCI groups, which then inherit OCI policies

All domain types support:

  • External IdP integration (up to 5 for Free/Oracle Apps, up to 30 for Premium tiers)
  • Social login (Google, Facebook, etc.)
  • SAML 2.0 and OIDC protocols
  • Passwordless authentication (FIDO2)
  • MFA (TOTP, push, phone, security questions, DUO)

1.4 Multicloud Automated Onboarding (Oracle Database@Azure)

Automated onboarding creates the full federation and network infrastructure (Azure AD enterprise app, custom roles, groups, Multicloud Link, private interconnect, and identity federation) in 3-5 minutes. For complete onboarding details including prerequisites, step-by-step flow, and guided vs. automated options, see Domain 4: Oracle Database@Azure Section 4.2.

Key IAM facts for Domain 2:

  • Only Azure users added to the auto-created OracleDB for Azure groups are synced to OCI IAM -- this is scoped federation, not full directory sync
  • Azure user must hold Application Administrator, Cloud Application Administrator, Privileged Role Administrator, or Global Administrator role
  • Post-onboarding, users must be manually added to the custom Azure AD groups and assigned OracleDB for Azure roles

Exam trap: Automated onboarding does not sync all Azure AD users. Only users in the specifically created OracleDB for Azure groups are synced to OCI IAM. This is a scoped federation, not a full directory sync.


2. Virtual Cloud Network (VCN) Networking

2.1 VCN Architecture

A VCN is a software-defined private network within a single OCI region. It supports one or more CIDR blocks ranging from /16 to /30 (VCN Overview).

Core components:

| Component | Description |
|---|---|
| Subnets | Subdivisions of a VCN with their own CIDR range. Can be regional (recommended) or AD-specific. Public subnets allow public IPs; private subnets do not. |
| VNICs | Virtual Network Interface Cards attached to compute instances. Primary VNIC created at launch (cannot be removed). Secondary VNICs can be added in the same or different subnets. |
| Route Tables | Rules directing traffic from subnets to gateways or other targets. Each subnet associates with exactly one route table. VCN includes a default (empty) route table. |
| Security Lists | Firewall rules applied at the subnet level to all VNICs in that subnet. |
| Network Security Groups (NSGs) | Firewall rules applied to specific VNICs regardless of subnet. More granular than security lists. |
| DHCP Options | Configuration pushed to instances at boot (DNS resolver type, search domain). |

IP addressing:

  • Private IPs: From subnet CIDR. Primary private IP cannot change during instance lifetime. Secondary private IPs can be added/removed.
  • Public IPs: Optional, only in public subnets. Two types:
    • Ephemeral: Lives only as long as the instance/VNIC assignment. Released on termination.
    • Reserved: Persists independently. Can be moved between instances. Survives instance termination.
  • Reserved per subnet: Network address, broadcast address, and default gateway (3 IPs). A /24 subnet yields 253 usable addresses, not 256.

2.2 Gateways

| Gateway | Direction | Purpose |
|---|---|---|
| Internet Gateway (IGW) | Bidirectional | Provides direct internet access for resources with public IPs in public subnets |
| NAT Gateway | Outbound only | Allows private subnet resources to initiate outbound internet connections without exposure to inbound traffic |
| Service Gateway | To Oracle Services | Private path to Oracle services (Object Storage, Autonomous DB) without internet or public IPs |
| Dynamic Routing Gateway (DRG) | Bidirectional | Hub router for on-premises (VPN/FastConnect), cross-region, cross-tenancy, and cross-cloud connectivity |
| Local Peering Gateway (LPG) | Bidirectional | Connects two VCNs in the same region. One LPG per peering relationship per VCN |

Internet access checklist (all required):

  1. Internet Gateway exists and is enabled
  2. Subnet is public
  3. Route table has a rule directing 0.0.0.0/0 to the IGW
  4. Security rules allow the traffic (protocol, port, CIDR)
  5. Instance OS firewall allows the traffic
  6. Instance has a public IP address

Exam trap: A NAT Gateway provides outbound-only internet access. Resources behind a NAT Gateway cannot be reached from the internet. If a question asks about allowing database backups to Object Storage from a private subnet without internet access, the answer is Service Gateway -- not NAT Gateway. Service Gateway provides a private path to Oracle services without any internet traversal.

2.3 Security Lists vs. Network Security Groups (NSGs)

This is a high-frequency exam topic. Both enforce firewall rules, but they differ in scope and application (Security Rules).

| Attribute | Security Lists | NSGs |
|---|---|---|
| Scope | Entire subnet (all VNICs) | Selected VNICs only |
| Assignment | Subnet associates with up to 5 security lists | VNIC associates with up to 5 NSGs |
| Default | VCN includes a default security list with initial rules | No default NSGs; created empty |
| Source/Destination | CIDR blocks only | CIDR blocks OR another NSG (self-referencing possible) |
| Oracle recommendation | Legacy approach | Preferred for new deployments |
| Use together | Yes. Both are evaluated; traffic must pass all applicable rules | Same |

Stateful vs. stateless rules:

| Aspect | Stateful (Default) | Stateless |
|---|---|---|
| Return traffic | Automatically allowed; connection tracked | Must explicitly allow return traffic with a separate rule |
| Connection tracking | Yes (uses memory) | No (lower overhead) |
| Use case | General purpose | High-volume traffic (e.g., internet-facing web servers) |
| Conflict resolution | If traffic matches both a stateful and a stateless rule, the stateless rule takes precedence | (same) |

Exam trap: When stateful and stateless rules conflict (same traffic matches both), stateless wins. This means the connection is NOT tracked, and you need an explicit rule in the opposite direction. This is a common exam pitfall.
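The pitfall is easiest to see by simulating rule evaluation on one SSH flow and its reply. The code below is an added illustration written for this guide, not OCI's packet filter and not code from the page: it models ingress/egress rules with a stateless flag, gives stateless matches precedence (so nothing is tracked), and lets a reply through only if a stateful match recorded the flow or an explicit rule covers the reverse direction. All addresses, ports and rule sets are constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "ingress" = toward the VNIC, "egress" = leaving the VNIC
    proto: str       # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self) -> "Packet":
        """The return packet of this flow as seen by the same VNIC."""
        return Packet("egress" if self.direction == "ingress" else "ingress",
                      self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    cidr: str                                     # remote side: source for ingress, destination for egress
    stateless: bool = False                       # rules are stateful unless marked stateless
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range, None = any port
    src_ports: Optional[Tuple[int, int]] = None

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction or p.proto != self.proto:
            return False
        remote = p.src_ip if p.direction == "ingress" else p.dst_ip
        if ip_address(remote) not in ip_network(self.cidr):
            return False
        if self.dst_ports and not self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]:
            return False
        if self.src_ports and not self.src_ports[0] <= p.src_port <= self.src_ports[1]:
            return False
        return True


def _flow_key(p: Packet):
    return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)


@dataclass
class Vnic:
    rules: list
    conntrack: set = field(default_factory=set)   # flows admitted by stateful rules

    def evaluate(self, p: Packet) -> str:
        """Decision for one packet, with the reason it was taken."""
        matched = [r for r in self.rules if r.matches(p)]
        if any(r.stateless for r in matched):
            return "allow:stateless"          # stateless wins; the flow is NOT tracked
        if matched:
            self.conntrack.add(_flow_key(p))  # stateful: remember the flow so its reply passes
            return "allow:stateful"
        if _flow_key(p.reply()) in self.conntrack:
            return "allow:conntrack"          # reply to a tracked stateful flow
        return "deny"


def demo() -> dict:
    """Three rule sets applied to the same inbound SSH packet and its reply (constructed data)."""
    syn = Packet("ingress", "tcp", "10.1.0.5", 40000, "10.0.1.10", 22)
    syn_ack = syn.reply()
    stateful_ssh = Rule("ingress", "tcp", "10.1.0.0/16", dst_ports=(22, 22))
    stateless_ssh = Rule("ingress", "tcp", "10.1.0.0/16", stateless=True, dst_ports=(22, 22))
    stateless_reply = Rule("egress", "tcp", "10.1.0.0/16", stateless=True, src_ports=(22, 22))

    results = {}
    for name, rules in {
        "stateful_only": [stateful_ssh],
        "stateful_and_stateless": [stateful_ssh, stateless_ssh],
        "with_explicit_reply_rule": [stateful_ssh, stateless_ssh, stateless_reply],
    }.items():
        vnic = Vnic(rules)
        results[name] = (vnic.evaluate(syn), vnic.evaluate(syn_ack))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: inbound={outcome[0]}, reply={outcome[1]}")
```

The middle case is the trap: adding a stateless ingress rule next to an existing stateful one does not make the flow "more allowed"; it removes connection tracking, and the reply is dropped until an explicit egress rule for the reverse direction exists.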

Cross-cloud traffic rules (common ports):

| Traffic | Protocol | Port |
|---|---|---|
| SSH | TCP | 22 |
| SQL*Net (Oracle DB) | TCP | 1521 |
| HTTPS | TCP | 443 |
| ICMP (ping) | ICMP | Type 3 Code 4 (path MTU), Type 8 (echo) |
| ONS (Oracle Notification) | TCP | 6200 |

2.4 Dynamic Routing Gateway (DRG) in Multicloud

The DRG is the central routing hub for all non-internet connectivity: on-premises, cross-region, cross-tenancy, and cross-cloud (DRG Documentation).

DRG attachment types:

| Attachment Type | Purpose |
|---|---|
| VCN | Connects VCNs. Multiple VCNs can attach to one DRG. Each VCN attaches to only one DRG. |
| VIRTUAL_CIRCUIT | FastConnect dedicated private connections to on-premises |
| IPSEC_TUNNEL | Site-to-Site VPN encrypted tunnels to on-premises |
| REMOTE_PEERING_CONNECTION (RPC) | DRG-to-DRG peering across regions and tenancies |
| LOOPBACK | Encrypts FastConnect virtual circuits via Site-to-Site VPN overlay |

DRG route tables:

Two default route tables are auto-generated per DRG:

  1. VCN route table -- assigned to VCN attachments by default
  2. Non-VCN route table -- assigned to all other attachment types (FastConnect, VPN, RPC)

Custom route tables can be created and assigned to any attachment. Same route table can serve multiple attachments.

Import/export route distributions:

  • Import route distributions: Define which routes get pulled into a DRG route table from attachments. Two auto-generated: "VCN routes only" and "All routes." Match criteria include OCID, attachment type, or "Match All."
  • Export route distributions: One auto-generated per DRG. Exports route table contents to assigned attachments. Cannot create additional export distributions. Not supported for VCN attachments.

Route conflict resolution order:

  1. Static routes always beat dynamic routes
  2. Shortest AS path wins
  3. Attachment type priority: VCN > VIRTUAL_CIRCUIT > IPSEC_TUNNEL > RPC
  4. For same-type conflicts: ECMP if enabled (max 8 paths), otherwise stable arbitrary selection

Route propagation restriction: Routes from IPSec tunnels or virtual circuits are never exported to other IPSec tunnels or virtual circuits. Traffic entering via VPN cannot exit via FastConnect (or vice versa) through the same DRG. Packets violating this rule are dropped.
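The conflict-resolution order and the VPN/FastConnect transit restriction can both be expressed as a small selection function. This is an added illustration for this guide, not OCI's DRG implementation: it ranks candidate routes for one prefix by static-over-dynamic, then AS path length, then the attachment type priority given above, returns up to 8 equal paths when ECMP is on, and refuses to forward between two site attachments. Attachment ids such as "fc-1" are constructed labels, not OCIDs.

```python
from dataclasses import dataclass
from typing import List

# Attachment type priority from the text (lower number wins).
TYPE_PRIORITY = {"VCN": 0, "VIRTUAL_CIRCUIT": 1, "IPSEC_TUNNEL": 2, "REMOTE_PEERING_CONNECTION": 3}
ECMP_MAX_PATHS = 8
SITE_ATTACHMENTS = {"IPSEC_TUNNEL", "VIRTUAL_CIRCUIT"}   # on-premises paths that may not transit each other


@dataclass(frozen=True)
class Route:
    prefix: str
    attachment_type: str
    attachment_id: str          # constructed label for the example, not a real OCID
    static: bool = False
    as_path_len: int = 0        # only meaningful for dynamic (BGP-learned) routes


def _rank(r: Route) -> tuple:
    """Tie-break order: static first, then shortest AS path, then attachment type priority."""
    return (0 if r.static else 1, 0 if r.static else r.as_path_len, TYPE_PRIORITY[r.attachment_type])


def select_next_hops(routes: List[Route], prefix: str, ecmp: bool = False) -> List[str]:
    """Attachment ids chosen for `prefix`: one path, or up to ECMP_MAX_PATHS equal-rank paths."""
    candidates = [r for r in routes if r.prefix == prefix]
    if not candidates:
        return []
    best = min(_rank(r) for r in candidates)
    # Insertion order is kept, so the non-ECMP pick is a stable choice among equals.
    tied = [r.attachment_id for r in candidates if _rank(r) == best]
    return tied[:ECMP_MAX_PATHS] if ecmp else tied[:1]


def may_transit(ingress_type: str, egress_type: str) -> bool:
    """Traffic that entered via VPN or FastConnect may not leave via VPN or FastConnect."""
    return not (ingress_type in SITE_ATTACHMENTS and egress_type in SITE_ATTACHMENTS)


def demo() -> dict:
    """Constructed route table with one on-premises prefix reachable several ways."""
    onprem = "192.168.0.0/16"
    table = [
        Route(onprem, "IPSEC_TUNNEL", "vpn-1", as_path_len=2),
        Route(onprem, "VIRTUAL_CIRCUIT", "fc-1", as_path_len=1),
        Route(onprem, "VIRTUAL_CIRCUIT", "fc-2", as_path_len=1),
    ]
    static_vpn = Route(onprem, "IPSEC_TUNNEL", "vpn-static", static=True)
    same_len = [Route(onprem, "IPSEC_TUNNEL", "vpn-1", as_path_len=1),
                Route(onprem, "VIRTUAL_CIRCUIT", "fc-1", as_path_len=1)]
    return {
        "shortest_as_path": select_next_hops(table, onprem),
        "ecmp_over_equal_paths": select_next_hops(table, onprem, ecmp=True),
        "static_beats_dynamic": select_next_hops(table + [static_vpn], onprem),
        "type_priority": select_next_hops(same_len, onprem),
        "vpn_to_fastconnect": may_transit("IPSEC_TUNNEL", "VIRTUAL_CIRCUIT"),
        "vcn_to_vpn": may_transit("VCN", "IPSEC_TUNNEL"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that a static route through the slower VPN attachment still displaces the FastConnect paths, which is why static routes at the DRG deserve review during any interconnect change.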

Hub-and-spoke topology:

           On-Premises
                |
         FastConnect/VPN
                |
        ┌───────────────┐
        │      DRG      │  (Hub)
        │  Route Tables │
        └─┬─────┬─────┬─┘
          │     │     │
        VCN-A VCN-B VCN-C   (Spokes)

  • DRG acts as the hub. Spoke VCNs attach to the DRG.
  • Import distributions route on-premises prefixes to spoke route tables.
  • Spoke VCN routes are imported into the on-premises-facing route table.
  • All cross-VCN and VCN-to-on-premises traffic transits through the DRG.

BGP route preference (Oracle side):

| Priority | Path | AS Path Length |
|---|---|---|
| 1 (highest) | FastConnect | 1 |
| 2 | Site-to-Site VPN (BGP) | 2 |
| 3 (lowest) | Site-to-Site VPN (Static) | 3 |

Exam trap: Routes cannot propagate through more than 4 DRGs via RPC. This limits the depth of cross-region/cross-tenancy routing chains.

2.5 CIDR Planning for Multicloud

Non-overlapping CIDR ranges are mandatory between OCI VCNs and partner cloud virtual networks (Azure VNets, Google VPCs, AWS VPCs). Overlapping CIDRs prevent routing because the DRG cannot distinguish destinations.

Planning guidelines:

  • OCI VCN supports /16 to /30 CIDR blocks
  • Use RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • Reserve separate ranges per cloud: e.g., 10.0.0.0/16 for OCI, 10.1.0.0/16 for Azure, 10.2.0.0/16 for GCP
  • Account for future growth -- a /24 feels right for a pilot but may be too small for production
  • Three IPs per subnet are reserved (network, broadcast, gateway)
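The planning guidelines above are the kind of thing worth checking before the first interconnect is built. The following is an added example for this guide, not code from the page or from Oracle: it validates that a VCN block is an RFC 1918 range sized /16 to /30, finds every overlapping pair across a per-cloud allocation, carves subnets from a VCN, and reports usable addresses after the three reserved IPs. The cloud names and CIDR plan are constructed sample input.

```python
from ipaddress import IPv4Network, ip_network
from itertools import combinations
from typing import Dict, List, Tuple

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
VCN_MIN_PREFIX, VCN_MAX_PREFIX = 16, 30    # VCN CIDR size bounds from the text
RESERVED_PER_SUBNET = 3                     # network, broadcast, default gateway


def validate_vcn_cidr(cidr: str) -> IPv4Network:
    """Raise ValueError unless the block is RFC 1918 and sized /16 to /30."""
    net = ip_network(cidr, strict=True)   # strict: host bits must be zero
    if not any(net.subnet_of(r) for r in RFC1918):
        raise ValueError(f"{cidr} is not an RFC 1918 private range")
    if not VCN_MIN_PREFIX <= net.prefixlen <= VCN_MAX_PREFIX:
        raise ValueError(f"{cidr} is outside the /{VCN_MIN_PREFIX} to /{VCN_MAX_PREFIX} VCN range")
    return net


def is_valid_vcn_cidr(cidr: str) -> bool:
    try:
        validate_vcn_cidr(cidr)
        return True
    except ValueError:
        return False


def find_overlaps(plan: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Every overlapping pair across all clouds, as (cloud_a, cloud_b, cidr_a, cidr_b)."""
    flat = [(cloud, ip_network(c)) for cloud, cidrs in plan.items() for c in cidrs]
    return [(a, b, str(na), str(nb))
            for (a, na), (b, nb) in combinations(flat, 2) if na.overlaps(nb)]


def usable_addresses(subnet: str) -> int:
    """Host addresses left after the three reserved per subnet (a /24 yields 253)."""
    return ip_network(subnet).num_addresses - RESERVED_PER_SUBNET


def carve_subnets(vcn: str, new_prefix: int) -> List[str]:
    """All subnets of the given prefix length that fit inside the VCN block."""
    return [str(s) for s in ip_network(vcn).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # Constructed plan: the GCP block was carved out of the OCI block by mistake.
    plan = {"oci": ["10.0.0.0/16"], "azure": ["10.1.0.0/16"], "gcp": ["10.0.128.0/17"]}
    for cloud, cidrs in plan.items():
        for c in cidrs:
            print(f"{cloud} {c}: valid VCN size={is_valid_vcn_cidr(c)}")
    print("overlaps:", find_overlaps(plan))
    print("usable in 10.0.1.0/24:", usable_addresses("10.0.1.0/24"))
    print("first /24s in OCI VCN:", carve_subnets("10.0.0.0/16", 24)[:3])
```

Run it over the real allocation table before requesting an interconnect; an overlap reported here is exactly the condition under which the DRG cannot route between the two clouds.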

3. OCI Database Services

OCI offers multiple database services at different tiers of management, performance, and cost. Understanding which service fits which use case is critical for multicloud architecture decisions.

3.1 Base Database Service

The foundational Oracle Database service running on VM or Bare Metal shapes in OCI (Base Database Service).

Infrastructure options:

| Option | Description |
|---|---|
| VM DB Systems | Virtual machines on flexible shapes (Standard x86, AMD E5 Flex, Intel X9 Flex, Ampere A1 Flex). Scale OCPUs and memory independently. |
| BM DB Systems | Bare metal servers. Dedicated physical hardware. Higher performance ceiling. |

Database editions:

| Edition | Key Features |
|---|---|
| Standard Edition (SE) | Core RDBMS. Department-level and web applications. No RAC, no Data Guard, no advanced compression. |
| Enterprise Edition (EE) | SE + OLTP, data warehousing, internet applications. Adds partitioning (limited), advanced queuing. |
| EE - High Performance (EE-HP) | EE + Partitioning, Multitenant, Advanced Compression, Real Application Testing, Advanced Security, Label Security, Database Vault, Spatial & Graph, Data Masking, Management Packs |
| EE - Extreme Performance (EE-EP) | EE-HP + In-Memory, Active Data Guard, Real Application Clusters (RAC) |

Exam trap: RAC and Active Data Guard are only available with EE-Extreme Performance. If a question mentions RAC or Active Data Guard, the edition must be EE-EP. In-Memory is also EE-EP only.

Exam trap: Multitenant (pluggable databases) is an EE-HP feature, not base EE. If a question involves CDB/PDB architecture with multiple pluggable databases, the minimum edition is EE-HP.

Storage:

  • VM DB Systems use OCI Block Volumes for data storage
  • Automated backups to Object Storage (configurable retention)
  • ASM (Automatic Storage Management) manages database storage
  • Data Guard available for EE-EP for standby/disaster recovery

3.2 Autonomous Database

Oracle's fully managed, self-driving database service built on Exadata infrastructure. Available in serverless (shared) and dedicated deployment models (Autonomous Database).

Three autonomous pillars:

| Pillar | What It Does |
|---|---|
| Self-Driving | Automated provisioning, tuning, scaling, patching. ML-driven index and statistics management. Auto-scales compute based on workload. |
| Self-Securing | Automatic encryption (at rest and in transit), automated security patching, protection against both external attacks and internal threats. No downtime for security patches. |
| Self-Repairing | Continuous monitoring for faults. Automatic failover and recovery. Runs on redundant Exadata hardware. 99.95% availability SLA (99.995% with Autonomous Data Guard enabled). Most faults resolved without customer intervention. |

Workload types:

| Workload | Optimized For |
|---|---|
| Autonomous Transaction Processing (ATP) | OLTP, mixed workloads, IoT, ML, operational reporting, batch processing |
| Autonomous Data Warehouse (ADW) | Analytics, data warehousing, data marts, data lakes, ML |
| Autonomous JSON Database (AJD) | JSON document store workloads. Subset of ATP optimized for JSON-centric applications |
| APEX Application Development | Low-code application development with Oracle APEX. Subset of ATP optimized for APEX workloads |

Deployment models:

| Model | Shared (Serverless) | Dedicated |
|---|---|---|
| Infrastructure | Multi-tenant Exadata, shared with other customers | Dedicated Exadata infrastructure, isolated |
| Minimum commitment | 1 OCPU, 1 TB storage, 1 hour | Full Exadata rack or portion |
| Scaling | Instant, online. Pay only for what you use | Pre-provisioned capacity |
| Isolation | Logical isolation | Physical isolation (hardware, network) |
| Control | Oracle manages all infrastructure | Customer controls maintenance schedules, patching windows, network access |
| Use case | Dev/test, variable workloads, cost optimization | Regulated industries, strict SLA requirements, consistent high performance |
| Network | Public or private endpoint (VCN-native) | Private endpoint within customer VCN, no public access |

Exascale infrastructure (newer option):

Exascale is Oracle's next-generation architecture for Autonomous Database that decouples compute and storage, providing elastic scaling without the fixed rack commitment of traditional dedicated infrastructure. It offers dedicated-like isolation with serverless-like elasticity.

Exam trap: Autonomous Database Serverless (shared) can have either a public endpoint or a private endpoint inside a VCN. Dedicated infrastructure is always private (VCN-native). If a question asks about an Autonomous Database accessible only through a private subnet with no public access, both serverless with private endpoint and dedicated satisfy this -- but dedicated provides physical isolation.

3.3 HeatWave MySQL

MySQL HeatWave is OCI's fully managed MySQL database service with an integrated, massively parallel in-memory query accelerator (HeatWave MySQL).

Key capabilities:

| Feature | Description |
|---|---|
| In-Memory Query Acceleration | HeatWave cluster provides orders-of-magnitude faster query performance for analytics. Scales to 512 nodes. |
| HeatWave Lakehouse | Query up to 500 TB of data in Object Storage without copying it to the MySQL instance. Combines transactional data with lakehouse data in a single query. |
| HeatWave AutoML | Built-in machine learning directly in the database. No data movement required. |
| HeatWave GenAI | Integrated generative AI with in-database LLMs, automated vector store, and scale-out vector processing. |
| Autopilot | Auto schema inference, adaptive data sampling, automated provisioning recommendations. Can scan a 400 TB file for schema mapping in under a minute. |
| OLTP + OLAP | Single service handles both transactional and analytical workloads. No ETL needed between separate systems. |

Exam context: HeatWave MySQL is relevant for multicloud when organizations need a managed MySQL solution in OCI that can join analytical workloads with data stored in Object Storage. It is not an Oracle Database product -- it is MySQL.

3.4 Exadata Database Service

The highest-performance Oracle Database service, running on purpose-built Exadata hardware (Exadata Database Service).

Deployment options:

| Option | Description |
|---|---|
| Dedicated Infrastructure | Exadata racks in OCI data centers. X9M and X11M shapes available in OCI public cloud. Start with 2 DB + 3 storage servers, scale to 32 DB + 64 storage servers. |
| Cloud@Customer | Exadata hardware deployed in customer's own data center, managed by Oracle. Same software and APIs as OCI. |
| Exascale Infrastructure | Decoupled compute and storage. Elastic scaling without fixed rack commitment. Uses same Exadata hardware (X8M, X9M, X10M). |

Exadata hardware capabilities (X9M):

  • Single DB server: 126 usable OCPUs, 1,390 GB memory
  • Single storage server: 63.6 TB usable disk capacity
  • RDMA over Converged Ethernet (RoCE) networking
  • Persistent Memory (PMEM) modules for ultra-low latency
  • Smart Scan offloads query processing to storage servers

Exam trap: Exadata Database Service on Dedicated Infrastructure requires a minimum of 2 database servers and 3 storage servers. It is not suitable for small workloads due to this minimum commitment. For smaller Oracle Database workloads, Base Database Service (VM shapes) or Autonomous Database Serverless are more appropriate.

3.5 Database Services Comparison

| Feature | Base DB Service | Autonomous DB (Serverless) | Autonomous DB (Dedicated) | Exadata DB Service | HeatWave MySQL |
|---|---|---|---|---|---|
| Database Engine | Oracle | Oracle | Oracle | Oracle | MySQL |
| Management Level | Customer manages DB | Fully automated | Fully automated + customer scheduling | Customer manages DB | Fully managed |
| Infrastructure | VM or BM | Shared Exadata | Dedicated Exadata | Dedicated Exadata | VM |
| Editions | SE, EE, EE-HP, EE-EP | N/A (includes all features) | N/A (includes all features) | EE-EP equivalent | N/A |
| RAC | EE-EP only | Built-in HA | Built-in HA | Yes | N/A (MySQL clustering) |
| Data Guard | EE-EP (Active DG) | Autonomous Data Guard | Autonomous Data Guard | Yes | N/A |
| Minimum Size | 1 OCPU | 1 OCPU, 1 TB | Exadata portion | 2 DB + 3 Storage servers | 1 OCPU |
| Scaling | Manual | Auto-scale | Pre-provisioned | Add servers independently | Cluster to 512 nodes |
| Patching | Customer-scheduled | Automated, zero-downtime | Customer-scheduled windows | Customer-scheduled | Automated |
| Public Endpoint | Optional | Optional | No (private only) | Optional | Optional |
| In-Memory | EE-EP only | Included | Included | Yes | HeatWave cluster |
| Multicloud Relevance | Available via Database@Azure | Available via Database@Azure | Available via Database@Azure | Available via Database@Azure | OCI native only |

3.6 Multicloud Database Deployment

In Oracle Database@Azure and Oracle Database@Google Cloud, OCI database services are provisioned and managed through OCI but consumed from the partner cloud's network. Key points:

  • Base Database Service: Available in Oracle Database@Azure (added in 2025)
  • Autonomous Database: Primary offering in both Database@Azure and Database@Google Cloud
  • Exadata Database Service: Available on dedicated and Exascale infrastructure through partner cloud integrations
  • Network path: Database traffic flows over the private interconnect (Oracle Interconnect for Azure, or Cross-Cloud Interconnect for Google Cloud), not over the public internet
  • IAM: Federation between partner cloud IdP and OCI IAM governs access (see Section 1.4)
  • Billing: Unified billing through the partner cloud marketplace (Azure Marketplace or Google Cloud Marketplace)

Exam Preparation: Key Distinctions

Identity Quick Reference

| If the question mentions... | Think... |
|---|---|
| 2,000 user limit, 2 third-party apps | Free identity domain |
| On-premises Oracle apps + AD bridge | Oracle Apps Premium |
| Unlimited third-party apps, enterprise SSO | Premium identity domain |
| Consumer-facing app, millions of users | External User domain |
| Automated Azure federation, custom groups, 3-5 min setup | Automated onboarding (Database@Azure) |
| SAML 2.0, external IdP, group mapping | Identity federation |
| Resources making API calls as principals | Dynamic groups |

Networking Quick Reference

| If the question mentions... | Think... |
|---|---|
| Private subnet needs Oracle service access (Object Storage, ADB) | Service Gateway |
| Private subnet needs outbound internet | NAT Gateway |
| Public-facing web server | Internet Gateway + public subnet + public IP |
| On-premises connectivity | DRG + FastConnect or Site-to-Site VPN |
| Cross-region VCN connectivity | DRG + Remote Peering Connection (RPC) |
| Same-region VCN connectivity | DRG (preferred) or Local Peering Gateway |
| Subnet-level firewall | Security Lists |
| Instance-level firewall | Network Security Groups (NSGs) |
| Stateful vs stateless conflict | Stateless takes precedence |
| Hub-and-spoke topology | DRG as hub with VCN attachments as spokes |
| Cross-cloud private connectivity | Oracle Interconnect for Azure / Cross-Cloud Interconnect |

Database Quick Reference

| If the question mentions... | Think... |
|---|---|
| RAC or Active Data Guard | EE-Extreme Performance (Base DB) or Exadata |
| Multitenant / pluggable databases | EE-High Performance minimum |
| Fully automated patching, zero DBA | Autonomous Database |
| Physical isolation + automated management | Autonomous Database Dedicated |
| Cost-effective, variable workload | Autonomous Database Serverless |
| MySQL analytics, lakehouse | HeatWave MySQL |
| Maximum Oracle DB performance | Exadata Database Service |
| Small Oracle DB workload | Base Database Service (VM) |
| On-premises Exadata, Oracle-managed | Exadata Cloud@Customer |
| Elastic Exadata without rack commitment | Exascale infrastructure |

References

  1. OCI IAM Overview
  2. Identity Domain Types
  3. VCN Networking Overview
  4. Security Rules
  5. Dynamic Routing Gateways
  6. Database Services Overview
  7. Automated Onboarding for Database@Azure
  8. Base Database Service
  9. Exadata Database Service
  10. Autonomous Database
  11. HeatWave MySQL Features
  12. Federating with Azure AD
  13. OCI Network Security Groups vs Security Lists
  14. Hub-and-Spoke Network with DRG