Earlier this week I took the 1Z0-997 Oracle Cloud Infrastructure 2019 Certified Architect Professional exam. In this post I’ll share how I studied for the test and which areas I feel helped me pass the certification. I won’t be posting any questions or answers, but rather want to help you study for the exam.
First of all, the test is not easy! It really tests your knowledge of designing different solutions on OCI by giving you a couple of answers which are most likely wrong and a couple which seem correct. With each question you need to know whether you are designing for high availability, cost, security or some other requirement. So always check what design the question is after and then answer based on that; if the question is, for example, about cost, don’t pick the answer with the most complicated and expensive solution!
If you’ve taken the AWS Certified Architect Professional then the above might sound familiar, and yes, at times I felt I was doing that test with an Oracle twist. Not a bad thing though!
If you are planning to take this exam you need to have passed the OCI Certified Architect Associate exam beforehand. The exam blueprint currently lists the following areas:
- Plan and design solutions; implement and operate solutions
- Design, implement and operate databases
- Design for hybrid cloud architecture
- Migrate on-premises workloads to OCI
- Design for Security and Compliance
I got the understanding from Oracle that quite soon they will be providing sample questions and more information on each area relevant to the exam, including videos. This is really good, as I at least had trouble deciding which areas to concentrate on. As I’ve been working mostly with OCI over the past year I had a good basis to rely on, but I didn’t feel comfortable taking the test without deepening my knowledge.
In the end my study material was really simple. The official OCI documentation is really good and clear, so that was the main source I used. I also used the Technical White Papers section a lot and picked out several good papers to read.
You won’t need to know specific limits or versions in the test; the test is about knowing why one option is correct while the others are not, or why one option is better than the others. So don’t memorize limits, but rather try to understand whole concepts.
That’s why my studying was based more on questions than on trying to remember everything; for me it helps to get a better understanding of the services. I’ve tried to apply the same approach in this post, so what you will get is a lot of conceptual questions.
I started my studying with networking. This is something you need to know inside out so you will be able to determine which solution is correct in several cases. Understand the concepts of Regions, Availability Domains and Fault Domains. After that move on to connecting on-premises to OCI with VPN Connect or FastConnect: which one would you choose in which case, and how do you make the connection redundant? Also think about what is required to have a highly available connection towards the customer datacenter (think of CPEs). What different connection options are there for FastConnect, depending on whether you need to access Oracle services or your VCNs? How can I use the new Azure and OCI interconnect?
When you are building VCNs think about what they require, including Subnets, Route Tables, DHCP Options, Security Lists and Network Security Groups, and how you normally set them up. When thinking of routing, understand the concepts of the different gateways: Dynamic Routing Gateway (DRG), Local Peering Gateway (LPG), Service Gateway (SGW), Network Address Translation Gateway (NATGW) and Internet Gateway (IGW). When do you need which one? What makes a subnet private or public?
How do you set up transit routing, and what kind of routing rules do you need for it in the route table? When routing traffic from one VCN to another, think about what CIDR blocks you need to set so traffic flows correctly.
Virtual Network Interface Cards (VNICs) are also under the networking section; know what is needed when a VNIC requires a public IP address and what the lifecycle of each IP is. In what cases would you use multiple IP addresses or multiple VNICs?
DNS and Traffic Management is another important service related to migration and high availability solutions. What different DNS zones are there, how can you use them, and how does traffic management help with migrations? Can you, for example, route traffic to on-premises during a migration with traffic management? Think about the different rules which can be set up with traffic management!
The Networking Solutions section in the Technical White Papers has several good papers discussing different solutions which shouldn’t be overlooked. My picks for which ones to read:
- Virtual Cloud Network (VCN) Overview and Deployment Guide
- Connectivity Redundancy Guide
- IPSec VPN Best Practices
- NAT Instance Configuration: Enabling Internet Access for Private Subnets
- Encrypted FastConnect: Public Peering
After networking I went on to compute instances. They play a big role when you design different solutions, so you need to understand the differences between Bare Metal and Virtual Machine instances. What different kinds of instances are there in terms of shape and type? When would you use which one? What makes up a compute instance, and how do you use images with compute instances? How does one use images across different Regions?
How can you use the Marketplace together with images?
Auto scaling is another important concept which I studied a lot, including Instance Configurations and Instance Pools, which are part of the Compute service. I also refreshed my memory on the lifecycle of auto scaling instances: which instances get terminated first when a scale-in event happens? If you use a regional subnet, how are the instances balanced when a scaling event happens? What can trigger a scaling event, and what is the cool-down period?
Good Compute related whitepapers:
You could argue this is also part of networking, but it’s a wide and important topic so it’s best to take it as a separate area of study. I started with: what different types of load balancers are there? What happens when you deploy a load balancer in a single-AD region vs a multi-AD region? What are the differences between public and private load balancers? What components do you need to have a fully working load balancer service? When does your load balancer show a specific health status, and when would it change?
What about encryption? How do you apply a certificate to a load balancer, and what options do you have for terminating SSL when using a load balancer?
I also studied the OCI concepts of cookies, headers and session persistence with load balancers; I remembered these were important areas in the AWS certification, so I figured it wouldn’t be a bad idea to see how they are done in OCI.
How can you route different requests within a single listener? How do you distribute load to the backend servers? When does it make sense to use multiple listeners?
The Load Balancing whitepaper I found useful:
Since Block Volumes are so tightly related to Compute, I studied the differences between Boot Volumes and Block Volumes: especially what the difference is when you back up or clone one, how they can be used, and what actions are needed if you want to use a copy in a different Availability Domain or Region, for example. How many volumes can you attach to a single compute instance, and what options do you have when assigning disks (RAID, for example) to an instance?
When you look at backups: what kind of backup is taken of a block volume, what kind of retention time can you assign to it, and what happens when you delete a block volume?
There are other storage options as well, not just Block Volumes. They are all related in the sense that you need to be able to determine which storage is best for a specific case. Why would you choose File Storage over Object Storage? Should you use Storage Gateway for your migration, or does using Object Storage directly make more sense? What about low-cost Archive Storage: when do you prefer that over Object Storage, and what kind of functionality does Archive Storage have?
What is the structure of Object Storage? How do you manage buckets and objects? How can you restrict access to Object Storage, and what are pre-authorized URLs? How large a file can you upload to Object Storage, and when does it make sense to use multipart upload?
I grouped Data Transfer Service under storage as well, not only because you are moving data using storage, but because it’s always an option when discussing migration to the cloud. How long does it normally take to ship data over the Internet vs the Data Transfer Appliance? How much data can I ship using Data Transfer Service with the different options it has? Do I need to copy data from the Data Transfer appliance to OCI, or how does it become accessible?
A huge part of the exam studying! Oracle is all about databases, so I thought I needed to be prepared for this section.
Remember that there are different types of databases: Autonomous Databases, Virtual Machine, Bare Metal and Exadata databases. What are the differences between each? What different layers are there in an Exadata database system? What does a dedicated deployment mean, and what is a serverless deployment?
What different options do you have when you migrate an on-premises database to OCI? When can you use an export dump, and when do you need to use Data Guard? How can you access the databases?
How can you scale each type of database if needed, and how do you create a high availability configuration? Can you do that within an Availability Domain, or do you need to do it at the Region level?
What options do you have for backup, restore and cloning with each database service?
Good whitepapers I read on databases:
IAM & Security
Identity and Access Management (IAM) and Security is a wide topic which applies to all the areas I read about while studying. I wouldn’t take it as a separate part of study, but rather try to understand how Oracle has applied it to each service.
What concepts are there in IAM? Study users, groups, compartments (nested ones too!), dynamic groups and policies. How do you write group-specific policies for a user, and how are they applied to a nested group? Think about how you can do a larger organizational setup with policies so access is granted only to specific groups. And when do you use dynamic groups instead of saving your access keys on the server? How are policies applied across Regions when you assign them to a specific group and compartment? You can also transfer services to a different group; how does that impact policies?
What options do you have when you want to use federation to log in to OCI? Are there any cases when you can’t use federation? Look into the concepts of creating a federation between your company and OCI.
As I mentioned, I tried to apply security in my thinking whenever I was reading about a specific service. Questions that came to my mind were, for example: how are block volumes encrypted, and what about database encryption? What happens to encryption when you migrate a PDB from on-premises? Think of each service and its data: how is it handled at rest and in transit? What about networking services; how is data between on-premises and OCI handled?
Key Management Service: how do you use it? What options do you have with keys in OCI? When should you use your own keys instead of KMS? How can I encrypt Object Storage objects with my own keys?
My picks for Security whitepapers:
Study IAM properly, know advanced policies well, and know the structure of a policy when you write one!
I combined the rest of my studies under one group which consists of multiple services. The services I studied were:
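To make the policy structure concrete, here is an added example (my own code, not from the post or from Oracle) that parses policy statements of the documented shape "Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]", applies the verb hierarchy inspect < read < use < manage, checks whether a statement attached to a parent compartment covers a nested compartment path, and lints a policy for the grants a reviewer should question. The sample statements, group names and compartment names are constructed; the family-to-resource-type mapping (for example which types `instance-family` covers) is deliberately not modelled, so a resource matches only by exact name or via `all-resources`.

```python
"""Parse OCI IAM policy statements and flag over-broad grants.

Constructed example, not OCI code. Statement shape follows the documented
syntax: Allow <subject> to <verb> <resource-type> in <location> [where <conditions>].
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Verb hierarchy: each verb includes everything the ones below it allow.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

STATEMENT_RE = re.compile(
    r"""^allow\s+
        (?P<subject_type>group|dynamic-group|any-user|service)
        (?:\s+(?P<subject>.+?))?                  # comma-separated names; absent for any-user
        \s+to\s+
        (?P<verb>inspect|read|use|manage)\s+
        (?P<resource>[\w-]+)\s+
        in\s+(?P<location>tenancy|compartment\s+(?:id\s+)?\S+)
        (?:\s+where\s+(?P<conditions>.+))?$""",
    re.IGNORECASE | re.VERBOSE,
)


@dataclass(frozen=True)
class Statement:
    subject_type: str
    subjects: Tuple[str, ...]
    verb: str
    resource: str
    location: str          # normalised, e.g. "tenancy" or "compartment Dev:Project"
    conditions: Optional[str]
    text: str


def parse_statement(text: str) -> Statement:
    """Split one policy statement into its parts; raise on anything off-shape."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid policy statement: {text!r}")
    raw = m.group("subject")
    subjects = tuple(s.strip() for s in raw.split(",")) if raw else ()
    return Statement(
        subject_type=m.group("subject_type").lower(),
        subjects=subjects,
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        location=re.sub(r"\s+", " ", m.group("location")).strip(),
        conditions=m.group("conditions"),
        text=text.strip(),
    )


def covers_compartment(location: str, path: str) -> bool:
    """A statement at the tenancy or at a parent compartment applies to the whole subtree.
    Paths use the policy notation Parent:Child. OCID locations are not resolved here."""
    if location == "tenancy":
        return True
    target = location.split(" ", 1)[1]
    if target.startswith("id "):
        return False  # constructed limitation: no OCID-to-name lookup in this example
    return path == target or path.startswith(target + ":")


def grants(stmt: Statement, verb: str, resource: str, compartment_path: str) -> bool:
    """True if stmt allows `verb` on `resource` for a resource living at compartment_path."""
    resource_ok = stmt.resource in ("all-resources", resource.lower())
    verb_ok = VERB_RANK[stmt.verb] >= VERB_RANK[verb.lower()]
    return resource_ok and verb_ok and covers_compartment(stmt.location, compartment_path)


def lint(statements: List[Statement]) -> List[str]:
    """Grants a reviewer should question before the policy goes live."""
    findings = []
    for s in statements:
        if s.verb == "manage" and s.resource == "all-resources" and s.location == "tenancy":
            findings.append(f"tenancy-wide admin grant, keep to the admin group only: {s.text}")
        if s.subject_type == "any-user" and not s.conditions:
            findings.append(f"any-user grant with no where clause: {s.text}")
        if s.subject_type == "dynamic-group" and s.verb == "manage":
            findings.append(f"instance principals with manage verb, check the scope: {s.text}")
    return findings


# Constructed sample policy (names are made up).
SAMPLE_POLICY = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group Developers to use instance-family in compartment Dev:Project",
    "Allow group Developers, Auditors to inspect instances in compartment Dev",
    "Allow dynamic-group AppServers to read objects in compartment Dev:Project "
    "where target.bucket.name = 'app-config'",
    "Allow any-user to read buckets in compartment Dev",
]


def lint_policy(lines: List[str]) -> List[str]:
    return lint([parse_statement(line) for line in lines])


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

The last statement is the kind of thing the exam's design questions are after: it reads as harmless, but `any-user` with no `where` condition opens the buckets in that compartment to every principal in the tenancy, so the linter reports it alongside the tenancy-wide admin grant.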
- Container Engine & Registry
- Email Delivery
- Web Application Firewall
There is a lot of info on each, but I suspected these are needed for the exam, so I included them in my studying.
Services which link together are, for example, Events, Notifications and Email Delivery. Having set up the Events service and had an event triggered, you can send different kinds of notifications or launch functions. What options do you have with each, and how do they help you when you are building services? Which types of events are logged, and what different types of notifications can you send? Are there any restrictions with Email Delivery, and how can you enable email sending?
What kind of monitoring is available in OCI, and what kind of alerts can you set up?
What is the Streaming service, and when would you use it when handling data? Think about how much data you are reading and how you can consume it. How long is the data stored in a stream, and how big a chunk of data does one block contain?
When building a public service, when would you use the Web Application Firewall (WAF)? How can you configure it, and where do you place it when designing the service? What kind of rules can you set up with WAF?
What is audited in OCI, and what does an audit event look like? How long are audit logs stored before they are purged?
I also read about Container Engine & Registry. Get an overall understanding of the services, how they are connected and how you can use them. I purposely didn’t dive too deep into these, as I suspected they wouldn’t play a huge part in the exam.
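Since the post asks what an audit event looks like but does not show one, here is an added example of my own (not from the post or from Oracle) with hand-written Audit events in a trimmed-down version of the documented envelope (`eventType`, `eventTime`, `data.eventName`, `data.compartmentName`, `data.identity`, `data.request`, `data.response`) and a small detection pass over them: it reports successful calls to sensitive IAM and network operations, and counts failed requests per source address. The events, principal names, compartment names and IP addresses are constructed, and the list of operation names to watch is my own choice.

```python
"""Detection pass over constructed OCI Audit events.

Constructed example, not OCI code: the event envelope is trimmed to the fields
used below, and every sample event is hand-written.
"""
import json
from collections import Counter
from typing import Dict, List

# API operation names (data.eventName) whose successful calls should always be reviewed.
# Selection is this example's own; extend it to match your tenancy's risk model.
SENSITIVE_OPERATIONS = {
    "CreatePolicy", "UpdatePolicy", "DeletePolicy",
    "CreateUser", "DeleteUser", "CreateAuthToken",
    "UpdateSecurityList", "UpdateNetworkSecurityGroupSecurityRules",
    "UpdateBucket",
}


def _event(name: str, compartment: str, principal: str, ip: str, status: str) -> str:
    """Build one constructed audit event as a JSON line."""
    return json.dumps({
        "eventType": f"com.oraclecloud.example.{name.lower()}",   # constructed naming
        "eventTime": "2019-11-20T10:15:00Z",
        "source": "ExampleApi",
        "data": {
            "eventName": name,
            "compartmentName": compartment,
            "identity": {"principalName": principal, "ipAddress": ip, "authType": "natv"},
            "request": {"action": "POST" if name.startswith(("Update", "Create")) else "GET"},
            "response": {"status": status},
        },
    })


# Constructed sample log: one JSON event per line, addresses from documentation ranges.
SAMPLE_EVENTS = [
    _event("UpdateSecurityList", "Prod", "alice@example.com", "203.0.113.10", "200"),
    _event("ListInstances", "Dev", "bob@example.com", "203.0.113.11", "200"),
    _event("GetBucket", "Prod", "unknown", "198.51.100.7", "401"),
    _event("GetBucket", "Prod", "unknown", "198.51.100.7", "401"),
    _event("UpdateBucket", "Dev", "carol@example.com", "203.0.113.12", "200"),
    _event("ListBuckets", "Prod", "unknown", "198.51.100.7", "404"),
    _event("UpdatePolicy", "Prod", "alice@example.com", "203.0.113.10", "403"),
]


def parse_events(lines: List[str]) -> List[Dict]:
    return [json.loads(line) for line in lines]


def sensitive_changes(events: List[Dict]) -> List[str]:
    """Successful calls to watched operations, one line per finding."""
    findings = []
    for e in events:
        d = e["data"]
        if d["eventName"] in SENSITIVE_OPERATIONS and str(d["response"]["status"]) == "200":
            who = d["identity"]["principalName"]
            findings.append(
                f"{e['eventTime']} {who} {d['eventName']} in {d['compartmentName']} "
                f"from {d['identity']['ipAddress']}"
            )
    return findings


def failed_requests_by_source(events: List[Dict], threshold: int = 3) -> Dict[str, int]:
    """Source addresses with at least `threshold` denied or not-found responses."""
    counts: Counter = Counter()
    for e in events:
        d = e["data"]
        if str(d["response"]["status"]) in ("401", "403", "404"):
            counts[d["identity"]["ipAddress"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for line in sensitive_changes(evs):
        print("CHANGE", line)
    for ip, n in failed_requests_by_source(evs).items():
        print("FAILURES", ip, n)
```

The denied `UpdatePolicy` call is intentionally not reported as a change (status 403), but it does count toward the failure tally for its source; a real pipeline would keep both views, since the audit retention window is finite and events you want to correlate later need to be exported before they are purged.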
Putting it all together
This might sound like a repeat, but once I had studied each area I tried to combine what I had learned. When designing a service, how do I make it a highly available solution using the functionality OCI offers? How do I apply layers of security? How do I design for cost? How does IAM apply to my designs?
In the end this is the way I passed the exam, and I also learned how I can use specific services in different use cases.
To add to the list of whitepapers, these are useful ones as well:
- Best Practices for Disaster Recovery in Oracle Cloud Infrastructure
- Best Practices for Deploying High Availability Architecture on Oracle Cloud Infrastructure
- Building Highly Available Applications in a Region with One Availability Domain
- Blueprint: Oracle E-Business Suite on Oracle Cloud Infrastructure
Good luck with your studies! Let me know if you feel something should be added here, or if you have further questions on the exam.