Domain 1: Design and Deploy OCI Virtual Cloud Networks (10%)
Domain 1 of the 1Z0-1124-25 Oracle Cloud Infrastructure 2025 Networking Professional exam covers VCN architecture, subnets, gateways, endpoints, route tables, DHCP options, and security constructs. At 10% of the exam this domain accounts for approximately 5 questions out of 50 (90 minutes, 68% passing score). Every subsequent domain builds on these foundational VCN concepts, so mastery here is non-negotiable.
1. VCN Architecture
A Virtual Cloud Network (VCN) is a software-defined private network you create in a single OCI region. It functions as a traditional network with firewall rules, gateways, and route tables, but exists entirely in the OCI control plane. (Networking Overview)
CIDR Blocks
| Attribute | Detail |
|---|---|
| Required | At least one IPv4 CIDR block |
| Allowed size | /16 to /30 |
| Maximum CIDRs per VCN | 16 IPv4 + 16 IPv6 prefixes |
| Recommended ranges | 10.0.0.0/16, 172.16.0.0/16, 192.168.0.0/16 (RFC 1918) |
| Post-creation | Can add, modify, or remove CIDR blocks (with restrictions) |
| Overlap rule | CIDRs must not overlap with each other, peered VCNs, or on-premises networks |
Prohibited address ranges (reserved by OCI for internal services):
- 169.254.0.0/16 (iSCSI, instance metadata)
- 224.0.0.0 - 239.255.255.255 (Class D multicast)
- 240.0.0.0 - 255.255.255.255 (Class E reserved)
Reserved Addresses Per Subnet
Every subnet reserves three addresses. For a 10.0.1.0/24 subnet:
| Address | Purpose |
|---|---|
| 10.0.1.0 | Network address |
| 10.0.1.1 | Default gateway |
| 10.0.1.255 | Broadcast address |
Usable range: 10.0.1.2 through 10.0.1.254 (253 addresses for a /24).
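The CIDR constraints in the table above and the three per-subnet reservations are easy to get wrong under exam pressure, so here is an added example (not from the OCI documentation or any Oracle tool) that encodes them with Python's standard `ipaddress` module. The function and variable names are my own; the prohibited ranges and the /16 to /30 bounds are the ones stated on this page.

```python
import ipaddress

# VCN CIDR constraints as stated in this guide
MIN_PREFIX, MAX_PREFIX = 16, 30
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ranges OCI reserves: link-local/metadata, Class D multicast, Class E
PROHIBITED = [ipaddress.ip_network(c) for c in ("169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def check_vcn_cidr(cidr, existing=()):
    """Validate a proposed IPv4 VCN CIDR. Returns (errors, warnings) as two lists.

    `existing` holds CIDRs already in use by this VCN, by peered VCNs and by
    on-premises networks; overlap with any of them is an error.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this check covers IPv4 VCN CIDRs only")
    errors, warnings = [], []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        errors.append(f"prefix /{net.prefixlen} is outside /{MIN_PREFIX}-/{MAX_PREFIX}")
    for p in PROHIBITED:
        if net.overlaps(p):
            errors.append(f"overlaps OCI-reserved range {p}")
    for other in existing:
        o = ipaddress.ip_network(other, strict=True)
        if net.overlaps(o):
            errors.append(f"overlaps existing CIDR {o}")
    # RFC 1918 space is recommended, not required, so this is only a warning
    if not any(net.subnet_of(r) for r in RFC1918):
        warnings.append("not inside an RFC 1918 range (allowed, but not recommended)")
    return errors, warnings


def subnet_addresses(cidr):
    """Apply the three per-subnet reservations: network, default gateway
    (first host address) and broadcast. Everything in between is usable."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > MAX_PREFIX:
        raise ValueError("subnet smaller than /30 leaves no usable addresses")
    return {
        "network": str(net.network_address),
        "gateway": str(net.network_address + 1),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(net.network_address + 2),
        "last_usable": str(net.broadcast_address - 1),
        "usable_count": net.num_addresses - 3,
    }


if __name__ == "__main__":
    # Constructed inputs: a new VCN next to an existing peered VCN
    print(check_vcn_cidr("10.0.0.0/16", existing=["10.1.0.0/16"]))
    print(check_vcn_cidr("10.0.0.0/8"))
    print(subnet_addresses("10.0.1.0/24"))
```

Running `subnet_addresses("10.0.1.0/24")` reproduces the table above (gateway 10.0.1.1, 253 usable addresses), and `check_vcn_cidr` flags a /8, any overlap with a peered CIDR, and any intrusion into the 169.254.0.0/16, 224.0.0.0/4 or 240.0.0.0/4 ranges before you try to create the VCN.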
Regional Scope
A VCN resides in exactly one OCI region. It can span all availability domains (ADs) within that region, but cannot cross region boundaries. Cross-region connectivity requires a Dynamic Routing Gateway with Remote Peering Connections. (Networking Overview)
Default Components
Every VCN is created with three non-deletable default resources:
- Default route table (initially empty; rules can be added/modified)
- Default security list (pre-populated with essential rules; rules can be modified)
- Default DHCP options (standard configuration; can be modified)
You can create additional custom versions of each, but these defaults always exist and cannot be removed.
2. Subnets
Subnets are contiguous ranges of IP addresses within a VCN. Each subnet is associated with exactly one route table, one set of DHCP options, and one or more security lists. (Networking Overview)
Public vs. Private
| Attribute | Public Subnet | Private Subnet |
|---|---|---|
| Public IPv4 addresses | Allowed | Prohibited |
| IPv6 GUA internet access | Allowed (via IGW) | Blocked |
| Default at creation | Yes | Must explicitly select private |
| Typical workloads | Web servers, load balancers, bastion hosts | Databases, app servers, internal services |
Exam trap: The public/private flag is set at subnet creation and is immutable. A subnet cannot be changed from public to private (or vice versa) afterwards, so this decision must be made at design time.
Regional vs. AD-Specific
| Attribute | Regional Subnet | AD-Specific Subnet |
|---|---|---|
| Scope | Entire region (all ADs) | Single availability domain |
| Flexibility | Resources in any AD can use it | Resources must be in that specific AD |
| Oracle recommendation | Preferred | Legacy; use only if required |
| Coexistence | Both types can exist in the same VCN | Both types can exist in the same VCN |
Exam trap: Oracle strongly recommends regional subnets. AD-specific subnets still exist for backward compatibility but offer no advantage for new deployments. The exam may present scenarios where an AD-specific subnet unnecessarily constrains resource placement.
3. IPv6 Addressing
OCI supports dual-stack VCNs with IPv4 and IPv6. IPv4 is always required; IPv6 is optional and additive. Once IPv6 is enabled on a VCN, it cannot be disabled. (IPv6 Addresses)
IPv6 Prefix Types
| Type | Prefix Size | Assigned By | Internet Routable | Use Case |
|---|---|---|---|---|
| Oracle-Allocated GUA | /56 (fixed) | Oracle | Yes (public subnet only) | Internet-facing resources |
| BYOIPv6 | /48 minimum to VCN; /64 minimum per assignment | Customer | Yes (public subnet only) | Existing IPv6 address space |
| ULA | /64 minimum | Customer (fd00::/7 range) | Never | Internal-only communication |
Subnet IPv6 Rules
- All IPv6-enabled subnets are exactly /64 in size (fixed, cannot change)
- A subnet can have only one IPv6 prefix
- Addresses are reserved per IPv6 subnet (exact count varies; consult OCI documentation for current reservation rules)
- IPv6 can be added to existing IPv4-only subnets
- A VCN can mix IPv4-only and dual-stack subnets
IPv6 Internet Access Model
Unlike IPv4, where you attach a separate public IP to an instance, IPv6 internet access depends on the address type and the subnet's public/private flag:
| Address Type | Public Subnet | Private Subnet |
|---|---|---|
| GUA | Internet-routable (inbound + outbound) | Not internet-routable |
| ULA | Internal only | Internal only |
There is no concept of a separate "public IPv6 address" that you attach. The GUA address itself is the public address when the subnet is public.
IPv6 Gateway Support
| Gateway | IPv6 Support |
|---|---|
| Internet Gateway | Yes |
| NAT Gateway | No |
| Service Gateway | No |
| Local Peering Gateway | Yes |
| DRG (FastConnect/VPN) | Yes |
Exam trap: NAT Gateway and Service Gateway do not support IPv6. If a question describes a private subnet needing outbound IPv6 internet access, NAT Gateway is not the answer. IPv6 private subnets simply cannot reach the internet.
IPv6 Limits
| Resource | Limit |
|---|---|
| IPv6 prefixes per VCN | 16 |
| IPv6 address objects per VNIC | 32 |
| IPv6 route rules per route table | 50 |
| IPv6 ingress rules per security list | 50 |
| IPv6 egress rules per security list | 50 |
| IPv6 rules per NSG | 16 total |
| IPv6 DNS hostname support | Not supported |
4. VCN Gateways
Gateways are the access points that connect a VCN to destinations outside it. Each gateway type serves a specific connectivity purpose. (Networking Overview)
Gateway Comparison Table
| Gateway | Direction | Connects To | Key Constraint |
|---|---|---|---|
| Internet Gateway (IGW) | Bidirectional | Public internet | Requires public subnet + public IP (IPv4) or GUA (IPv6) |
| NAT Gateway | Outbound only | Public internet | Private subnet; masks internal IPs; IPv4 only |
| Service Gateway (SGW) | Bidirectional | Oracle Services Network | No internet exposure; IPv4 only; uses service CIDR labels |
| Local Peering Gateway (LPG) | Bidirectional | Another VCN in same region | One LPG per peering relationship; CIDRs must not overlap |
| Dynamic Routing Gateway (DRG) | Bidirectional | On-premises, other regions, other VCNs | Virtual router; attachable to multiple VCNs; required for VPN/FastConnect |
Internet Gateway (IGW)
Provides bidirectional internet access for public subnets. All five conditions must be met: IGW exists and is enabled, instance is in a public subnet, instance has a public IP (IPv4) or GUA (IPv6), route table directs 0.0.0.0/0 (or ::/0) to IGW, and security rules permit the traffic.
NAT Gateway
Provides outbound-only internet access from private subnets. Instances share the gateway's public IP; connections initiated from the internet are blocked. IPv4 only.
Service Gateway (SGW)
Private access to Oracle services (Object Storage, Autonomous Database, etc.) without traversing the internet. Traffic stays on OCI's backbone. You select a service CIDR label (e.g., "All OCI Services in Oracle Services Network"). IPv4 only.
Exam trap: The SGW still uses public endpoint URLs for Oracle services, but the traffic path is private. Do not confuse the endpoint address being public with the traffic routing over the internet.
Local Peering Gateway (LPG)
Peers two VCNs within the same region via private IPs. Each side needs its own LPG. CIDRs must not overlap. IAM requires both local-peering-from and local-peering-to permissions.
Dynamic Routing Gateway (DRG)
A virtual router that acts as the hub for hybrid and multi-VCN connectivity. Supports Site-to-Site VPN (IPSec tunnels), FastConnect (dedicated private connection), Remote Peering Connections (cross-region VCN peering), hub-and-spoke topologies, and transit routing. A DRG can attach to multiple VCNs and can be detached and reattached.
5. Endpoints
Private Endpoints
A private endpoint is a VNIC in your VCN that provides private IP access to a specific OCI service resource. Each private endpoint maps to exactly one resource (e.g., one Autonomous Database instance = one private endpoint). The service manages the VNIC; you manage the subnet and security rules. (Private Access)
| Aspect | Private Endpoint | Service Gateway |
|---|---|---|
| Scope | Single resource | Multiple services |
| Number needed | One per resource | One per VCN |
| Address type | Private IP in your VCN | Public endpoint (private path) |
| DNS | FQDN (optional) | Service CIDR labels |
Private endpoints are accessible from peered VCNs and from on-premises networks (via transit routing). On-premises access requires DNS resolution that maps the FQDN to the private IP.
Private Service Access (PSA) Endpoints
Similar to private endpoints: dedicated private IP and FQDN in your VCN subnet. Supports IPv4-only and dual-stack. Limit: one PSA endpoint per VCN per service.
Customer-Premises Equipment (CPE)
A CPE object represents the on-premises router or firewall that terminates your IPSec VPN tunnels. It is configured with the device's public IP address and IKE identifier, which OCI uses to establish Site-to-Site VPN connections through the DRG.
Object Storage Endpoints
Object Storage can be reached three ways, each with different network paths:
| Access Method | Endpoint Type | Network Path |
|---|---|---|
| Public endpoint | https://objectstorage.{region}.oraclecloud.com | Over the internet |
| Service Gateway | Same public endpoint URL | Private (OCI backbone only) |
| Private endpoint | Private IP in your VCN | Private (VCN-local) |
Exam trap: The Service Gateway still uses the public Object Storage endpoint URL, but the traffic routes privately through OCI's backbone. The URL does not determine the network path; the route table rules do.
6. Route Tables
Each subnet is associated with exactly one route table. Route tables contain rules that direct traffic destined for addresses outside the VCN to the appropriate gateway. (Networking Overview)
Key Behaviors
- Default route table: Created with VCN, initially empty, cannot be deleted
- Custom route tables: Can create additional tables and assign to subnets
- Intra-VCN traffic: Always routed directly (local routing), never needs a route rule
- Rule structure: Destination CIDR + Target gateway (e.g., 0.0.0.0/0 to IGW)
- Most-specific match: When multiple rules match, the most specific CIDR wins
- No explicit deny: If no rule matches, traffic is dropped (implicit deny for traffic leaving the VCN)
Common Route Table Patterns
| Destination | Target | Purpose |
|---|---|---|
| 0.0.0.0/0 | Internet Gateway | Default route for public internet |
| 0.0.0.0/0 | NAT Gateway | Default route for private subnet outbound |
| Oracle Services CIDR | Service Gateway | Access to OCI services privately |
| 10.1.0.0/16 | Local Peering Gateway | Traffic to peered VCN |
| 172.16.0.0/12 | DRG | Traffic to on-premises network |
| ::/0 | Internet Gateway | IPv6 default internet route |
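The three route-table behaviours that matter most on the exam (intra-VCN traffic is always local, the most specific CIDR wins, and unmatched traffic leaving the VCN is dropped) can be modelled in a few lines. The following is an added example, not an OCI tool or API; `route_lookup` and the sample tables are my own, and the VCN prefixes and targets are constructed to mirror the patterns in the table above.

```python
import ipaddress


def route_lookup(dest_ip, vcn_cidrs, route_rules):
    """Resolve where a packet leaving a VNIC is sent.

    vcn_cidrs:   the VCN's own CIDRs; destinations inside them are routed
                 locally and never consult the route table.
    route_rules: list of (destination_cidr, target) tuples from one route table.
    Returns "LOCAL", the target of the most specific matching rule, or None
    when no rule matches (the packet is dropped: implicit deny).
    """
    ip = ipaddress.ip_address(dest_ip)
    for c in vcn_cidrs:
        net = ipaddress.ip_network(c)
        if net.version == ip.version and ip in net:
            return "LOCAL"
    best = None
    for cidr, target in route_rules:
        net = ipaddress.ip_network(cidr)
        if net.version != ip.version or ip not in net:
            continue
        # Longest prefix wins when several rules cover the destination
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, target)
    return best[1] if best else None


# Constructed sample VCN: IPv4 CIDR plus a documentation-range IPv6 prefix
VCN_CIDRS = ["10.0.0.0/16", "2001:db8:1::/56"]

# Route table for a private subnet, mirroring the patterns in this guide
PRIVATE_SUBNET_ROUTES = [
    ("0.0.0.0/0", "NAT Gateway"),
    ("10.1.0.0/16", "Local Peering Gateway"),
    ("172.16.0.0/12", "DRG"),
    ("172.16.5.0/24", "Local Peering Gateway"),  # more specific than the /12 above
]

# Route table for a public subnet: IPv4 and IPv6 default routes to the IGW
PUBLIC_SUBNET_ROUTES = [
    ("0.0.0.0/0", "Internet Gateway"),
    ("::/0", "Internet Gateway"),
]


if __name__ == "__main__":
    for dest in ("10.0.5.9", "10.1.2.3", "172.16.5.1", "172.16.6.1", "8.8.8.8", "2001:db8::1"):
        print(f"{dest:>14} -> {route_lookup(dest, VCN_CIDRS, PRIVATE_SUBNET_ROUTES)}")
```

Note what the private-subnet table does with an IPv6 destination outside the VCN: there is no `::/0` rule pointing at a NAT Gateway because NAT Gateways do not support IPv6, so the lookup returns `None` and the packet is dropped, which is exactly the exam trap from the IPv6 section.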
7. DHCP Options
DHCP options control certain network configuration provided to instances at boot. Each subnet uses one set of DHCP options. (Networking Overview)
The two configurable settings:
| Setting | Options | Default |
|---|---|---|
| DNS Type | Internet and VCN Resolver (OCI-managed) or Custom Resolver (your DNS servers) | Internet and VCN Resolver |
| Search Domain | Domain name appended to unqualified hostnames | VCN domain name |
Exam trap: DHCP options only control DNS resolver type and search domain. They do not control IP addressing (OCI manages that), default gateway, or MTU.
8. Security Lists vs. Network Security Groups
OCI provides two virtual firewall mechanisms. Both use security rules with identical syntax but differ in scope and management. (Security Rules)
Comparison
| Attribute | Security Lists | Network Security Groups (NSGs) |
|---|---|---|
| Applies to | All VNICs in associated subnet | Only VNICs explicitly added to the NSG |
| Max per resource | 5 security lists per subnet | 5 NSGs per VNIC |
| Max per VCN | 300 | 1,000 |
| Rules per resource | 200 ingress + 200 egress per list | 120 total (ingress + egress combined) per NSG |
| Source/destination types | CIDR, Service CIDR label | CIDR, Service CIDR label, or another NSG |
| Default created with VCN | Yes (one default security list) | No |
| Oracle recommendation | Use for VCN-wide baseline rules | Preferred for application-specific rules |
Stateful vs. Stateless Rules
| Attribute | Stateful (Default) | Stateless |
|---|---|---|
| Connection tracking | Yes | No |
| Return traffic | Automatically allowed | Must create explicit rule in opposite direction |
| Use case | General purpose | High-volume traffic (avoids tracking table exhaustion) |
| Precedence | Loses to stateless if both match | Wins over stateful if both match |
Exam trap: When a packet matches both a stateful and a stateless rule in the same direction, the stateless rule takes precedence and connection tracking is disabled for that flow.
Combined Behavior
When both apply to a VNIC, a packet is allowed if any rule in any associated list or group permits it (OR logic). Exception: if ZPR is active, traffic must also satisfy ZPR policies (AND logic across all three).
Traffic to/from 169.254.0.0/16 (iSCSI, instance metadata) is exempt from security rules.
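To make the stateful/stateless precedence rule, the OR logic across security lists and NSGs, and the 169.254.0.0/16 exemption concrete, here is an added example in Python that evaluates a request packet and its reply against a set of rules. It is not OCI's evaluation engine or any Oracle code; the rule and packet dictionaries, `evaluate_packet`, `evaluate_flow` and the sample SSH flow are constructed for illustration.

```python
import ipaddress

# Instance metadata / iSCSI range: exempt from security rules
METADATA_RANGE = ipaddress.ip_network("169.254.0.0/16")


def _port_in(port_range, port):
    """None means 'all ports'."""
    return port_range is None or port_range[0] <= port <= port_range[1]


def rule_matches(rule, pkt):
    """rule: dict(direction, cidr, protocol, stateless, dst_ports=None, src_ports=None)
    pkt:  dict(direction, src, dst, protocol, sport, dport)
    For ingress rules the CIDR is the packet source; for egress, the destination."""
    if rule["direction"] != pkt["direction"]:
        return False
    if rule["protocol"] != "all" and rule["protocol"] != pkt["protocol"]:
        return False
    peer = pkt["src"] if pkt["direction"] == "ingress" else pkt["dst"]
    if ipaddress.ip_address(peer) not in ipaddress.ip_network(rule["cidr"]):
        return False
    return _port_in(rule.get("dst_ports"), pkt["dport"]) and _port_in(rule.get("src_ports"), pkt["sport"])


def evaluate_packet(pkt, security_lists, nsgs):
    """Returns (allowed, tracked).

    A packet is allowed if ANY rule in ANY associated security list or NSG
    matches (OR logic). If any matching rule is stateless, connection tracking
    is switched off for that flow: stateless wins over stateful.
    """
    if any(ipaddress.ip_address(pkt[k]) in METADATA_RANGE for k in ("src", "dst")):
        return True, False
    matched = [r for group in list(security_lists) + list(nsgs) for r in group if rule_matches(r, pkt)]
    if not matched:
        return False, False
    return True, not any(r["stateless"] for r in matched)


def evaluate_flow(request, response, security_lists, nsgs):
    """Returns (request_allowed, response_allowed).

    With a tracked (stateful) flow the reply is allowed automatically. With a
    stateless flow the reply needs its own matching rule in the opposite direction.
    """
    ok, tracked = evaluate_packet(request, security_lists, nsgs)
    if not ok:
        return False, False
    if tracked:
        return True, True
    resp_ok, _ = evaluate_packet(response, security_lists, nsgs)
    return True, resp_ok


# Constructed sample flow: SSH from an admin host (203.0.113.5) to an instance, and its reply
SSH_REQUEST = dict(direction="ingress", src="203.0.113.5", dst="10.0.1.10", protocol="tcp", sport=51000, dport=22)
SSH_REPLY = dict(direction="egress", src="10.0.1.10", dst="203.0.113.5", protocol="tcp", sport=22, dport=51000)

# Constructed rules
STATEFUL_SSH = dict(direction="ingress", cidr="203.0.113.0/24", protocol="tcp", stateless=False, dst_ports=(22, 22))
STATELESS_SSH = dict(direction="ingress", cidr="203.0.113.0/24", protocol="tcp", stateless=True, dst_ports=(22, 22))
STATELESS_SSH_REPLY = dict(direction="egress", cidr="0.0.0.0/0", protocol="tcp", stateless=True, src_ports=(22, 22))


if __name__ == "__main__":
    print("stateful list only:           ", evaluate_flow(SSH_REQUEST, SSH_REPLY, [[STATEFUL_SSH]], []))
    print("stateless list, no reply rule:", evaluate_flow(SSH_REQUEST, SSH_REPLY, [[STATELESS_SSH]], []))
    print("stateful list + stateless NSG:", evaluate_flow(SSH_REQUEST, SSH_REPLY, [[STATEFUL_SSH]], [[STATELESS_SSH]]))
```

The third case is the exam trap: a stateful rule in the security list and a stateless rule for the same traffic in an NSG both match the SSH request, so tracking is disabled and the reply is dropped unless an explicit egress rule allows it, even though the stateful rule on its own would have let the reply through.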
Exam Traps Summary
| Trap | Correct Answer |
|---|---|
| VCN CIDR size range | /16 to /30 (not /8 or /32) |
| Subnet public/private change after creation | Not allowed; immutable at creation |
| NAT Gateway + IPv6 | Not supported |
| Service Gateway + IPv6 | Not supported |
| IPv6 subnet prefix size | Always /64 (fixed) |
| IPv6 disabled after enabling | Cannot be disabled |
| Service Gateway traffic path | Private (OCI backbone), despite using public endpoint URL |
| DHCP options scope | DNS resolver type and search domain only |
| Stateful vs stateless precedence | Stateless wins when both match |
| Security list + NSG logic | Union (OR); packet allowed if any rule permits |
| IPv6 DNS hostname | Not supported for IPv6 addresses |
| Regional vs AD-specific subnets | Oracle recommends regional; AD-specific is legacy |