Domain 2: Plan and Design OCI Networking Solutions and App Services (20%)
Domain 2 of the 1Z0-1124-25 Oracle Cloud Infrastructure 2025 Networking Professional exam covers IP address management, load balancing, DNS services, and traffic management steering policies. At 20% of the exam this domain accounts for approximately 10 questions out of 50 (90 minutes, 68% passing score). This is the second-largest domain and tests your ability to design and plan networking solutions using OCI application services.
1. IP Address Management
Public IP Addresses: Ephemeral vs. Reserved
Every instance that needs direct internet access requires a public IP address assigned to its VNIC's private IP object. OCI provides two types with fundamentally different lifecycle behavior. (Public IP Addresses)
| Characteristic | Ephemeral | Reserved |
|---|---|---|
| Assignment target | Primary private IP only | Primary or secondary private IP |
| Per-VNIC limit | 1 | 65 |
| Per-instance limit | 2 (VM), 16 (bare metal) | 2 (VM), 16 (bare metal) |
| Regional limit | N/A | 50 per region |
| Scope | Availability domain | Regional (any AD in region) |
| Lifetime | Tied to private IP lifetime | Persists until explicitly deleted |
| On instance termination | Automatically deleted | Remains in pool, can be reassigned |
| Cross-resource movement | Cannot move | Can move to any private IP in same region |
| Compartment | Same as private IP | Can differ from private IP |
Exam traps:
- You cannot convert an ephemeral public IP to a reserved public IP with the same address. You must delete the ephemeral and create a new reserved IP (different address).
- An ephemeral IP remains assigned when an instance is stopped but is deleted when the instance is terminated.
- An instance in a public subnet gets an ephemeral public IP by default at launch unless you explicitly disable it.
- All four requirements must be met for internet access: public subnet, public IP, internet gateway, and correct route table + security list rules.
Resources That Always Get Public IPs
NAT gateways and public load balancers automatically receive public IPs. For both, you can choose ephemeral (default) or reserved. NAT gateways also support BYOIP public IP pools. (Public IP Addresses)
BYOIP (Bring Your Own IP)
BYOIP lets you import your own public IPv4 CIDR blocks and IPv6 prefixes into OCI so that resources use addresses you already own. This preserves IP reputation and avoids renumbering during cloud migrations. (BYOIP)
BYOIP Limits
| Parameter | Limit |
|---|---|
| IPv4 CIDR block size | Minimum /24, maximum /8 |
| IPv6 prefix size | Minimum /48 |
| BYOIPv6 prefixes per VCN | 5 |
| IPv6 prefixes per subnet | 3 |
| Total BYOIP imports per tenancy | 20 (IPv4 + IPv6 combined) |
| Availability | Not available on Free Tier |
Supported RIRs and Required Statuses
| RIR | Required Registration Status |
|---|---|
| ARIN | Direct Allocation, Direct Assignment |
| RIPE NCC | ALLOCATED PA, LEGACY, ASSIGNED PI, ALLOCATED-BY-RIR |
| APNIC | ALLOCATED PORTABLE, ASSIGNED PORTABLE |
Oracle's commercial cloud BGP ASN is 31898 (Serbia Central uses 14544). You must know this number for the exam. (BYOIP)
BYOIP Import Process (7 Steps)
- Request import in a compartment (specify IPv4 CIDR or IPv6 prefix).
- Receive verification token from Oracle (format:
OCITOKEN::<cidrBlock>:<validationToken>). - Add token to RIR account -- ARIN: Public Comments field; RIPE NCC:
descrfield; APNIC:remarksfield via email. Allow up to 1 day for propagation. - Create Route Origin Authorization (ROA) with your RIR authorizing Oracle's BGP ASN 31898. Set expiry at least 6 months in the future.
- Request Oracle to complete import -- Oracle validates ownership. Takes up to 10 business days.
- Provisioning -- Oracle provisions addresses to your compartment.
- Manage resources -- For IPv4: add to public IP pools, then reserve IPs from pools. For IPv6: assign prefixes directly to VCNs (no IP pool step needed).
After provisioning, you must explicitly advertise the BYOIP CIDR block before it is reachable from the internet. Advertising uses Oracle's BGP ASN. You can withdraw advertisement at any time, but withdrawal does not remove the block from your tenancy -- you must delete it separately. (BYOIP)
Exam traps:
- BYOIP addresses are regional -- they can only be imported to a specific OCI region and cannot span regions.
- The same address range cannot be imported to more than one compartment simultaneously.
- IP addresses with malicious behavior history will be rejected by Oracle.
- The token must be attached to the address range information at the RIR, not the organization information.
- IPv4 requires public IP pools as an intermediary; IPv6 is assigned directly to VCNs.
BYOIP Lifecycle States
| State | Meaning |
|---|---|
| CREATING | Import requested, validation pending |
| PROVISIONED | Ready for use, can be advertised |
| ACTIVE | Currently advertised to the internet |
| FAILED | Validation failed |
Only CREATING, PROVISIONED, ACTIVE, or FAILED states allow deletion.
IP Address Insights
IP Address Insights is a new OCI capability (added in the 2025 exam) that provides visibility into public IP address usage across your tenancy. It helps identify unused, underutilized, or misconfigured public IP addresses.
| Capability | Detail |
|---|---|
| Scope | All public IP addresses in the tenancy (reserved, ephemeral, BYOIP) |
| Visibility | Which resource each IP is assigned to, assignment state, compartment |
| Unused IP detection | Identifies reserved IPs not assigned to any resource |
| Integration | Works with OCI Network Command Center |
| Access | Console: Networking > IP Management > IP Address Insights |
Key use cases:
- Cost optimization: Find and release reserved public IPs that are allocated but not assigned to any resource (you are billed for unattached reserved IPs)
- Security audit: Identify all public-facing IP addresses across the tenancy for attack surface review
- Migration planning: Inventory existing public IPs before cloud migration or VCN restructuring
- Compliance: Document which resources have public internet exposure
Exam trap: Reserved public IPs incur charges whether or not they are assigned to a resource. IP Address Insights helps identify these "orphaned" IPs that should be released to reduce cost.
2. OCI Load Balancing
OCI provides two load balancing services with different operating layers, protocols, and use cases. Understanding which to use is a core exam topic.
Flexible Load Balancer (Layer 7)
The Flexible Load Balancer operates as a reverse proxy at Layer 7 (HTTP/HTTPS) and Layer 4 (TCP). It terminates client connections and creates new connections to backend servers. (Load Balancer Overview)
Configuration Limits
| Resource | Limit |
|---|---|
| IPv4 addresses per LB | 1 |
| IPv6 addresses per LB | 1 |
| Backend sets | 16 |
| Backend servers per backend set | 512 |
| Backend servers total | 512 |
| Listeners | 16 |
| Virtual hostnames | 16 |
Shapes and Bandwidth
The Flexible Load Balancer uses a flexible shape where you specify minimum and maximum bandwidth:
| Parameter | Range |
|---|---|
| Minimum bandwidth | 10 Mbps |
| Maximum bandwidth | 8,000 Mbps (8 Gbps) |
| Maximum (hard ceiling) | 8 Gbps |
The minimum bandwidth guarantees instant capacity for normal traffic. The maximum bandwidth caps throughput during peaks, controlling cost. The maximum is optional -- if omitted, the LB can scale up to 8 Gbps. (Flexible Load Balancing)
Always Free tier: One load balancer instance limited to 10 Mbps.
Load Balancing Policies
| Policy | Algorithm | Best For |
|---|---|---|
| Round Robin (default) | Sequential rotation through backend list | Uniform-capacity backends, consistent request load |
| Least Connections | Routes to backend with fewest active connections | Uneven request processing times, varied backend capacity |
| IP Hash | Source IP hashed to select backend | Client affinity without cookies; same client always hits same backend |
All three policies support weight assignment (1-100). A server weighted 3 receives three times the connections of a server weighted 1. (Load Balancer Policies)
Exam traps:
- IP Hash cannot use backup backend servers -- adding a backend marked as Backup to an IP Hash backend set is prohibited.
- With IP Hash, clients behind a NAT/proxy share the same source IP and all land on the same backend -- potential overload.
- For TCP connections: the policy selects the backend for the initial request; all subsequent packets on that connection go to the same backend regardless of policy.
- Cookie-based session persistence overrides the load balancing policy for sticky sessions.
SSL Handling (Three Modes)
| Mode | Client-to-LB | LB-to-Backend | Use Case |
|---|---|---|---|
| SSL Termination (Frontend SSL) | Encrypted (HTTPS) | Unencrypted (HTTP) | Offload SSL processing from backends |
| Backend SSL | Unencrypted (HTTP) | Encrypted (HTTPS) | Encrypt internal traffic only |
| End-to-End SSL (Point-to-Point) | Encrypted (HTTPS) | Encrypted (HTTPS) | Full encryption, compliance requirements |
Certificate requirements: PEM format only (x.509), minimum 2048-bit RSA key length. The load balancer does not generate certificates -- it only imports them. Supports single-domain, SAN (multi-domain), wildcard, and self-signed certificates. (Managing SSL Certificates)
Mutual TLS (mTLS) requires a private CA from the OCI Certificates service (not user-uploaded) and a CA bundle. Peer certificate verification depth: depth 1 = client cert + root cert; depth 2 = one intermediate + client cert + root cert.
Session Persistence
Two mutually exclusive cookie-based methods: (Session Persistence)
| Feature | Application Cookie Stickiness | Load Balancer Cookie Stickiness |
|---|---|---|
| Who creates the cookie | Backend application | Load balancer |
| Use when | Backend can generate cookies | Backend cannot generate cookies |
| Configuration | Specify cookie name to match | Cookie name (default X-Oracle-BMC-LBS-Route), domain, path, max-age, secure, HttpOnly |
| Disable fallback option | Yes | Yes |
| Fallback disabled behavior | HTTP 502 when original backend unavailable | HTTP 502 when original backend unavailable |
Exam trap: When disable fallback is enabled and the original backend is unavailable, the load balancer returns HTTP 502 to every request carrying the persistent session cookie until the client stops sending it. A cookie with a distant future expiration date can cause prolonged client outages.
Backend servers in drain state continue to serve existing persistent sessions but reject new non-persisted requests.
Request Routing
The Flexible Load Balancer supports five routing mechanisms that can be combined:
- Virtual Hostnames -- route based on the
Hostheader (hostname-based routing) - Routing Policies -- named, ordered list of routing rules applied to a listener
- Path Route Sets -- URL path-based routing to different backend sets
- Rule Sets -- actions applied to listener traffic (header manipulation, URL redirects)
- Virtual Hostname + Path Route combinations -- sophisticated multi-tier routing
Path route rules take precedence over session persistence when selecting a target backend set.
Public vs. Private Load Balancers
| Attribute | Public LB | Private LB |
|---|---|---|
| Accessibility | Internet-facing | VCN-internal only |
| Subnet type | Public (1 regional or 2 AD-specific) | Private (1 subnet) |
| Private IPs consumed | 2 (primary + standby) | 3 (primary + standby + floating) |
| HA in multi-AD regions | Primary/standby in different ADs | Primary/standby in same subnet (regional = failover capable) |
| IPv6 | Supported | Supported (no global routing for private) |
Network Load Balancer (Layer 3/4)
The Network Load Balancer (NLB) operates as a pass-through (non-proxy) solution at Layer 3/Layer 4. It preserves source and destination IP addresses and port information -- the backend sees the real client IP. (Network Load Balancer Overview)
Key NLB Specifications
| Specification | Value |
|---|---|
| Default concurrent connections per AD | 330,000 |
| Multi-AD regions (3 ADs) default | 1,000,000 concurrent connections |
| Maximum throughput | Exceeds 8 Gbps (no fixed cap) |
| Bandwidth configuration | None required -- elastically scalable |
| Supported protocols | TCP, UDP, ICMP, IP |
| Always Free tier | Available |
Flexible LB vs. Network LB Comparison
This table is the single most important reference for load balancer exam questions:
| Feature | Flexible Load Balancer | Network Load Balancer |
|---|---|---|
| OSI Layer | Layer 7 (HTTP/HTTPS) + Layer 4 (TCP) | Layer 3/4 (TCP/UDP/ICMP/IP) |
| Proxy model | Reverse proxy | Pass-through (non-proxy) |
| Maximum throughput | 8 Gbps | Exceeds 8 Gbps |
| Bandwidth configuration | Flexible shape (10-8000 Mbps) | Automatic, elastic |
| SSL termination | Yes | No |
| HTTP/HTTPS routing | Yes (path, hostname, header, rule sets) | No |
| UDP support | No | Yes |
| ICMP support | No | Yes |
| Source IP preservation | No (proxy rewrites source) | Yes |
| Cookie-based persistence | Yes (application + LB cookies) | No (IP-based only) |
| Web Application Firewall | Yes | No |
| gRPC support | Yes | No |
| Session persistence | IP-based + HTTP cookie-based | IP-based (flow-level) |
| Connection duration | Short-lived HTTP requests | Long-running (days/months) |
| Always Free tier | 1 instance at 10 Mbps | Available |
| Best for | Web apps, APIs, SSL offloading | Network appliances, VoIP, IoT, trading, databases |
Exam decision framework: Use the Flexible LB when you need HTTP features (SSL termination, URL routing, cookies, WAF). Use the NLB when you need raw Layer 4 performance, UDP, source IP preservation, or long-lived connections.
Exam traps:
- NLB preserves source IP -- this means security lists and NSGs on backends must allow the client's actual IP, not the load balancer's IP.
- NLB has no bandwidth configuration knob -- it scales elastically. The Flexible LB requires you to set min/max bandwidth.
- Only the Flexible LB supports SSL termination. If the question mentions SSL offloading, the answer is Flexible LB.
- Only the NLB supports UDP and ICMP. Any question involving DNS load balancing (UDP port 53) or health probes (ICMP) points to NLB.
3. OCI DNS Service
Public DNS
OCI DNS provides authoritative DNS hosting for publicly registered domain names. Public zones are only available in the OC1 commercial realm. OCI is not a domain registrar -- you must register domains with a third-party registrar and delegate to OCI nameservers. (DNS Zone Management)
Public DNS Limits
| Resource | Limit |
|---|---|
| Zones per account | 1,000 |
| Records per zone | 25,000 |
| Zone file upload size | 1 MB per file |
Key Concepts
| Concept | Definition |
|---|---|
| Domain | Complete delegated portion of DNS tree (e.g., example.com) |
| Zone | Portion of namespace defined by SOA record; contains all labels underneath |
| Label | Prefix prepended to zone name (e.g., www in www.example.com) |
| Child Zone | Independent subdomain with its own SOA and NS records |
| Delegation | NS records on parent zone pointing to child zone's nameservers |
OCI normalizes Internationalized Domain Names (IDNs) to Punycode format (RFC 3492). Requests can use IDNs but responses always return Punycode.
Private DNS
Private DNS provides hostname resolution for applications within and between VCNs without exposing records to the internet. (Private DNS)
Private DNS Architecture
Every VCN automatically gets a dedicated private DNS resolver at creation, listening on 169.254.169.254. This resolver and its default view are protected resources managed by Oracle that do not count toward service limits.
| Component | Description |
|---|---|
| Private Zone | DNS zone accessible only from within a VCN |
| Private View | Collection of private zones; same zone name can appear in multiple views but must be unique within a single view |
| Resolver | Auto-created per VCN; serves DNS queries within the VCN |
| Default View | Auto-created with each resolver; evaluated last unless explicitly reordered |
DNS Resolution Evaluation Order
This is critical for the exam. The resolver evaluates in strict sequential order:
- Views -- each attached view is evaluated in order (default view evaluated last unless repositioned). First view providing an answer is used.
- Resolver rules -- evaluated in order. Only FORWARD rules are supported. First matching rule is applied.
- Internet resolution -- if no view or rule provides an answer, the query resolves to the internet.
After any answer is provided (even NXDOMAIN), evaluation stops. No further views or rules are checked. This is a frequently tested concept.
Resolver Endpoints
Two types of endpoints enable cross-VCN and hybrid DNS resolution:
| Endpoint Type | Direction | IP Addresses Consumed | Purpose |
|---|---|---|---|
| Listening | Ingress | 1 | Receives DNS queries from other VCNs or on-premises |
| Forwarding | Egress | 2 (one unused, one active) | Sends DNS queries to external DNS servers or other VCNs |
Critical constraint: Resolver endpoints must be in IPv4-only subnets. Creating endpoints in IPv6-enabled subnets will fail.
Required security rules for both endpoint types:
- UDP ingress/egress on port 53 (connectionless)
- TCP ingress/egress on port 53
Forwarding Rules
Forwarding rules support two condition types:
- clientAddressConditions -- match based on the client's IP address
- qnameCoverConditions -- match based on the query domain name (covers exact match AND all subdomains)
First match wins. Rules after a matching general rule are unreachable.
Common Private DNS Use Cases
| Use Case | How |
|---|---|
| Custom zones within a VCN | Add private zone to resolver's default view or create a new view |
| Split-horizon DNS | Same zone name in private view (VCN queries) and public DNS (internet queries) |
| Shared zones across VCNs | Add VCN A's default view to VCN B's resolver and vice versa |
| Cross-VCN resolution | Listening endpoint on target VCN, forwarding endpoint + forward rule on source VCN |
| On-premises integration | Forwarding endpoint + rule with on-premises server IP (requires FastConnect or IPSec VPN) |
Supported Private DNS Record Types
A, AAAA, CAA, CNAME, DNAME, MX, PTR, SRV, TXT. OCI auto-appends trailing dots to CNAME, DNAME, and MX RDATA values.
Exam trap: Traffic Management Steering Policies are only available for public DNS and are not supported on private DNS.
DNSSEC
DNSSEC provides cryptographic authentication for DNS responses. It verifies integrity and authenticity but does not encrypt DNS traffic. (DNSSEC)
DNSSEC Key Facts
| Parameter | Value |
|---|---|
| Signing algorithm | RSASHA256 |
| Key length | 256 bytes |
| Delegation algorithm | SHA256 |
| Signing method | Dynamic (inline) -- RRSIG and NSEC3 generated at query time |
| ZSK auto-rollover | Every 30 days |
| KSK auto-rollover | Annually |
| Maximum key versions per zone | 10 |
DNSSEC Setup (4 Steps)
- Enable DNSSEC on a new or existing zone.
- Create DS record on parent zone containing KSK digest information (manual step -- can be OCI zone or external provider).
- Promote the KSK to signal that the DS record exists.
- Create KSK rollover alarm for notification when new KSK versions are generated.
DNSSEC Constraints
- Not supported on private zones
- Not compatible with secondary egress (but works with secondary ingress)
- Compatible with ALIAS records, CNAME records, and Traffic Management
- Increases likelihood of TCP port 53 usage (larger response sizes fall back from UDP)
Exam trap: DNSKEY records are automatically managed by OCI, but DS records must be manually created and updated at the parent zone during setup and key rollovers. This is the most common DNSSEC failure point.
4. Traffic Management Steering Policies
Traffic Management uses DNS-based steering to direct traffic to endpoints based on health, geography, ASN, or IP prefix. It is only available for public DNS. (Traffic Management Overview)
Components
| Component | Purpose |
|---|---|
| Steering Policy | Framework defining traffic management behavior |
| Attachment | Links a steering policy to a zone/domain (max 1 per record type per domain) |
| Rules | Filter answers based on DNS request properties |
| Answers | DNS record data with metadata, weights, and health check associations |
Attachments occlude all underlying DNS records at the domain for the covered record type. This means the steering policy fully takes over DNS responses for that record type.
Five Steering Policy Types
| Policy Type | Mechanism | Use Case |
|---|---|---|
| Failover | Primary/secondary priority with health checks | Active-passive DR; primary unavailable triggers automatic switch to secondary |
| Load Balancer | Weight-based distribution with health checks | Distribute traffic across multiple endpoints; weighted ratios for gradual migration |
| Geolocation | Route by originating continent, country, or state/province (NA only) | Regional content delivery, data sovereignty, ring-fencing |
| ASN | Route by originating Autonomous System Number | Zero-rating, ISP-specific routing, commercial agreement enforcement |
| IP Prefix | Route by originating query IP prefix | Canary testing (internal vs. external), network-segment routing |
Traffic Management Limits
| Resource | Limit |
|---|---|
| Steering policies per tenancy | 100 |
| Attachments per tenancy | 1,000 |
How Each Policy Works
Failover: Monitors endpoint health via OCI Health Checks service. When the primary endpoint becomes unhealthy, DNS responses automatically switch to the secondary. Health check probes run continuously.
Load Balancer: Assigns weights to endpoints. Equal weights produce even distribution. Custom weights create ratio-based load balancing (e.g., 90/10 split for gradual cloud migration). Unhealthy endpoints are automatically removed from the response pool.
Geolocation: Define geographic regions by continent, country, or state/province. Each region maps to a different endpoint or endpoint set. Queries from undefined regions fall through to a default answer if configured.
ASN: Routes based on the BGP ASN of the DNS resolver making the query. Different ASNs map to different endpoint sets. Useful for ISP-specific routing or zero-rating agreements.
IP Prefix: Routes based on the IP prefix of the originating DNS query. Allows fine-grained control -- e.g., internal corporate IP ranges get the canary deployment while external IPs get the stable version.
Exam traps:
- Traffic Management is DNS-based only -- it is not a Layer 4 or Layer 7 load balancer. It steers at the DNS resolution level.
- Geolocation steering only supports state/province granularity in North America. Outside NA, the finest granularity is country.
- Steering policy attachments occlude underlying records. If you attach a policy to
www.example.comfor A records, all existing A records at that domain are hidden. - Traffic Management is public DNS only -- not supported on private DNS zones.
- Health checks are integrated with Failover and Load Balancer policies but are not applicable to Geolocation, ASN, or IP Prefix policies in the same way (those route based on request origin, not endpoint health).
5. Key Comparisons for the Exam
DNS-Based Steering vs. Load Balancer
| Aspect | Traffic Management Steering | Flexible / Network Load Balancer |
|---|---|---|
| Layer | DNS (pre-connection) | Layer 4 or Layer 7 (connection-level) |
| Granularity | Per DNS query | Per TCP/HTTP connection or request |
| TTL impact | Clients cache DNS response for TTL duration | Real-time per-connection decisions |
| Health check response | Remove from DNS answers (propagation delay) | Immediate connection rerouting |
| Best for | Geographic routing, DR failover, multi-region | Single-region backend distribution, SSL, HTTP routing |
Flexible LB SSL Modes Quick Reference
| Question Clue | Answer |
|---|---|
| "Offload SSL from backend servers" | SSL Termination (Frontend SSL) |
| "Encrypt traffic between LB and backends" | Backend SSL or End-to-End SSL |
| "Full encryption client to backend" | End-to-End SSL (Point-to-Point) |
| "SSL with NLB" | Not supported -- NLB does not terminate SSL |
IP Type Selection Quick Reference
| Scenario | IP Type |
|---|---|
| Temporary web server, standard instance | Ephemeral public IP |
| DR failover IP that survives instance termination | Reserved public IP |
| Move IP between instances in same region | Reserved public IP |
| Migrate existing public IP range to OCI | BYOIP |
| Internal-only application | Private IP (no public IP) |