Ends in
00
days
00
hrs
00
mins
00
secs
ENROLL NOW

All Video Courses at $9.99 ONLY

AWS Certified Advanced Networking – Specialty ANS-C01 Exam Study Path

The AWS Certified Advanced Networking – Specialty ANS-C01 certification exam is a part of the AWS Specialty learning path and is a highly in-demand certificate among AWS Specialty certifications. The Advanced Networking path focuses on designing and maintaining network architectures in AWS, and using core AWS services to perform networking tasks. You are also tested on your technical skills in implementing hybrid network solutions that span multiple locations for both on-premises and in AWS. Since networking in AWS is quite intricate, companies need individuals like you who meet the competency level in designing complex network solutions.

This Study Guide Path for the new AWS Certified Advanced Networking Specialty ANS-C01 is quite lengthy so I suggest that you use the handy bookmark links on the left-hand menu for easier navigation. This comprehensive report contains a lot of valuable information to help you pass your ANS-C01 exam on your first try. So without further ado, let’s get started!

AWS Certified Advanced Networking Specialty ANS-C01 Overview

Primarily, this certification exam is recommended for people who have experience with AWS networking services and setting up application networking for monolithic, containerized, microservices, and other architectures. The AWS Certified Advanced Networking – Specialty ANS-C01 exam can be as difficult as a Professional-level exam, so ample preparation is needed. You can know more about your exam through the official exam guide here. It breaks down the different domains that you can expect from the exam, with each domain discussing the different scenarios and services that you should have knowledge of.

The ANS-C01 exam has a total of 65 questions that are either multiple choice or multiple response questions. You have 170 minutes (or 2 hours 50 minutes) to complete the AWS Certified Advanced Networking – Specialty exam. It costs 300 USD to take this exam so if you have already passed an AWS exam in the past, make sure to apply your 50% exam voucher to significantly reduce your exam cost. You can take this exam online in the comforts of your home or at an authorized Pearson Vue/PSI testing center. To book your exam, you can follow this guide.

AWS Certifed Advanced Networking Specialty 2023 ANS-C01 Exam Guide

Before you can take the AWS Certified Advanced Networking – Specialty ANS-C01, it is recommended (but required) that you have:

  • Professional experience using AWS technology, AWS security best practices, AWS storage options and their underlying consistency models, and AWS networking nuances and how they relate to the integration of AWS services.
  • Knowledge of advanced networking architectures and interconnectivity options [e.g., IP VPN, multiprotocol label switching (MPLS), virtual private LAN service (VPLS)].
  • Familiarity with the development of automation scripts and tools. This should include the design, implementation, and optimization of the following:
    • Routing architectures (including static and dynamic);
    • multi-region solutions for a global enterprise;
    • highly available connectivity solutions (e.g., AWS Direct Connect, VPN).
  • Knowledge of CIDR and sub-netting (IPv4 and IPv6); IPv6 transition challenges; and generic solutions for network security features, including AWS WAF, intrusion detection systems (IDS), intrusion prevention systems (IPS), DDoS protection, and economic denial of service/sustainability (EDoS).

Network configuration for containerized applications hosted in Amazon Elastic Kubernetes Service (EKS) and Amazon Elastic Container Service (ECS) is also covered. Make sure that you know how to configure your Docker containers and Kubernetes pods to talk to each other and to connect to various services on both AWS and on external resources. This  includes pod-to-pod networking  using the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes, Kube-Proxy, AWS Load Balancer Controller add-ons and many more.

AWS Certified Advanced Networking Specialty ANS-C01 Study Materials

The best things in life are free. With that said, the primary study materials we recommend for the AWS Certified Advanced Networking Specialty exam are:

  1. Exam Readiness: AWS Certified Advanced Networking – Specialty ANS-C01 – This is a 9-hour course that is FREE to take on the AWS Skills Builder site. It is a great way to get started on your review.
  2. Official AWS Certified Advanced Networking – Specialty ( ANS-C01 ) Exam Guide
  3. Official AWS Certified Advanced Networking – Specialty ( ANS-C01 ) Sample Questions
  4. AWS Practice Tests for AWS Certified Advanced Networking Specialty ANS-C01
  5. Related ANS-C01 AWS Whitepapers – This will be listed below
  6. AWS Documentation and FAQs
  7. AWS Blogs – This is also important since blogs often contain scenarios or architecture diagrams that might appear as questions in your exam.
  8. AWS Re:Invent videos – The same goes with Re:Invent videos. AWS usually features sample architectures for new features or services to give a better idea of how to use them.

 

Relevant ANS-C01 Whitepapers:

  1. Best Practices for VPCs and Networking in Amazon WorkSpaces Deployments
  2. Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
  3. Amazon Virtual Private Cloud Connectivity Options
  4. AWS Best Practices for DDoS Resiliency
  5. High-Performance Computing on AWS Redefines What is Possible

 

Relevant ANS-C01 Blogs:

  1. Reviewing DNS Mechanisms for Routing Traffic and Enabling Failover for AWS PrivateLink Deployments
  2. Connecting a Single Customer Router to Multiple VPCs
  3. How to Set Up DNS Resolution Between On-Premises Networks and AWS by Using Unbound

 

Core AWS Services to Focus On for the AWS Certified Advanced Networking Specialty ANS-C01 Exam

The official AWS Certified Advanced Networking Specialty ANS-C01 Exam Guide provides a list of exam domains and topics that you should focus on. There are 4 exam domains for the ANS-C01 exam namely:

  • Networking Design
  • Network Implementation
  • Network Management and Operation
  • Network Security, Compliance, and Governance

Each exam domain has its respective coverage in the ANS-C01 test which is represented by the Exam Percentage (% of Exam) column as shown below. Based on this, you can deduce that you have to focus on Domain 1: Network Design as this one has the biggest percentage of the exam with 30% coverage. This is followed by Domain 2: Network Implementation and Domain 4: Network Security, Compliance, and Governance with 26% and 24% coverage respectively. The smallest one is Domain 4: Network Management and Operation with 20% coverage. This goes without saying that you should limit the time you spent studying for this particular domain.

AWS Certified Advanced Networking Specialty ANS-C01 Study Exam Guide

Now that we have identified the particular exam domain that we will focus on (which is apparently Domain 1: Network Design), what are the specific AWS topics and services that we should study? What are the relevant knowledge areas in AWS that falls under the Network Design category? To answer that question, we can further check the detailed description of each Exam Domain. This information can be retrieved from the official AWS Certified Advanced Networking Specialty (ANS-C01) Exam Guide.

Below are the detailed content outline of all four exam domains. The list is quite exhaustive but please don’t be overwhelmed by the sheer volume of the information below. Just take them in small bites and mind the modules and sub-classifications of each topic. In my opinion, this list is a goldmine of relevant, specific, and official information from the AWS team themselves which can help you pass the AWS Advanced Networking Specialty exam on your first try. I suggest that you skim this first and then re-read them again and again until you get familiar with the topics that will show up on the ANS-C01 certification exam:

 

ANS-C01 Domain 1: Network Design (30%)

Task Statement 1.1: Design a solution that incorporates edge network services to optimize user performance and traffic management for global architectures.

Knowledge of:

    •  Design patterns for the usage of content distribution networks (for example, Amazon CloudFront)
    •  Design patterns for global traffic management (for example, AWS Global Accelerator)
    • Integration patterns for content distribution networks and global traffic management with other services (for example, Elastic Load Balancing, Amazon API Gateway)

Skills in:

    • Evaluating requirements of global inbound and outbound traffic from the internet to design
      an appropriate content distribution solution
Tutorials dojo strip

Task Statement 1.2: Design DNS solutions that meet public, private, and hybrid requirements.

Knowledge of:

    • DNS protocol (for example, DNS records, TTL, DNSSEC, DNS delegation, zones)
    • DNS logging and monitoring
    • Amazon Route 53 features (for example, alias records, traffic policies, resolvers, health checks)
    • Integration of Route 53 with other AWS networking services (for example, Amazon VPC)
    • Integration of Route 53 with hybrid, multi-account, and multi-Region options
    • Domain registration

Skills in:

    • Using Route 53 public hosted zones
    • Using Route 53 private hosted zones
    • Using Route 53 Resolver endpoints in hybrid and AWS architectures
    • Using Route 53 for global traffic management
    • Creating and managing domain registrations

Task Statement 1.3: Design solutions that integrate load balancing to meet high availability, scalability, and security requirements.

Knowledge of:

    • How load balancing works at layer 3, layer 4, and layer 7 of the OSI model
    • Different types of load balancers and how they meet requirements for network design, high availability, and security
    • Connectivity patterns that apply to load balancing based on the use case (for example, internal load balancers, external load balancers)
    • Scaling factors for load balancers
    • Integrations of load balancers and other AWS services (for example, Global Accelerator, CloudFront, AWS WAF, Route 53, Amazon Elastic Kubernetes Service [Amazon EKS], AWS Certificate Manager [ACM])
    • Configuration options for load balancers (for example, proxy protocol, cross-zone load balancing, session affinity [sticky sessions], routing algorithms)
    • Configuration options for load balancer target groups (for example, TCP, GENEVE, IP compared with instance)
    • AWS Load Balancer Controller for Kubernetes clusters
    • Considerations for encryption and authentication with load balancers (for example, TLS termination, TLS passthrough)

Skills in:

    • Selecting an appropriate load balancer based on the use case
    •  Integrating auto-scaling with load balancing solutions
    • Integrating load balancers with existing application deployments

Task Statement 1.4: Define logging and monitoring requirements across AWS and hybrid networks.

Knowledge of:

    • Amazon CloudWatch metrics, agents, logs, alarms, dashboards, and insights in AWS architectures to provide visibility
    • AWS Transit Gateway Network Manager in architectures to provide visibility
    • VPC Reachability Analyzer in architectures to provide visibility
    • Flow logs and traffic mirroring in architecture to provide visibility
    • Access logging (for example, load balancers, CloudFront)

Skills in:

    • Identifying the logging and monitoring requirements
    • Recommending appropriate metrics to provide visibility of the network status
    • Capturing baseline network performance

Task Statement 1.5: Design a routing strategy and connectivity architecture between on-premises networks and the AWS Cloud.

Knowledge of:

    • Routing fundamentals (for example, dynamic compared with static, BGP)
    • Layer 1 and layer 2 concepts for physical interconnects (for example, VLAN, link aggregation group [LAG], optics, jumbo frames)
    • Encapsulation and encryption technologies (for example, Generic Routing Encapsulation [GRE], IPsec)
    • Resource sharing across AWS accounts
    • Overlay networks

Skills in:

    • Identifying the requirements for hybrid connectivity
    • Designing a redundant hybrid connectivity model with AWS services (for example, AWS Direct Connect, AWS Site-to-Site VPN)
    • Designing BGP routing with BGP attributes to influence the traffic flows based on the desired traffic patterns (load sharing, active/passive)
    • Designing for integration of a software-defined wide area network (SD-WAN) with AWS (for example, Transit Gateway Connect, overlay networks)

Task Statement 1.6: Design a routing strategy and connectivity architecture that includes multiple AWS accounts, AWS Regions, and VPCs to support different connectivity patterns.

Knowledge of:

    • Different connectivity patterns and use cases (for example, VPC peering, Transit Gateway, AWS PrivateLink)
    • Capabilities and advantages of VPC sharing
    • IP subnets and solutions accounting for IP address overlaps

Skills in:

    • Connecting multiple VPCs by using the most appropriate services based on requirements (for example, using VPC peering, Transit Gateway, PrivateLink)
    • Using VPC sharing in a multi-account setup
    • Managing IP overlaps by using different available services and options (for example, NAT, PrivateLink, Transit Gateway routing)

 

ANS-C01 Domain 2: Network Implementation (26%)

Task Statement 2.1: Implement routing and connectivity between on-premises networks and the AWS Cloud.

Knowledge of:

    • Routing protocols (for example, static, dynamic)
    • VPNs (for example, security, accelerated VPN)
    • Layer 1 and types of hardware to use (for example, Letter of Authorization [LOA] documents, colocation facilities, Direct Connect)
    • Layer 2 and layer 3 (for example, VLANs, IP addressing, gateways, routing, switching)
    • Traffic management and SD-WAN (for example, Transit Gateway Connect)
    • DNS (for example, conditional forwarding, hosted zones, resolvers)
    • Security appliances (for example, firewalls)
    • Load balancing (for example, layer 4 compared with layer 7, reverse proxies, layer 3)
    • Infrastructure automation
    • AWS Organizations and AWS Resource Access Manager (AWS RAM) (for example, multi-account Transit Gateway, Direct Connect, Amazon VPC, Route 53)
    • Test connectivity (for example, Route Analyzer, Reachability Analyzer)
    • Networking services of VPCs

Skills in:

    • Configuring the physical network requirements for hybrid connectivity solutions
    • Configuring static or dynamic routing protocols to work with hybrid connectivity solutions
    • Configuring existing on-premises networks to connect with the AWS Cloud
    • Configuring existing on-premises name resolution with the AWS Cloud
    • Configuring and implementing load balancing solutions
    • Configuring network monitoring and logging for AWS services
    • Testing and validating connectivity between environments

Task Statement 2.2: Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns.

Knowledge of:

    • Inter-VPC and multi-account connectivity (for example, VPC peering, Transit Gateway, VPN, third-party vendors, SD-WAN, multiprotocol label switching [MPLS])
    • Private application connectivity (for example, PrivateLink)
    • Methods of expanding AWS networking connectivity (for example, Organizations, AWS RAM)
    • Host and service name resolution for applications and clients (for example, DNS)
    • Infrastructure automation
    • Authentication and authorization (for example, SAML, Active Directory)
    • Security (for example, security groups, network ACLs, AWS Network Firewall)
    • Test connectivity (for example, Route Analyzer, Reachability Analyzer, tooling)

Skills in:

    • Configuring network connectivity architectures by using AWS services in a single-VPC or multi VPC design (for example, DHCP, routing, security groups)
    • Configuring hybrid connectivity with existing third-party vendor solutions
    • Configuring a hub-and-spoke network architecture (for example, Transit Gateway, transit VPC)
    • Configuring a DNS solution to make hybrid connectivity possible
    • Implementing security between network boundaries
    • Configuring network monitoring and logging by using AWS solutions

Task Statement 2.3: Implement complex hybrid and multi-account DNS architectures.

Knowledge of:

    • When to use private hosted zones and public hosted zones
    • Methods to alter traffic management (for example, based on latency, geography, weighting)
    • DNS delegation and forwarding (for example, conditional forwarding)
    • Different DNS record types (for example, A, AAAA, TXT, pointer records, alias records)
    • DNSSEC
    • How to share DNS services between accounts (for example, AWS RAM)
    • Requirements and implementation options for outbound and inbound endpoints

Skills in:

    • Configuring DNS zones and conditional forwarding
    • Configuring traffic management by using DNS solutions
    • Configuring DNS for hybrid networks
    • Configuring appropriate DNS records
    • Configuring DNSSEC on Route 53
    • Configuring DNS within a centralized or distributed network architecture
    • Configuring DNS monitoring and logging on Route 53

Task Statement 2.4: Automate and configure network infrastructure.

Knowledge of:

    • Infrastructure as code (IaC) (for example, AWS Cloud Development Kit [AWS CDK], AWS CloudFormation, AWS CLI, AWS SDK, APIs)
    • Event-driven network automation
    • Common problems of using hardcoded instructions in IaC templates when provisioning cloud networking resources

Skills in:

    • Creating and managing repeatable network configurations
    • Integrating event-driven networking functions
    • Integrating hybrid network automation options with AWS native IaC
    • Eliminating risk and achieving efficiency in a cloud networking environment while maintaining the lowest possible cost
    • Automating the process of optimizing cloud network resources with IaC

 

ANS-C01 Domain 3: Network Design

Task Statement 3.1: Maintain routing and connectivity on AWS and hybrid networks.

Knowledge of:

    • Industry-standard routing protocols that are used in AWS hybrid networks (for example, BGP over Direct Connect)
    • Connectivity methods for AWS and hybrid networks (for example, Direct Connect gateway, Transit Gateway, VIFs)
    • How limits and quotas affect AWS networking services (for example, bandwidth limits, route limits)
    • Available private and public access methods for custom services (for example, PrivateLink, VPC peering)
    • Available inter-Regional and intra-Regional communication patterns

Skills in:

    • Managing routing protocols for AWS and hybrid connectivity options (for example, over a Direct Connect connection, VPN)
    • Maintaining private access to custom services (for example, PrivateLink, VPC peering)
    • Using route tables to direct traffic appropriately (for example, automatic propagation, BGP)
    • Setting up private access or public access to AWS services (for example, Direct Connect, VPN)
    • Optimizing routing over dynamic and static routing protocols (for example, summarizing routes, CIDR overlap)

Task Statement 3.2: Monitor and analyze network traffic to troubleshoot and optimize connectivity patterns.

Knowledge of:

    • Network performance metrics and reachability constraints (for example, routing, packet size)
    • Appropriate logs and metrics to assess network performance and reachability issues (for example, packet loss)
    • Tools to collect and analyze logs and metrics (for example, CloudWatch, VPC Flow Logs, VPC Traffic Mirroring)
    • Tools to analyze routing patterns and issues (for example, Reachability Analyzer, Transit Gateway Network Manager)

Skills in:

    • Analyzing tool output to assess network performance and troubleshoot connectivity (for example, VPC Flow Logs, Amazon CloudWatch Logs)
    • Mapping or understanding network topology (for example, Transit Gateway Network Manager)
    • Analyzing packets to identify issues in packet shaping (for example, VPC Traffic Mirroring)
    • Troubleshooting connectivity issues that are caused by network misconfiguration (for example, Reachability Analyzer)
    • Verifying that a network configuration meets network design requirements (for example, Reachability Analyzer)
    • Automating the verification of connectivity intent as a network configuration changes (for example, Reachability Analyzer)
    • Troubleshooting packet size mismatches in a VPC to restore network connectivity

Task Statement 3.3: Optimize AWS networks for performance, reliability, and cost-effectiveness.

Knowledge of:

    •  Situations in which a VPC peer or a transit gateway are appropriate
    • Different methods to reduce bandwidth utilization (for example, unicast compared with multicast, CloudFront)
    • Cost-effective connectivity options for data transfer between a VPC and on-premises environments
    • Different types of network interfaces on AWS
    • High-availability features in Route 53 (for example, DNS load balancing using health checks with latency and weighted record sets)
    • Availability of options from Route 53 that provide reliability
    • Load balancing and traffic distribution patterns
    • VPC subnet optimization
    • Frame size optimization for bandwidth across different connection types

Skills in:

    • Optimizing for network throughput
    • Selecting the right network interface for the best performance (for example, elastic network interface, Elastic Network Adapter [ENA], Elastic Fabric Adapter [EFA])
    • Choosing between VPC peering, proxy patterns, or a transit gateway connection based on analysis of the network requirements provided
    • Implementing a solution on an appropriate network connectivity service (for example, VPC peering, Transit Gateway, VPN connection) to meet network requirements
    • Implementing a multicast capability within a VPC and on-premises environments
    • Creating Route 53 public hosted zones and private hosted zones and records to optimize application availability (for example, private zonal DNS entry to route traffic to multiple Availability Zones)
    • Updating and optimizing subnets for auto-scaling configurations to support increased application load
    • Updating and optimizing subnets to prevent the depletion of available IP addresses within a VPC (for example, secondary CIDR)
    • Configuring jumbo frame support across connection types
    • Optimizing network connectivity by using Global Accelerator to improve network performance and application availability

 

ANS-C01 Domain 4: Network Design (24%)

Task Statement 4.1: Implement and maintain network features to meet security and compliance needs and requirements.

Knowledge of:

    • Different threat models based on application architecture
    • Common security threats
    • Mechanisms to secure different application flows
    • AWS network architecture that meets security and compliance requirements

Skills in:

    •  Securing inbound traffic flows into AWS (for example, AWS WAF, AWS Shield, Network Firewall)
    • Securing outbound traffic flows from AWS (for example, Network Firewall, proxies, Gateway Load Balancers)
    • Securing inter-VPC traffic within an account or across multiple accounts (for example, security groups, network ACLs, VPC endpoint policies)
    • Implementing an AWS network architecture to meet security and compliance requirements(for example, untrusted network, perimeter VPC, three-tier architecture)
    • Developing a threat model and identifying appropriate mitigation strategies for a given network architecture
    • Testing compliance with the initial requirements (for example, failover test, resiliency)
    • Automating security incident reporting and alerting using AWS

Task Statement 4.2: Validate and audit security by using network monitoring and logging services.

Knowledge of:

    • Network monitoring and logging services that are available in AWS (for example, CloudWatch, AWS CloudTrail, VPC Traffic Mirroring, VPC Flow Logs, Transit Gateway Network Manager)
    • Alert mechanisms (for example, CloudWatch alarms)
    • Log creation in different AWS services (for example, VPC flow logs, load balancer access logs, CloudFront access logs)
    • Log delivery mechanisms (for example, Amazon Kinesis, Route 53, CloudWatch)
    • Mechanisms to audit network security configurations (for example, security groups, AWS Firewall Manager, AWS Trusted Advisor)

Skills in:

    • Creating and analyzing a VPC flow log (including base and extended fields of flow logs)
    • Creating and analyzing network traffic mirroring (for example, using VPC Traffic Mirroring)
    • Implementing automated alarms by using CloudWatch
    • Implementing customized metrics by using CloudWatch
    • Correlating and analyzing information across single or multiple AWS log sources
    • Implementing log delivery solutions
    • Implementing a network audit strategy across single or multiple AWS network services and accounts (for example, Firewall Manager, security groups, network ACLs)

Task Statement 4.3: Implement and maintain confidentiality of data and communications of the network.

Knowledge of:

    • Network encryption options that are available on AWS
    • VPN connectivity over Direct Connect
    • Encryption methods for data in transit (for example, IPsec)
    • Network encryption under the AWS shared responsibility model
    • Security methods for DNS communications (for example, DNSSEC)

Skills in:

    • Implementing network encryption methods to meet application compliance requirements (for example, IPsec, TLS)
    • Implementing encryption solutions to secure data in transit (for example, CloudFront, Application Load Balancers and Network Load Balancers, VPN over Direct Connect, AWS managed databases, Amazon S3, custom solutions on Amazon EC2, Transit Gateway
    • Implementing a certificate management solution by using a certificate authority (for example, ACM, AWS Certificate Manager Private Certificate Authority [ACM PCA])
    • Implementing secure DNS communications

 

AWS Services That Will Appear In The ANS-C01 Exam

The official Exam Guide doesn’t just share the list of exam domains and a detailed description for each domain. It also contains a list of relevant tools, technologies, and concepts that will be covered on the ANS-C01 exam. The following is a non-exhaustive list of relevant AWS services and features that would appear on the ANS-C01 exam, based on the provided information in the exam guide. Take note that this list could change at any time but this information is still helpful in determining the specific AWS services that you should study more.

Application Integration:

    • Amazon EventBridge (Amazon CloudWatch Events)
    • Amazon Simple Notification Service (Amazon SNS)
    • Amazon Simple Queue Service (Amazon SQS)

Compute:

    • Amazon EC2
    • Amazon EC2 Auto Scaling
    • AWS Lambda

Containers:

    • Amazon Elastic Container Registry (Amazon ECR)
    • Amazon Elastic Container Service (Amazon ECS)
    • Amazon Elastic Kubernetes Service (Amazon EKS)
    • AWS Fargate

Cost Management:

    • AWS Cost Explorer

Front-end web and mobile:

    • Amazon API Gateway

Management and governance:

    • AWS Auto Scaling
    • AWS CLI
    • AWS CloudFormation
    • AWS CloudTrail
    • Amazon CloudWatch
    • AWS Config
    • AWS Control Tower
    • AWS Management Console
    • AWS Organizations
    • AWS Personal Health Dashboard
    • AWS Trusted Advisor
    • AWS Well-Architected Tool

Networking and content delivery:

    • Amazon API Gateway
    • AWS App Mesh
    • AWS Client VPN
    • AWS Cloud Map
    • Amazon CloudFront
    • AWS Direct Connect
    • Elastic Load Balancing
    • AWS Global Accelerator
    • AWS PrivateLink
    • Amazon Route 53
    • AWS Site-to-Site VPN
    • AWS Transit Gateway
    • Amazon VPC

Security, identity, and compliance:

    AWS Exam Readiness Courses
    • AWS Firewall Manager
    • AWS Identity and Access Management (IAM)
    • AWS Network Firewall
    • AWS Resource Access Manager (AWS RAM)
    • AWS Shield
    • AWS WAF

Serverless:

    • Amazon API Gateway
    • Amazon EventBridge (Amazon CloudWatch Events)
    • AWS Fargate
    • AWS Lambda
    • Amazon Simple Notification Service (Amazon SNS)
    • Amazon Simple Queue Service (Amazon SQS)
    • Amazon Simple Storage Service (Amazon S3)

Storage:

    • Amazon S3

 

Irrelevant AWS Services That Will NOT Appear In The ANS-C01 Exam

One of my favorite productivity quotes is the one from Peter F. Drucker (the author of The Effective Executive book, many other works), which says:

There is nothing so useless as doing efficiently that which should not be done at all.”

It simply means that we should refrain from doing useless things that should not be worked on in the first place. This is also applicable in your ANS-C01 exam preparation. There are irrelevant AWS services that you shouldn’t cover in your study since these won’t show up in your test.

Analytics:

    • Amazon CloudSearch
    • AWS Data Exchange
    • AWS Data Pipeline
    • Amazon EMR
    • AWS Glue
    • AWS Lake Formation
    • Amazon Managed Streaming for Apache Kafka (Amazon MSK)
    • Amazon OpenSearch Service (Amazon Elasticsearch Service)
    • Amazon QuickSight
    • Amazon Redshift

AR and VR:

    • Amazon Sumerian

Blockchain:

    • Amazon Managed Blockchain
    • Amazon Quantum Ledger Database (Amazon QLDB)

Developer tools:

    • AWS Device Farm
    • AWS X-Ray

Robotics:

    • AWS RoboMaker

Satellite:

    •  AWS Ground Station

 

Important ANS-C01 Networking Topics

  1. OSI model
  2. Traffic encryption
  3. IP VPN, MPLS (multi-protocol label switching), VPLS (virtual private LAN service)
  4. Transitioning from IPv4 to IPv6
  5. Maximum Transmission Unit (MTU)
  6. Types of Scope BGP community tags
  7. Types of Local preference BGP community tags
  8. Multi-exit discriminators (MEDs)
  9. Autonomous System (AS) prepending
  10. Public and Private Autonomous System Number (ASN)
  11.  IP Protocol 50 – Encapsulating Security Payload (ESP)
  12. BGP routing and static routing
  13. DHCP in VPC
  14. IPS/IDS, WAF, DDoS protection, EDoS protection
  15. Hybrid architectures involving private networks and AWS network
  16. How to troubleshoot network issues
  17. Kubernetes Pod Networking

Common Exam Scenarios for ANS-C01 

Scenario

Solution

Domain 1: Network Design

Type of routing to use in Site-to-Site VPN if your Customer Gateway device supports Border Gateway Protocol (BGP)

Dynamic Routing

Type of routing to configure in Site-to-Site VPN if your Customer Gateway device does NOT support Border Gateway Protocol (BGP)

Static Routing

For Customer Gateway devices that support Asymmetric Routing, AWS does NOT recommend using AS PATH Prepending

True

For Customer Gateway devices that support Asymmetric Routing, not implementing the AS PATH Prepending method ensures that the multi-exit discriminator (MED) value, that AWS sets on a tunnel, is used to determine tunnel priority.

True

What optional BGP attribute, that AWS sets on a tunnel during VPN tunnel endpoint updates, is used to determine tunnel priority.

Multi-Exit Discriminator (MED)

The Internet-routable IP address for your Customer Gateway must be static and can be behind a device performing network address translation (NAT).

True

In your VPN connection, you can use an existing public Border Gateway Protocol (BGP) Autonomous System Number (ASN) assigned to your network, with the exception of:

7224 – Reserved in all Regions
9059 – Reserved in the eu-west-1 Region
10124 – Reserved in the ap-northeast-1 Region
17943 – Reserved in the ap-southeast-1 Region

What Autonomous System Number (ASN) is reserved in all AWS Regions if you want to establish a Site-to-Site VPN?

7224

IPv6 traffic is supported for VPN connections on a Virtual Private Gateway.

False

An AWS VPN connection does not support Path MTU Discovery.

True

What is the default Autonomous System Number (ASN) in an AWS VPN connection

65000

If you don’t have a public ASN, you can use a private ASN in the range of 64,512–65,534.

True

The “Enable Acceleration” option in AWS VPN will launch a total of two AWS Global Accelerators for your VPN connection; one for each VPN tunnel.

True

Virtual private gateway Transit gateway

Virtual Private Gateway, Transit Gateway, and Cloud WAN

is the VPN concentrator on the Amazon side of the site-to-site VPN connection.

Virtual Private Gateway

A resource that you create in AWS that represents the physical or software device residing on your on-premises network (your side of the VPN connection)

Customer Gateway

In a certificate-based VPN using AWS Site-to-Site VPN, what type of certificate is associated with the Customer Gateway?

Private Certificate issued from the AWS Certificate Manager (ACM) Private Certificate Authority.

AWS Site-to-Site VPN supports certificate-based authentication by integrating with AWS Certificate Manager Private Certificate Authority.

True

Certificate-based authentication in AWS VPN uses digital certificates instead of pre-shared keys for IKE authentication.

True

Domain 2: Network Implementation

What are the different Transit Gateway attachment types?

VPC, VPN, Connect Peer, and Peering

Which Transit Gateway attachment type uses Generic Routing Encapsulation (GRE) for higher bandwidth performance compared to a VPN connection?

Transit Gateway Connect

A service that provides a global view of your private network, allowing you to manage your AWS and on-premises resources and seamlessly integrate with your SD-WAN solutions

AWS Transit Gateway Network Manager

Transit Gateway Connect is an attachment type in AWS Transit Gateway which uses what type of encapsulation?

Generic Routing Encapsulation (GRE)

The Gateway Load Balancer and its registered virtual appliance instances exchange application traffic using what protocol?

GENEVE (Generic Network Virtualization Encapsulation)

_________ is an optional add-on in an Amazon EKS cluster that manages AWS Elastic Load Balancers for the Kubernetes cluster.

AWS Load Balancer Controller add-on

What type of AWS Load Balancer will the AWS Load Balancer Controller provision to the Amazon EKS cluster if you create a Kubernetes Ingress?

Application Load Balancer

The AWS Load Balancer Controller will provision. what type of load balancer cluster if you create a Kubernetes service of type LoadBalancer?

Network Load Balancer
Domain 3: Network Management and Operation
A configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs).VPC Reachability Analyzer

Route Analyzer analyzes security group rules or network ACL rules within your Amazon VPC

False

A logical interface that aggregates multiple connections at a single AWS Direct Connect endpoint

Link Aggregation Group (LAG)

The Route Analyzer feature analyzes routes in Transit Gateway route tables only, excluding the ones from your VPS

True

The Link Aggregation Group (LAG) uses what protocol to aggregate multiple connections at a single AWS Direct Connect endpoint?

Link Aggregation Control Protocol (LACP)

 What are the two types of Subnet CIDR reservations in Amazon VPC?

Prefix,  Explicit

Which subnet setting can you use to prevent AWS from automatically assigning IPv4 or IPv6 addresses within a CIDR range you specify?

 CIDR Reservation

A type of endpoint that forwards DNS queries from your on-premises network to an Amazon VPC that you specify

Amazon Route 53 Resolver Inbound Endpoint 

A feature that logs information about the public DNS queries that Route 53 receives

Query Logging

What should you use to forward DNS queries that originate on your Amazon EC2 instances and other resources in one or more VPCs to your on-premises network?

Amazon Route 53 Resolver Outbound Endpoint
Domain 4: Network Security, Compliance, and Governance

Which feature can you enable in Amazon Route 53 that cryptographically signs each record in the hosted zone to ensure that the DNS responses have not been tampered with in transit?

Domain Name System Security Extensions (DNSSEC) 

A networking plugin for pod networking in Amazon EKS clusters that is responsible for allocating VPC IP addresses to Kubernetes nodes and configuring the necessary networking for pods on each node. 

Amazon VPC Container Network Interface (CNI) plugin for Kubernetes 

What are the 3 network modes in Amazon ECS?

Host mode, Bridge mode, and AWSVPC mode 

The Amazon VPC Container Network Interface (CNI) plugin is required for every Amazon Elastic Container Service(ECS) cluster launched.

False

An IEEE 802.1 Layer 2 standard that provides data confidentiality, data integrity, and data origin authenticity for your AWS Direct Connect connection 

MAC Security (MACsec) 

A pre-shared key that establishes the MACsec connectivity between the customer’s on-premises router and the connection port at the AWS Direct Connect location 

MACsec secret key 

What are the key pairs used to generate the MACsec secret key to secure your AWS Direct Connect connection?

Connection Key Name (CKN) and Connectivity Association Key (CAK)

A network service that gives you control and visibility of VPC-to-VPC traffic and creates network rules across your VPCs based on domain, port, protocol, IP addresses, and pattern matching.

AWS Network Firewall 

 

Validate Your ANS-C01 Knowledge

The first resource that you should check after you’ve reviewed the materials above is the FREE AWS sample questions for Advanced Networking specialty. It has 10 questions that are patterned similarly to the real exam, and AWS has provided the answers with great explanations for each item at the end of the file. Be sure to check this sample questionnaire often since AWS may upload a new version of it at any time.

For a full-on practice test course, you can use Tutorials Dojo’s high-quality AWS Certified Advanced Networking Specialty practice exams to get you prepared. Our practice exams contain multiple sets of questions that cover almost every area you can expect from the real certification exam. We also include detailed explanations after each item to help you understand why one choice is better than the others, which is the value that you get from our course. Practice exams are a great way to know which AWS topics you need to focus on and they also highlight the important information that you might have missed during your reviews.

AWS Certified Advanced Networking Specialty Practice Exam ANS-C01

Please take note that our AWS practice exams are not exam dumps or brain dumps so the scenarios/questions that you will see here won’t show up in the actual ANS-C01 exam in verbatim. However, we have crafted our reviewer to cover all of the relevant AWS topics based on the official Exam Guide and provided detailed explanations as to why a particular option is correct or not. We also included relevant AWS reference links so you can verify the provided answers yourself. You can also access the bonus flashcards section as an additional exam prep material.

 

Sample Practice Test Questions:

Question 1

The company’s on-premises network has an established AWS Direct Connect connection to its VPC in AWS. A Network Engineer is designing the network infrastructure of a multitier application hosted in an Auto Scaling group of EC2 instances. The application will be accessed by the employees from the on-premises network as well as from the public Internet. The network configuration must automatically update routes in your route table based on your dynamic BGP route advertisement.

What should the Engineer do to implement this network setup?

  1. Enable route propagation in the route table of the VPC and add a specific route to the on-premises network. Specify the virtual private gateway as the target.
  2. Set up two different route tables in the VPC. The first route table must have a default route to the Internet Gateway and the second table has a route to the virtual private gateway.
  3. Disable the default route propagation option in the route table of the VPC and add a specific route to the on-premises network. Choose the virtual private gateway as the target. Enable the route propagation option in the customer gateway.
  4. Modify the main route table of the VPC to have two default routes. The first route goes to the public Internet via the Internet Gateway while the second route goes to the on-premises network via the virtual private gateway.

Correct Answer: 1

Route tables determine where network traffic is directed. In your VPC route table, you must add a route for your remote network and specify the virtual private gateway as the target. This enables traffic from your VPC that’s destined for your remote network to route via the virtual private gateway and over one of the VPN tunnels. You can enable route propagation for your route table to automatically propagate your network routes to the table for you.

AWS uses the most specific route in your route table that matches the traffic to determine how to route the traffic (longest prefix match). If your route table has overlapping or matching routes, the following rules apply:

  • If propagated routes from a Site-to-Site VPN connection or AWS Direct Connect connection overlap with the local route for your VPC, the local route is most preferred even if the propagated routes are more specific.
  • If propagated routes from a Site-to-Site VPN connection or AWS Direct Connect connection have the same destination CIDR block as other existing static routes (longest prefix match cannot be applied), AWS prioritizes the static routes whose targets are an internet gateway, a virtual private gateway, a network interface, an instance ID, a VPC peering connection, a NAT gateway, a transit gateway, or a gateway VPC endpoint.

Hence, the correct answer is: Enable route propagation in the route table of the VPC and specify the virtual private gateway as the target.

The option that says: Set up two different route tables in the VPC. The first route table must have a default route to the Internet Gateway and the second table has a route to the virtual private gateway is incorrect because using two route tables is not required in this scenario. You can use a single route table with a specific route to the on-premises network and enable route propagation.

The option that says: Disable the default route propagation option in the route table of the VPC and add a specific route to the on-premises network. Choose the virtual private gateway as the target. Enable the route propagation option in the customer gateway is incorrect. You have to enable route propagation for the route table to automatically propagate the network routes to the on-premises network. You have to enable this in the Amazon VPC and not in the customer gateway. Moreover, this option is not enabled by default.

The option that says: Modify the main route table of the VPC to have two default routes. The first route goes to the public Internet via the Internet Gateway while the second route goes to the on-premises network via the virtual private gateway is incorrect because a route table cannot have two default routes. Route propagation should also be enabled in order to satisfy the requirements.

References:

https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html
https://docs.aws.amazon.com/directconnect/latest/UserGuide/Troubleshooting.html
https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html

Check out these Cheat Sheets: 

https://tutorialsdojo.com/aws-direct-connect/
https://tutorialsdojo.com/amazon-vpc/
https://tutorialsdojo.com/vpc-peering/

Longest Prefix Match: Understanding Advanced Concepts in VPC Peering:

https://tutorialsdojo.com/longest-prefix-match-understanding-advanced-concepts-in-vpc-peering/

Longest Prefix Match: Understanding Advanced Concepts in VPC Peering:
https://tutorialsdojo.com/longest-prefix-match-understanding-advanced-concepts-in-vpc-peering/

Question 2

A company needs to establish network connectivity between its Amazon VPCs and on-premises network using multiple AWS Managed VPN connections that are associated with a Transit Gateway. The Network Engineer has been assigned to increase the traffic bandwidth over multiple paths and get a higher VPN bandwidth beyond the default 1.25 Gbps limit.

What must the Engineer do to accomplish this task?

  1. Set up a private Multiprotocol Label Switching (MPLS) network in your on-premises data center.
  2. Use Jumbo Frames by setting the MTU to 9001.
  3. Set up Equal-Cost Multi-Path (ECMP) routing. Ensure that VPN ECMP Support and Dynamic VPN options are enabled in the Transit Gateway.
  4. Implement Q-in-Q Tunnels by adding a second 802.1Q tag to an already tagged frame.

Correct Answer: 3

AWS Site-to-Site VPN offers customizable tunnel options including inside tunnel IP address, pre-shared key, and Border Gateway Protocol Autonomous System Number (BGP ASN). In this way, you can set up multiple secure VPN tunnels to increase the bandwidth for your applications or for resiliency in case of downtime.

Equal-cost multi-path routing (ECMP) is available with AWS Site-to-Site VPN on AWS Transit Gateway to help increase the traffic bandwidth over multiple paths. You can use ECMP to get higher VPN bandwidth, than the default VPN bandwidth limit of 1.25 Gbps,  by aggregating multiple VPN connections.

You have to confirm that your customer gateway is configured to perform ECMP for traffic going out to AWS for all VPN tunnels. If necessary, configure your customer gateway BGP to accept the route from AWS so that the customer gateway installs all the routes with the same metric. You will also have to verify that your customer gateway is advertising the on-premises prefix to AWS with the same BGP AS PATH attribute. For AWS to choose all the available ECMP paths, the AS Path and AS Number must match.

For ECMP to function properly, Dynamic VPN and VPN ECMP Support must be enabled on the transit gateway. The VPN ECMP Support option can only be enabled or disabled when you create a transit gateway.

Hence, the correct answer is: Set up Equal-Cost Multi-Path (ECMP) routing. Ensure that VPN ECMP Support and Dynamic VPN options are enabled in the Transit Gateway

The option that says: Set up a private Multiprotocol Label Switching (MPLS) network in your on-premises data center is incorrect because MPLS doesn’t increase the traffic bandwidth of the VPN connection over multiple paths nor provide a higher VPN bandwidth beyond the default 1.25 Gbps limit. In the MPLS forwarding paradigm, once a packet is assigned to an FEC (Forwarding Equivalence Classes), no further header analysis is done by subsequent routers; all forwarding is driven by the labels. This is the MPLS advantage over conventional network layer forwarding but not to the connection bandwidth.

The option that says: Use Jumbo Frames by setting the MTU to 9001 is incorrect because AWS Managed VPN doesn’t support jumbo frames. If the same route is advertised over DX and AWS Managed VPN then 1500 MTU is used.

The option that says: Implement Q-in-Q Tunnels by adding a second 802.1Q tag to an already tagged frame is incorrect because a Q-in-Q Tunnel simply enables a service provider to segregate the traffic of different customers in their infrastructure while still giving the customer a full range of VLANs for their internal use.

References:
https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-vpn-throughput-using-aws-transit-gateway/
https://aws.amazon.com/vpn/features/
https://aws.amazon.com/premiumsupport/knowledge-center/transit-gateway-ecmp-multiple-tunnels/

Check out this AWS Transit Gateway Cheat Sheet:
https://tutorialsdojo.com/aws-transit-gateway/

Click here for more AWS Certified Advanced Networking Specialty practice exam questions.

Check out our other AWS practice test courses here:

 

Unfortunately, for this Specialty certification exam, as of writing this guide, AWS has yet to release an official practice exam in the aws.training portal. If you have purchased the AWS Certified Advanced Networking Official Study Guide: Specialty Exam book, it includes two sets of practice questions that you can read through and answer, as well as sample exercises that you can implement in your AWS account.

 

Notes on the New ANS-C01 AWS Certified Networking Specialty Exam 

The previous AWS Certified Advanced Networking – Specialty exam, which has an exam code of ANS-C00, has been updated on July 11, 2022. Its next exam code is ANS-C01 since the last digit is usually iterated on every new exam version release. The new AWS Certified Advanced Networking – Specialty ANS-C01 exam version has been made public on July 12, 2022 and the previous version has been completely decommissioned.
Our AWS Certified Advanced Networking Specialty ANS-C01 practice exam reviewer has been updated and will be regularly updated to cover the new ANS-C01 topics.

Final Remarks

In a real-world setting, it can be difficult to gain hands-on experience with deep, technical, network-related AWS tasks. Not everyone uses a Direct Connect or links multiple VPCs together, and these situations are not easily doable on a personal account. This is also why some exam takers consider the AWS Advanced Networking exam to be more difficult than both the Solutions Architect Professional exam and the DevOps Professional exam. If you are also in a similar situation, the next best way to study is to “simulate” using these services via pen and paper. List down the steps and details you need to provision a resource, for example, and create a diagram of how your network should look like at the end. This way, you’ll at least have the theoretical experience needed in designing and troubleshooting complex network systems, which will really help you out in your actual exam.

 

 

All Video Courses at $9.99 ONLY!

Tutorials Dojo portal

Enroll Now – Our AWS Practice Exams with 95% Passing Rate

AWS Practice Exams Tutorials Dojo

FREE AWS Exam Readiness Digital Courses

Enroll Now – Our Azure Certification Exam Reviewers

azure reviewers tutorials dojo

Enroll Now – Our Google Cloud Certification Exam Reviewers

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

FREE Intro to Cloud Computing for Beginners

FREE AWS, Azure, GCP Practice Test Samplers

Browse Other Courses

Generic Category (English)300x250

Recent Posts

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?