OCI 1Z0-1072-25 Sample Questions with Explanations

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for OCI Architect Associate (1Z0-1072-25) topics such as VCN design, subnet placement, load balancing, IAM, dynamic groups, storage, database placement, backups, monitoring, and high availability. The prompts focus on choosing a clean architecture rather than overbuilding every scenario.

1Z0-1072-25 OCI Architect Associate sample questions

Work through each prompt before opening the explanation. Architect Associate questions usually ask where a control belongs: public edge, private tier, subnet route, IAM boundary, backup plan, or monitoring layer.


Question 1

Topic: Public edge with private application tier

A web application must accept HTTPS traffic from the internet, but application servers and the database should not have public IP addresses. Which architecture is strongest?

  • A. Put every server in a public subnet and rely only on operating-system firewalls.
  • B. Use a public load balancer for internet-facing HTTPS and place application and database resources in private subnets with restrictive network controls.
  • C. Put the database in a public subnet so users can connect directly if the application tier fails.
  • D. Use only a NAT Gateway for inbound internet traffic.

Best answer: B

Explanation: A public load balancer is the correct internet-facing entry point. The application and database tiers can stay private, with routing and security controls limiting exposure between tiers.

Why the other choices are weaker:

  • A exposes too much infrastructure.
  • C exposes the database directly and weakens tier separation.
  • D misunderstands NAT Gateway use; it supports outbound access from private resources, not inbound public service exposure.

What this tests: Load balancer placement, public versus private subnets, tier isolation, and network exposure control.

Related topics: Load balancer; Private subnet; Public subnet; VCN; Network security


Question 2

Topic: Private outbound internet access

Compute instances in a private subnet need to download software updates from the internet. The instances must not receive public IP addresses. Which design best fits?

  • A. Use a NAT Gateway with route rules from the private subnet for outbound internet access.
  • B. Assign temporary public IP addresses to the instances during every update window.
  • C. Put the instances behind a public load balancer and use it for outbound updates.
  • D. Use only a Local Peering Gateway because software repositories are always in another VCN.

Best answer: A

Explanation: A NAT Gateway allows private subnet resources to initiate outbound internet connections without assigning public IP addresses to those resources. It is the direct fit for private instances that need updates.

Why the other choices are weaker:

  • B violates the no-public-IP requirement.
  • C confuses inbound load balancing with outbound internet access.
  • D describes a Local Peering Gateway, which provides VCN-to-VCN connectivity within a region, not general internet access.

What this tests: Gateway selection, route rules, and outbound access from private resources.

Related topics: NAT Gateway; Private subnets; Route tables; Internet access; VCN


Question 3

Topic: Instance access to Object Storage

An application running on OCI compute instances must write files to Object Storage. The team wants to avoid storing user credentials or API keys on the instances. Which identity design is strongest?

  • A. Embed a user’s API key in the application configuration.
  • B. Give every developer the same administrator password for the tenancy.
  • C. Use a dynamic group that matches the instances and an IAM policy granting the group the required Object Storage permissions.
  • D. Make the bucket public so the application does not need credentials.

Best answer: C

Explanation: Dynamic groups allow OCI resources such as compute instances to be treated as principals for IAM policy. This lets the application access Object Storage through resource identity and scoped policy rather than embedded user credentials.

Why the other choices are weaker:

  • A creates credential storage and rotation risk.
  • B destroys accountability and grants excessive access.
  • D exposes data and bypasses controlled authorization.

What this tests: Dynamic groups, resource principals, IAM policy scope, and credential-free service access.

Related topics: Dynamic groups; IAM policies; Object Storage; Resource principals; Least privilege


Question 4

Topic: Backup and recovery planning

A production database must be recoverable after accidental deletion or regional disruption. The team also needs routine restore testing. Which answer is strongest?

  • A. Rely on compute instance fault domains only, because fault domains replace backups.
  • B. Keep one manual export on a developer laptop.
  • C. Disable backups to reduce storage cost and recreate the database from memory if needed.
  • D. Define backup retention, copy or replication strategy where required, access controls, and a tested restore procedure aligned to recovery objectives.

Best answer: D

Explanation: Recovery design is more than enabling a single backup. The architecture needs retention, location strategy, access protection, and restore testing so the team knows whether recovery objectives can actually be met.

Why the other choices are weaker:

  • A confuses availability placement with recoverability.
  • B is unmanaged and risky.
  • C removes the recovery mechanism.

What this tests: Backup design, restore validation, recovery objectives, and resilience planning.

Related topics: Backups; Restore testing; Recovery objectives; Database resilience; Disaster recovery

Independent study note

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by Oracle or any certification body.

Revised on Sunday, May 10, 2026