OCI 1Z0-1151-25 cheat sheet for key facts, traps, service mappings, and final review.
On this page
Use this for last-mile review. Multicloud questions usually collapse into five lanes: identity, network path, data boundary, operations ownership, and failure behavior.
Read every scenario in this order
Identify which cloud owns the identity source, the network edge, the data source, and the operator workflow.
Decide whether the requirement is about reachability, latency, resilience, governance, or cost.
Choose the narrowest trust and connectivity model that satisfies the requirement.
Confirm routing, DNS, security lists or network security groups, and logging before calling the design complete.
Treat replication as incomplete until failover, access, application behavior, and rollback are testable.
OCI answer sequence
Use this when the stem mixes ingress, async delivery, reliability, security, or operations.
flowchart TD
S["Scenario"] --> I["Classify the interaction mode"]
I --> E["Pick API Gateway, Events, Notifications, Streaming, or Functions"]
E --> R["Check retry, idempotency, ordering, and dead-letter behavior"]
R --> S2["Check Vault, IAM, private exposure, logs, and auditability"]
Fast lane picker
If the question is mainly about…
Start with…
Usual winning move
who should trust whom
federation and identity boundary
reduce credential sprawl first
how clouds should connect
VPN, FastConnect, or partner/private path
choose by scale and reliability
where data should live
locality, replication, and egress trade-off
put data near the consuming compute when practical
shared responsibility
audit, ownership, and recovery model
make provider and team responsibilities explicit
cross-cloud resilience
replication scope and failover path
do not treat sync as proof of recovery
app dependency placement
latency and managed-service fit
place compute near the dependency that drives the critical path
governance or compliance
tenancy, compartment, region, and policy scope
keep the control plane explicit
Multicloud boundary map
flowchart TD
IDP["Identity Provider"] --> OCI["OCI"]
IDP --> Other["Other Cloud"]
OCI <--> Conn["VPN / FastConnect / Partner Path"]
Conn <--> Other
OCI <--> Data["Shared or Replicated Data"]
Other <--> Data
OCI --> Ops["Audit, Monitoring, Recovery"]
Other --> Ops
Fast rule: the strongest multicloud answer keeps trust, transport, data, and operations boundaries explicit instead of pretending the clouds behave like one blurred platform.
Boundary-first decision map
Boundary
Exam question to ask
identity
who authenticates the user or workload, and who authorizes the action?
network
which private or public path carries traffic, and what happens during failure?
DNS
where does the name resolve, and does resolution match the private route?
data
where is the system of record, and what is copied, cached, or replicated?
keys
who owns encryption keys, rotation, and access evidence?
observability
which team can see logs, metrics, audit trails, and service health?
Identity and federation chooser
Requirement
Strongest first fit
Why
reduce local credential sprawl
federation
centralize identity and shorten credential life where possible
narrow cross-cloud permissions
scoped roles and compartment or project boundaries
least privilege still applies across clouds
trace who did what
strong audit path in each environment
one cloud’s logs do not replace the other’s
workload-to-workload access
short-lived identity or managed federation pattern
avoids static key copying
central operator access
federated identity plus role mapping
keeps human lifecycle management centralized
Identity traps
Trap
Better reading
copying long-lived credentials across clouds
federation and scoped identity are usually stronger
assuming one provider’s IAM model fully replaces the other
trust boundaries still need explicit mapping
ignoring audit because the integration “already works”
multicloud without traceability is operationally weak
solving authorization with networking only
private reachability is not permission
granting broad admin in both clouds for convenience
cross-cloud blast radius expands quickly
OCI identity and governance reminders
Topic
Fast rule
tenancy
top-level OCI isolation and administration boundary
compartment
governance and policy boundary for resources
policy
grants permissions to groups or dynamic groups over compartments or tenancy scope
dynamic group
lets OCI resources act under policy rules
federation
maps external identity into OCI access patterns
tag strategy
useful for cost, ownership, and governance, not just labeling
Connectivity chooser
Requirement
Strongest first fit
Why
quick setup or lower cost
VPN
simplest private path
steadier bandwidth and latency
FastConnect or partner private path
stronger performance and predictability
many networks and attachments
hub-and-spoke routing pattern
reduces connection sprawl
lowest-necessary exposure
narrow private connectivity path
strong answers minimize unnecessary public travel
internet-facing global entry
public edge and load-balancing design
do not force private interconnect into an edge-use case
private PaaS or database access
private endpoint or private service access pattern
keeps data-plane traffic off the public internet where supported
Connectivity traps
Trap
Better reading
choosing the most expensive path automatically
choose based on actual bandwidth, latency, and reliability requirements
designing without route and failure-path thinking
path design must include how traffic fails over
assuming cross-cloud networking removes the need for segmentation
segmentation and trust boundaries still matter
creating private links but forgetting DNS
private routing and private name resolution must agree
allowing broad CIDR overlap
overlapping address space breaks routing options and migration paths
Network design reminders
Topic
Fast rule
VCN
OCI virtual network boundary
subnet
placement and routing boundary inside a VCN
route table
determines next hop for traffic
security list / NSG
controls allowed traffic; do not confuse with routing
DRG
hub for connecting VCNs to external networks or other VCN patterns
LPG / remote peering
VCN-to-VCN style connectivity, not generic internet access
NAT gateway
outbound internet without inbound exposure
service gateway
private access to supported Oracle services
Routing and DNS triage
Symptom
Check first
private endpoint unreachable
route table, security rule, and DNS resolution
intermittent cross-cloud failure
redundant path, BGP state, and failover route behavior
traffic exits publicly by surprise
name resolution and route preference
one subnet works and another fails
subnet route table and security rules
latency is too high
region distance, path choice, and dependency placement
Data placement and replication chooser
Concern
Stronger first reading
latency-sensitive workload
keep data near the consuming compute when practical
egress-sensitive design
avoid unnecessary cross-cloud transfer loops
shared reporting or analytics
replicate only the needed slice with clear ownership
recovery target
define RPO and RTO before choosing replication style
transactional source of truth
keep one write authority unless the app is designed for multi-write
regulated data
region, residency, key ownership, and audit controls come before convenience
Data-boundary traps
Trap
Better reading
replicating all data “just in case”
replicate only what the use case and recovery goal need
assuming synchronized data means operational readiness
failover and application behavior still need testing
ignoring key-management ownership
cross-cloud encryption responsibility must stay explicit
moving data to compute without egress thinking
cross-cloud movement can become the design bottleneck
treating backup, replica, and analytics copy as the same thing
each has different freshness, ownership, and recovery behavior
Data-service fit map
Requirement
Stronger first instinct
Oracle workload with tight database integration
keep Oracle Database service fit central
file/object exchange
use object storage or transfer pattern with lifecycle and access controls
low-latency app-to-database path
place app tier and database path deliberately before scaling compute
reporting copy
replicate curated data, not every operational table by default
disaster recovery
define RPO, RTO, DNS cutover, and operator runbook
Recovery and DR chooser
Requirement
Better design cue
lowest cost standby
backup-and-restore or pilot-light pattern
faster regional recovery
warm standby or active-passive design
minimal data loss
tighter replication and tested application consistency
broad outage tolerance
independent control-plane assumptions and documented failover
audit-ready recovery
runbooks, evidence, and regular test results
Recovery traps
Trap
Better reading
replication equals DR
DR also needs access, compute, DNS, testing, and rollback
active-active is automatically best
conflict handling, cost, and operational complexity may be worse
backups prove recovery
restore tests prove recovery
failover path ignores identity
operators and workloads still need access after failover
no failback plan
recovery design is incomplete without return-to-normal thinking
Recovery and operations cues
Area
Strong default
observability
logs, metrics, and audit in each cloud with a usable operator view
ownership
clear responsibility for each platform and handoff
recovery
tested failover or restoration path, not just replication settings
change safety
rollback-aware cross-cloud change process
cost control
tags, budgets, egress awareness, and service-level right-sizing
security evidence
audit logs and policy history in each environment
Observability and operations map
Need
Better signal
who changed what
audit logs in each provider
traffic reachability
flow logs, route checks, DNS resolution, and security rules
app health
metrics, traces, synthetic checks, and service-level alerts
database health
service metrics plus database-specific diagnostics
cross-cloud incident
shared timeline across providers, not one dashboard only
Cost and governance traps
Trap
Better reading
private connectivity solves all cost problems
interconnect, data transfer, idle standby, and duplicate services still cost money
every workload should be portable
portability has design, testing, and operations cost
tagging is optional cleanup
tags often drive cost ownership and governance evidence
one cloud’s compliance controls cover the whole system
each boundary needs its own evidence
over-centralized operations
a single team can own process, but provider-specific controls still matter
Decision order that usually wins
Classify the scenario as identity, network, data, operations, recovery, or cost.
Keep the source of truth clear for identity, data, and keys.
Choose the narrowest private path that meets latency and reliability needs.
Confirm DNS, routing, and security rules as a single path, not separate guesses.
Add recovery testing, observability, and ownership before calling the design complete.
Last 15-minute review
If you only keep one thing from each lane…
Remember this
identity
reduce credential sprawl and keep trust explicit
network
choose the narrowest private path that meets the requirement
data
locality, egress, and replication all trade off against each other
recovery
replication is not the same thing as tested failover
operations
multicloud ownership must stay explicit
DNS
private connectivity fails if names still resolve to the wrong place
cost
cross-cloud data movement and duplicate standby capacity are not free
What strong 1Z0-1151-25 answers usually do
classify the issue first as identity, connectivity, data placement, or operations control
choose the narrowest inter-cloud trust and transport model that still satisfies the need
keep shared responsibilities explicit instead of assuming provider boundaries disappear
prefer architectures that preserve auditability, recovery paths, and clear ownership
verify DNS, route, and security-rule alignment before blaming the application
treat recovery as a tested workflow, not a replication setting