Complete study guide for the Oracle OCI Architect Associate exam (1Z0-1072-25). Covers all 6 domains, key OCI services, architecture patterns, and a 5-week study plan.
# How to Pass Oracle OCI Architect Associate (1Z0-1072-25) in 2026: Complete Study Guide
The Oracle OCI Architect Associate certification (1Z0-1072-25) validates your ability to design and architect solutions on Oracle Cloud Infrastructure. Unlike the Foundations exam, this one expects you to make real architecture decisions: selecting the right compute shapes, designing VCN topologies, choosing database services, and applying security controls appropriately.
If you have 6-12 months of OCI hands-on experience, you are likely closer to ready than you think. If you are coming from another cloud platform (AWS, Azure, GCP), this guide will map OCI concepts to familiar patterns and highlight the areas that require OCI-specific learning.
---
## Exam Format at a Glance
| Detail | Value |
|---|---|
| Exam code | 1Z0-1072-25 |
| Price | $245 USD |
| Number of questions | 60 questions |
| Time limit | 90 minutes |
| Passing score | 70% (42/60) |
| Difficulty | Medium |
| Format | Multiple choice, multiple select |
| Delivery | Pearson VUE (online or test center) |
This is a medium-difficulty exam. The questions test architecture decision-making, not just service definitions. Expect scenario-based questions where two or three options are technically possible but only one is the best architectural choice.
---
## Domain Breakdown
| Domain | Topic | Approx. Weight |
|---|---|---|
| Domain 1 | OCI Architecture and Core Services | 15% (~9 questions) |
| Domain 2 | Networking | 20% (~12 questions) |
| Domain 3 | Compute and Containers | 20% (~12 questions) |
| Domain 4 | Storage Services | 15% (~9 questions) |
| Domain 5 | Database Services | 15% (~9 questions) |
| Domain 6 | Security and Identity | 15% (~9 questions) |
Networking and Compute together account for about 40% of the exam. They are also the most complex domains. Prioritize these two areas if you have limited study time.
---
## Domain 1: OCI Architecture and Core Services
### Physical and Logical Structure
OCI is organized into:
**Regions**: geographic areas with independent infrastructure (e.g., US East Ashburn, UK South London, AP Tokyo). Each region has at least one Availability Domain.
**Availability Domains (ADs)**: isolated, fault-independent data centers within a region. Commercial OCI regions typically have 3 ADs. Resources in separate ADs do not share power, cooling, or networking fabric.
**Fault Domains (FDs)**: groupings of hardware within an AD that share no single points of failure. Each AD has 3 Fault Domains. FDs protect against hardware failure within an AD (e.g., a single top-of-rack switch failure).
**Architecture implication:** For high availability within a region, distribute instances across multiple ADs (where available) or Fault Domains. For disaster recovery, replicate to another region.
### OCI Free Tier
Two components:
- **Always Free**: a permanent set of resources that never expire (2 AMD micro instances, 200 GB block storage, OCI Autonomous Database, OCI Object Storage up to 20 GB, etc.)
- **Free Trial**: $300 credit, valid for 30 days, access to all services
These distinctions appear in both the Foundations and Architect Associate exams.
---
## Domain 2: Networking — The Most Heavily Tested Domain
### Virtual Cloud Network (VCN)
A VCN is a software-defined private network within a region. You define:
- **CIDR block**: the IP address range for the VCN (e.g., 10.0.0.0/16)
- **Subnets**: subdivisions of the VCN CIDR, either regional (spans all ADs) or AD-specific
- **Internet Gateway (IGW)**: for public internet access from public subnets
- **NAT Gateway**: for outbound internet access from private subnets (no inbound)
- **Service Gateway**: for private connectivity to OCI services (Object Storage, etc.) without traversing the internet
- **Dynamic Routing Gateway (DRG)**: for connectivity to on-premises networks, peered VCNs, or other OCI services
### Route Tables and Security
**Route Tables**: control where traffic is directed (similar to AWS route tables). Each subnet is associated with one route table.
**Security Lists**: firewall rules applied at the subnet level. Stateful (return traffic is automatically allowed). Applied to all instances in the subnet.
**Network Security Groups (NSGs)**: firewall rules applied to specific VNICs (individual instances or OCI resources). More granular than Security Lists. Also stateful.
💡 **Exam Tip:** Security Lists apply at the subnet level (all resources in the subnet). NSGs apply to individual resources. NSGs are the recommended approach for fine-grained security. Security Lists remain widely used and both can be applied simultaneously.
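What "both can be applied simultaneously" means for the effective rule set, shown as an added example (not part of the original guide). OCI treats the subnet's Security Lists and the VNIC's NSGs as a union, so a packet is admitted if any rule in any of them matches. The rule sets and addresses below are constructed, and the model covers only ingress rules with CIDR sources.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IngressRule:
    source: str            # CIDR the rule accepts traffic from
    protocol: str          # "tcp", "udp", or "all"
    port_min: int = 1
    port_max: int = 65535

    def matches(self, src_ip: str, protocol: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.source)
                and self.protocol in ("all", protocol)
                and self.port_min <= port <= self.port_max)


def ingress_allowed(security_lists, nsgs, src_ip, protocol, port):
    """Return the names of every rule set that admits the packet.

    security_lists: {name: [IngressRule]} attached to the VNIC's subnet
    nsgs:           {name: [IngressRule]} the VNIC is a member of
    An empty list means nothing matched, so the packet is dropped.
    """
    hits = []
    for name, rules in {**security_lists, **nsgs}.items():
        if any(r.matches(src_ip, protocol, port) for r in rules):
            hits.append(name)
    return hits


# Constructed sample: a database VNIC in a private subnet.
SUBNET_SECURITY_LISTS = {
    # Subnet-level rule left open to the world for SSH.
    "default-seclist": [IngressRule("0.0.0.0/0", "tcp", 22, 22)],
}
VNIC_NSGS = {
    # Tight NSG: only the app tier may reach the listener port.
    "nsg-db": [IngressRule("10.0.1.0/24", "tcp", 1521, 1521)],
}
```

With these inputs, SSH from an outside address is admitted by `default-seclist` even though `nsg-db` never mentions port 22; tightening the NSG alone does not close it.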
### Connectivity Options
**VPN Connect**: site-to-site IPsec VPN between OCI and on-premises. Encrypted, over the public internet. Lower cost, variable performance.
**FastConnect**: dedicated private circuit from on-premises to OCI via a colocation provider or direct connection. Consistent throughput, low latency, higher cost.
**Local VCN Peering**: connect two VCNs within the same region using a Local Peering Gateway (LPG). No traffic traverses the internet.
**Remote VCN Peering**: connect two VCNs in different regions using a DRG. Required for cross-region connectivity.
**Transit routing**: using a DRG as a hub to route traffic between multiple VCNs or between on-premises and multiple VCNs. DRG v2 supports this natively without custom route tables.
### Load Balancers
OCI provides two load balancing services:
**OCI Load Balancer (Layer 7 - Application Load Balancer):**
- HTTP/HTTPS traffic
- SSL termination
- URL-based routing
- Shapes: Flexible (10 Mbps to 8 Gbps), Micro (always free tier)
**OCI Network Load Balancer (Layer 4):**
- TCP/UDP traffic
- No SSL termination
- Preserves source IP
- Lower latency than Layer 7 LB
- Suitable for: non-HTTP protocols, high-performance networking, UDP-based applications
---
## Domain 3: Compute and Containers
### Compute Shapes
**VM (Virtual Machine)**: shares physical hardware with other VMs. Choose from Standard (AMD, Intel, Arm), Dense I/O, GPU, and HPC shapes.
**Bare Metal (BM)**: dedicated physical server with no hypervisor. Full hardware access, ideal for high-performance workloads, databases requiring low-latency storage, and workloads that cannot tolerate noisy neighbor issues.
**GPU shapes**: A10, A100 series. For ML training, inference, and graphics workloads.
**Flexible shapes**: specify exact OCPU and memory within the shape's allowed range (e.g., VM.Standard.E4.Flex — 1 to 64 OCPUs, 1 to 64 GB RAM per OCPU).
### Instance Pools and Autoscaling
**Instance Configurations**: saved templates (shape, image, network, storage settings) for creating consistent instances.
**Instance Pools**: groups of instances created from the same Instance Configuration. Enable lifecycle management of multiple identical instances.
**Autoscaling Policies:**
- **Metric-based autoscaling**: scale in/out based on OCI Monitoring metrics (CPU, memory, custom)
- **Schedule-based autoscaling**: scale at defined times (e.g., scale up Monday mornings)
### Oracle Container Engine for Kubernetes (OKE)
OKE is Oracle's managed Kubernetes service. Key concepts:
**Cluster types:**
- **Basic**: simple cluster management, limited options
- **Enhanced**: more features (cluster add-ons, workload identity, image signing)
**Node Pool types:**
- **Managed nodes**: OCI manages the Kubernetes nodes (OS patching, node replacement). You choose shape and image.
- **Virtual nodes (serverless)**: no node management — you just deploy pods. Oracle handles the underlying infrastructure.
**Node pool configuration:** Each node pool specifies compute shape, OS image, Kubernetes version, subnet, and size. Node pools within a cluster can use different shapes.
### OS Management Hub
Oracle's unified OS patching and lifecycle management service. Manages updates for Oracle Linux and Windows Server instances. Key for exam scenarios about patching strategies — OS Management Hub is the OCI-native answer, not third-party tools.
---
## Domain 4: Storage Services
### Block Volume
Persistent block storage attached to compute instances. Key characteristics:
- **Performance tiers**: Lower Cost, Balanced, Higher Performance, Ultra High Performance
- **Multi-attach**: attach a single block volume to multiple instances (requires coordination at the OS level for write access)
- **Block Volume Backup**: policy-based backups to Object Storage (automatic backup policies: Bronze, Silver, Gold, Platinum)
- **Block Volume Replication**: async cross-region replication for disaster recovery
- **Boot volumes**: system disks for compute instances; can be separately backed up and cloned
### Object Storage
OCI Object Storage is the highly scalable, S3-compatible object store. Key tiers:
| Tier | Use Case | Min. Retention | Access |
|---|---|---|---|
| Standard | Frequently accessed data | None | Immediate |
| Infrequent Access | Accessed less than once a month | 31 days | Immediate |
| Archive | Long-term cold storage | 90 days | Restore required (1 hour) |
**Lifecycle policies**: automatically transition objects between tiers or delete them after a defined number of days.
**Pre-authenticated requests (PARs)**: generate time-limited URLs for unauthenticated access to specific objects or buckets.
**Versioning**: retain all versions of objects for recovery from accidental deletion or overwrites.
### File Storage
NFS-based shared file system. Multiple compute instances can mount the same FSS mount target and access the same file system simultaneously. Use cases: shared application configurations, content management, NFS-required legacy apps.
**Mount Target**: the NFS endpoint (IP address and port) that clients connect to. One Mount Target can serve multiple file systems.
---
## Domain 5: Database Services
### Autonomous Database
Oracle's self-driving database. Two workload types:
- **ATP (Autonomous Transaction Processing)**: OLTP workloads, mixed workloads
- **ADW (Autonomous Data Warehouse)**: analytics, data warehousing
Two deployment options:
- **Serverless**: shared Exadata infrastructure, scales automatically, pay per ECPU consumed
- **Dedicated**: your own Exadata infrastructure, maximum isolation and control
### Oracle Database on VM and Bare Metal (Base Database Service)
For traditional Oracle Database deployments with full control. Choose DB System type (VM 1-node or 2-node RAC, BM). Choose DB edition (SE, EE, EE-HP, EE-EP). Supports 12c through 23ai.
### ExaDB-D and ExaDB-C@C
**ExaDB-D (Exadata Database Service on Dedicated Infrastructure)**: Oracle manages the Exadata infrastructure in OCI; you manage database configuration. High performance, low latency, for mission-critical workloads.
**ExaDB-C@C (Exadata Cloud@Customer)**: Exadata hardware physically located in your on-premises data center, managed as a cloud service by Oracle. Use when data residency regulations prohibit cloud migration.
### Oracle DB@Azure
A managed Oracle Database service running on Oracle hardware physically located in Microsoft Azure data centers. Different from ExaDB-C@C (which is in your data center). Use when: applications run on Azure and need low-latency Oracle DB access without VPN between Azure and OCI.
---
## Domain 6: Security and Identity
### IAM: The Core Concepts
**Identity Domains**: the modern IAM model in OCI. A domain is a container for users, groups, and identity provider configurations. Every tenancy has a Default Domain.
**Users and Groups**: users are individuals or service accounts; groups are collections of users. Policies grant permissions to groups, not individual users.
**Compartments**: logical containers for OCI resources that enable access control and cost tracking. Compartments inherit policies from their parent compartments, so access granted on a parent also applies to resources in its child compartments. Maximum depth: 6 levels.
**Policies**: IAM rules written in a natural-language syntax:
`Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>`
Verbs (in ascending order of privilege): `inspect`, `read`, `use`, `manage`
**Dynamic Groups**: groups whose membership is defined by a matching rule (e.g., all compute instances in a compartment). Used to grant OCI resources permission to call OCI APIs without storing credentials on the instance.
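A least-privilege check over policy statements for groups and dynamic groups, as an added example (not part of the original guide and not an Oracle tool). The group, dynamic-group and compartment names are constructed, and the parser assumes unquoted names and the single-line statement form shown above.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]   # ascending order of privilege

# Allow <subject> to <verb> <resource-type> in <scope> [where <conditions>]
STATEMENT = re.compile(
    r"^allow\s+(?P<subject>any-user|(?:dynamic-group|group)\s+\S+)\s+"
    r"to\s+(?P<verb>\w+)\s+(?P<resource>[\w-]+)\s+"
    r"in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE)


def lint(statement: str) -> list[str]:
    """Return least-privilege findings for one policy statement."""
    m = STATEMENT.match(statement.strip())
    if not m:
        return ["unparsed: review by hand"]
    verb = m["verb"].lower()
    if verb not in VERBS:
        return [f"unknown verb '{verb}'"]
    findings = []
    subject = m["subject"].lower()
    if verb == "manage" and m["resource"].lower() == "all-resources":
        findings.append("manage all-resources is administrator-equivalent in scope")
    if m["scope"].lower() == "tenancy" and VERBS.index(verb) >= VERBS.index("use"):
        findings.append("verb above read granted tenancy-wide")
    if subject == "any-user" and m["cond"] is None:
        findings.append("any-user without a where clause")
    if subject.startswith("dynamic-group") and verb == "manage":
        findings.append("dynamic group can manage: every matching instance gets this")
    return findings


# Constructed sample policy, one statement per entry.
POLICY = [
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Network",
    "Allow group Ops to manage all-resources in tenancy",
    "Allow dynamic-group app-instances to read secret-bundles in compartment App",
    "Allow dynamic-group app-instances to manage object-family in compartment App",
    "Allow any-user to read buckets in tenancy",
]


def audit(statements):
    """Map each statement that has findings to its list of findings."""
    return {s: f for s in statements if (f := lint(s))}
```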
### Key Security Services
**OCI Vault**: managed key management and secrets management. Store encryption keys (AES, RSA, ECDSA), certificates, and application secrets. Supports BYOK (Bring Your Own Key) and HYOK (Hold Your Own Key via HSM).
**Cloud Guard**: continuously monitors OCI for security posture issues. Uses Detectors (rules that identify problems) and Responders (automated or manual remediation actions). Security problems are reported as Problems.
**Security Zones**: apply security policies to compartments that cannot be overridden. E.g., a Security Zone policy can prevent creating public buckets or unencrypted resources. Enforced even if an admin tries to create a non-compliant resource.
**OCI Bastion**: managed SSH jump host service. Provides time-limited, audited SSH access to private instances without a bastion host VM. Two session types: Managed SSH session (connect to OCI instances) and Port forwarding session.
---
## 5-Week Study Plan
### Week 1: Architecture Foundations + Networking
- Study OCI regions, ADs, FDs, and fault tolerance patterns
- Master VCN design: subnets, gateways, route tables
- Understand Security Lists vs. NSGs
- Practice: draw a 3-tier web application VCN architecture
### Week 2: Networking Advanced + Compute
- Study VPN Connect vs. FastConnect, DRG peering
- Learn load balancer types (Layer 4 vs. Layer 7)
- Study compute shapes, flexible sizing, instance pools, autoscaling
- Study OKE: managed vs. virtual nodes
### Week 3: Storage + Database
- Study block, object, and file storage — know the tiers and use cases
- Study Autonomous Database: serverless vs. dedicated, ATP vs. ADW
- Compare ExaDB-D vs. ExaDB-C@C, and Oracle DB@Azure
- Take a 20-question practice quiz on Domains 4-5
### Week 4: Security, Identity, and Governance
- Master IAM: compartments, groups, policies, dynamic groups
- Study OCI Vault, Cloud Guard, Security Zones, Bastion
- Practice writing IAM policy statements
- Take a 20-question practice quiz on Domain 6
### Week 5: Full Practice Exams + Review
- Take 2 full 60-question practice exams under timed conditions
- Focus review on networking and IAM (highest percentage domains)
- Re-study any topic scoring below 65%
---
## Top Exam Tips
1. **Networking is 20% of the exam** — invest significant time here; understand DRG transit routing cold
2. **Security List vs. NSG** is a perennial exam question — remember: Security Lists are subnet-level, stateful; NSGs are VNIC-level, stateful, preferred for fine-grained control
3. **Autonomous DB questions** often hinge on serverless vs. dedicated — dedicated = more isolation and control, serverless = auto-scaling and simplicity
4. **Dynamic groups** are frequently tested for scenarios where code running on a compute instance needs to call OCI APIs
5. **ExaDB-C@C** is the answer when data residency requires on-premises hardware
---
## Practice with 340 Questions
Passing the OCI Architect Associate exam requires more than memorizing service names — you need to practice applying them to real architecture scenarios. Our practice exam includes 340 scenario-based questions covering all six domains.
Start your preparation today with our [Oracle OCI Architect Associate (1Z0-1072-25) Practice Exam](/exams/oracle-oci-architect-associate-1z0-1072-25-340-questions).