AWS Certified Advanced Networking – Specialty Exam Study Path

The AWS Certified Advanced Networking – Specialty certification exam is part of the AWS Specialty learning path and is a highly in-demand certificate among the AWS Specialty certifications. The Advanced Networking path focuses on designing and maintaining network architectures in AWS, and on using core AWS services to perform networking tasks. You are also tested on your technical skills in implementing hybrid network solutions that span multiple locations, both on-premises and in AWS. Since networking in AWS is quite intricate, companies need individuals who meet the competency level required to design complex network solutions.

Primarily, this certification exam is recommended for people who have experience with AWS networking. A Specialty exam can be as difficult as a Professional-level exam, so ample preparation is needed. You can learn more about the exam through the official exam guide. It breaks down the different domains that you can expect in the exam, with each domain describing the scenarios and services you should know.

Study Materials

The best things in life are free. With that said, the primary study materials we recommend for the AWS Certified Advanced Networking Specialty exam are:

  1. Exam Readiness: AWS Certified Advanced Networking – Specialty – This is a 9-hour course that is FREE to take in the aws.training portal. It is a great way to get started on your review.
  2. AWS Whitepapers – These are listed below
  3. AWS Documentation and FAQs
  4. AWS Blogs – This is also important since blogs often contain scenarios or architecture diagrams that might appear as questions in your exam.
  5. AWS Re:Invent videos – The same goes with Re:Invent videos. AWS usually features sample architectures for new features or services to give a better idea of how to use them.

There is also some paid content worth checking out if you want to pass the exam confidently:

  1. AWS Certified Advanced Networking Official Study Guide: Specialty Exam – There is a kindle version of this and a paperback version.
  2. Advanced Architecting on the AWS training site – A classroom-type setting that discusses architectures using multiple AWS networking services such as Direct Connect and Storage Gateway.

Whitepapers:

  1. AWS Direct Connect Deep Dive
  2. Amazon Virtual Private Cloud Connectivity Options
  3. Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
  4. Hybrid Cloud DNS Options for Amazon VPC
  5. Integrating AWS with Multiprotocol Label Switching

Blogs:

  1. Reviewing DNS Mechanisms for Routing Traffic and Enabling Failover for AWS PrivateLink Deployments
  2. Connecting a Single Customer Router to Multiple VPCs
  3. How to Set Up DNS Resolution Between On-Premises Networks and AWS by Using Unbound

Core AWS Services to Focus On

For this exam, you should have a thorough understanding of the following services:

1. Amazon VPC

  • AWS Regions and Availability Zones
  • IPv4 and IPv6 operations and supported service
  • Elastic IP
  • Amazon PrivateLink, VPC Endpoints
  • VPC Peering and other VPC connectivity options
  • DHCP Options Set
  • Secondary CIDR Blocks
  • IPv4 CIDR block association restrictions
  • NAT Gateway Troubleshooting
  • Ephemeral ports
  • Managed prefix list for VPC Endpoints
  • VPC Flow Logs
  • Transit VPC

2. VPN on AWS

  • VPN termination in AWS
  • VPN + Direct Connect, Routing preferences
  • VPN high availability, fault-tolerance and scalability
  • Site-to-Site VPN tunnel options
  • Customer gateway options

3. AWS Direct Connect

  • Direct Connect Provisioning
  • Virtual Interface Types (Public, Private, Transit and Hosted)
  • Link Aggregation Group
  • Direct Connect Gateway
  • AWS Direct Connect Resiliency Types

4. AWS Transit Gateway

5. Route 53

  • DNS management
  • Traffic routing policies with health checks
  • Subdomain Delegation
  • Public vs Private Hosted Zone

6. Elastic Load Balancers

  • ALB, NLB and CLB
  • TCP Passthrough
  • Client IP preservation (X-Forwarded-For header on ALB and CLB, Proxy Protocol v2 on NLB)
  • ALB Listener Rule condition types

7. Amazon CloudFront

  • Components of a CloudFront distribution
  • CloudFront for caching, CloudFront for streaming
  • Lambda@Edge

8. AWS VPN CloudHub

9. Amazon GuardDuty

  • How to automate monitoring of potential network threats

10. AWS Shield (Advanced)

  • How to guard against DDoS and other infrastructure layer attacks

11. AWS WAF

  • How to guard against application layer (layer 7) DDoS, SQL injection, XSS, and other common web exploits (network layer DDoS is mitigated by AWS Shield, not AWS WAF)
  • IP-based and Geo-based Blocking

12. AWS Firewall Manager

  • How to centrally manage firewall rules across multiple accounts

13. Amazon Workspaces

Important networking topics

  1. OSI model
  2. Traffic encryption
  3. IP VPN, MPLS (multi-protocol label switching), VPLS (virtual private LAN service)
  4. Transitioning from IPv4 to IPv6
  5. Maximum Transmission Unit (MTU)
  6. BGP community tags for route scope (used on Direct Connect public virtual interfaces)
  7. BGP community tags for local preference (used on Direct Connect private and transit virtual interfaces)
  8. Multi-exit discriminators (MEDs)
  9. Autonomous System (AS) prepending
  10. Public and Private Autonomous System Number (ASN)
  11. IP Protocol 50 – Encapsulating Security Payload (ESP)
  12. BGP routing and static routing
  13. DHCP in VPC
  14. IPS/IDS, WAF, DDoS protection, EDoS protection
  15. Hybrid architectures involving private networks and AWS network
  16. How to troubleshoot network issues

Validate Your Knowledge

The first resource that you should check after you’ve reviewed the materials above is the FREE AWS sample questions for Advanced Networking specialty. It has 10 questions that are patterned similarly to the real exam, and AWS has provided the answers with great explanations for each item at the end of the file. Be sure to check this sample questionnaire often since AWS may upload a new version of it at any time.

For a full-on practice test course, you can use Tutorials Dojo’s high-quality AWS Certified Advanced Networking Specialty practice exams to get you prepared. Our practice exams contain multiple sets of questions that cover almost every area you can expect from the real certification exam. We also include detailed explanations after each item to help you understand why one choice is better than the others, which is the value that you get from our course. Practice exams are a great way to know which AWS topics you need to focus on and they also highlight the important information that you might have missed during your reviews.

AWS Certified Advanced Networking Specialty Practice Exams

Sample Practice Test Questions:

Question 1


The company’s on-premises network has an established AWS Direct Connect connection to its VPC in AWS. A Network Engineer is designing the network infrastructure of a multitier application hosted in an Auto Scaling group of EC2 instances. The application will be accessed by the employees from the on-premises network as well as from the public Internet. The network configuration must automatically update routes in your route table based on your dynamic BGP route advertisement.

What should the Engineer do to implement this network setup?

  1. Enable route propagation in the route table of the VPC and add a specific route to the on-premises network. Specify the virtual private gateway as the target.
  2. Set up two different route tables in the VPC. The first route table must have a default route to the Internet Gateway and the second table has a route to the virtual private gateway.
  3. Disable the default route propagation option in the route table of the VPC and add a specific route to the on-premises network. Choose the virtual private gateway as the target. Enable the route propagation option in the customer gateway.
  4. Modify the main route table of the VPC to have two default routes. The first route goes to the public Internet via the Internet Gateway while the second route goes to the on-premises network via the virtual private gateway.

Correct Answer: 1

Route tables determine where network traffic is directed. In your VPC route table, you must add a route for your remote network and specify the virtual private gateway as the target. This sends traffic from your VPC that is destined for your remote network via the virtual private gateway and across the Direct Connect private virtual interface (or a VPN tunnel). You can enable route propagation for your route table so that the routes the virtual private gateway learns over BGP are automatically added to the table for you.

AWS uses the most specific route in your route table that matches the traffic to determine how to route the traffic (longest prefix match). If your route table has overlapping or matching routes, the following rules apply:

  • If propagated routes from a Site-to-Site VPN connection or AWS Direct Connect connection overlap with the local route for your VPC, the local route is most preferred even if the propagated routes are more specific.
  • If propagated routes from a Site-to-Site VPN connection or AWS Direct Connect connection have the same destination CIDR block as other existing static routes (longest prefix match cannot be applied), AWS prioritizes the static routes whose targets are an internet gateway, a virtual private gateway, a network interface, an instance ID, a VPC peering connection, a NAT gateway, a transit gateway, or a gateway VPC endpoint.

Hence, the correct answer is: Enable route propagation in the route table of the VPC and add a specific route to the on-premises network. Specify the virtual private gateway as the target.

The option that says: Set up two different route tables in the VPC. The first route table must have a default route to the Internet Gateway and the second table has a route to the virtual private gateway is incorrect because using two route tables is not required in this scenario. You can use a single route table with a specific route to the on-premises network and enable route propagation.

The option that says: Disable the default route propagation option in the route table of the VPC and add a specific route to the on-premises network. Choose the virtual private gateway as the target. Enable the route propagation option in the customer gateway is incorrect because route propagation must be enabled on the VPC route table so that routes learned from the on-premises network over BGP are automatically added to that table. It is configured on the route table in Amazon VPC, not on the customer gateway, and it is not enabled by default.

The option that says: Modify the main route table of the VPC to have two default routes. The first route goes to the public Internet via the Internet Gateway while the second route goes to the on-premises network via the virtual private gateway is incorrect because a route table cannot contain two routes with the same destination CIDR, so two default (0.0.0.0/0) routes are not possible. Route propagation should also be enabled in order to satisfy the requirements.
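The route-selection rules quoted above are easy to misapply under exam pressure, so here is a small model of them. This is an added example, not AWS code or anything from the original guide: the route table, the gateway IDs (igw-example, vgw-example, pcx-example) and the hosts being looked up are constructed. It applies the VPC local-route rule first, then longest prefix match, then static-over-propagated on an exact tie.

```python
"""Worked model of the VPC route-selection rules quoted above.

Added illustration, not AWS code: the table, the gateway IDs and the
hosts looked up are constructed. Three rules are applied in order:
  1. the VPC local route beats any propagated route that overlaps it,
     even a more specific one;
  2. otherwise the longest prefix match wins;
  3. on an exact-CIDR tie, a static route beats a propagated one.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str          # destination CIDR block
    target: str               # "local" or a gateway / ENI / peering ID
    propagated: bool = False  # True if learned via route propagation (BGP)

    @property
    def network(self):
        return ipaddress.ip_network(self.destination)


# Constructed route table: one VPC CIDR, a default route to an internet
# gateway, BGP-propagated on-premises routes, and a static route to a
# peering connection that collides exactly with a propagated route.
TABLE = [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "igw-example"),
    Route("192.168.0.0/16", "vgw-example", propagated=True),
    Route("192.168.0.0/16", "pcx-example"),                # static, same CIDR
    Route("192.168.10.0/24", "vgw-example", propagated=True),
    Route("10.0.5.0/24", "vgw-example", propagated=True),  # inside the VPC CIDR
]


def select_route(table, dst_ip):
    """Return the Route the VPC would use for dst_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in table if ip in r.network]
    if not matches:
        return None
    # Rule 1: a matching local route suppresses every propagated route,
    # regardless of how specific the propagated prefix is.
    if any(r.target == "local" for r in matches):
        matches = [r for r in matches if not r.propagated]
    # Rule 2 (longest prefix) then rule 3 (static before propagated on a tie):
    # False sorts before True, so static routes come first within a prefix length.
    matches.sort(key=lambda r: (-r.network.prefixlen, r.propagated))
    return matches[0]


if __name__ == "__main__":
    for host in ("10.0.5.7", "192.168.10.4", "192.168.20.4", "8.8.8.8"):
        r = select_route(TABLE, host)
        kind = "propagated" if r.propagated else "static"
        print(f"{host:>14} -> {r.destination:<18} via {r.target} ({kind})")
```

Running it shows 10.0.5.7 staying on the local route even though a more specific /24 was propagated for it, 192.168.10.4 taking the propagated /24 by longest prefix, and 192.168.20.4 going to the static peering route because it ties exactly with the propagated /16. The model covers only the rules stated in this explanation; it does not try to reproduce every VPC routing feature.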

References:
https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html
https://docs.aws.amazon.com/directconnect/latest/UserGuide/Troubleshooting.html
https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html

Check out these Cheat Sheets: 
https://tutorialsdojo.com/aws-direct-connect/
https://tutorialsdojo.com/amazon-vpc/
https://tutorialsdojo.com/vpc-peering/

Longest Prefix Match: Understanding Advanced Concepts in VPC Peering:
https://tutorialsdojo.com/longest-prefix-match-understanding-advanced-concepts-in-vpc-peering/

Question 2

A company needs to establish network connectivity between its Amazon VPCs and on-premises network using multiple AWS Managed VPN connections that are associated with a Transit Gateway. The Network Engineer has been assigned to increase the traffic bandwidth over multiple paths and get a higher VPN bandwidth beyond the default 1.25 Gbps limit.

What must the Engineer do to accomplish this task?

  1. Set up a private Multiprotocol Label Switching (MPLS) network in your on-premises data center.
  2. Use Jumbo Frames by setting the MTU to 9001.
  3. Set up Equal-Cost Multi-Path (ECMP) routing. Ensure that VPN ECMP Support and Dynamic VPN options are enabled in the Transit Gateway.
  4. Implement Q-in-Q Tunnels by adding a second 802.1Q tag to an already tagged frame.

Correct Answer: 3

AWS Site-to-Site VPN offers customizable tunnel options including inside tunnel IP address, pre-shared key, and Border Gateway Protocol Autonomous System Number (BGP ASN). In this way, you can set up multiple secure VPN tunnels to increase the bandwidth for your applications or for resiliency in case of downtime.

Equal-cost multi-path routing (ECMP) is available with AWS Site-to-Site VPN on AWS Transit Gateway to help increase the traffic bandwidth over multiple paths. You can use ECMP to get higher VPN bandwidth than the default VPN bandwidth limit of 1.25 Gbps by aggregating multiple VPN connections.

You have to confirm that your customer gateway is configured to perform ECMP for traffic going out to AWS for all VPN tunnels. If necessary, configure your customer gateway BGP to accept the route from AWS so that the customer gateway installs all the routes with the same metric. You will also have to verify that your customer gateway is advertising the on-premises prefix to AWS with the same BGP AS PATH attribute. For AWS to choose all the available ECMP paths, the AS Path and AS Number must match.

For ECMP to function properly, the VPN connections must use dynamic (BGP) routing and VPN ECMP support must be enabled on the transit gateway; statically routed VPN attachments are not load balanced. VPN ECMP support is an option of the transit gateway itself: it can be set when you create the transit gateway and changed later by modifying the transit gateway.

Hence, the correct answer is: Set up Equal-Cost Multi-Path (ECMP) routing. Ensure that VPN ECMP Support and Dynamic VPN options are enabled in the Transit Gateway.

The option that says: Set up a private Multiprotocol Label Switching (MPLS) network in your on-premises data center is incorrect because MPLS doesn’t increase the traffic bandwidth of the VPN connection over multiple paths nor provide a higher VPN bandwidth beyond the default 1.25 Gbps limit. In the MPLS forwarding paradigm, once a packet is assigned to an FEC (Forwarding Equivalence Classes), no further header analysis is done by subsequent routers; all forwarding is driven by the labels. This is the MPLS advantage over conventional network layer forwarding but not to the connection bandwidth.

The option that says: Use Jumbo Frames by setting the MTU to 9001 is incorrect because Site-to-Site VPN tunnels do not support jumbo frames: IPsec encapsulation consumes part of the 1500-byte path, so the tunnel MTU is 1446 bytes. If the same route is advertised over Direct Connect and a Site-to-Site VPN, a 1500 MTU is used.

The option that says: Implement Q-in-Q Tunnels by adding a second 802.1Q tag to an already tagged frame is incorrect because a Q-in-Q Tunnel simply enables a service provider to segregate the traffic of different customers in their infrastructure while still giving the customer a full range of VLANs for their internal use.
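To make the two conditions in this explanation concrete (identical AS_PATH on every tunnel, and per-flow rather than per-packet distribution), here is a small model of ECMP over transit gateway VPN tunnels. It is an added example, not AWS code or part of the original guide: the tunnel names, prefixes and AS_PATH attributes are constructed, and the 5-tuple hash is only a stand-in for whatever hashing the transit gateway actually uses.

```python
"""Worked model of ECMP across Site-to-Site VPN tunnels on a transit gateway.

Added illustration, not AWS code. Tunnel names, prefixes and AS_PATH
attributes are constructed. It shows the two conditions from the text:
a prefix is spread only over tunnels that advertised it with an identical
AS_PATH, and each flow is pinned to one tunnel by hashing its 5-tuple, so
aggregate bandwidth grows with the number of qualifying tunnels while a
single flow never exceeds one tunnel.
"""
import hashlib
from collections import defaultdict

TUNNEL_GBPS = 1.25  # per-tunnel Site-to-Site VPN limit cited above

# Constructed BGP advertisements: (tunnel, prefix, AS_PATH). Two VPN
# connections give four tunnels. The customer gateway behind vpn-b-tun2
# prepends its own ASN, so that path is longer and is de-preferred.
ADVERTISEMENTS = [
    ("vpn-a-tun1", "172.16.0.0/16", (65000,)),
    ("vpn-a-tun2", "172.16.0.0/16", (65000,)),
    ("vpn-b-tun1", "172.16.0.0/16", (65000,)),
    ("vpn-b-tun2", "172.16.0.0/16", (65000, 65000)),
    ("vpn-a-tun1", "172.17.0.0/16", (65000, 65100)),
]


def ecmp_paths(advertisements):
    """Map each prefix to the sorted list of tunnels eligible for ECMP.

    BGP best-path selection keeps the shortest AS_PATH; ECMP then admits
    every tunnel whose AS_PATH is identical to that best path.
    """
    by_prefix = defaultdict(list)
    for tunnel, prefix, as_path in advertisements:
        by_prefix[prefix].append((tunnel, tuple(as_path)))
    eligible = {}
    for prefix, paths in by_prefix.items():
        best = min(paths, key=lambda p: len(p[1]))[1]
        eligible[prefix] = sorted(t for t, ap in paths if ap == best)
    return eligible


def aggregate_gbps(tunnels):
    """Usable bandwidth for a prefix once many flows are spread over its tunnels."""
    return TUNNEL_GBPS * len(tunnels)


def pick_tunnel(tunnels, src, dst, proto, sport, dport):
    """Flow-hash a 5-tuple onto one tunnel; the same flow always lands on the same tunnel."""
    key = f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
    digest = hashlib.sha256(key).digest()
    return tunnels[int.from_bytes(digest[:8], "big") % len(tunnels)]


if __name__ == "__main__":
    paths = ecmp_paths(ADVERTISEMENTS)
    for prefix, tunnels in paths.items():
        print(f"{prefix}: {len(tunnels)} path(s) -> {aggregate_gbps(tunnels):.2f} Gbps {tunnels}")
    for sport in (40000, 40001, 40002):
        chosen = pick_tunnel(paths["172.16.0.0/16"], "10.0.1.10", "172.16.5.20", 6, sport, 443)
        print(f"flow sport={sport} -> {chosen}")
```

The prepending tunnel drops out of the ECMP set for 172.16.0.0/16, leaving three paths and 3.75 Gbps of aggregate capacity, which is exactly the troubleshooting point in the text: every tunnel must advertise the prefix with the same AS_PATH or it will not be used. The hash-based pinning is also why ECMP raises aggregate throughput without raising the ceiling for any single TCP flow.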

References:
https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-vpn-throughput-using-aws-transit-gateway/
https://aws.amazon.com/vpn/features/
https://aws.amazon.com/premiumsupport/knowledge-center/transit-gateway-ecmp-multiple-tunnels/

Check out this AWS Transit Gateway Cheat Sheet:
https://tutorialsdojo.com/aws-transit-gateway/

Click here for more AWS Certified Advanced Networking Specialty practice exam questions.

Check out our other AWS practice test courses here: Tutorials Dojo AWS Practice Tests

Unfortunately, for this Specialty certification exam, as of writing this guide, AWS has yet to release an official practice exam in the aws.training portal. If you have purchased the AWS Certified Advanced Networking Official Study Guide: Specialty Exam book, it includes two sets of practice questions that you can read through and answer, as well as sample exercises that you can implement in your AWS account.

Final Remarks

In a real-world setting, it can be difficult to gain hands-on experience with deep, technical, network-related AWS tasks. Not everyone uses Direct Connect or links multiple VPCs together, and these setups are not easily reproduced on a personal account. This is also why some exam takers consider the AWS Advanced Networking exam to be more difficult than both the Solutions Architect Professional exam and the DevOps Professional exam. If you are in a similar situation, the next best way to study is to “simulate” using these services with pen and paper. List the steps and details you need to provision a resource, for example, and draw a diagram of what your network should look like at the end. This way, you will at least have the theoretical experience needed to design and troubleshoot complex network systems, which will really help you in your actual exam.
