
Monday, 9 June 2025

OCI Network - Interview Questions and Answers




✅ Fundamentals

  1. Q: What is a Virtual Cloud Network (VCN)?
    A: A logically isolated, customizable virtual network in OCI — consisting of subnets, route tables, gateways, and security rules.

  2. Q: Define a subnet in OCI.
    A: A subdivision of the VCN's CIDR, either regional or AD-specific. A public subnet lets resources be assigned public IPs; a private subnet forbids them. Whether a subnet can actually reach the internet is decided by its route table (a rule pointing at an IGW), not by the public/private flag alone.

  3. Q: What is an Internet Gateway (IGW)?
    A: A virtual router providing bidirectional public internet connectivity for resources that hold a public IP; at most one IGW per VCN.

  4. Q: What is a NAT Gateway?
    A: A regional gateway with its own public IP that gives private-subnet resources outbound-only internet access (it forwards the return packets of those connections), so they can fetch updates/patches without ever being reachable from the internet.

  5. Q: What is a Service Gateway (SGW)?
    A: Enables private access to OCI public services (such as Object Storage) without traversing the public internet and without a public IP on the instance.

  6. Q: How does SGW differ from IGW/NAT?
    A: SGW enables OCI service access only, not general internet access; traffic stays on Oracle’s network.



🛂 Security & Access Control

  1. Q: Define Security Lists.
    A: Stateful or stateless firewall rules attached to a subnet and applied to every VNIC in it; they control inbound/outbound traffic at the subnet layer.

  2. Q: Define Network Security Groups (NSG).
    A: A virtual firewall attached to individual VNICs (compute instances, load balancers, DB systems) rather than to a subnet, offering fine-grained ingress/egress rules; a rule may name another NSG as its source or destination instead of a CIDR.

  3. Q: IGW requires public IP. True/False?
    A: True. Only resources with a public IP can send/receive through an IGW; a private-subnet instance with a 0.0.0.0/0 → IGW route still gets nowhere.

  4. Q: NAT gateway allows inbound Internet traffic. True/False?
    A: False. A NAT Gateway only carries connections initiated from the private subnet (plus their return packets); it never accepts connections originating on the internet.



🔄 Routing

  1. Q: What is a Route Table?
    A: Contains route rules to direct traffic to IGW, NAT, SGW, DRG, etc.

  2. Q: Can a subnet reference multiple NAT Gateways?
    A: No. A route table allows only one rule per destination CIDR and a subnet uses exactly one route table, so a subnet's 0.0.0.0/0 traffic can go to only one NAT Gateway at a time.

  3. Q: Why add route 0.0.0.0/0 → IGW in public subnets?
    A: The 0.0.0.0/0 rule catches every destination not matched by a more specific route (traffic inside the VCN's CIDR is delivered locally) and hands it to the IGW, so instances with public IPs can reach the internet and be reached from it.

  4. Q: Why add route 0.0.0.0/0 → NAT Gateway in private subnets?
    A: To allow outbound access from private instances to external destinations.
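The following Python block is an added example (not code from the original post or from Oracle) that models how a subnet's route table resolves a destination: the implicit local route for the VCN's own CIDR, then longest-prefix match over the rules, with a Service Gateway rule keyed on an Oracle Services CIDR label rather than a literal CIDR. The VCN CIDR, gateway names, on-prem range, the label spelling and the stand-in Oracle Services prefix (203.0.113.0/24, a TEST-NET range) are all assumed, constructed values. It also shows why a subnet cannot send 0.0.0.0/0 to two NAT Gateways: one destination per table, one target.

```python
"""Longest-prefix-match route selection, as OCI applies a subnet's route table.

Added example; not code from the original post or from Oracle. The VCN CIDR,
gateway names, on-prem range and Oracle Services prefix are constructed.
"""
from ipaddress import ip_address, ip_network

# OCI lets a rule's destination be a CIDR *label* for the Oracle Services
# Network instead of a literal CIDR; only a Service Gateway can be its target.
OSN_LABEL = "all-services-in-oracle-services-network"   # assumed label spelling
# Constructed stand-in for the prefixes behind that label (TEST-NET-3).
OSN_PREFIXES = ("203.0.113.0/24",)


class RouteTable:
    def __init__(self, vcn_cidr):
        self.vcn_cidr = ip_network(vcn_cidr)
        self.rules = []            # (destination, target) pairs

    def add_rule(self, destination, target):
        # OCI refuses two rules with the same destination in one table, which
        # is why a subnet cannot send 0.0.0.0/0 to two NAT Gateways at once.
        if any(d == destination for d, _ in self.rules):
            raise ValueError(f"duplicate route rule for {destination}")
        if destination == OSN_LABEL and not target.startswith("sgw"):
            raise ValueError("service CIDR labels can only target a Service Gateway")
        self.rules.append((destination, target))

    def lookup(self, dst_ip):
        """Target for dst_ip: 'local' inside the VCN (intra-VCN routing rules
        are not modelled), otherwise the most specific matching rule, else None."""
        dst = ip_address(dst_ip)
        if dst in self.vcn_cidr:
            return "local"
        best_len, best_target = -1, None
        for destination, target in self.rules:
            prefixes = OSN_PREFIXES if destination == OSN_LABEL else (destination,)
            for p in prefixes:
                net = ip_network(p)
                if dst in net and net.prefixlen > best_len:
                    best_len, best_target = net.prefixlen, target
        return best_target


def build_tables():
    """Route tables for a public subnet, a private subnet and an inspected-egress subnet."""
    public = RouteTable("10.0.0.0/16")
    public.add_rule("0.0.0.0/0", "igw-1")            # internet both ways (VNIC needs a public IP)

    private = RouteTable("10.0.0.0/16")
    private.add_rule("0.0.0.0/0", "natgw-1")         # outbound-only internet
    private.add_rule(OSN_LABEL, "sgw-1")             # Object Storage etc. stay on Oracle's network
    private.add_rule("192.168.0.0/16", "drg-1")      # on-prem via Site-to-Site VPN / FastConnect

    # Centralised egress: default route to a firewall VNIC's private IP (that
    # VNIC must have source/destination check disabled); the firewall's own
    # subnet then routes 0.0.0.0/0 to the NAT Gateway.
    inspected = RouteTable("10.0.0.0/16")
    inspected.add_rule("0.0.0.0/0", "privateip:10.0.9.5")
    inspected.add_rule("192.168.0.0/16", "drg-1")
    return {"public": public, "private": private, "inspected": inspected}


def resolve(table_name, dst_ip):
    """Which gateway a packet from a subnet using table_name takes to dst_ip."""
    return build_tables()[table_name].lookup(dst_ip)


if __name__ == "__main__":
    for dst in ("10.0.3.10", "8.8.8.8", "203.0.113.40", "192.168.5.1"):
        print(f"private subnet -> {dst}: {resolve('private', dst)}")
    try:
        build_tables()["private"].add_rule("0.0.0.0/0", "natgw-2")
    except ValueError as err:
        print("rejected:", err)
```

Run it and the private subnet sends 8.8.8.8 to the NAT Gateway, the Oracle Services prefix to the SGW, the on-prem range to the DRG and 10.0.3.10 locally; the second 0.0.0.0/0 rule is rejected.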



🔐 VPN & DRG

  1. Q: What is VPN Connect?
    A: Site-to-Site VPN (the current name for VPN Connect): IPSec tunnels between an on-premises or other-cloud network and a DRG attached to your OCI VCNs.

  2. Q: What is a Dynamic Routing Gateway (DRG)?
    A: A regional virtual router that connects VCNs to on-premises networks via Site-to-Site VPN or FastConnect; the current DRG also takes multiple VCN attachments and remote peering connections, acting as a hub.

  3. Q: What is Local Peering Gateway (LPG)?
    A: Enables VCN-to-VCN peering within the same region over private IPs; each VCN gets an LPG and the two are connected.

  4. Q: What is Remote Peering Connection (RPC)?
    A: The cross-region counterpart of an LPG; RPCs are attached to the DRG in each region and connected to each other.

  5. Q: Do LPG/RPC use internet?
    A: No. Traffic remains on Oracle's private network backbone.



🚦 NSG & Security Lists Scenarios

  1. Q: IGW + NSG + Security List setup for a public web server?
    A: Instance in a public subnet with a public IP; the subnet's route table has 0.0.0.0/0 → IGW; the NSG or security list allows TCP 80/443 ingress from 0.0.0.0/0 and only the egress the server actually needs.

  2. Q: Private DB instance using NAT Gateway?
    A: DB in a private subnet whose route table sends 0.0.0.0/0 to the NAT Gateway. Security rules allow the DB port (e.g. 1521) ingress only from the app tier's NSG or CIDR; nothing from the internet can initiate a connection.

  3. Q: Restrict outbound on private instances?
    A: Give the subnet no default route to the internet, and in the NSG allow-list only the egress actually required, e.g. the Oracle Services Network CIDR label (reached through the SGW) and specific repository CIDRs.

  4. Q: Can you use NSG instead of Security Lists?
    A: Yes. NSGs attach to specific VNICs and are Oracle's recommended mechanism. A subnet can still carry security lists, and the two are combined: traffic is permitted if any rule in either allows it, so a permissive security list silently undermines a tight NSG.



🧠 Logical & Design Scenarios

  1. Q: Design: Web → App → DB with strict separation.
    A:

  • Web Tier: public subnet with 0.0.0.0/0 → IGW; NSG "web" allows TCP 80/443 ingress from 0.0.0.0/0.

  • App Tier: private subnet; NSG "app" allows its service port ingress only from the web NSG (NSG-as-source rule), not from the whole VCN CIDR.

  • DB Tier: private subnet; NSG "db" allows the DB port ingress only from the app NSG. Patching and backups go out through a NAT Gateway or Service Gateway, never an IGW.

  2. Q: Backup DB to Object Storage via SGW.
    A: Add a rule for the Oracle Services Network CIDR label → SGW in the DB subnet's route table (and a matching egress rule in the NSG) so backups take the private path to Object Storage.

  3. Q: Cross-region DR with private Oracle Autonomous DB.
    A: Peer the two regions' DRGs with an RPC so the private endpoints talk over Oracle's backbone; add route rules for the remote VCN's CIDR → DRG in each region and keep the database endpoints private on both sides.

  4. Q: Centralized egress firewall with NAT.
    A: Point the private subnets' 0.0.0.0/0 route at the firewall VNIC's private IP (route target type "private IP", with source/destination check disabled on that VNIC); the firewall's own subnet routes 0.0.0.0/0 to the NAT Gateway, so every egress flow is inspected before it leaves.

  5. Q: Cost optimization: shared NAT among subnets?
    A: Yes. A NAT Gateway is a regional VCN resource, not tied to an availability domain; any number of subnets' route tables can point at the same gateway.
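The following Python block is an added example (not code from the original post or from Oracle) that evaluates the NSG and security-list scenarios above and the Web → App → DB design in this section: subnet security lists and attached NSGs are unioned, an NSG can be named as a rule's source, and a connection needs the initiator's egress and the target's ingress to both permit it. Every name, CIDR and port is constructed; all rules are treated as stateful (the OCI default), so only the initiating direction is evaluated. The "db-2" VNIC, which sits in a subnet carrying a leftover permissive security list, shows how a subnet-level rule undermines a tight NSG.

```python
"""Evaluate OCI-style security rules: subnet security lists and the VNIC's
NSGs are combined, and an NSG may be named as source/destination.

Added example, not code from the original post or from Oracle. All names,
CIDRs and ports are constructed. Rules are stateful (OCI default), so only
the initiating direction is checked; return traffic is implied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str                           # "ingress" or "egress"
    protocol: str                            # "tcp", "udp", "icmp" or "all"
    peer: str                                # CIDR, or "nsg:<name>" (NSG as source/destination)
    ports: Optional[Tuple[int, int]] = None  # destination port range; None = all ports


@dataclass(frozen=True)
class Vnic:
    name: str
    ip: str
    security_lists: Tuple[str, ...] = ()     # security lists of the subnet the VNIC sits in
    nsgs: Tuple[str, ...] = ()               # NSGs attached to the VNIC itself
    external: bool = False                   # outside the VCN: no OCI rules apply to it


class Vcn:
    def __init__(self):
        self.rule_sets = {}                  # name -> [Rule]; security lists and NSGs alike

    def define(self, name, *rules):
        self.rule_sets[name] = list(rules)

    def _peer_matches(self, spec, peer):
        if spec.startswith("nsg:"):
            return spec[4:] in peer.nsgs     # NSG membership, not an IP match
        return ip_address(peer.ip) in ip_network(spec)

    def _permitted(self, vnic, direction, proto, port, peer):
        # Union semantics: traffic passes if ANY rule in ANY attached set permits it.
        for name in vnic.security_lists + vnic.nsgs:
            for r in self.rule_sets.get(name, []):
                if r.direction != direction or r.protocol not in ("all", proto):
                    continue
                if r.ports and not (r.ports[0] <= port <= r.ports[1]):
                    continue
                if self._peer_matches(r.peer, peer):
                    return True
        return False

    def connection_allowed(self, src, dst, proto, port):
        """True if src may open proto/port to dst: src egress AND dst ingress must permit."""
        egress_ok = src.external or self._permitted(src, "egress", proto, port, dst)
        ingress_ok = dst.external or self._permitted(dst, "ingress", proto, port, src)
        return egress_ok and ingress_ok


def three_tier_vcn():
    """Constructed web/app/db rule sets matching the design question above."""
    vcn = Vcn()
    vcn.define("sl-empty")                   # a security list with no rules permits nothing
    vcn.define("nsg-web",
               Rule("ingress", "tcp", "0.0.0.0/0", (80, 80)),
               Rule("ingress", "tcp", "0.0.0.0/0", (443, 443)),
               Rule("egress", "all", "0.0.0.0/0"))
    vcn.define("nsg-app",
               Rule("ingress", "tcp", "nsg:nsg-web", (8080, 8080)),
               Rule("egress", "all", "0.0.0.0/0"))
    vcn.define("nsg-db",
               Rule("ingress", "tcp", "nsg:nsg-app", (1521, 1521)),
               Rule("egress", "tcp", "0.0.0.0/0", (443, 443)))   # patch downloads via NAT/SGW only
    # A leftover permissive subnet-level list, to show how it undermines the NSG.
    vcn.define("sl-legacy-open", Rule("ingress", "tcp", "10.0.0.0/16", (1521, 1521)))
    return vcn


INTERNET = Vnic("internet-client", "198.51.100.7", external=True)
WEB = Vnic("web-1", "10.0.1.10", ("sl-empty",), ("nsg-web",))
APP = Vnic("app-1", "10.0.2.10", ("sl-empty",), ("nsg-app",))
DB = Vnic("db-1", "10.0.3.10", ("sl-empty",), ("nsg-db",))
DB_LEGACY = Vnic("db-2", "10.0.3.11", ("sl-legacy-open",), ("nsg-db",))


def check(src, dst, proto, port):
    return three_tier_vcn().connection_allowed(src, dst, proto, port)


if __name__ == "__main__":
    for s, d, p in ((INTERNET, WEB, 443), (INTERNET, APP, 8080), (WEB, APP, 8080),
                    (WEB, DB, 1521), (APP, DB, 1521), (WEB, DB_LEGACY, 1521),
                    (DB, INTERNET, 443), (DB, INTERNET, 22)):
        print(f"{s.name} -> {d.name}:{p}  allowed={check(s, d, 'tcp', p)}")
```

The web tier cannot reach db-1 on 1521 because the DB NSG only names nsg-app as source, but it can reach db-2 on the same port: the subnet's legacy security list permits it regardless of the NSG, which is the case for auditing security lists whenever NSGs are the intended control.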



⚡ True/False Statements

  1. IGW can be used by peered VCNs. False. Only subnets of the VCN that owns the IGW can route through it; a peered VCN cannot transit it.

  2. Each VCN can have multiple IGWs. False. Only one IGW is permitted per VCN.

  3. SGW eliminates the need for a public IP to reach Oracle services. True.

  4. NAT Gateway handles inbound SSH from Internet. False.

  5. DRG supports dynamic route propagation. True (BGP over FastConnect or Site-to-Site VPN, with learned routes imported into DRG route tables).

  6. Site-to-Site VPN requires both endpoints to have public IPs. True. The on-premises CPE must have a public IP, and Oracle's tunnel endpoints are public.

  7. LPG automatically updates route tables. False. Route rules for the peer VCN's CIDR → LPG must be added manually in each VCN.



🤔 Behavioral & Strategy Questions

  1. Q: Multiple availability domains—how design NAT?
    A: No per-AD design is needed: an OCI NAT Gateway is regional, highly available and serves subnets in every availability domain of the VCN. Additional gateways are only worth it when you need distinct egress IPs (for example per environment), not for resilience.

  2. Q: How to ensure resilience for VPN?
    A: Use redundant CPE devices and dual ISPs on-premises, bring up both IPSec tunnels Oracle provisions for each connection, use BGP rather than static routes so failover is automatic, and add FastConnect as a second path where available.

  3. Q: How to segregate production vs. dev?
    A: Use separate compartments (the IAM boundary) and separate VCNs per environment; peer them with LPG/RPC only if a flow is genuinely required, and constrain that flow with strict NSG/security list rules.

  4. Q: Ensure secure OCI service access from on-prem?
    A: On-prem → Site-to-Site VPN/FastConnect → DRG → SGW → Oracle services (transit routing): the route table on the DRG attachment sends the Oracle Services CIDR label to the SGW, so on-prem hosts reach Object Storage and other services with no public internet exposure.

  5. Q: Compliance needs with no public internet exposure.
    A: Keep workloads in private subnets with no IGW route; reach external dependencies only via NAT Gateway or SGW; enforce with NSGs and OCI Security Zones, whose policies block public subnets and public IPs inside the zone.



🎯 Senior-Level Deep Dive

  1. Q: Multi-region network design best practices.
    A: Use RPCs, DRGs, DRG with FastConnect; ensure route propagation and failover.

  2. Q: Can NAT block outbound port usage?
    A: No; NAT only handles IP translation—filter using NSGs or firewall.

  3. Q: Compare NSG vs. Security List performance/scale.
    A: Similar perf; NSG is more resource-granular.

  4. Q: Egress-only subnet for Oracle services?
    A: Combine SGW + route table; no public internet exposure.

  5. Q: Transit Gateway vs. DRG?
    A: Transit Gateway is the AWS construct. Its OCI equivalent is the upgraded DRG: one DRG attaches multiple VCNs, Site-to-Site VPN, FastConnect and RPCs, each with its own DRG route table, giving hub-and-spoke transit. The legacy DRG could attach to only one VCN, which is where the "one-to-one" description comes from.

  6. Q: How route propagation works in DRG?
    A: The DRG learns routes from its attachments (BGP-learned on-prem prefixes from FastConnect/VPN, VCN CIDRs from VCN attachments) and, via import route distributions, populates its DRG route tables. It does not rewrite VCN route tables: a subnet still needs an explicit rule sending on-prem or peer CIDRs to the DRG.

  7. Q: Upgrading NSG dynamically—impact?
    A: Changes apply immediately to traffic; plan updates during low usage.

  8. Q: Troubleshooting no internet on public subnet?
    A: Check in order: the subnet is public and the VNIC actually has a public IP; an IGW exists in the VCN; the subnet's route table has 0.0.0.0/0 → that IGW; the security list/NSG permits the traffic (and its reply, if rules are stateless); the guest OS firewall is not blocking it.

  9. Q: Audit network changes in OCI.
    A: Use OCI Audit logs to track create/update/delete on VCNs, subnets, gateways, NSGs, security lists and route tables (who, from where, when), and enable VCN Flow Logs to see which traffic was accepted or rejected as a result.

  10. Q: Balancing security vs. agility in network design.
    A: Use multi-tier isolation, NSGs, least privilege, and infrastructure-as-code (Terraform) with review pipelines so every network change is proposed, reviewed and recorded rather than clicked in.
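The following Python block is an added example (not code from the original post or from Oracle) for the audit question above: it filters a batch of OCI Audit events down to write operations on Virtual Network resources and reports who did what, from where, and whether it was outside business hours. The events are constructed to follow the OCI Audit CloudEvents layout (eventType, eventTime, data.eventName, data.identity, data.resourceName); the OCIDs, principals, IPs and the business-hours window are made up.

```python
"""Flag network-changing operations in OCI Audit events.

Added example, not code from the original post or from Oracle. The events
are constructed in the OCI Audit CloudEvents shape; OCIDs, names and IPs are
made up.
"""
import json
from datetime import datetime, timezone

# Constructed sample events (not real audit output).
SAMPLE_EVENTS = json.dumps([
    {"eventType": "com.oraclecloud.virtualnetwork.updatesecuritylist",
     "eventTime": "2025-06-09T08:12:31.000Z",
     "data": {"eventName": "UpdateSecurityList", "compartmentName": "prod-net",
              "resourceName": "sl-db-tier",
              "resourceId": "ocid1.securitylist.oc1..example1",
              "identity": {"principalName": "alice@example.com", "ipAddress": "203.0.113.5"}}},
    {"eventType": "com.oraclecloud.virtualnetwork.listsubnets",
     "eventTime": "2025-06-09T08:13:02.000Z",
     "data": {"eventName": "ListSubnets", "compartmentName": "prod-net",
              "resourceName": None, "resourceId": None,
              "identity": {"principalName": "monitor-svc", "ipAddress": "10.0.5.4"}}},
    {"eventType": "com.oraclecloud.virtualnetwork.createinternetgateway",
     "eventTime": "2025-06-09T23:41:10.000Z",
     "data": {"eventName": "CreateInternetGateway", "compartmentName": "prod-net",
              "resourceName": "igw-adhoc",
              "resourceId": "ocid1.internetgateway.oc1..example2",
              "identity": {"principalName": "bob@example.com", "ipAddress": "198.51.100.9"}}},
    {"eventType": "com.oraclecloud.computeapi.launchinstance",
     "eventTime": "2025-06-09T09:00:00.000Z",
     "data": {"eventName": "LaunchInstance", "compartmentName": "prod-app",
              "resourceName": "web-3", "resourceId": "ocid1.instance.oc1..example3",
              "identity": {"principalName": "ci-pipeline", "ipAddress": "10.0.5.9"}}},
])

NETWORK_SERVICE = "com.oraclecloud.virtualnetwork."
# Read-only calls (Get*/List*) are noise here; these verbs change state.
WRITE_VERBS = ("Create", "Update", "Delete", "Add", "Remove", "Change", "Attach", "Detach")
# Resource types whose change alters what a VCN exposes; review these first.
EXPOSURE_KEYWORDS = ("InternetGateway", "NatGateway", "ServiceGateway", "RouteTable",
                     "SecurityList", "NetworkSecurityGroup", "Subnet", "Drg",
                     "LocalPeering", "RemotePeering")


def is_network_write(event):
    """True for state-changing calls to the Virtual Network service."""
    return (event["eventType"].startswith(NETWORK_SERVICE)
            and event["data"]["eventName"].startswith(WRITE_VERBS))


def network_changes(raw_json, business_hours=(7, 19)):
    """Return one finding per network write: who, from where, what, and risk flags."""
    findings = []
    for ev in json.loads(raw_json):
        if not is_network_write(ev):
            continue
        d = ev["data"]
        name = d["eventName"]
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        findings.append({
            "when": ev["eventTime"],
            "who": d["identity"]["principalName"],
            "from_ip": d["identity"]["ipAddress"],
            "action": name,
            "resource": d.get("resourceName") or d.get("resourceId"),
            "compartment": d["compartmentName"],
            "exposure_change": any(k in name for k in EXPOSURE_KEYWORDS),
            "after_hours": not (business_hours[0] <= ts.hour < business_hours[1]),
        })
    return findings


if __name__ == "__main__":
    for f in network_changes(SAMPLE_EVENTS):
        flags = [k for k in ("exposure_change", "after_hours") if f[k]]
        print(f"{f['when']} {f['who']}@{f['from_ip']} {f['action']} {f['resource']} {flags}")
```

On the constructed input, the ListSubnets read and the compute LaunchInstance are dropped, while the security-list update and the late-night creation of an ad-hoc Internet Gateway are reported, the latter with both the exposure and after-hours flags set.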



📘 Quick Snippet Answers

  • IGW: Only one per VCN; bidirectional internet access, and only for resources that hold a public IP.

  • SGW: Private access to Oracle services over OCI's internal network; no public IP or internet route required.

  • NSG: Virtual firewall within a VCN with granular per-VNIC rules.



