AWS Advanced Networking
Master the ANS-C01 exam — complex VPC architecture, hybrid connectivity with Direct Connect and VPN, Transit Gateway multi-account design, Route 53 advanced routing, CloudFront, and network security at scale.
Network Design
The largest ANS-C01 domain. Covers designing complex multi-VPC architectures, scalable hybrid connectivity, and advanced routing strategies using BGP, Transit Gateway, and edge networking services.
Network Design — VPC, Hybrid, Routing
VPC architecture · Hybrid connectivity · BGP routing · Edge networking
🌐 VPC Design Patterns
- Hub-and-spoke with Transit Gateway
- Shared VPC using Resource Access Manager
- VPC peering: non-transitive, inter-region
- Centralized egress via NAT Gateway
- CIDR planning — avoid overlapping ranges
- IPv6 dual-stack VPC design
🔗 Transit Gateway
- Regional router connecting VPCs, VPNs, DX
- Route tables: multiple per TGW for isolation
- Blackhole routes to drop traffic
- TGW peering across regions and accounts
- Multicast support via multicast domain
- Equal-cost multi-path (ECMP) for VPN
📡 BGP Routing
- eBGP for Direct Connect and VPN
- AS_PATH prepending to control route selection
- Local Preference: rank routes received from on-prem
- MED: influence path selection to on-prem
- BGP communities for route filtering
- Route summarization to reduce advertisements
🌍 Route 53
- Routing policies: simple, weighted, latency
- Geolocation vs Geoproximity routing
- Failover routing with health checks
- Private hosted zones: associate multiple VPCs
- Resolver inbound/outbound endpoints (hybrid DNS)
- Resolver forwarding rules for on-prem DNS
🚀 CloudFront
- Edge caching at 400+ PoPs worldwide
- Origin groups for primary/failover origins
- Cache behaviors: path-pattern based routing
- Lambda@Edge & CloudFront Functions
- Field-level encryption for sensitive data
- OAC (Origin Access Control) replaces OAI
⚡ Global Accelerator
- Anycast IPs entering AWS backbone at nearest PoP
- Traffic dials per endpoint group (weighted)
- Endpoint groups per AWS Region
- Health checks trigger automatic failover
- TCP/UDP support (unlike CloudFront HTTP only)
- Use for non-HTTP: gaming, IoT, VoIP
Subnet and CIDR Design
📊 CIDR Best Practices
- RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Use /16 VPC CIDRs; /24 subnets per AZ
- Reserve 5 IPs per subnet (AWS reserved)
- Secondary CIDR blocks: up to 5 per VPC
- Avoid overlapping ranges with on-prem and peered VPCs
🔀 Subnet Types
- Public subnet: route 0.0.0.0/0 → IGW
- Private subnet: route 0.0.0.0/0 → NAT GW/Instance
- Isolated subnet: no internet route at all
- Dedicated subnet per tier per AZ for resilience
- VPC endpoints keep traffic off public internet
🔌 VPC Endpoints
- Gateway endpoints: S3 and DynamoDB (free)
- Interface endpoints: ENI with private IP (PrivateLink)
- Endpoint policies: restrict access to specific resources
- Private DNS for interface endpoints
- Centralized endpoint VPC in hub-spoke model
Network Implementation
Covers provisioning and connecting AWS networking components including Direct Connect for dedicated connectivity, Site-to-Site VPN for encrypted tunnels, and load balancing for high availability.
Network Implementation — DX, VPN, LB
Direct Connect · VPN · Load Balancers · PrivateLink · Accelerators
🔌 AWS Direct Connect
- Dedicated private connection: 1G, 10G, 100G
- Hosted connection: subrate (50Mbps–10G) via partner
- Virtual Interfaces: Private VIF, Public VIF, Transit VIF
- Private VIF → VGW (single VPC) or DXGW
- Transit VIF → Direct Connect Gateway → TGW
- LAG: up to 4 connections bundled (same speed/location)
🌐 DX Resiliency
- Maximum resiliency: 2 DX locations, 2 devices each (4 connections)
- High resiliency: 2 connections at 1 DX location
- Backup VPN over Internet for failover
- BFD (Bidirectional Forwarding Detection) for fast failover
- SLA: 99.99% with maximum resiliency architecture
🔒 Site-to-Site VPN
- Two IPSec tunnels per connection (active/active recommended)
- Attach to VGW (single VPC) or TGW (multiple VPCs)
- Accelerated VPN: routes through AWS Global Accelerator PoPs
- Customer Gateway: config on on-prem device
- ECMP over TGW: aggregate bandwidth across multiple VPN tunnels
- IKEv2 support; pre-shared key or certificate auth
⚖️ Elastic Load Balancing
- ALB: Layer 7, HTTP/HTTPS, path/host routing, WAF
- NLB: Layer 4, TCP/UDP/TLS, static IP, extreme performance
- GWLB: Layer 3, bump-in-wire for virtual appliances
- NLB preserves source IP; ALB inserts X-Forwarded-For
- Cross-zone load balancing: ALB on by default, NLB optional
- Connection draining (ALB deregistration delay)
🔗 PrivateLink & Endpoint Services
- Expose service from provider VPC via NLB
- Consumer accesses via Interface Endpoint (ENI)
- Traffic never traverses public internet
- Works across accounts and overlapping CIDRs
- Endpoint policies for fine-grained access control
🏗️ DX Gateway
- Connect on-prem to multiple VPCs across regions
- One DXGW attached to multiple VGWs (up to 10)
- DXGW + TGW: single DX connection to many VPCs
- VPCs reachable through a DXGW must have non-overlapping CIDRs
- Global resource (not region-specific)
| Feature | Private VIF | Public VIF | Transit VIF |
|---|---|---|---|
| Connects to | VGW → single VPC | AWS public endpoints (S3, etc.) | TGW (many VPCs) |
| BGP ASN | Private | Public (or private with DXGW) | Private (via DXGW) |
| Route limit | 100 routes | 1,000 routes | 100 routes |
| Best use | Single VPC access | S3, public services | Enterprise multi-VPC |
Load Balancer Advanced Patterns
🔀 ALB Advanced Routing
- Host-based routing: api.example.com vs www.example.com
- Path-based routing: /api/* → backend TG
- HTTP header & query string conditions
- Authenticate action: Cognito or OIDC IdP
- Redirect HTTP to HTTPS (built-in)
- Fixed response action for maintenance pages
🌐 NLB Advanced Features
- Static IP per AZ; Elastic IP assignable
- TLS termination at NLB (offload from instances)
- Proxy Protocol v2 for source IP preservation
- Target groups: instance, IP, Lambda, ALB
- Zonal DNS for low-latency routing
Network Management & Operations
Covers monitoring, logging, and troubleshooting AWS networks using VPC Flow Logs, Reachability Analyzer, Network Access Analyzer, and Traffic Mirroring. Also includes automation with CloudFormation and optimization strategies.
Network Management — Monitor, Troubleshoot, Automate
Flow Logs · Reachability Analyzer · Traffic Mirroring · Automation
📋 VPC Flow Logs
- Captures IP traffic metadata (not packet content)
- Scope: VPC, subnet, or individual ENI
- Destinations: CloudWatch Logs, S3, Kinesis Firehose
- Custom format: select specific fields
- ACCEPT/REJECT records for security analysis
- Traffic Mirror captures actual packet payloads
🔍 Reachability Analyzer
- Logical analysis of path between two endpoints
- No actual traffic sent — uses config analysis
- Identifies blocking: SG, NACL, route table, IGW
- Use for compliance audit and troubleshooting
- Integrates with EventBridge for drift alerts
🔎 Network Access Analyzer
- Identifies unintended network access at scale
- Define network access scope to find violations
- Example: "find paths to port 22 from internet"
- Complements Reachability Analyzer for broad audits
- Integrates with AWS Security Hub findings
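The ACCEPT/REJECT records from Flow Logs and the "port 22 from the internet" style of audit described under Network Access Analyzer can also be checked directly against flow-log data. The following is an added example, not code from the original page: it parses constructed records in the AWS default flow-log field order and, as an assumption, treats any source outside RFC 1918 space as internet-originated.

```python
"""Triage VPC Flow Log records in the default (version 2) format for security review."""
import ipaddress
from collections import Counter

# Field order of the AWS default flow-log format (space separated)
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes")
# Assumption: only RFC 1918 space is internal; any other source counts as internet
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_record(line):
    """Parse one line into a dict; return None for NODATA/SKIPDATA records (fields are '-')."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec

def is_internet_source(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)

def triage(lines, watched_ports=(22, 3389)):
    """Count REJECTs per (dst, port) and list ACCEPTed TCP admin-port flows from the internet."""
    rejects, exposed = Counter(), []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["action"] == "REJECT":
            rejects[(rec["dstaddr"], rec["dstport"])] += 1
        elif (rec["protocol"] == 6 and rec["dstport"] in watched_ports
              and is_internet_source(rec["srcaddr"])):
            exposed.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return rejects, exposed

# Constructed sample records (documentation addresses, fake account and ENI ids)
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51123 22 6 12 1800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 44011 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 44012 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.25 39000 22 6 20 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()
```

The internal SSH flow from 10.0.2.40 is deliberately not flagged; only the accepted SSH session from outside RFC 1918 space is reported as exposure.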
🔬 Traffic Mirroring
- Copy network traffic from ENI to monitoring appliance
- Capture full packet content (unlike Flow Logs)
- Mirror source: ENI; target: NLB or another ENI
- Filter by protocol, port, direction (inbound/outbound)
- Supports IDS/IPS, NDR, threat hunting tools
📊 CloudWatch Network Metrics
- DX: ConnectionState, ConnectionBps, ConnectionPps
- VPN: TunnelState, TunnelDataIn/Out
- NAT Gateway: BytesIn/Out, ErrorPortAllocation
- ELB: HealthyHostCount, TargetResponseTime
- Global Accelerator: NewFlowCount, ProcessedBytesIn
⚡ Network Automation
- CloudFormation for VPC, subnets, SG, NACL
- AWS CDK for programmatic network stacks
- EventBridge + Lambda for auto-remediation
- AWS Config rules for network compliance
- Systems Manager for instance network config
Troubleshooting Network Connectivity
| Issue | Tool | What to Check |
|---|---|---|
| Instance unreachable | Reachability Analyzer | SG rules, NACLs, route tables, IGW/NAT |
| High latency to on-prem | CloudWatch DX metrics | ConnectionBps, BGP routes, VIF health |
| Packet loss investigation | Traffic Mirroring | Full packet capture to IDS appliance |
| DNS resolution failure | Route 53 Resolver logs | Resolver rules, VPC DHCP options, endpoints |
| VPN tunnel down | CloudWatch VPN metrics | TunnelState, IKE negotiation, dead peer detection |
| Unintended internet exposure | Network Access Analyzer | SG 0.0.0.0/0 inbound, public subnet placement |
ErrorPortAllocation indicates source-port exhaustion on the NAT Gateway; scale by deploying multiple NAT Gateways per AZ, or use NAT Instances with custom port configurations for very high connection counts.
Network Security, Compliance & Governance
Covers designing multi-layer network security using Security Groups, NACLs, Network Firewall, WAF, Shield, and encryption in transit. Includes compliance auditing and DDoS mitigation strategies.
Network Security — Firewall, WAF, DDoS, Encryption
Network Firewall · WAF · Shield · TLS · Security Groups · NACLs
🛡️ Security Groups
- Stateful: return traffic automatically allowed
- Applied at ENI level (not subnet)
- Allow rules only — no explicit deny
- Reference other SGs (source) for service tiers
- Up to 5 SGs per ENI; 60 rules per SG
- Default SG: allow all outbound, deny all inbound
🔒 Network ACLs
- Stateless: must allow inbound AND outbound
- Applied at subnet level
- Ordered rules: processed lowest number first
- Allow and deny rules supported
- Default NACL allows all traffic
- Custom NACL denies all traffic by default
- Ephemeral ports 1024-65535 must be allowed
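The stateless, lowest-number-first behaviour above is easy to get wrong in practice. The following is an added example, not code from the original page: it models NACL evaluation against constructed rule sets and shows both the missing ephemeral-port outbound rule and the effect of rule ordering. ICMP type/code matching is left out of the model as a simplification.

```python
"""Evaluate network ACL rule sets the way a VPC does: lowest rule number first, first match wins."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str    # "tcp", "udp" or "all" (ICMP type/code matching is not modelled here)
    cidr: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

def evaluate(rules, protocol, addr, port):
    """Return the action of the first matching rule in ascending number order; no match is the '*' deny."""
    ip = ipaddress.ip_address(addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol != "all" and not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"

def https_round_trip(inbound, outbound, client="203.0.113.7", client_port=51515):
    """Stateless check: the request and its reply are evaluated separately against each direction."""
    request = evaluate(inbound, "tcp", client, 443)          # client -> server:443
    reply = evaluate(outbound, "tcp", client, client_port)   # server -> client:ephemeral
    return request, reply

# Constructed rule sets: a web-tier NACL that allows HTTPS in but forgets the reply traffic out
INBOUND = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
BROKEN_OUTBOUND = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
# Fix: allow the ephemeral port range so replies to internet clients can leave the subnet
FIXED_OUTBOUND = BROKEN_OUTBOUND + [Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]

# Rule ordering: a deny numbered below the allow blocks one network; numbered above it, it is shadowed
BLOCKED_NET = "198.51.100.0/24"
DENY_FIRST = [Rule(50, "tcp", BLOCKED_NET, 443, 443, "deny")] + INBOUND
DENY_SHADOWED = INBOUND + [Rule(150, "tcp", BLOCKED_NET, 443, 443, "deny")]
```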
🔥 AWS Network Firewall
- Stateful and stateless rule groups
- Deploy in dedicated firewall subnet per AZ
- Suricata-compatible IPS/IDS rules
- Domain-based filtering (SNI inspection)
- TLS inspection with decryption capability
- Centralize via TGW in inspection VPC
- Logs to S3, CloudWatch, Kinesis Firehose
🌐 AWS WAF
- Layer 7 firewall for ALB, CloudFront, API GW, AppSync
- Managed rule groups: AWSManagedRulesCommonRuleSet
- Custom rules: IP match, geo match, string match
- Rate-based rules: block IPs exceeding a request threshold per 5-minute window
- Bot Control & Account Takeover Prevention (add-ons)
- Captcha action for suspicious traffic
🛡️ AWS Shield
- Shield Standard: free, always-on L3/L4 DDoS protection
- Shield Advanced: $3,000/month, billed per organization
- Advanced: L7 DDoS protection, cost protection, SRT (formerly DRT) support
- Protects: EC2, ELB, CloudFront, Route 53, Global Accelerator
- SRT (Shield Response Team) proactive engagement
- DDoS cost protection: service credit if scaling due to attack
🔐 Encryption in Transit
- ACM: free TLS certificates for ALB, CloudFront, API GW
- MACsec: Layer 2 encryption on DX dedicated connections
- IPSec: encryption for VPN tunnels (AES-256-GCM)
- TLS between services with ACM Private CA
- VPC Lattice: mTLS for service-to-service
- Enforce HTTPS with S3 bucket policy aws:SecureTransport
| Control | Layer | Stateful | Scope | Key Feature |
|---|---|---|---|---|
| Security Group | L4 | Yes | ENI | Allow only; SG-to-SG references |
| NACL | L3/L4 | No | Subnet | Allow + Deny; ordered rules |
| Network Firewall | L3–L7 | Both | VPC/subnet | Suricata IPS rules; domain filtering |
| WAF | L7 | Yes | ALB/CF/API GW | HTTP inspection; managed rules |
| Shield Advanced | L3–L7 | Yes | Account-wide | DDoS mitigation + cost protection |
Compliance & Governance
📋 AWS Config for Networking
- restricted-ssh / restricted-rdp managed rules
- vpc-sg-open-only-to-authorized-ports
- nacl-no-unrestricted-ssh-rdp
- vpc-flow-logs-enabled: ensure Flow Logs active
- Auto-remediation via SSM Automation on NON_COMPLIANT
🔍 Firewall Manager
- Centrally manage WAF, Shield, SG, Network Firewall policies
- Enforce policies across entire AWS Organization
- Auto-remediate non-compliant resources
- Requires AWS Organizations and Security Hub
- Delegate admin from management account
🌐 PrivateLink + Endpoint Policy
- VPC endpoint policy restricts S3 bucket access
- Prevent data exfiltration via endpoint conditions
- SCP: deny s3:* unless from specific VPC endpoints
- Interface endpoint private DNS prevents public access
- CloudTrail logs API calls via endpoints