1Z0-1124-25 Syllabus — Learning Objectives by Topic

Learning objectives for OCI 2025 Networking Professional (1Z0-1124-25), organized by topic with quick links to targeted practice.

Use this syllabus as your source of truth for 1Z0-1124-25.

What’s covered

Topic 1: VCN Architecture and IP Design

1.1 CIDR planning, subnets, and segmentation

  • Explain CIDR planning concepts and how to avoid overlaps with on-prem and peer networks (concept-level).
  • Given a scenario, design subnet segmentation for web/app/db tiers with least exposure and controlled egress.
  • Identify how regional resources and availability domains affect network design and resilience (concept-level).
  • Recognize public vs private subnet patterns and proper gateway placement for safe exposure.
  • Given a scenario, plan address growth to avoid re-IPing later (concept-level).
  • Explain how compartments and tags organize network resources for governance and cost attribution.

1.2 VCN components and resource relationships

  • Identify core VCN components: subnets, route tables, DHCP options, security lists, and NSGs.
  • Given a scenario, choose security lists vs NSGs based on subnet-level vs resource-level scope requirements.
  • Explain the purpose of DHCP options and DNS labels at a conceptual level.
  • Recognize how multiple route tables enforce different egress and connectivity intent across subnets.
  • Given a scenario, design a shared services VCN with spoke VCNs to improve isolation and manageability.
  • Identify common anti-patterns: flat VCNs, wide-open rules, and placing sensitive resources in public subnets.

1.3 Availability and multi-region network patterns

  • Explain high-availability design for networked applications (multiple subnets, multi-AD placement) conceptually.
  • Given a scenario, design multi-AD layouts for tier redundancy and failure isolation.
  • Identify when multi-region deployment is required for DR and how networking supports failover objectives (concept-level).
  • Recognize latency and data residency considerations when selecting regions and connectivity paths.
  • Given a scenario, design DNS and traffic steering approaches for failover (concept-level).
  • Explain how to document network architecture and validate paths before changes to reduce outage risk.

Topic 2: Routing, Gateways, and Private Access

2.1 Route tables, gateways, and reachability

  • Explain how route tables determine reachability and how security rules restrict traffic separately (separation of concerns).
  • Given a scenario, choose Internet Gateway, NAT Gateway, or Service Gateway for egress requirements.
  • Identify when to use local peering vs DRG-based connectivity (concept-level).
  • Recognize common routing issues: missing routes, route conflicts, and asymmetric routing (concept-level).
  • Given a scenario, design controlled egress with NAT and restrictive egress rules to reduce exfiltration risk.
  • Explain how to test reachability using basic tools and verification checks (concept-level).

2.2 Private access to OCI services and endpoints

  • Explain Service Gateway purpose and how it enables private access to Oracle services without public internet.
  • Given a scenario, design private access to Object Storage and other regional services using Service Gateway.
  • Identify private endpoint patterns to managed services and why they reduce public exposure (concept-level).
  • Recognize how DNS and route rules affect private service access and troubleshooting (concept-level).
  • Given a scenario, design egress restrictions using route intent and inspection controls (concept-level).
  • Explain why private access patterns reduce exfiltration risk and support compliance objectives.

2.3 DRG routing and route distribution (concept-level)

  • Explain DRG purpose and components: attachments, route tables, and route distribution statements (concept-level).
  • Given a scenario, design DRG hub-and-spoke to connect multiple VCNs and on-prem networks (concept-level).
  • Identify how to prevent route leaks between spokes using DRG route tables and distributions (concept-level).
  • Recognize BGP route propagation considerations with FastConnect and VPN connectivity (concept-level).
  • Given a scenario, troubleshoot DRG connectivity by checking attachments, routes, and security rules conceptually.
  • Explain multi-region DRG and transit routing considerations at a conceptual level.

Topic 3: Network Security Controls and Edge Services

3.1 Security lists, NSGs, and layered security

  • Differentiate security lists and NSGs and apply least-privilege rules to reduce lateral movement risk.
  • Given a scenario, design ingress/egress rules for common tiers (web/app/db) with minimal exposure.
  • Explain stateful vs stateless rules and when each matters at a conceptual level.
  • Recognize the importance of restricting egress, not just ingress, for data protection.
  • Given a scenario, implement rules for hybrid connectivity (on-prem ranges) without opening access broadly.
  • Identify troubleshooting steps for blocked traffic: check NSGs, security lists, routes, and endpoints in order.

3.2 Network Firewall, WAF, and DDoS considerations

  • Explain what Network Firewall provides and where to place it in an architecture (concept-level).
  • Given a scenario, choose WAF vs Network Firewall vs security lists based on L7 vs L3/L4 needs.
  • Recognize patterns for centralized inspection (hub VCN) vs per-spoke controls and the trade-offs.
  • Explain how rate limiting and edge protections reduce abuse and DDoS impact (concept-level).
  • Given a scenario, design logging and monitoring for security devices to support incident response and forensics.
  • Identify trade-offs: added latency, operational complexity, and cost vs risk reduction.

3.3 Secure administration and private connectivity

  • Explain bastion/jump host patterns and why direct public administration access is risky (concept-level).
  • Given a scenario, design admin access using bastions, private subnets, and restrictive NSGs.
  • Identify how to secure management planes with IAM controls, MFA, and limited operator networks (concept-level).
  • Recognize the role of VPN/client access for operators and how to scope it safely (concept-level).
  • Given a scenario, implement segmentation to limit lateral movement from admin access paths.
  • Explain audit and logging requirements for administrative access and privileged network changes (concept-level).

Topic 4: Hybrid, Peering, and Cross-Region Connectivity

4.1 IPSec VPN design and operations

  • Explain IPSec VPN components: tunnels, CPE, DRG attachment, and routing (concept-level).
  • Given a scenario, design redundant VPN tunnels for high availability and maintenance flexibility.
  • Identify how to choose static vs dynamic routing (BGP) and the operational consequences (concept-level).
  • Recognize common VPN issues: MTU problems, phase mismatches, route overlap, and asymmetric routing (concept-level).
  • Given a scenario, plan VPN cutover steps and rollback procedures to minimize downtime.
  • Explain monitoring and alerting for VPN tunnel health, throughput, and packet loss (concept-level).

4.2 FastConnect design and operations

  • Explain FastConnect concepts and when it is preferred over VPN for consistent performance.
  • Given a scenario, design FastConnect redundancy (multiple circuits/providers/locations) conceptually.
  • Identify bandwidth planning considerations for data-heavy workloads (migration, backups, analytics).
  • Recognize BGP routing and route filtering needs with FastConnect (concept-level).
  • Given a scenario, integrate FastConnect with DRG hub-and-spoke and multiple VCNs (concept-level).
  • Explain how to troubleshoot FastConnect issues (BGP session, route propagation, VLAN mapping) conceptually.

4.3 Peering patterns and service connectivity

  • Differentiate local VCN peering vs remote peering and choose based on scope and latency needs (concept-level).
  • Given a scenario, design connectivity between VCNs across regions or tenancies (concept-level).
  • Identify how to avoid unintended transitive routing and route leaks between peers (concept-level).
  • Recognize shared services patterns (central DNS, logging, inspection) and how peering supports them (concept-level).
  • Given a scenario, design private DNS resolution across VCNs and verify name resolution paths (concept-level).
  • Explain security implications of peering and how to enforce least privilege across connected networks.

Topic 5: Load Balancing, DNS, and Network Services

5.1 Load balancer types and use cases

  • Differentiate OCI Load Balancer vs Network Load Balancer and choose based on L7 vs L4 requirements.
  • Given a scenario, design health checks and backend sets for high availability and safe failover.
  • Explain TLS termination options and certificate management implications at a conceptual level.
  • Recognize session persistence and timeout configuration and how they affect application behavior (concept-level).
  • Given a scenario, design internal vs public load balancers and choose subnet placement appropriately.
  • Identify monitoring signals for load balancers: backend health, latency, throughput, and error rates (concept-level).

5.2 DNS design and traffic management

  • Explain DNS zones, records, and TTL trade-offs for stability vs agility.
  • Given a scenario, design split-horizon DNS for private vs public resolution.
  • Identify service discovery patterns and why consistent naming improves operations (concept-level).
  • Recognize common DNS failure modes: stale caches, wrong records, and overlapping zones (concept-level).
  • Given a scenario, plan DNS changes for cutovers (lower TTL, staged updates) conceptually.
  • Explain how to monitor DNS and validate resolution from different network locations (concept-level).

5.3 Service gateways, private endpoints, and egress control

  • Explain Service Gateway usage for accessing OCI services privately and reducing internet exposure.
  • Given a scenario, restrict egress using route tables, NAT, and inspection controls (concept-level).
  • Identify private endpoint patterns to managed services and why they reduce public exposure (concept-level).
  • Recognize proxy/egress allowlist patterns that support compliance and data loss prevention (concept-level).
  • Given a scenario, design network paths for managed services without public internet (Object Storage, databases) conceptually.
  • Explain how to validate egress controls with tests and monitoring to prevent silent regressions (concept-level).

Topic 6: Troubleshooting, Observability, and Automation

6.1 Network troubleshooting workflows

  • Given a scenario, troubleshoot connectivity by checking route tables, gateways, and security rules in a reliable order.
  • Explain how to isolate DNS vs routing vs security issues using verification checks (concept-level).
  • Recognize symptoms of asymmetric routing and how to correct route propagation (concept-level).
  • Identify how to debug load balancer issues: backend health, security rules, and subnet reachability (concept-level).
  • Given a scenario, diagnose hybrid outages by checking VPN/FastConnect status, BGP, routes, and ACLs conceptually.
  • Explain why change tracking and annotations help correlate network changes with incidents (concept-level).

6.2 Network monitoring and logging (concept-level)

  • Identify what to monitor for networks: gateway metrics, tunnel status, load balancer metrics, and firewall logs (concept-level).
  • Given a scenario, design alerts for critical failures (VPN down, route blackhole, unhealthy backends) conceptually.
  • Explain how to collect and retain network logs for troubleshooting and compliance (concept-level).
  • Recognize the need to monitor egress and potential data exfiltration paths (concept-level).
  • Given a scenario, design dashboards that show end-to-end network health for an application.
  • Explain how suppression, ownership, and runbooks reduce alert noise and improve response (concept-level).

6.3 Automation and infrastructure as code for networking

  • Explain why networking changes should be managed with infrastructure as code to reduce drift and increase repeatability.
  • Given a scenario, use Resource Manager/Terraform patterns for repeatable VCN and DRG deployments (concept-level).
  • Identify safe rollout patterns for network changes (staged updates, maintenance windows) to avoid outages (concept-level).
  • Recognize guardrails: policy-as-code, approvals for risky changes, and least-privilege automation identities (concept-level).
  • Given a scenario, design automated tests for reachability after deployments and changes.
  • Explain documentation practices: diagrams, runbooks, and configuration inventories to support operations (concept-level).