Oracle Cloud Infrastructure 2020 Architect Professional — Question 15

An organization has its IT infrastructure in a hybrid setup with an on-premises environment and an Oracle Cloud Infrastructure (OCI) Virtual Cloud Network (VCN) in the us-phoenix-1 region. The on-premises applications communicate with compute instances inside the VCN over a hardware VPN connection. They are looking to implement an Intrusion Detection and Prevention (IDS/IPS) system for their OCI environment. This platform should have the ability to scale to thousands of compute instances running inside the VCN.
How should they architect their solution on OCI to achieve this goal? (Choose the best answer.)

Answer options

• A. Set up an OCI Private Load Balancer and configure IDS/IPS related health checks at TCP and/or HTTP level to inspect traffic.
• B. Configure autoscaling on a compute instance pool and set vNIC to promiscuous mode to collect traffic across the VCN and send it to the IDS/IPS platform for inspection.
• C. Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection.
• D. There is no need to implement an IPS/IDS system as traffic coming over IPSec VPN tunnels is already encrypted.

Correct answer: B

Explanation

Option B is the correct choice because enabling promiscuous mode allows the IDS/IPS system to capture and analyze all traffic within the VCN, which is essential for effective intrusion detection and prevention. Option A focuses on load balancing and health checks but does not provide the necessary traffic visibility for IDS/IPS. Option C, while collecting traffic, may not scale effectively compared to using a promiscuous vNIC setup. Option D is incorrect as encrypted traffic still requires monitoring for potential threats.