AWS ANS-C01: Advanced Networking Specialty Study Guide
The AWS Certified Advanced Networking - Specialty (ANS-C01) validates deep expertise in designing, implementing, operating, and securing complex AWS and hybrid network architectures. It targets networking professionals with at least five years of experience and a strong command of VPC design, Transit Gateway, Direct Connect, DNS, load balancing, and network security. The exam is 170 minutes, contains 65 scored questions plus unscored items, and requires a scaled score of 750 out of 1000 to pass.
Domain 1: Network Design
- A VPC is a Regional construct that spans all Availability Zones in one Region but never crosses Regions; each subnet is bound to exactly one AZ, which is how AZ-level fault isolation is achieved.
- Transit Gateway is a Regional hub providing transitive routing between thousands of VPCs and on-premises networks; it scales linearly versus VPC peering, which needs N*(N-1)/2 connections and has no transitive routing.
- VPC peering and Transit Gateway both require non-overlapping CIDRs because routing is IP-based; remediate overlaps by re-IPing one VPC or exposing specific services through AWS PrivateLink or NAT.
- Gateway VPC endpoints are free route-table entries that reach only Amazon S3 and DynamoDB; Interface endpoints (PrivateLink) place ENIs with private IPs in your subnets and support hundreds of services.
- The only technical difference between a public and private subnet is the route table: a public subnet has a 0.0.0.0/0 route to an internet gateway, a private subnet does not.
- Deploy one NAT gateway per AZ and route each AZ's private subnets to the NAT gateway in the same AZ; this avoids cross-AZ data charges and removes the NAT gateway as a single point of failure.
- A private NAT gateway (--connectivity-type private) provides no internet egress; it performs NAT for traffic between VPCs or to on-premises through Transit Gateway or VPN, translating instance source addresses to the NAT gateway's private IP.
- Direct Connect provides a dedicated private physical connection at a DX location; traffic never traverses the public internet, giving consistent low latency and predictable bandwidth.
- AWS Global Accelerator uses anycast IPs from AWS edge locations to route users onto the AWS global backbone at the nearest edge, improving global performance and providing two static anycast IPs.
- DX resiliency best practice is multiple connections at separate Direct Connect locations or devices, with a Site-to-Site VPN as a BGP-driven automatic failover backup path.
- AWS Cloud WAN provides a managed, policy-driven global wide-area network with a central dashboard, building global segments across Regions and on-premises instead of stitching Transit Gateways manually.
- A VPC can have a primary CIDR plus secondary CIDRs added with aws ec2 associate-vpc-cidr-block; aws ec2 create-vpc --cidr-block 10.0.0.0/16 creates the VPC and you cannot shrink an allocated CIDR later.
- aws ec2 modify-vpc-attribute --enable-dns-hostnames (and --enable-dns-support) controls DNS for the VPC; both must be enabled for Interface endpoint private DNS and many resolution scenarios to work.
- PrivateLink (Interface endpoint to an endpoint service fronted by an NLB) exposes a single service privately across VPCs or accounts even when CIDRs overlap, since the consumer reaches it via a private IP ENI.
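The two design rules above (non-overlapping CIDRs, and a peering mesh growing as N*(N-1)/2 while Transit Gateway attachments grow linearly) are easy to check before building anything. The following is an added example, not code from the study guide; the VPC names and CIDRs are constructed, and it uses only the Python standard library:

```python
"""Added example (not from the study guide): check a set of VPC CIDRs for
overlaps before peering them or attaching them to a Transit Gateway, and
compare the number of links a full VPC-peering mesh needs with a TGW hub."""
import ipaddress
from itertools import combinations

# Constructed sample: hypothetical VPC names and CIDRs for illustration only.
VPCS = {
    "shared-services": "10.0.0.0/16",
    "prod-app": "10.1.0.0/16",
    "dev-app": "10.1.128.0/17",   # overlaps prod-app: cannot be routed to it
    "analytics": "172.16.0.0/20",
}


def find_overlaps(vpcs):
    """Return sorted (name_a, name_b) pairs whose CIDRs overlap.

    Peering and TGW routing are IP-based, so an overlap makes the shared
    range unreachable; remediate by re-IPing one VPC or by exposing only the
    needed service through PrivateLink.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in vpcs.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def peering_links(n):
    """Full mesh of VPC peering connections for n VPCs: N*(N-1)/2."""
    return n * (n - 1) // 2


def tgw_attachments(n):
    """Transit Gateway needs one attachment per VPC, so it scales linearly."""
    return n


def summarize(vpcs):
    """Single report a reviewer can read before approving the design."""
    n = len(vpcs)
    return {
        "vpcs": n,
        "overlaps": find_overlaps(vpcs),
        "peering_links_needed": peering_links(n),
        "tgw_attachments_needed": tgw_attachments(n),
    }


if __name__ == "__main__":
    for key, value in summarize(VPCS).items():
        print(f"{key}: {value}")
```

Run it against your real CIDR inventory before requesting a peering connection or TGW attachment; any pair it reports will fail routing regardless of how the route tables are written.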
Domain 2: Network Implementation
- Network Load Balancer operates at Layer 4 (TCP/UDP/TLS), offers ultra-low latency, preserves the client source IP, and supports one static Elastic IP per AZ for firewall allowlisting.
- Application Load Balancer operates at Layer 7, routing HTTP/HTTPS by host header and URL path, and supports advanced features like redirects, fixed responses, OIDC/Cognito authentication, and WebSocket.
- Gateway Load Balancer uses the GENEVE protocol on port 6081 to transparently insert and scale third-party virtual firewalls and IDS/IPS appliances in the traffic path via GWLB endpoints.
- Direct Connect VIF types: a Private VIF reaches VPC resources over private IPs, a Public VIF reaches AWS public service endpoints over public IPs, and a Transit VIF connects to a Direct Connect gateway and Transit Gateway.
- BGP is required for dynamic routing on both Direct Connect and Site-to-Site VPN; AWS uses BGP ASNs to identify the customer and AWS sides, and you can influence path selection with AS-path prepending and local preference.
- A Transit Gateway VPC attachment places ENIs in one subnet per chosen AZ; the TGW can only route to resources in AZs where the attachment has a subnet.
- Route 53 routing policies include simple, weighted, latency-based, failover, geolocation, geoproximity (with bias), and multivalue answer; weighted enables blue/green and gradual shifts.
- aws elbv2 create-load-balancer --type network with --subnet-mappings SubnetId=...,AllocationId=... assigns an Elastic IP to an NLB; --type application creates an ALB.
- To register on-premises or external servers as NLB targets, use target type ip and register-targets by IP address rather than instance ID.
- aws ec2 create-transit-gateway-vpc-attachment with --subnet-ids creates the attachment; associate-transit-gateway-route-table associates it to a route table, and create-transit-gateway-route adds static routes.
- VPC peering requires create-vpc-peering-connection then accept-vpc-peering-connection on the peer side, and both VPCs must add routes pointing to the peering connection; peering is not transitive.
- aws ec2 create-vpn-connection --options StaticRoutesOnly=false creates a dynamic BGP VPN; StaticRoutesOnly=true requires manually defined static routes per tunnel.
- Each Site-to-Site VPN connection provides two tunnels for redundancy terminating on separate AWS endpoints; for higher aggregate throughput use Transit Gateway ECMP across multiple VPN connections.
- A Direct Connect gateway lets a single Private VIF reach multiple VPCs across Regions and accounts and can attach to multiple Transit Gateways, but DX gateway does not allow transitive routing between attached VPCs.
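To make the BGP path-selection behaviour from the Direct Connect and VPN items above concrete, here is an added example (not code from the study guide or from AWS) of a minimal best-path selector. It models only the LOCAL_PREF, AS-path length and router-ID tie-break steps of the BGP decision process; the ASNs, prefixes and neighbour names are constructed.

```python
"""Added example (not from the study guide): a minimal BGP best-path selector
showing how LOCAL_PREF and AS-path length decide between a Direct Connect path
and a Site-to-Site VPN backup for the same prefix, and how the backup takes
over when the primary is withdrawn. ASNs, prefixes and neighbour names are
constructed."""
from dataclasses import dataclass

AWS_ASN = 64512        # constructed: Amazon-side ASN configured on the VGW/TGW
CUSTOMER_ASN = 65000   # constructed: customer-side ASN


@dataclass(frozen=True)
class Path:
    prefix: str
    neighbour: str      # which BGP session the route was learned over
    as_path: tuple      # ASNs as received; leftmost is the advertising peer
    local_pref: int = 100
    router_id: str = "0.0.0.0"


def prepend(as_path, asn, times):
    """Lengthen an AS path by repeating `asn`: what an operator advertises on a
    link that should be used only when the preferred one is down."""
    return (asn,) * times + tuple(as_path)


def best_path(paths):
    """1. highest LOCAL_PREF, 2. shortest AS_PATH, 3. lowest router ID.
    Returns None when no candidate remains (prefix withdrawn everywhere)."""
    paths = [p for p in paths if p is not None]
    if not paths:
        return None
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.router_id))


def customer_view(dx_up=True, vpn_up=True, dx_local_pref=200, vpn_local_pref=100):
    """A customer router learning the VPC prefix over DX and over VPN.
    Raising LOCAL_PREF on the DX session makes it primary; when DX drops,
    the VPN path is the only candidate left and takes over automatically."""
    vpc_prefix = "10.0.0.0/16"
    dx = (Path(vpc_prefix, "dx-primary", (AWS_ASN,), dx_local_pref, "169.254.1.1")
          if dx_up else None)
    vpn = (Path(vpc_prefix, "vpn-backup", (AWS_ASN,), vpn_local_pref, "169.254.2.1")
           if vpn_up else None)
    best = best_path([dx, vpn])
    return best.neighbour if best else None


def aws_view(secondary_prepends=3):
    """Seen from the AWS side: the customer advertises its on-premises prefix
    over two DX connections with equal LOCAL_PREF, prepending its own ASN on
    the secondary so the primary wins on AS-path length."""
    onprem = "192.168.0.0/16"
    primary = Path(onprem, "dx-primary", (CUSTOMER_ASN,), router_id="169.254.1.2")
    secondary = Path(onprem, "dx-secondary",
                     prepend((CUSTOMER_ASN,), CUSTOMER_ASN, secondary_prepends),
                     router_id="169.254.2.2")
    return best_path([primary, secondary]).neighbour


if __name__ == "__main__":
    print("both links up   ->", customer_view())
    print("DX withdrawn    ->", customer_view(dx_up=False))
    print("AWS side choice ->", aws_view())
```

The customer-side preference is set locally; the AWS-side preference is influenced from on-premises by prepending (as shown) or, on Direct Connect, by the local-preference BGP communities AWS documents. Either way the failover in the "DX withdrawn" case needs no manual intervention, which is the point of the BGP-driven VPN backup in Domain 1.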
Domain 3: Network Management and Operations
- VPC Flow Logs capture metadata only (source/destination IP, ports, protocol, packet and byte counts, ACCEPT or REJECT) to CloudWatch Logs, S3, or Kinesis Data Firehose; they never capture packet payloads.
- VPC Traffic Mirroring copies raw packet payloads from a source ENI, NLB, or GWLB to a target ENI or NLB, enabling deep packet inspection and IDS analysis that Flow Logs cannot provide.
- VPC Reachability Analyzer (Network Insights) statically traces the hop-by-hop path between a source and destination and identifies the exact component (SG, NACL, route table) that blocks connectivity, without sending live packets.
- A Route 53 private hosted zone is associated with one or more VPCs and only answers queries originating inside those VPCs, providing internal domain resolution not exposed to the public internet.
- Route 53 Resolver inbound endpoints accept DNS queries from on-premises resolvers (over DX or VPN) for AWS-hosted zones; outbound endpoints with forwarding rules send VPC queries for on-prem domains to on-prem resolvers.
- Latency-based routing returns the Region with the lowest measured network latency to the user, which differs from geolocation routing that selects purely by the user's geographic location.
- Failover routing pairs a primary and secondary record and uses Route 53 health checks to reroute automatically when the primary is unhealthy; geoproximity routing uses a bias to expand or shrink a Region's traffic area.
- aws ec2 create-flow-logs requires a destination (CloudWatch Logs log group plus an IAM role ARN, or an S3 ARN) and a traffic-type filter of ACCEPT, REJECT, or ALL.
- aws ec2 enable-vgw-route-propagation propagates BGP-learned routes from a virtual private gateway into a VPC route table so VPN/DX routes appear automatically.
- aws route53 change-resource-record-sets applies record changes via a change-batch JSON file; aws route53 create-health-check needs a caller-reference and a health-check-config.
- Centralizing Flow Logs into an S3 bucket and querying with Amazon Athena enables cost-effective, ad-hoc SQL analysis of traffic across many accounts and VPCs.
- CloudWatch publishes Direct Connect connection metrics (ConnectionState, ConnectionBpsEgress/ConnectionBpsIngress, ConnectionLightLevelTx/ConnectionLightLevelRx) and per-VIF metrics; set alarms on these plus the VPN TunnelState metric to detect link degradation.
- aws ec2 start-network-insights-analysis runs a Reachability Analyzer path analysis after a network-insights-path is created with the source and destination resources defined.
- Resolver Query Logging records the DNS queries made from a VPC and can be sent to CloudWatch Logs, S3, or Firehose for auditing and troubleshooting name-resolution issues.
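Because Flow Logs carry only metadata (the first item in this domain), most of the operational value comes from aggregating the records. The following is an added example, not code from the study guide, of parsing default-format (version 2) Flow Log records and running two simple defender-side checks over them; every log line is constructed, and the account ID and ENI ID are placeholders.

```python
"""Added example (not from the study guide): parse default-format (v2) VPC
Flow Log records and run simple defender-side checks over them: REJECT counts
per source and sources that probe many distinct destination ports. All log
lines are constructed; account ID and ENI ID are placeholders."""
from collections import Counter, defaultdict

# Field order of the default flow-log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (placeholder account and ENI identifiers).
SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 203.0.113.10 10.0.1.5 51000 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.5 40001 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.5 40002 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.5 40003 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.5 40004 445 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.5 203.0.113.10 443 51000 6 10 9800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_records(text):
    """Return a list of dicts, one per well-formed record. NODATA/SKIPDATA rows
    carry no flow fields and are dropped; numeric fields are converted."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejects_by_source(records):
    """How many REJECTed records each source address produced."""
    return dict(Counter(r["srcaddr"] for r in records if r["action"] == "REJECT"))


def port_probe_sources(records, min_ports=3):
    """Sources whose REJECTed flows touched at least `min_ports` distinct
    destination ports: a cheap signal that warrants a closer look."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def bytes_by_flow(records):
    """Bytes per (src, dst, dstport) over ACCEPTed records. Flow logs give
    counts only, never payload; Traffic Mirroring is needed for that."""
    totals = Counter()
    for r in records:
        if r["action"] == "ACCEPT":
            totals[(r["srcaddr"], r["dstaddr"], r["dstport"])] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("rejects by source:", rejects_by_source(recs))
    print("port-probe sources:", port_probe_sources(recs))
    print("bytes by flow:", bytes_by_flow(recs))
```

The same aggregations are what you would express as SQL once the logs are centralized in S3 and queried with Athena; the Python version is useful for spot-checking a single log group or validating a query's logic.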
Domain 4: Network Security, Compliance, and Governance
- Security Groups are stateful and applied at the ENI level: allowing inbound traffic automatically permits the return traffic; they support allow rules only, and you can reference another security group as a source.
- Network ACLs are stateless and applied at the subnet level: both inbound and outbound directions must be explicitly allowed, rules are evaluated in numbered order, and they support both allow and deny rules.
- AWS Network Firewall is a managed stateful firewall and IPS supporting Suricata-compatible rules and domain/FQDN filtering (matching TLS SNI and HTTP Host headers), commonly deployed in a centralized inspection VPC behind a Transit Gateway.
- AWS WAF inspects HTTP/HTTPS requests and integrates with CloudFront, ALB, API Gateway, and AppSync; rate-based rules throttle abusive sources and managed rule groups block common exploits like SQLi and XSS.
- AWS Firewall Manager, built on AWS Organizations, centrally enforces WAF web ACLs, Shield Advanced, Network Firewall, and security group policies and automatically applies them to new accounts and resources.
- Place backend instances in private subnets behind a public-facing load balancer and scope their security group to allow only the load balancer's security group, never the open internet.
- MACsec provides Layer 2 line-rate encryption on supported Direct Connect connections (dedicated 10/100 Gbps); for VPN and most hybrid links, IPsec encrypts traffic at Layer 3.
- IMDSv2 hardening uses --metadata-options HttpTokens=required so every metadata request must carry a session token obtained with a PUT; setting HttpPutResponseHopLimit=1 stops that token response from being forwarded beyond the instance, and together these prevent SSRF exploits from reaching the 169.254.169.254 metadata endpoint.
- aws ec2 authorize-security-group-ingress uses --protocol, --port, and --cidr (or --source-group); aws ec2 create-network-acl-entry needs --ingress/--egress, --rule-number, --rule-action allow or deny, and a CIDR.
- A gateway endpoint policy plus an S3 bucket policy using the aws:sourceVpce condition key restricts bucket access to traffic arriving only through a specific VPC endpoint.
- aws network-firewall create-rule-group --type STATEFUL with a RulesSource RulesString defines Suricata IPS rules; stateless rule groups handle high-throughput packet-level allow/deny decisions.
- aws wafv2 associate-web-acl attaches a web ACL to a resource using --web-acl-arn and --resource-arn (the ALB, API Gateway, or AppSync ARN); CloudFront associations are set on the distribution itself.
- AWS Shield Standard is automatic and free for all customers; Shield Advanced adds enhanced DDoS protection, cost-protection credits, and 24/7 access to the Shield Response Team for layer 3/4 and layer 7 attacks.
- Centralized egress inspection routes all VPC outbound traffic through an inspection VPC running Network Firewall via Transit Gateway, with appliance-mode enabled on the attachment to keep flows symmetric across AZs.
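The stateful-versus-stateless distinction between Security Groups and Network ACLs is the single most tested concept in this domain, and it is easiest to see by tracing one HTTPS session through both. The following is an added example, not code from the study guide, that simulates the two evaluation models; the addresses, ports and rule numbers are constructed.

```python
"""Added example (not from the study guide): a small simulator showing why a
Security Group (stateful, allow-only) and a Network ACL (stateless, numbered,
allow/deny) need different rules to let the same HTTPS session through.
Addresses, ports and rule numbers are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self):
        """The reply direction of this flow."""
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


def _matches(cidr, proto, port_from, port_to, ip, port, flow_proto):
    return (flow_proto == proto and port_from <= port <= port_to
            and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr))


class SecurityGroup:
    """Stateful, per-ENI, allow rules only. Replies to a permitted inbound
    flow are allowed by connection tracking even with no egress rule."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # (proto, from_port, to_port, cidr)
        self.outbound = outbound
        self._tracked = set()

    def allows_inbound(self, flow):
        if any(_matches(c, p, f, t, flow.src, flow.dport, flow.proto)
               for p, f, t, c in self.inbound):
            self._tracked.add(flow)
            return True
        return False

    def allows_outbound(self, flow):
        if flow.reverse() in self._tracked:
            return True                     # tracked reply, no rule needed
        return any(_matches(c, p, f, t, flow.dst, flow.dport, flow.proto)
                   for p, f, t, c in self.outbound)


class NetworkACL:
    """Stateless, per-subnet. Rules are evaluated in ascending number, first
    match wins, and the implicit '*' rule at the end denies everything."""

    def __init__(self, inbound, outbound):
        # (rule_number, proto, from_port, to_port, cidr, action)
        self.inbound = sorted(inbound)
        self.outbound = sorted(outbound)

    @staticmethod
    def _evaluate(rules, remote_ip, port, proto):
        for _num, rproto, f, t, cidr, action in rules:
            if _matches(cidr, rproto, f, t, remote_ip, port, proto):
                return action == "allow"
        return False

    def allows_inbound(self, flow):
        return self._evaluate(self.inbound, flow.src, flow.dport, flow.proto)

    def allows_outbound(self, flow):
        # outbound rules match the packet's destination address and port,
        # which for a reply is the client's ephemeral port
        return self._evaluate(self.outbound, flow.dst, flow.dport, flow.proto)


def https_session(client_ip, nacl_outbound):
    """Trace a client -> 10.0.1.5:443 request and its reply through a locked
    down SG (no egress rules) and a NACL with the given outbound rules."""
    request = Flow(client_ip, 51000, "10.0.1.5", 443)
    sg = SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    nacl = NetworkACL(
        inbound=[(90, "tcp", 443, 443, "198.51.100.0/24", "deny"),
                 (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
                 (200, "tcp", 443, 443, "0.0.0.0/0", "deny")],  # never reached
        outbound=nacl_outbound)
    return {
        "sg_request": sg.allows_inbound(request),
        "sg_reply": sg.allows_outbound(request.reverse()),
        "nacl_request": nacl.allows_inbound(request),
        "nacl_reply": nacl.allows_outbound(request.reverse()),
    }


EPHEMERAL_ALLOW = [(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print("NACL without ephemeral rule:", https_session("203.0.113.10", []))
    print("NACL with ephemeral rule:   ", https_session("203.0.113.10", EPHEMERAL_ALLOW))
    print("denied source (rule 90):    ", https_session("198.51.100.5", EPHEMERAL_ALLOW))
```

The first run shows the classic troubleshooting case: the SG passes both directions, the NACL passes the request, and the session still fails because the NACL has no outbound allow for the client's ephemeral port. The third run shows rule ordering: the lower-numbered deny at 90 wins for that source, while the deny at 200 is never reached for anyone because 100 matches first.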
AWS ANS-C01 exam tips
- Read each scenario for the deciding constraint first - keywords like 'overlapping CIDRs', 'lowest latency', 'preserve source IP', 'no internet traversal', or 'centralized inspection' usually map directly to one correct service.
- Know the decision boundaries cold: NLB (L4, static IP, source IP) vs ALB (L7, host/path) vs GWLB (GENEVE appliances); Gateway endpoint (S3/DynamoDB only, free) vs Interface endpoint (PrivateLink, ENI, paid).
- For hybrid connectivity questions, separate the access type (Private VIF, Public VIF, Transit VIF), the routing protocol (always BGP for dynamic), and the resiliency pattern (multi-location DX plus VPN failover).
- Be precise about stateful vs stateless and where it applies: Security Groups are stateful per-ENI with allow-only rules; NACLs are stateless per-subnet with ordered allow and deny rules requiring both directions.
- Manage the 170 minutes by flagging long multi-requirement design questions and answering shorter CLI and concept questions first; eliminate options that violate a hard constraint before comparing the survivors.
Study guide FAQ
How hard is ANS-C01 and how much hands-on experience do I need?
It is one of the more demanding AWS specialty exams. AWS recommends at least five years of networking experience plus two years on AWS. Real hands-on work with VPC routing, Transit Gateway, Direct Connect, and Route 53 Resolver matters far more than memorization, since most questions are scenario-based design and troubleshooting.
What is the passing score and exam format?
You need a scaled score of 750 out of 1000. The exam has 65 scored questions (plus a number of unscored pretest items) delivered as multiple choice and multiple response, with 170 minutes to complete it. There is no penalty for wrong answers, so answer every question.
Which topics carry the most weight?
Network Design is the largest area, followed closely by Network Management and Operations and by Network Security, Compliance, and Governance, with Network Implementation rounding it out. In practice, deep VPC, Transit Gateway, Direct Connect, DNS, and security knowledge appears across all four domains, so master the connectivity and routing fundamentals first.
Do I need to memorize AWS CLI commands and BGP details?
Yes for the common ones. Expect questions that hinge on specific CLI flags (for example create-nat-gateway --connectivity-type private, create-vpn-connection --options StaticRoutesOnly, or run-instances --metadata-options HttpTokens=required) and on BGP behaviors like route propagation, AS-path prepending, and ECMP. You will not need to write full configs, but you must recognize correct command usage and routing outcomes.