The AWS Certified Advanced Networking Specialty certification is widely recognized and confirms the proficiency of network architects and engineers in creating and deploying advanced networking solutions within the Amazon Web Services (AWS) environment. The exam covers a wide range of networking topics such as routing, security, connectivity, and performance optimization. Passing this certification exam requires a thorough understanding of AWS networking concepts, services, and best practices.
Getting ready for the AWS Certified Advanced Networking Specialty exam requires a substantial commitment of time and dedication to studying and hands-on practice with different networking scenarios on AWS. Despite the variety of online study materials, it can be overwhelming to get through all the available content and resources. This is where a cheat sheet can be incredibly useful.
In this blog post, we’ll provide a comprehensive AWS Certified Advanced Networking Specialty cheat sheet that covers the most important networking concepts and services that you need to know to pass the exam. We’ll also share tips and tricks to help you prepare effectively for the exam and boost your chances of success. Whether you’re a seasoned network engineer or just getting started with AWS networking, this cheat sheet will help you streamline your preparation and focus on the most critical topics. So let’s get started!
AWS Certified Advanced Networking Specialty: Overview
AWS Certified Advanced Networking Specialty exam is designed for candidates who have knowledge and skills to perform complex networking tasks. This exam validates candidates abilities in:
- To begin with, Designing, developing, and deploying cloud-based solutions using AWS
- Then, Implementing AWS core services with basic architecture best practices
- Also, Maintaining and designing network architecture for all AWS services
- Finally, Leveraging tools to automate AWS networking tasks
Glossary for AWS Certified Advanced Networking Terminology
- AWS Direct Connect: A dedicated network connection service that allows customers to connect their data centers to AWS.
- AWS Global Accelerator: A service that enhances the availability and performance of applications through the utilization of static IP addresses and a worldwide network.
- AWS Transit Gateway: A service that simplifies network connectivity between VPCs and on-premises networks.
- Elastic Load Balancing (ELB): A service that distributes incoming traffic across multiple instances or services to improve performance and availability.
- Amazon Route 53: A scalable domain name system (DNS) web service that translates domain names into IP addresses.
- Amazon VPC: A virtual private cloud (VPC) that allows customers to launch AWS resources into a virtual network that they define.
- Network Address Translation (NAT) Gateway: A service that enables instances in a private subnet to connect to the internet or other AWS services.
- Virtual Private Network (VPN): A secure and encrypted connection between two networks, typically used to connect a customer’s on-premises data center to AWS.
- AWS PrivateLink: A service that enables customers to access AWS services over a private connection, rather than over the internet.
- AWS Site-to-Site VPN: A service that allows customers to create secure connections between their on-premises data center and their VPCs in AWS.
- AWS VPN CloudHub: A service that allows customers to create multiple site-to-site VPN connections to a single VPC.
- Elastic Network Interface (ENI): A virtual network interface that customers can attach to an instance in a VPC to enable connectivity.
- Border Gateway Protocol (BGP): A routing protocol that enables the exchange of routing information between different networks.
- Amazon CloudFront: A content delivery network (CDN) service designed to accelerate the delivery of both static and dynamic content to users.
- AWS Global Transit Network: A service that enables customers to create a global network backbone that connects their VPCs, data centers, and remote offices.
Exam preparation resources for the AWS Certified Advanced Networking Specialty exam
Here are some official exam preparation resources with website links for the AWS Certified Advanced Networking Specialty exam:
- AWS Certified Advanced Networking Specialty Exam Guide: This official exam guide covers all the topics and skills you need to know to pass the AWS Certified Advanced Networking Specialty exam. You can find it on the AWS website at https://aws.amazon.com/certification/certified-advanced-networking-specialty/.
- AWS Certified Advanced Networking Specialty Sample Questions: These sample questions provide you with an idea of what to expect on the exam and help you assess your readiness for the exam. You can find them on the AWS website at https://aws.amazon.com/certification/certified-advanced-networking-specialty/.
- AWS Certified Advanced Networking Specialty Practice Exam: This practice exam helps you prepare for the real exam by simulating the actual exam environment. You can purchase it on the AWS website at https://www.aws.training/certification?src=advanced-networking.
- AWS Certified Advanced Networking Specialty Training: This training course provides you with in-depth knowledge and hands-on experience with AWS networking services. You can find it on the AWS website at https://aws.amazon.com/training/course-descriptions/advanced-networking-specialty/.
- AWS Certified Advanced Networking Specialty Exam Readiness Workshop: This workshop helps you prepare for the exam by providing you with an overview of the exam and tips for passing it. You can find it on the AWS website at https://aws.amazon.com/events/aws-certified-advanced-networking-specialty-exam-readiness-workshop/.
Note that the above resources are official AWS resources, and there may be other third-party resources available online that can also help you prepare for the exam.
Prerequisite for the exam
Before you start preparing for exam it is important to check the recommended knowledge and experience to take the exam. The AWS Certified Advanced Networking – Specialty prerequisites are as follows:
- Firstly, candidates are recommended to hold an AWS Certified Cloud Practitioner or a current Associate-level certification: AWS Certified Solutions Architect – Associate, AWS Certified Developer – Associate or AWS Certified SysOps Administrator – Associate.
- They must have advanced knowledge of AWS networking concepts and technologies.
- Furthermore, candidates should possess at least five years of practical experience in designing and executing network solutions.
- Further, they should know about advanced networking architectures and interconnectivity options (e.g., IP VPN, MPLS/VPLS) including networking technologies within the OSI model, and how they affect implementation decisions.
- Moreover, it is necessary to have knowledge of CIDR and subnetting (IPv4 and IPv6) with an understanding of IPv6 transition challenges.
- Next, candidates must have a solid understanding of standard network security solutions, encompassing features like WAF, IDS, IPS, DDoS protection, and Economic Denial of Service/Sustainability (EDoS).
- Lastly, they should be proficient in creating automation scripts and tools, including routing architectures (such as static and dynamic routing), multi-region strategies for global enterprises, and highly resilient connectivity solutions (e.g., DX, VPN).
Cheat Sheet: AWS Certified Advanced Networking Specialty
The AWS Certified Advanced Networking Specialty Cheat Sheet is your ideal instrument to have an overview of the exam before venturing. It will keep you loaded with the right resources and bridge the gap for your dream job. Furthermore, we will be adding a few quick links to ease your preparation process. We suggest you to a quick glance at this cheat sheet before you appear for the exam.
Review the Exam Objectives
The first step is to always have a denser look at each and every domain of the exam. Therefore, you must review the exam objectives and familiarise with the exam course. A thorough analysis will help you to gain the required command to earn your desired certification. This exam covers the following domains:
Updated AWS Certified Advanced Networking – Specialty (ANS-C01) Course outline
Domain 1: Network Design (30%)
Task Statement 1.1: Design a solution that incorporates edge network services to optimize user performance and traffic management for global architectures.
Knowledge of:
- Design patterns for the usage of content distribution networks (for example, Amazon CloudFront) (AWS Documentation: Working with Content Delivery Networks (CDNs))
- Design patterns for global traffic management (for example, AWS Global Accelerator) (AWS Documentation: Getting started with AWS Global Accelerator, Traffic management with AWS Global Accelerator)
- Integration patterns for content distribution networks and global traffic management with other services (for example, Elastic Load Balancing, Amazon API Gateway) (AWS Documentation: Networking and Content Delivery, Introduction to Network Transformation on AWS)
Skills in:
- Evaluating requirements of global inbound and outbound traffic from the internet to design an appropriate content distribution solution (AWS Documentation: Infrastructure OU – Network account, Routing traffic to an Amazon CloudFront distribution)
Task Statement 1.2: Design DNS solutions that meet public, private, and hybrid requirements.
Knowledge of:
- DNS protocol (for example, DNS records, timers, DNSSEC, DNS delegation, zones) (AWS Documentation: Configuring DNSSEC for a domain, Supported DNS record types, Amazon Route 53 concepts)
- DNS logging and monitoring (AWS Documentation: Logging and monitoring in Amazon Route 53)
- Amazon Route 53 features (for example, alias records, traffic policies, resolvers, health checks) (AWS Documentation: Creating Amazon Route 53 health checks and configuring DNS failover, Amazon Route 53 chooses records when health checking, Amazon Route 53 FAQs)
- Integration of Route 53 with other AWS networking services (for example, Amazon VPC) (AWS Documentation: Integration with other services, Resolving DNS queries between VPCs and your network)
- Integration of Route 53 with hybrid, multi-account, and multi-Region options (AWS Documentation: Using Route 53 Private Hosted Zones for Cross-account Multi-region Architectures, Simplify DNS management in a multi-account environment)
- Domain Registration (AWS Documentation: Registering a new domain)
Skills in:
- Using Route 53 public hosted zones (AWS Documentation: Creating a public hosted zone)
- Using Route 53 private hosted zones (AWS Documentation: Working with private hosted zones)
- Using Route 53 Resolver endpoints in hybrid and AWS architectures (AWS Documentation: Set up integrated DNS resolution for hybrid networks in Amazon Route 53)
- Using Route 53 for global traffic management (AWS Documentation: Amazon Route 53)
- Creating and managing domain registrations (AWS Documentation: Registering a new domain)
Task Statement 1.3: Design solutions that integrate load balancing to meet high availability, scalability,
and security requirements.
Knowledge of:
- How load balancing works at layer 3, layer 4, and layer 7 of the OSI model (AWS Documentation: Load balancer types, Elastic Load Balancing features)
- Different types of load balancers and how they meet requirements for network design, high availability, and security (AWS Documentation: Load balancer types)
- Connectivity patterns that apply to load balancing based on the use case (for example, internal load balancers, external load balancers) (AWS Documentation: Application Load Balancers, Elastic Load Balancing features)
- Scaling factors for load balancers
- Integrations of load balancers and other AWS services (for example, Global Accelerator, CloudFront, AWS WAF, Route 53, Amazon Elastic Kubernetes Service [Amazon EKS], AWS Certificate Manager [ACM]) (AWS Documentation: Supported Resource Types, AWS::EKS::Cluster, AWS::GlobalAccelerator::Accelerator)
- Configuration options for load balancers (for example, proxy protocol, cross-zone load balancing, session affinity [sticky sessions], routing algorithms) (AWS Documentation: Target groups for your Network Load Balancers, Configure sticky sessions for your Classic Load Balancer, Sticky sessions for your Application Load Balancer)
- Configuration options for load balancer target groups (for example, TCP, GENEVE, IP compared with instance) (AWS Documentation: CreateTargetGroup, Target groups for your Network Load Balancers)
- AWS Load Balancer Controller for Kubernetes clusters (AWS Documentation: Installing the AWS Load Balancer Controller add-on, Application load balancing on Amazon EKS)
- Considerations for encryption and authentication with load balancers (for example, TLS termination, TLS passthrough) (AWS Documentation: TLS listeners for your Network Load Balancer, Create an HTTPS listener for your Application Load Balancer)
Skills in:
- Selecting an appropriate load balancer based on the use case (AWS Documentation: Application Load Balancers)
- Integrating auto-scaling with load balancing solutions (AWS Documentation: Attach a load balancer to your Auto Scaling group)
- Integrating load balancers with existing application deployments (AWS Documentation: Integrating CodeDeploy with Elastic Load Balancing)
Task Statement 1.4: Define logging and monitoring requirements across AWS and hybrid networks.
Knowledge of:
- Amazon CloudWatch metrics, agents, logs, alarms, dashboards, and insights in AWS architectures to provide visibility (AWS Documentation: Amazon CloudWatch, How Amazon CloudWatch works)
- AWS Transit Gateway Network Manager in architectures to provide visibility (AWS Documentation: AWS Network Manager for Transit Gateway networks)
- VPC Reachability Analyzer in architectures to provide visibility (AWS Documentation: VPC Reachability Analyzer)
- Flow logs and traffic mirroring in architecture to provide visibility (AWS Documentation: Traffic Mirroring, Using VPC Traffic Mirroring to monitor and secure your AWS infrastructure)
- Access logging (for example, load balancers, CloudFront) (AWS Documentation: Access logs for your Application Load Balancer)
Skills in:
- Identifying the logging and monitoring requirements (AWS Documentation: Designing and implementing logging and monitoring with Amazon CloudWatch)
- Recommending appropriate metrics to provide visibility of the network status (AWS Documentation: List the available CloudWatch metrics for your instances)
- Capturing baseline network performance (AWS Documentation: Amazon EC2 instance network bandwidth)
Task Statement 1.5: Design a routing strategy and connectivity architecture between on-premises
networks and the AWS Cloud.
Knowledge of:
- Routing fundamentals (for example, dynamic compared with static, BGP) (AWS Documentation: Site-to-Site VPN routing options, customer gateway device configurations for dynamic routing (BGP))
- Layer 1 and layer 2 concepts for physical interconnects (for example, VLAN, link aggregation group [LAG], optics, jumbo frames) (AWS Documentation: Link aggregation groups)
- Encapsulation and encryption technologies (for example, Generic Routing Encapsulation [GRE], IPsec) (AWS Documentation: Simplify SD-WAN connectivity with AWS Transit Gateway Connect, Your customer gateway device)
- Resource sharing across AWS accounts (AWS Documentation: Sharing your AWS resources)
- Overlay networks (AWS Documentation: Overlay IP Routing using AWS Transit Gateway)
Skills in:
- Identifying the requirements for hybrid connectivity (AWS Documentation: Connectivity models)
- Designing a redundant hybrid connectivity model with AWS services (for example, AWS Direct Connect, AWS Site-to-Site VPN) (AWS Documentation: Hybrid connectivity, VPN connection as a backup)
- Designing BGP routing with BGP attributes to influence the traffic flows based on the desired traffic patterns (load sharing, active/passive) (AWS Documentation: Routing policies and BGP communities, Creating active/passive BGP connections over AWS Direct Connect)
- Designing for integration of a software-defined wide area network (SD-WAN) with AWS (for example, Transit Gateway Connect, overlay networks) (AWS Documentation: Simplify SD-WAN connectivity with AWS Transit Gateway Connect)
Task Statement 1.6: Design a routing strategy and connectivity architecture that includes multiple AWS
accounts, AWS Regions, and VPCs to support different connectivity patterns.
Knowledge of:
- Different connectivity patterns and use cases (for example, VPC peering, Transit Gateway, AWS PrivateLink) (AWS Documentation: AWS PrivateLink, Connect VPCs using VPC peering)
- Capabilities and advantages of VPC sharing (AWS Documentation: Share your VPC with other accounts, VPC sharing)
- IP subnets and solutions accounting for IP address overlaps
Skills in:
- Connecting multiple VPCs by using the most appropriate services based on requirements (for example, using VPC peering, Transit Gateway, PrivateLink) (AWS Documentation: VPC to VPC connectivity, Connect VPCs using VPC peering)
- Using VPC sharing in a multi-account setup (AWS Documentation: Share your VPC with other accounts)
- Managing IP overlaps by using different available services and options (for example, NAT, PrivateLink, Transit Gateway routing) (AWS Documentation: AWS PrivateLink)
Domain 2: Network Implementation (26%)
Task Statement 2.1: Implement routing and connectivity between on-premises networks and the AWS Cloud.
Knowledge of:
- Routing protocols (for example, static, dynamic) (AWS Documentation: Site-to-Site VPN routing options)
- VPNs (for example, security, accelerated VPN) (AWS Documentation: Accelerated Site-to-Site VPN connections)
- Layer 1 and types of hardware to use (for example, Letter of Authorization [LOA] documents, colocation facilities, Direct Connect) (AWS Documentation: Classic, Requesting cross connects at AWS Direct Connect locations)
- Layer 2 and layer 3 (for example, VLANs, IP addressing, gateways, routing, switching) (AWS Documentation: Amazon VPC for On-Premises Network Engineers, Example routing options)
- Traffic management and SD-WAN (for example, Transit Gateway Connect) (AWS Documentation: Simplify SD-WAN connectivity with AWS Transit Gateway Connect)
- DNS (for example, conditional forwarding, hosted zones, resolvers) (AWS Documentation: Resolving DNS queries between VPCs and your network, Managing forwarding rules)
- Security appliances (for example, firewalls) (AWS Documentation: AWS Network Firewall)
- Load balancing (for example, layer 4 compared with layer 7, reverse proxies, layer 3) (AWS Documentation: Elastic Load Balancing features)
- Infrastructure automation (AWS Documentation: Infrastructure Automation)
- AWS Organizations and AWS Resource Access Manager (AWS RAM) (for example, multiaccount Transit Gateway, Direct Connect, Amazon VPC, Route 53) (AWS Documentation: Shareable AWS resources)
- Test connectivity (for example, Route Analyzer, Reachability Analyzer) (AWS Documentation: VPC Reachability Analyzer)
- Networking services of VPCs (AWS Documentation: Amazon VPC)
Skills in:
- Configuring the physical network requirements for hybrid connectivity solutions (AWS Documentation: Hybrid network connection)
- Configuring static or dynamic routing protocols to work with hybrid connectivity solutions (AWS Documentation: Simplify SD-WAN connectivity with AWS Transit Gateway Connect)
- Configuring existing on-premises networks to connect with the AWS Cloud (AWS Documentation: Access to an on-premises network)
- Configuring existing on-premises name resolution with the AWS Cloud (AWS Documentation: Set up integrated DNS resolution for hybrid networks in Amazon Route 53)
- Configuring and implementing load balancing solutions (AWS Documentation: Create an Application Load Balancer)
- Configuring network monitoring and logging for AWS services (AWS Documentation: Logging and monitoring in AWS Network Firewall)
- Testing and validating connectivity between environments (AWS Documentation: Testing and validating your applications)
Task Statement 2.2: Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns.
Knowledge of:
- Inter-VPC and multi-account connectivity (for example, VPC peering, Transit Gateway, VPN, third-party vendors, SD-WAN, multiprotocol label switching [MPLS]) (AWS Documentation: Amazon VPC-to-Amazon VPC connectivity options, Simplify SD-WAN connectivity with AWS Transit Gateway Connect)
- Private application connectivity (for example, PrivateLink) (AWS Documentation: Connect your VPC to services using AWS PrivateLink)
- Methods of expanding AWS networking connectivity (for example, Organizations, AWS RAM) (AWS Documentation: AWS Resource Access Manager and AWS Organizations)
- Host and service name resolution for applications and clients (for example, DNS) (AWS Documentation: Resolving DNS queries between VPCs and your network)
- Infrastructure automation (AWS Documentation: Infrastructure Automation)
- Authentication and authorization (for example, SAML, Active Directory) (AWS Documentation: About SAML 2.0-based federation, Integrating third-party SAML solution providers with AWS)
- Security (for example, security groups, network ACLs, AWS Network Firewall) (AWS Documentation: Control traffic to subnets using Network ACLs, Control traffic to resources using security groups)
- Test connectivity (for example, Route Analyzer, Reachability Analyzer, tooling) (AWS Documentation: VPC Reachability Analyzer)
Skills in:
- Configuring network connectivity architectures by using AWS services in a single-VPC or multiVPC design (for example, DHCP, routing, security groups) (AWS Documentation: Architecture, Control traffic to resources using security groups)
- Configuring hybrid connectivity with existing third-party vendor solutions (AWS Documentation: Available third-party partner product integrations, Hybrid connectivity)
- Configuring a hub-and-spoke network architecture (for example, Transit Gateway, transit VPC) (AWS Documentation: Transit VPC solution)
- Configuring a DNS solution to make hybrid connectivity possible (AWS Documentation: Set up integrated DNS resolution for hybrid networks in Amazon Route 53)
- Implementing security between network boundaries
- Configuring network monitoring and logging by using AWS solutions (AWS Documentation: Logging and Monitoring in AWS Config)
Task Statement 2.3: Implement complex hybrid and multi-account DNS architectures.
Knowledge of:
- When to use private hosted zones and public hosted zones (AWS Documentation: Working with private hosted zones)
- Methods to alter traffic management (for example, based on latency, geography, weighting) (AWS Documentation: Choosing a routing policy, Using latency and weighted records in Amazon Route 53)
- DNS delegation and forwarding (for example, conditional forwarding) (AWS Documentation: Managing forwarding rules)
- Different DNS record types (for example, A, AAAA, TXT, pointer records, alias records) (AWS Documentation: Supported DNS record types)
- DNSSEC
- How to share DNS services between accounts (for example, AWS RAM) (AWS Documentation: Shareable AWS resources)
- Requirements and implementation options for outbound and inbound endpoints (AWS Documentation: Getting started with Route 53 Resolver)
Skills in:
- Configuring DNS zones and conditional forwarding (AWS Documentation: Configure the conditional forwarder)
- Configuring traffic management by using DNS solutions (AWS Documentation: Using traffic flow to route DNS traffic)
- Configuring DNS for hybrid networks (AWS Documentation: Set up integrated DNS resolution for hybrid networks in Amazon Route 53)
- Configuring appropriate DNS records (AWS Documentation: Supported DNS record types)
- Configuring DNSSEC on Route 53 (AWS Documentation: Configuring DNSSEC for a domain, Configuring DNSSEC signing in Amazon Route 53)
- Configuring DNS within a centralized or distributed network architecture (AWS Documentation: Set up integrated DNS resolution for hybrid networks in Amazon Route 53)
- Configuring DNS monitoring and logging on Route 53 (AWS Documentation: Logging and monitoring in Amazon Route 53)
Task Statement 2.4: Automate and configure network infrastructure.
Knowledge of:
- Infrastructure as code (IaC) (for example, AWS Cloud Development Kit [AWS CDK], AWS CloudFormation, AWS CLI, AWS SDK, APIs) (AWS Documentation: AWS CDK)
- Event-driven network automation (AWS Documentation: Getting Started with Event-Driven Architecture)
- Common problems of using hardcoded instructions in IaC templates when provisioning cloud networking resources (AWS Documentation: AWS CloudFormation best practices)
Skills in:
- Creating and managing repeatable network configurations (AWS Documentation: Best practices for configuring network interfaces)
- Integrating event-driven networking functions (AWS Documentation: Getting Started with Event-Driven Architecture)
- Integrating hybrid network automation options with AWS native IaC
- Eliminating risk and achieving efficiency in a cloud networking environment while maintaining the lowest possible cost
- Automating the process of optimizing cloud network resources with IaC (AWS Documentation: Cloud automation areas)
Domain 3: Network Management and Operations (20%)
Task Statement 3.1: Maintain routing and connectivity on AWS and hybrid networks.
Knowledge of:
- Industry-standard routing protocols that are used in AWS hybrid networks (for example, BGP over Direct Connect) (AWS Documentation: Routing policies and BGP communities)
- Connectivity methods for AWS and hybrid networks (for example, Direct Connect gateway, Transit Gateway, VIFs) (AWS Documentation: AWS Direct Connect , Transit gateway associations)
- How limits and quotas affect AWS networking services (for example, bandwidth limits, route limits) (AWS Documentation: Quotas for your transit gateways, Amazon VPC quotas)
- Available private and public access methods for custom services (for example, PrivateLink, VPC peering) (AWS Documentation: Connect VPCs using VPC peering, Connect your VPC to services using AWS PrivateLink)
- Available inter-Regional and intra-Regional communication patterns (AWS Documentation: Automate the setup of inter-Region peering with AWS Transit Gateway)
Skills in:
- Managing routing protocols for AWS and hybrid connectivity options (for example, over a Direct Connect connection, VPN) (AWS Documentation: Connect your VPC to remote networks using AWS Virtual Private Network)
- Maintaining private access to custom services (for example, PrivateLink, VPC peering) (AWS Documentation: Connect VPCs using VPC peering, Connect your VPC to services using AWS PrivateLink)
- Using route tables to direct traffic appropriately (for example, automatic propagation, BGP) (AWS Documentation: Configure route tables)
- Setting up private access or public access to AWS services (for example, Direct Connect, VPN) (AWS Documentation: Connect your VPC to remote networks using AWS Virtual Private Network)
- Optimizing routing over dynamic and static routing protocols (for example, summarizing routes, CIDR overlap)
Task Statement 3.2: Monitor and analyze network traffic to troubleshoot and optimize connectivity patterns.
Knowledge of:
- Network performance metrics and reachability constraints (for example, routing, packet size) (AWS Documentation: Monitor network performance for your EC2 instance)
- Appropriate logs and metrics to assess network performance and reachability issues (for example, packet loss) (AWS Documentation: troubleshoot packet loss on my VPN, troubleshoot network performance issues)
- Tools to collect and analyze logs and metrics (for example, CloudWatch, VPC Flow Logs, VPC Traffic Mirroring) (AWS Documentation: Logging IP traffic using VPC Flow Logs, Traffic Mirroring)
- Tools to analyze routing patterns and issues (for example, Reachability Analyzer, Transit Gateway Network Manager) (AWS Documentation: Route Analyzer)
Skills in:
- Analyzing tool output to assess network performance and troubleshoot connectivity (for example, VPC Flow Logs, Amazon CloudWatch Logs) (AWS Documentation: Logging IP traffic using VPC Flow Logs)
- Mapping or understanding network topology (for example, Transit Gateway Network Manager) (AWS Documentation: Network Manager, AWS Network Manager for Transit Gateway networks)
- Analyzing packets to identify issues in packet shaping (for example, VPC Traffic Mirroring) (AWS Documentation: Using VPC Traffic Mirroring to monitor and secure your AWS infrastructure, Traffic Mirroring)
- Troubleshooting connectivity issues that are caused by network misconfiguration (for example, Reachability Analyzer) (AWS Documentation: VPC Reachability Analyzer)
- Verifying that a network configuration meets network design requirements (for example, Reachability Analyzer) (AWS Documentation: Getting started with VPC Reachability Analyzer)
- Automating the verification of connectivity intent as a network configuration changes (for example, Reachability Analyzer)
- Troubleshooting packet size mismatches in a VPC to restore network connectivity (AWS Documentation: troubleshoot network performance issues)
Task Statement 3.3: Optimize AWS networks for performance, reliability, and cost-effectiveness.
Knowledge of:
- Situations in which a VPC peer or a transit gateway are appropriate (AWS Documentation: transit gateway, Transit gateway peering attachments)
- Different methods to reduce bandwidth utilization (for example, unicast compared with multicast, CloudFront) (AWS Documentation: CloudFront usage reports, CloudFront use cases)
- Cost-effective connectivity options for data transfer between a VPC and on-premises environments (AWS Documentation: Cost optimization pillar)
- Different types of network interfaces on AWS (AWS Documentation: Elastic network interfaces)
- High-availability features in Route 53 (for example, DNS load balancing using health checks with latency and weighted record sets) (AWS Documentation: Creating Amazon Route 53 health checks and configuring DNS failover)
- Availability of options from Route 53 that provide reliability (AWS Documentation: Amazon Route 53 FAQs)
- Load balancing and traffic distribution patterns (AWS Documentation: Elastic Load Balancing features, Use Elastic Load Balancing to distribute traffic)
- VPC subnet optimization (AWS Documentation: Subnets for your VPC)
- Frame size optimization for bandwidth across different connection types (AWS Documentation: Amazon EC2 Instance Types)
Skills in:
- Optimizing for network throughput (AWS Documentation: Amazon EC2 instance network bandwidth)
- Selecting the right network interface for the best performance (for example, elastic network interface, Elastic Network Adapter [ENA], Elastic Fabric Adapter [EFA]) (AWS Documentation: Elastic Fabric Adapter)
- Choosing between VPC peering, proxy patterns, or a transit gateway connection based on analysis of the network requirements provided (AWS Documentation: Transit gateway design best practices, Automate the setup of inter-Region peering)
- Implementing a solution on an appropriate network connectivity service (for example, VPC peering, Transit Gateway, VPN connection) to meet network requirements (AWS Documentation: Transit VPC solution)
- Implementing a multicast capability within a VPC and on-premises environments (AWS Documentation: Working with multicast)
- Creating Route 53 public hosted zones and private hosted zones and records to optimize application availability (for example, private zonal DNS entry to route traffic to multiple Availability Zones)
- Updating and optimizing subnets for auto-scaling configurations to support the increased application load (AWS Documentation: UpdateAutoScalingGroup)
- Updating and optimizing subnets to prevent the depletion of available IP addresses within a VPC (for example, secondary CIDR) (AWS Documentation: Subnets for your VPC)
- Configuring jumbo frame support across connection types (AWS Documentation: Network maximum transmission unit (MTU) for your EC2 instance)
- Optimizing network connectivity by using Global Accelerator to improve network performance and application availability (AWS Documentation: AWS Global Accelerator)
Domain 4: Network Security, Compliance, and Governance (24%)
Task Statement 4.1: Implement and maintain network features to meet security and compliance needs and requirements.
Knowledge of:
- Different threat models based on application architecture
- Common security threats (AWS Documentation: Security and compliance)
- Mechanisms to secure different application flows
- AWS network architecture that meets security and compliance requirements
Skills in:
- Securing inbound traffic flows into AWS (for example, AWS WAF, AWS Shield, Network Firewall) (AWS Documentation: AWS WAF, AWS Shield, and AWS Firewall Manager)
- Securing outbound traffic flows from AWS (for example, Network Firewall, proxies, Gateway Load Balancers) (AWS Documentation: AWS Network Firewall example architectures with routing)
- Securing inter-VPC traffic within an account or across multiple accounts (for example, security groups, network ACLs, VPC endpoint policies) (AWS Documentation: Internetwork traffic privacy in Amazon VPC)
- Implementing an AWS network architecture to meet security and compliance requirements (for example, untrusted network, perimeter VPC, three-tier architecture) (AWS Documentation: Architecture)
- Developing a threat model and identifying appropriate mitigation strategies for a given network architecture
- Testing compliance with the initial requirements (for example, failover test, resiliency) (AWS Documentation: AWS Direct Connect Failover Test)
- Automating security incident reporting and alerting using AWS (AWS Documentation: Automating Incident Response)
Task Statement 4.2: Validate and audit security by using network monitoring and logging services.
Knowledge of:
- Network monitoring and logging services that are available in AWS (for example, CloudWatch, AWS CloudTrail, VPC Traffic Mirroring, VPC Flow Logs, Transit Gateway Network Manager) (AWS Documentation: Logging IP traffic using VPC Flow Logs)
- Alert mechanisms (for example, CloudWatch alarms) (AWS Documentation: Using Amazon CloudWatch alarms)
- Log creation in different AWS services (for example, VPC flow logs, load balancer access logs, CloudFront access logs) (AWS Documentation: Configuring and using standard logs (access logs))
- Log delivery mechanisms (for example, Amazon Kinesis, Route 53, CloudWatch) (AWS Documentation: Logging and monitoring in Amazon Route 53, Writing to Kinesis Data Firehose Using CloudWatch Logs)
- Mechanisms to audit network security configurations (for example, security groups, AWS Firewall Manager, AWS Trusted Advisor) (AWS Documentation: Security group policies)
Skills in:
- Creating and analyzing a VPC flow log (including base and extended fields of flow logs) (AWS Documentation: Logging IP traffic using VPC Flow Logs, Flow log record examples)
- Creating and analyzing network traffic mirroring (for example, using VPC Traffic Mirroring) (AWS Documentation: Using VPC Traffic Mirroring to monitor and secure your AWS infrastructure, Traffic Mirroring)
- Implementing automated alarms by using CloudWatch (AWS Documentation: Create a CloudWatch alarm for an instance)
- Implementing customized metrics by using CloudWatch (AWS Documentation: Publishing custom metrics, Creating custom CloudWatch metrics and alarms)
- Correlating and analyzing information across single or multiple AWS log sources (AWS Documentation: Searching and analyzing logs in CloudWatch)
- Implementing log delivery solutions (AWS Documentation: Enabling logging from certain AWS services)
- Implementing a network audit strategy across single or multiple AWS network services and accounts (for example, Firewall Manager, security groups, network ACLs) (AWS Documentation: Security group policies)
Task Statement 4.3: Implement and maintain the confidentiality of data and communications of the network.
Knowledge of:
- Network encryption options that are available on AWS (AWS Documentation: Protecting data using encryption)
- VPN connectivity over Direct Connect (AWS Documentation: AWS Direct Connect + VPN)
- Encryption methods for data in transit (for example, IPsec) (AWS Documentation: Encrypting Data-at-Rest and -in-Transit)
- Network encryption under the AWS shared responsibility model Network encryption under the AWS (AWS Documentation: shared responsibility model)
- Security methods for DNS communications (for example, DNSSEC) (AWS Documentation: Configuring DNSSEC for a domain)
Skills in:
- Implementing network encryption methods to meet application compliance requirements (for example, IPsec, TLS) (AWS Documentation: Protecting Data in Transit)
- Implementing encryption solutions to secure data in transit (for example, CloudFront, Application Load Balancers and Network Load Balancers, VPN over Direct Connect, AWS managed databases, Amazon S3, custom solutions on Amazon EC2, Transit Gateway) (AWS Documentation: AWS Foundational Security Best Practices controls, Networking and Content Delivery, Connect to Application Migration Service data)
- Implementing a certificate management solution by using a certificate authority (for example, ACM, AWS Certificate Manager Private Certificate Authority [ACM PCA]) (AWS Documentation: ACM Private CA)
- Implementing secure DNS communications (AWS Documentation: DNS)
Quick Links to Learning Resources
Choosing the right resources with reliable content is very important. As a matter of fact, there are various resources to choose from. This makes it difficult to select the authentic and genuine ones. As you have probably been preparing for this exam we hope that you have made a wise choice in terms of your learning resources. However, here area few quick links that will definitely benefit your preparations and help you ace the exam:
AWS Training
AWS offers training opportunities for candidates to develop expertise, self-assurance, and authenticity by acquiring practical cloud skills. Candidates have the option to engage in self-paced online learning or choose to be instructed by certified AWS instructors who are experts in the field. This training is advantageous for individuals at various stages, whether they are beginners looking to build upon their existing IT skills or seasoned professionals with prior cloud knowledge. AWS provides three distinct types of training, which comprise:
- Firstly, the free digital training offers on-demand digital courses that enable candidates to acquire new cloud skills and knowledge at their own convenience.
- Secondly, classroom training features live classes conducted either virtually or in-person, led by accredited AWS instructors. These classes impart sought-after cloud skills and best practices through a blend of presentations, discussions, and hands-on labs.
- Lastly, private training consists of virtual or in-person classes led by accredited AWS instructors, focusing on in-depth AWS Cloud skills within a private learning environment.
Whitepapers
Candidates preparing for the AWS can take the help of AWS whitepapers for preparation. These are the authentic study resources which can help candidates during understanding about the AWS services. Whitepapers not only strengthen your preparation process but also helps you build a strong strategy to lay your focus on. You can refer the following White Papers:
- Best Practices for VPCs and Networking in Amazon WorkSpaces Deployments
- Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
- Amazon Virtual Private Cloud Connectivity Options
- AWS Best Practices for DDoS Resiliency
- High Performance Computing on AWS Redefines What is Possible
- Integrating AWS with Multiprotocol Label Switching
- AWS Certified Advanced Networking Official Study Guide: Specialty Exam
Reference Books
Books can offer a valuable edge when it comes to acquiring a deeper and more precise understanding of various topics. The market offers a wide range of books, and for those pursuing the AWS Certified Advanced Networking – Specialty certification, the essential reference books are as follows:
- Firstly, AWS Certified Advanced Networking Official Study Guide: Specialty Exam
- Secondly, AWS certified advanced networking – specialty Exam Guide for Building knowledge and technical expertise as an AWS-certified networking specialist
Online Tutorials and Study Guide
Online Tutorials enhance your knowledge and provide in depth understanding about the exam concepts. Moreover, AWS certified advanced networking – specialty Study Guides help you stay consistent and determined. They enrich your learning experience.
Attempt Practice Tests
Finally, it is time to check your preparations with the AWS certified advanced networking – specialty practice exam. Self-Evaluation is the key and hence your next step is to attempt practice tests. The more you’re going to practice, the better for you. Further, these tests familiarise you with the real exam environment and also help you analyse areas that need improvement. Strengthening your weaker domains will surely help you pass with flying colours. Also, attempting multiple practice tests is vital to boost your confidence So, outperform yourself with each subsequent test to be fully ready on the exam day. Start practising Now!
