Why OCI Foundations matters in 2026
Oracle Cloud Infrastructure has moved past the “will it survive” question. Oracle’s FY2026 cloud revenue grew 24% year-on-year, driven by enterprises running Oracle Database workloads — ERP, financials, HR, manufacturing — migrating to OCI because Oracle’s pricing model makes it significantly cheaper to run Oracle workloads there than on AWS or Azure. When an organisation moves its Oracle Database estate to OCI, every infrastructure engineer, DBA, and cloud architect on the team needs OCI literacy. OCI Foundations is the threshold credential that proves it.
The 1Z0-1085-24 version (2024 update) includes OCI Generative AI services, updated Autonomous Database offerings, and revised networking components. At 60 questions in 90 minutes, it moves faster than AWS CLF-C02 and requires more service-selection decision-making rather than pure definition recall.
The five exam domains
Domain 1 — Cloud Concepts and OCI Architecture (~20%)
OCI’s infrastructure model differs from AWS and Azure in ways the exam specifically tests.
- Regions and Availability Domains (ADs): each OCI Region contains up to three ADs — physically separate data centers connected by fast private fiber. A failure in one AD does not affect others. Cross-AD deployment is required for regional high availability.
- Fault Domains (FDs): three FDs per AD provide hardware-level isolation within the AD (separate power, network switches). Spreading instances across all three FDs protects against single-host hardware failures. The exam distinguishes FD protection (hardware within AD) from AD protection (full data center failure).
- Tenancy and Compartments: a Tenancy is the root OCI account. Compartments are hierarchical logical groupings of resources (up to six levels deep) that serve as both cost allocation and access control boundaries — every IAM policy scopes permissions to a compartment or the tenancy root. Every OCI resource lives in exactly one compartment.
- Always Free tier: permanently free resources include two AMD E2.1.Micro VMs, up to 4 Ampere A1 Flex OCPUs and 24 GB RAM, 200 GB Block Volume, 20 GB Object Storage, two Autonomous Database instances (20 GB each), and 10 TB outbound data per month.
Domain 2 — Core OCI Services: Compute, Storage, Networking (~30%)
The highest-weighted domain tests service selection across shapes, storage tiers, and VCN components.
- Compute shapes: Standard shapes (AMD E-series, Intel X-series), Arm-based Ampere A1 Flex (Always Free-eligible, the exam answer for most compute at zero cost), and Bare Metal for dedicated hardware. Flex shapes allow arbitrary CPU-to-memory ratios — the cost optimisation path for non-standard profiles.
- Block Volume vs Object Storage vs File Storage: Block Volume is NVMe-attached to a single instance (boot volumes + data volumes, backup policies for automated snapshots). Object Storage has three tiers: Standard (hot), Infrequent Access (cool, 31-day minimum, retrieval fee), and Archive (lowest cost, 90-day minimum, hour-scale restore). Pre-Authenticated Requests (PARs) grant time-limited external access without OCI credentials. File Storage Service (FSS) provides NFS-compatible shared access across multiple instances simultaneously.
- VCN architecture: regional subnets span all ADs. Gateways: Internet Gateway (bidirectional internet for public subnets), NAT Gateway (egress-only for private subnets), Service Gateway (private access to OCI services without touching the public internet), Dynamic Routing Gateway (DRG) (connects VCNs, on-premises via IPSec VPN or FastConnect). Local Peering Gateways (LPGs) connect two VCNs within the same region.
- Security Lists vs NSGs: the most-tested networking concept. Security Lists are subnet-level rules applying to all VNICs in the subnet. Network Security Groups (NSGs) are VNIC-level and can reference other NSGs as sources/destinations — the microsegmentation pattern. Use NSGs when different instances in the same subnet need different firewall rules.
- Load Balancer vs Network Load Balancer: Load Balancer is Layer 7 (HTTP/HTTPS, SSL termination, content routing). Network Load Balancer is Layer 4 (TCP/UDP, preserves client source IP, lower latency for non-HTTP).
Domain 3 — OCI Security and Identity (~20%)
IAM policy syntax is a guaranteed exam topic and one of the areas most distinct from AWS IAM.
- IAM policy syntax: Allow <principal> to <verb> <resource-type> in <location>. Four hierarchical verbs: inspect (list only) → read (list + get data) → use (read + work with) → manage (all operations). Each verb implies all verbs below it. Exam pattern: select the minimum verb for the described permission requirement.
- Dynamic Groups: OCI non-user resources (instances, functions) cannot join user Groups. Dynamic Groups match resources via rules (by OCID, compartment, tag) and allow those resources to be granted IAM permissions — enabling Instance Principal authentication so application code calls OCI APIs without embedded credentials.
- Security Zones: a Security Zone enforces a Recipe of security policies at compartment level at resource creation time (block public subnets, block public Object Storage buckets, require encrypted Block Volumes). Attempts to create non-compliant resources fail immediately — the exam answer for preventing engineers from accidentally creating insecure resources in production.
- Vault: managed key management (KMS equivalent). Master Encryption Keys (MEKs) in Vault wrap Data Encryption Keys (DEKs) for envelope encryption. Supports HSM-backed keys (Virtual Private Vault) and software-backed keys. Customer-managed keys answer compliance requirements mandating key ownership.
- Cloud Guard: CSPM that continuously detects misconfigurations (public Object Storage bucket, Security List allowing 0.0.0.0/0 on port 22, unencrypted boot volume) and publishes Problems. Responders can auto-remediate. The exam answer for continuous misconfiguration detection across the full tenancy.
- Data Safe: Oracle Database-specific security service. Security Assessment, User Assessment, Data Discovery (finds PII/financial/PCI columns), Data Masking (replaces sensitive values in non-production copies), Activity Auditing. Applies to Autonomous Database, Base DB Service, and Exadata only — not to non-Oracle databases.
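The statement form and verb hierarchy from the IAM policy syntax item above, as an added example (not Oracle's code and not part of the original guide): a small Python linter that parses policy statements and reports grants above or below the minimum verb a principal needs. It handles only the group and dynamic-group principal forms; the group names, compartment names and requirement table are constructed for illustration.

```python
import re

VERBS = ["inspect", "read", "use", "manage"]  # each verb implies those before it

STATEMENT = re.compile(
    r"^\s*allow\s+(?P<kind>group|dynamic-group)\s+(?P<name>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?:tenancy|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

def parse(statement):
    """Split one statement into principal, verb, resource type and scope."""
    m = STATEMENT.match(statement)
    if m is None:
        raise ValueError(f"unsupported policy statement: {statement!r}")
    d = m.groupdict()
    return {"kind": d["kind"].lower(), "name": d["name"],
            "verb": d["verb"].lower(), "resource": d["resource"].lower(),
            "compartment": d["compartment"],  # None means the tenancy root
            "condition": d["condition"]}

def excess_verbs(granted, needed):
    """Verbs the grant includes beyond the one actually required."""
    return VERBS[VERBS.index(needed) + 1 : VERBS.index(granted) + 1]

def lint(statements, needs):
    """needs maps (principal name, resource type) to the minimum verb required."""
    findings = []
    for text in statements:
        p = parse(text)
        if (p["verb"], p["resource"], p["compartment"]) == ("manage", "all-resources", None):
            findings.append((p["name"], "tenancy-wide manage all-resources"))
        needed = needs.get((p["name"], p["resource"]))
        if needed is None:
            continue
        if VERBS.index(p["verb"]) < VERBS.index(needed):
            findings.append((p["name"], f"{p['verb']} is below required {needed}"))
        elif excess_verbs(p["verb"], needed):
            extra = ", ".join(excess_verbs(p["verb"], needed))
            findings.append((p["name"], f"grants {extra} beyond required {needed}"))
    return findings

# Constructed sample policy and requirements (all names are hypothetical).
POLICY = [
    "Allow group Auditors to manage buckets in compartment Prod",
    "Allow dynamic-group AppInstances to read objects in compartment Prod",
    "Allow group NetOps to inspect virtual-network-family in compartment Network",
    "Allow group Admins to manage all-resources in tenancy",
]
NEEDS = {("Auditors", "buckets"): "inspect", ("AppInstances", "objects"): "read",
         ("NetOps", "virtual-network-family"): "use"}
```

Calling lint(POLICY, NEEDS) returns one finding for the over-privileged Auditors grant, one for the under-privileged NetOps grant, and one for the tenancy-wide administrator statement; the AppInstances grant matches its requirement and produces nothing.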
Domain 4 — OCI Database Services and Generative AI (~20%)
Autonomous Database is the single most-tested topic on this exam. Candidates who cannot distinguish ATP from ADW will answer multiple questions incorrectly.
- Autonomous Transaction Processing (ATP): optimised for OLTP — high-concurrency short transactions, row-format storage, web application data, event streams, JSON document workloads. Select ATP when the scenario describes transactional or CRUD operations.
- Autonomous Data Warehouse (ADW): optimised for analytics — column-format storage, parallel query, large aggregations, BI dashboards, reporting. Select ADW when the scenario describes analytical queries or data warehouse workloads.
- Serverless vs Dedicated: Serverless Autonomous Database runs on shared Oracle-managed Exadata, auto-scales OCPUs up to 3× provisioned, Oracle handles all patching. Dedicated Exadata Infrastructure provides a single-tenant Exadata rack with full isolation, custom patching schedules, and predictable performance — the answer for regulatory requirements mandating dedicated infrastructure.
- Oracle Database on OCI (Base DB Service): co-managed; Oracle manages hardware, you manage the Oracle Database software. VM DB Systems for smaller workloads, Bare Metal DB Systems for high-memory OLTP. Gives full DBA control but requires you to manage the database — contrasted with Autonomous (Oracle manages everything).
- Exadata Database Service on OCI: fully managed Exadata for the highest-performance Oracle workloads or on-premises Exadata migrations. Highest performance, highest cost tier.
- MySQL HeatWave: managed MySQL with optional HeatWave in-memory analytics add-on (analytics queries 400× faster than standard MySQL). HeatWave Lakehouse also queries Object Storage data (Parquet, CSV). The answer when a scenario needs MySQL analytics without a separate ETL pipeline.
- OCI Generative AI Service: managed LLM inference using Cohere Command R+ and Meta Llama 3 models. Generation, summarisation, and embeddings endpoints. No GPU management required. Distinct from Oracle Digital Assistant (conversational chatbot platform with its own dialogue management and NLU).
Compartments are not just billing boundaries — they are the primary access control mechanism in OCI. Every IAM policy grants permissions within a compartment scope. Designing your compartment hierarchy means designing your security boundary: resources managed by the same team with the same access requirements belong in the same compartment.
Domain 5 — Observability, Pricing, and Support (~10%)
- Monitoring: collects metrics from all OCI services. Alarms define MQL-based conditions (e.g. CpuUtilization[1m].mean() > 80) that trigger Notifications. Monitoring Query Language (MQL) is OCI-specific — know basic alarm condition syntax.
- Logging: ingests Service Logs (VCN Flow Logs, Load Balancer access logs), Audit Logs (all API calls in the tenancy), and Custom application logs. Service Connectors (Connector Hub) route log data to Object Storage, Kafka-compatible Streaming, Functions, or Monitoring for downstream processing.
- Application Performance Monitoring (APM): distributed tracing across microservices. Instruments code to emit spans; correlates spans into traces with flame graph visualisation. The answer for diagnosing latency across service boundaries in distributed architectures.
- Pricing models: Pay-as-you-go (no commitment), Monthly Flex (committed monthly spend, ~33% discount), Annual Flex, Universal Credits (pooled prepaid budget across all services and regions). Egress from OCI to the internet is metered; inbound and inter-AD traffic within OCI is free.
- Always Free limits to memorise: 2 AMD E2.1.Micro VMs (1 OCPU, 1 GB RAM each) + 4 Ampere A1 Flex OCPUs + 24 GB A1 RAM, 200 GB Block Volume, 20 GB Object Storage, 2 × Autonomous Database at 20 GB each, 1 Load Balancer at 10 Mbps, 10 TB outbound data/month.
How OCI Foundations fits the cert map
OCI Foundations (1Z0-1085-24) is the entry point to Oracle’s cloud certification stack. From here, candidates branch to role-based specialist tracks: OCI Architect Associate (1Z0-1072) and Professional (1Z0-997) for infrastructure design; OCI Developer Associate (1Z0-1084) for application development; OCI AI Foundations Associate (1Z0-1122) for Gen AI and ML services; OCI Data Management Associate for database and analytics; and OCI Security Professional for enterprise security architecture. None of these formally require Foundations as a prerequisite, but the compartment model, VCN fundamentals, IAM basics, and Autonomous Database positioning that Foundations tests are assumed background for all of them.
For candidates already certified on AWS or Azure, OCI Foundations requires less study time than a cold start. The compute, storage, and networking models follow familiar patterns with OCI-specific terminology. Focus extra time on the Compartment-as-security-boundary IAM model (structurally different from AWS IAM’s identity-based policy model), the ATP vs ADW selection logic, and the Security List vs NSG distinction — these are the areas where multi-cloud candidates most often drop points.
Autonomous Database and IAM policy scenarios are the highest-density topics. Practise ATP vs ADW selection and policy verb selection (inspect / read / use / manage) until they are automatic. Memorise the Always Free limits — the key numbers (2 AMD VMs, 4 Ampere OCPUs, 200 GB Block, 20 GB Object, 2 × ADB at 20 GB) appear in multiple scenario questions and are faster to recall than to work out under time pressure.