The AWS Certified Advanced Networking – Specialty (ANS-C01) certification is designed for professionals with significant experience in architecting and managing complex networking solutions within the AWS ecosystem. This certification validates advanced knowledge in building and securing scalable network architectures on AWS and hybrid environments.

– Target Audience

This certification is ideal for individuals in a networking specialist role who are responsible for the design, implementation, and maintenance of large-scale network infrastructures. It is recommended that candidates have a minimum of five years of hands-on experience working with AWS networking solutions.

– Skills Validated

Earning the ANS-C01 certification demonstrates a candidate’s ability to:

• Design and implement hybrid and cloud-based networking architectures using AWS technologies.
• Utilize AWS core networking services in alignment with AWS best practices.
• Manage and maintain scalable and resilient network infrastructures across hybrid environments.
• Apply automation tools and services for network deployment and operations.
• Secure AWS networks using built-in AWS security services such as AWS WAF, IDS/IPS, and DDoS mitigation tools.
• Configure and operate advanced network features such as IP VPN, MPLS, and multi-region connectivity.
• Understand and apply routing protocols, network segmentation, and high availability architectures in enterprise environments.

– Exam Focus Areas

The exam measures proficiency across the following key domains:

• Hybrid Network Design: Develop networking solutions that bridge on-premises and cloud environments.
• Network Implementation: Configure AWS networking components like VPC, Direct Connect, and Transit Gateway.
• Operational Excellence: Monitor and optimize networks for performance, scalability, and cost-efficiency.
• Security and Compliance: Deploy secure network architectures that comply with AWS security standards and enterprise policies.
• Automation and Monitoring: Use infrastructure as code and monitoring tools to automate and manage networking tasks efficiently.

Exam Details

• The AWS Certified Advanced Networking – Specialty (ANS-C01) certification falls under the Specialty category of AWS certifications. It is designed to validate advanced expertise in networking within the AWS environment.
• The exam has a total duration of 170 minutes and consists of 65 questions presented in either multiple-choice or multiple-response formats.
• Candidates can choose to take the exam either at an authorized Pearson VUE testing center or through an online proctored environment, depending on their convenience.
• The ANS-C01 exam is available in multiple languages, including English, Japanese, Korean, and Simplified Chinese, to support a global audience.
• Exam results are reported on a scaled score ranging from 100 to 1,000, with a minimum passing score of 750 required to earn the certification.

Course outline

The exam covers the following topics:

1. Understand the Network Design (30%)

Task Statement 1.1: Designing a solution that incorporates edge network services to optimize user performance and traffic management for global architectures.

Knowledge of:

• Designing patterns for the usage of content distribution networks (for example, Amazon CloudFront) (AWS Documentation: Working with Content Delivery Networks (CDNs))
• Designing patterns for global traffic management (for example, AWS Global Accelerator) (AWS Documentation: Getting started with AWS Global Accelerator, Traffic management with AWS Global Accelerator)
• Integration patterns for content distribution networks and global traffic management with other services (for example, Elastic Load Balancing, Amazon API Gateway) (AWS Documentation: Networking and Content Delivery, Introduction to Network Transformation on AWS)

Skills in:

• Evaluating requirements of global inbound and outbound traffic from the internet to design an appropriate content distribution solution (AWS Documentation: Infrastructure OU – Network account, Routing traffic to an Amazon CloudFront distribution)

Task Statement 1.2: Designing DNS solutions that meet public, private, and hybrid requirements.

Knowledge of:

• DNS protocol (for example, DNS records, timers, DNSSEC, DNS delegation, zones) (AWS Documentation: Configuring DNSSEC for a domain, Supported DNS record types, Amazon Route 53 concepts)
• DNS logging and monitoring (AWS Documentation: Logging and monitoring in Amazon Route 53)
• Amazon Route 53 features (for example, alias records, traffic policies, resolvers, health checks) (AWS Documentation: Creating Amazon Route 53 health checks and configuring DNS failover, Amazon Route 53 chooses records when health checking, Amazon Route 53 FAQs)
• Integration of Route 53 with other AWS networking services (for example, Amazon VPC) (AWS Documentation: Integration with other services, Resolving DNS queries between VPCs and your network)
• Integration of Route 53 with hybrid, multi-account, and multi-Region options (AWS Documentation: Using Route 53 Private Hosted Zones for Cross-account Multi-region Architectures, Simplify DNS management in a multi-account environment)
• Domain Registration (AWS Documentation: Registering a new domain)

Skills in:

• Using Route 53 public hosted zones (AWS Documentation: Creating a public hosted zone)
• Using Route 53 private hosted zones (AWS Documentation: Working with private hosted zones)
• Using Route 53 Resolver endpoints in hybrid and AWS architectures (AWS Documentation: Set up integrated DNS resolution for hybrid networks in Amazon Route 53)
• Using Route 53 for global traffic management (AWS Documentation: Amazon Route 53)
• Creating and managing domain registrations (AWS Documentation: Registering a new domain)

Task Statement 1.3: Designing solutions that integrate load balancing to meet high availability, scalability,
and security requirements.

Knowledge of:

• How load balancing works at layer 3, layer 4, and layer 7 of the OSI model (AWS Documentation: Load balancer types, Elastic Load Balancing features)
• Different types of load balancers and how they meet requirements for network design, high availability, and security (AWS Documentation: Load balancer types)
• Connectivity patterns that apply to load balancing based on the use case (for example, internal load balancers, external load balancers) (AWS Documentation: Application Load Balancers, Elastic Load Balancing features)
• Scaling factors for load balancers
• Integrations of load balancers and other AWS services (for example, Global Accelerator, CloudFront, AWS WAF, Route 53, Amazon Elastic Kubernetes Service [Amazon EKS], AWS Certificate Manager [ACM]) (AWS Documentation: Supported Resource Types, AWS::EKS::Cluster, AWS::GlobalAccelerator::Accelerator)
• Configuration options for load balancers (for example, proxy protocol, cross-zone load balancing, session affinity [sticky sessions], routing algorithms) (AWS Documentation: Target groups for your Network Load Balancers, Configure sticky sessions for your Classic Load Balancer, Sticky sessions for your Application Load Balancer)
• Configuration options for load balancer target groups (for example, TCP, GENEVE, IP compared with instance) (AWS Documentation: CreateTargetGroup, Target groups for your Network Load Balancers)
• AWS Load Balancer Controller for Kubernetes clusters (AWS Documentation: Installing the AWS Load Balancer Controller add-on, Application load balancing on Amazon EKS)
• Considerations for encryption and authentication with load balancers (for example, TLS termination, TLS passthrough) (AWS Documentation: TLS listeners for your Network Load Balancer, Create an HTTPS listener for your Application Load Balancer)

Skills in:

• Selecting an appropriate load balancer based on the use case (AWS Documentation: Application Load Balancers)
• Integrating auto-scaling with load balancing solutions (AWS Documentation: Attach a load balancer to your Auto Scaling group)
• Integrating load balancers with existing application deployments (AWS Documentation: Integrating CodeDeploy with Elastic Load Balancing)

Task Statement 1.4: Defining logging and monitoring requirements across AWS and hybrid networks.
Knowledge of:

• Amazon CloudWatch metrics, agents, logs, alarms, dashboards, and insights in AWS architectures to provide visibility (AWS Documentation: Amazon CloudWatch, How Amazon CloudWatch works)
• AWS Transit Gateway Network Manager in architectures to provide visibility (AWS Documentation: AWS Network Manager for Transit Gateway networks)
• VPC Reachability Analyzer in architectures to provide visibility (AWS Documentation: VPC Reachability Analyzer)
• Flow logs and traffic mirroring in architecture to provide visibility (AWS Documentation: Traffic Mirroring, Using VPC Traffic Mirroring to monitor and secure your AWS infrastructure)
• Access logging (for example, load balancers, CloudFront) (AWS Documentation: Access logs for your Application Load Balancer)

Skills in:

• Identifying the logging and monitoring requirements (AWS Documentation: Designing and implementing logging and monitoring with Amazon CloudWatch)
• Recommending appropriate metrics to provide visibility of the network status (AWS Documentation: List the available CloudWatch metrics for your instances)
• Capturing baseline network performance (AWS Documentation: Amazon EC2 instance network bandwidth)

Task Statement 1.5: Designing a routing strategy and connectivity architecture between on-premises
networks and the AWS Cloud.

Knowledge of:

• Routing fundamentals (for example, dynamic compared with static, BGP) (AWS Documentation: Site-to-Site VPN routing options, customer gateway device configurations for dynamic routing (BGP))
• Layer 1 and layer 2 concepts for physical interconnects (for example, VLAN, link aggregation group [LAG], optics, jumbo frames) (AWS Documentation: Link aggregation groups)
• Encapsulation and encryption technologies (for example, Generic Routing Encapsulation [GRE], IPsec) (AWS Documentation: Simplify SD-WAN connectivity with AWS Transit Gateway Connect, Your customer gateway device)
• Resource sharing across AWS accounts (AWS Documentation: Sharing your AWS resources)
• Overlay networks (AWS Documentation: Overlay IP Routing using AWS Transit Gateway)

Skills in:

• Identifying the requirements for hybrid connectivity (AWS Documentation: Connectivity models)
• Designing a redundant hybrid connectivity model with AWS services (for example, AWS Direct Connect, AWS Site-to-Site VPN) (AWS Documentation: Hybrid connectivity, VPN connection as a backup)
• Designing BGP routing with BGP attributes to influence the traffic flows based on the desired traffic patterns (load sharing, active/passive) (AWS Documentation: Routing policies and BGP communities, Creating active/passive BGP connections over AWS Direct Connect)
• Designing for integration of a software-defined wide area network (SD-WAN) with AWS (for example, Transit Gateway Connect, overlay networks) (AWS Documentation: Simplify SD-WAN connectivity with AWS Transit Gateway Connect)

Task Statement 1.6: Designing a routing strategy and connectivity architecture that includes multiple AWS
accounts, AWS Regions, and VPCs to support different connectivity patterns.

Knowledge of:

• Different connectivity patterns and use cases (for example, VPC peering, Transit Gateway, AWS PrivateLink) (AWS Documentation: AWS PrivateLink, Connect VPCs using VPC peering)
• Capabilities and advantages of VPC sharing (AWS Documentation: Share your VPC with other accounts, VPC sharing)
• IP subnets and solutions accounting for IP address overlaps

Skills in:

• Connecting multiple VPCs by using the most appropriate services based on requirements (for example, using VPC peering, Transit Gateway, PrivateLink) (AWS Documentation: VPC to VPC connectivity, Connect VPCs using VPC peering)
• Using VPC sharing in a multi-account setup (AWS Documentation: Share your VPC with other accounts)
• Managing IP overlaps by using different available services and options (for example, NAT, PrivateLink, Transit Gateway routing) (AWS Documentation: AWS PrivateLink)

2. Understand Network Implementation (26%)

Task Statement 2.1: Implementing routing and connectivity between on-premises networks and the AWS Cloud.

Knowledge of:

• Routing protocols (for example, static, dynamic) (AWS Documentation: Site-to-Site VPN routing options)
• VPNs (for example, security, accelerated VPN) (AWS Documentation: Accelerated Site-to-Site VPN connections)
• Layer 1 and types of hardware to use (for example, Letter of Authorization [LOA] documents, colocation facilities, Direct Connect) (AWS Documentation: Classic, Requesting cross connects at AWS Direct Connect locations)
• Layer 2 and layer 3 (for example, VLANs, IP addressing, gateways, routing, switching) (AWS Documentation: Amazon VPC for On-Premises Network Engineers, Example routing options)
• Traffic management and SD-WAN (for example, Transit Gateway Connect) (AWS Documentation: Simplify SD-WAN connectivity with AWS Transit Gateway Connect)
• DNS (for example, conditional forwarding, hosted zones, resolvers) (AWS Documentation: Resolving DNS queries between VPCs and your network, Managing forwarding rules)
• Security appliances (for example, firewalls) (AWS Documentation: AWS Network Firewall)
• Load balancing (for example, layer 4 compared with layer 7, reverse proxies, layer 3) (AWS Documentation: Elastic Load Balancing features)
• Infrastructure automation (AWS Documentation: Infrastructure Automation)
• AWS Organizations and AWS Resource Access Manager (AWS RAM) (for example, multiaccount Transit Gateway, Direct Connect, Amazon VPC, Route 53) (AWS Documentation: Shareable AWS resources)
• Test connectivity (for example, Route Analyzer, Reachability Analyzer) (AWS Documentation: VPC Reachability Analyzer)
• Networking services of VPCs (AWS Documentation: Amazon VPC)

Skills in:

• Configuring the physical network requirements for hybrid connectivity solutions (AWS Documentation: Hybrid network connection)
• Configuring static or dynamic routing protocols to work with hybrid connectivity solutions (AWS Documentation: Simplify SD-WAN connectivity with AWS Transit Gateway Connect)
• Configuring existing on-premises networks to connect with the AWS Cloud (AWS Documentation: Access to an on-premises network)
• Configuring existing on-premises name resolution with the AWS Cloud (AWS Documentation: Set up integrated DNS resolution for hybrid networks in Amazon Route 53)
• Configuring and implementing load balancing solutions (AWS Documentation: Create an Application Load Balancer)
• Configuring network monitoring and logging for AWS services (AWS Documentation: Logging and monitoring in AWS Network Firewall)
• Testing and validating connectivity between environments (AWS Documentation: Testing and validating your applications)

Task Statement 2.2: Implementing routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns.

Knowledge of:

• Inter-VPC and multi-account connectivity (for example, VPC peering, Transit Gateway, VPN, third-party vendors, SD-WAN, multiprotocol label switching [MPLS]) (AWS Documentation: Amazon VPC-to-Amazon VPC connectivity options, Simplify SD-WAN connectivity with AWS Transit Gateway Connect)
• Private application connectivity (for example, PrivateLink) (AWS Documentation: Connect your VPC to services using AWS PrivateLink)
• Methods of expanding AWS networking connectivity (for example, Organizations, AWS RAM) (AWS Documentation: AWS Resource Access Manager and AWS Organizations)
• Host and service name resolution for applications and clients (for example, DNS) (AWS Documentation: Resolving DNS queries between VPCs and your network)
• Infrastructure automation (AWS Documentation: Infrastructure Automation)
• Authentication and authorization (for example, SAML, Active Directory) (AWS Documentation: About SAML 2.0-based federation, Integrating third-party SAML solution providers with AWS)
• Security (for example, security groups, network ACLs, AWS Network Firewall) (AWS Documentation: Control traffic to subnets using Network ACLs, Control traffic to resources using security groups)
• Test connectivity (for example, Route Analyzer, Reachability Analyzer, tooling) (AWS Documentation: VPC Reachability Analyzer)

Skills in:

• Configuring network connectivity architectures by using AWS services in a single-VPC or multiVPC design (for example, DHCP, routing, security groups) (AWS Documentation: Architecture, Control traffic to resources using security groups)
• Configuring hybrid connectivity with existing third-party vendor solutions (AWS Documentation: Available third-party partner product integrations, Hybrid connectivity)
• Configuring a hub-and-spoke network architecture (for example, Transit Gateway, transit VPC) (AWS Documentation: Transit VPC solution)
• Configuring a DNS solution to make hybrid connectivity possible (AWS Documentation: Set up integrated DNS resolution for hybrid networks in Amazon Route 53)
• Implementing security between network boundaries
• Configuring network monitoring and logging by using AWS solutions (AWS Documentation: Logging and Monitoring in AWS Config)

Task Statement 2.3: Implementing complex hybrid and multi-account DNS architectures.

Knowledge of:

• When to use private hosted zones and public hosted zones (AWS Documentation: Working with private hosted zones)
• Methods to alter traffic management (for example, based on latency, geography, weighting) (AWS Documentation: Choosing a routing policy, Using latency and weighted records in Amazon Route 53)
• DNS delegation and forwarding (for example, conditional forwarding) (AWS Documentation: Managing forwarding rules)
• Different DNS record types (for example, A, AAAA, TXT, pointer records, alias records) (AWS Documentation: Supported DNS record types)
• DNSSEC
• How to share DNS services between accounts (for example, AWS RAM) (AWS Documentation: Shareable AWS resources)
• Requirements and implementation options for outbound and inbound endpoints (AWS Documentation: Getting started with Route 53 Resolver)

Skills in:

• Configuring DNS zones and conditional forwarding (AWS Documentation: Configure the conditional forwarder)
• Configuring traffic management by using DNS solutions (AWS Documentation: Using traffic flow to route DNS traffic)
• Configuring DNS for hybrid networks (AWS Documentation: Set up integrated DNS resolution for hybrid networks in Amazon Route 53)
• Configuring appropriate DNS records (AWS Documentation: Supported DNS record types)
• Configuring DNSSEC on Route 53 (AWS Documentation: Configuring DNSSEC for a domain, Configuring DNSSEC signing in Amazon Route 53)
• Configuring DNS within a centralized or distributed network architecture (AWS Documentation: Set up integrated DNS resolution for hybrid networks in Amazon Route 53)
• Configuring DNS monitoring and logging on Route 53 (AWS Documentation: Logging and monitoring in Amazon Route 53)

Task Statement 2.4: Automating and configuring network infrastructure.

Knowledge of:

• Infrastructure as code (IaC) (for example, AWS Cloud Development Kit [AWS CDK], AWS CloudFormation, AWS CLI, AWS SDK, APIs) (AWS Documentation: AWS CDK)
• Event-driven network automation (AWS Documentation: Getting Started with Event-Driven Architecture)
• Common problems of using hardcoded instructions in IaC templates when provisioning cloud networking resources (AWS Documentation: AWS CloudFormation best practices)

Skills in:

• Creating and managing repeatable network configurations (AWS Documentation: Best practices for configuring network interfaces)
• Integrating event-driven networking functions (AWS Documentation: Getting Started with Event-Driven Architecture)
• Integrating hybrid network automation options with AWS native IaC
• Eliminating risk and achieving efficiency in a cloud networking environment while maintaining the lowest possible cost
• Automating the process of optimizing cloud network resources with IaC (AWS Documentation: Cloud automation areas)

3. Learn About Network Management and Operations (20%)

Task Statement 3.1: Maintaining routing and connectivity on AWS and hybrid networks.

Knowledge of:

• Industry-standard routing protocols that are used in AWS hybrid networks (for example, BGP over Direct Connect) (AWS Documentation: Routing policies and BGP communities)
• Connectivity methods for AWS and hybrid networks (for example, Direct Connect gateway, Transit Gateway, VIFs) (AWS Documentation: AWS Direct Connect , Transit gateway associations)
• How limits and quotas affect AWS networking services (for example, bandwidth limits, route limits) (AWS Documentation: Quotas for your transit gateways, Amazon VPC quotas)
• Available private and public access methods for custom services (for example, PrivateLink, VPC peering) (AWS Documentation: Connect VPCs using VPC peering, Connect your VPC to services using AWS PrivateLink)
• Available inter-Regional and intra-Regional communication patterns (AWS Documentation: Automate the setup of inter-Region peering with AWS Transit Gateway)

Skills in:

• Managing routing protocols for AWS and hybrid connectivity options (for example, over a Direct Connect connection, VPN) (AWS Documentation: Connect your VPC to remote networks using AWS Virtual Private Network)
• Maintaining private access to custom services (for example, PrivateLink, VPC peering) (AWS Documentation: Connect VPCs using VPC peering, Connect your VPC to services using AWS PrivateLink)
• Using route tables to direct traffic appropriately (for example, automatic propagation, BGP) (AWS Documentation: Configure route tables)
• Setting up private access or public access to AWS services (for example, Direct Connect, VPN) (AWS Documentation: Connect your VPC to remote networks using AWS Virtual Private Network)
• Optimizing routing over dynamic and static routing protocols (for example, summarizing routes, CIDR overlap)

Task Statement 3.2: Monitoring and analyzing network traffic to troubleshoot and optimize connectivity patterns.

Knowledge of:

• Network performance metrics and reachability constraints (for example, routing, packet size) (AWS Documentation: Monitor network performance for your EC2 instance)
• Appropriate logs and metrics to assess network performance and reachability issues (for example, packet loss) (AWS Documentation: troubleshoot packet loss on my VPN, troubleshoot network performance issues)
• Tools to collect and analyze logs and metrics (for example, CloudWatch, VPC Flow Logs, VPC Traffic Mirroring) (AWS Documentation: Logging IP traffic using VPC Flow Logs, Traffic Mirroring)
• Tools to analyze routing patterns and issues (for example, Reachability Analyzer, Transit Gateway Network Manager) (AWS Documentation: Route Analyzer)

Skills in:

• Analyzing tool output to assess network performance and troubleshoot connectivity (for example, VPC Flow Logs, Amazon CloudWatch Logs) (AWS Documentation: Logging IP traffic using VPC Flow Logs)
• Mapping or understanding network topology (for example, Transit Gateway Network Manager) (AWS Documentation: Network Manager, AWS Network Manager for Transit Gateway networks)
• Analyzing packets to identify issues in packet shaping (for example, VPC Traffic Mirroring) (AWS Documentation: Using VPC Traffic Mirroring to monitor and secure your AWS infrastructure, Traffic Mirroring)
• Troubleshooting connectivity issues that are caused by network misconfiguration (for example, Reachability Analyzer) (AWS Documentation: VPC Reachability Analyzer)
• Verifying that a network configuration meets network design requirements (for example, Reachability Analyzer) (AWS Documentation: Getting started with VPC Reachability Analyzer)
• Automating the verification of connectivity intent as a network configuration changes (for example, Reachability Analyzer)
• Troubleshooting packet size mismatches in a VPC to restore network connectivity (AWS Documentation: troubleshoot network performance issues)

Task Statement 3.3: Optimizing AWS networks for performance, reliability, and cost-effectiveness.

Knowledge of:

• Situations in which a VPC peer or a transit gateway are appropriate (AWS Documentation: transit gateway, Transit gateway peering attachments)
• Different methods to reduce bandwidth utilization (for example, unicast compared with multicast, CloudFront) (AWS Documentation: CloudFront usage reports, CloudFront use cases)
• Cost-effective connectivity options for data transfer between a VPC and on-premises environments (AWS Documentation: Cost optimization pillar)
• Different types of network interfaces on AWS (AWS Documentation: Elastic network interfaces)
• High-availability features in Route 53 (for example, DNS load balancing using health checks with latency and weighted record sets) (AWS Documentation: Creating Amazon Route 53 health checks and configuring DNS failover)
• Availability of options from Route 53 that provide reliability (AWS Documentation: Amazon Route 53 FAQs)
• Load balancing and traffic distribution patterns (AWS Documentation: Elastic Load Balancing features, Use Elastic Load Balancing to distribute traffic)
• VPC subnet optimization (AWS Documentation: Subnets for your VPC)
• Frame size optimization for bandwidth across different connection types (AWS Documentation: Amazon EC2 Instance Types)

Skills in:

• Optimizing for network throughput (AWS Documentation: Amazon EC2 instance network bandwidth)
• Selecting the right network interface for the best performance (for example, elastic network interface, Elastic Network Adapter [ENA], Elastic Fabric Adapter [EFA]) (AWS Documentation: Elastic Fabric Adapter)
• Choosing between VPC peering, proxy patterns, or a transit gateway connection based on analysis of the network requirements provided (AWS Documentation: Transit gateway design best practices, Automate the setup of inter-Region peering)
• Implementing a solution on an appropriate network connectivity service (for example, VPC peering, Transit Gateway, VPN connection) to meet network requirements (AWS Documentation: Transit VPC solution)
• Implementing a multicast capability within a VPC and on-premises environments (AWS Documentation: Working with multicast)
• Creating Route 53 public hosted zones and private hosted zones and records to optimize application availability (for example, private zonal DNS entry to route traffic to multiple Availability Zones)
• Updating and optimizing subnets for auto-scaling configurations to support the increased application load (AWS Documentation: UpdateAutoScalingGroup)
• Updating and optimizing subnets to prevent the depletion of available IP addresses within a VPC (for example, secondary CIDR) (AWS Documentation: Subnets for your VPC)
• Configuring jumbo frame support across connection types (AWS Documentation: Network maximum transmission unit (MTU) for your EC2 instance)
• Optimizing network connectivity by using Global Accelerator to improve network performance and application availability (AWS Documentation: AWS Global Accelerator)

4. Learn About Network Security, Compliance, and Governance (24%)

Task Statement 4.1: Implementing and maintaining network features to meet security and compliance needs and requirements.

Knowledge of:

• Different threat models based on application architecture
• Common security threats (AWS Documentation: Security and compliance)
• Mechanisms to secure different application flows
• AWS network architecture that meets security and compliance requirements

Skills in:

• Securing inbound traffic flows into AWS (for example, AWS WAF, AWS Shield, Network Firewall) (AWS Documentation: AWS WAF, AWS Shield, and AWS Firewall Manager)
• Securing outbound traffic flows from AWS (for example, Network Firewall, proxies, Gateway Load Balancers) (AWS Documentation: AWS Network Firewall example architectures with routing)
• Securing inter-VPC traffic within an account or across multiple accounts (for example, security groups, network ACLs, VPC endpoint policies) (AWS Documentation: Internetwork traffic privacy in Amazon VPC)
• Implementing an AWS network architecture to meet security and compliance requirements (for example, untrusted network, perimeter VPC, three-tier architecture) (AWS Documentation: Architecture)
• Developing a threat model and identifying appropriate mitigation strategies for a given network architecture
• Testing compliance with the initial requirements (for example, failover test, resiliency) (AWS Documentation: AWS Direct Connect Failover Test)
• Automating security incident reporting and alerting using AWS (AWS Documentation: Automating Incident Response)

Task Statement 4.2: Validating and auditing security by using network monitoring and logging services.

Knowledge of:

• Network monitoring and logging services that are available in AWS (for example, CloudWatch, AWS CloudTrail, VPC Traffic Mirroring, VPC Flow Logs, Transit Gateway Network Manager) (AWS Documentation: Logging IP traffic using VPC Flow Logs)
• Alert mechanisms (for example, CloudWatch alarms) (AWS Documentation: Using Amazon CloudWatch alarms)
• Log creation in different AWS services (for example, VPC flow logs, load balancer access logs, CloudFront access logs) (AWS Documentation: Configuring and using standard logs (access logs))
• Log delivery mechanisms (for example, Amazon Kinesis, Route 53, CloudWatch) (AWS Documentation: Logging and monitoring in Amazon Route 53, Writing to Kinesis Data Firehose Using CloudWatch Logs)
• Mechanisms to audit network security configurations (for example, security groups, AWS Firewall Manager, AWS Trusted Advisor) (AWS Documentation: Security group policies)

Skills in:

• Creating and analyzing a VPC flow log (including base and extended fields of flow logs) (AWS Documentation: Logging IP traffic using VPC Flow Logs, Flow log record examples)
• Creating and analyzing network traffic mirroring (for example, using VPC Traffic Mirroring) (AWS Documentation: Using VPC Traffic Mirroring to monitor and secure your AWS infrastructure, Traffic Mirroring)
• Implementing automated alarms by using CloudWatch (AWS Documentation: Create a CloudWatch alarm for an instance)
• Implementing customized metrics by using CloudWatch (AWS Documentation: Publishing custom metrics, Creating custom CloudWatch metrics and alarms)
• Correlating and analyzing information across single or multiple AWS log sources (AWS Documentation: Searching and analyzing logs in CloudWatch)
• Implementing log delivery solutions (AWS Documentation: Enabling logging from certain AWS services)
• Implementing a network audit strategy across single or multiple AWS network services and accounts (for example, Firewall Manager, security groups, network ACLs) (AWS Documentation: Security group policies)

Task Statement 4.3: Implementing and maintaining the confidentiality of data and communications of the network.

Knowledge of:

• Network encryption options that are available on AWS (AWS Documentation: Protecting data using encryption)
• VPN connectivity over Direct Connect (AWS Documentation: AWS Direct Connect + VPN)
• Encryption methods for data in transit (for example, IPsec) (AWS Documentation: Encrypting Data-at-Rest and -in-Transit)
• Network encryption under the AWS shared responsibility model Network encryption under the AWS (AWS Documentation: shared responsibility model)
• Security methods for DNS communications (for example, DNSSEC) (AWS Documentation: Configuring DNSSEC for a domain)

Skills in:

• Implementing network encryption methods to meet application compliance requirements (for example, IPsec, TLS) (AWS Documentation: Protecting Data in Transit)
• Implementing encryption solutions to secure data in transit (for example, CloudFront, Application Load Balancers and Network Load Balancers, VPN over Direct Connect, AWS managed databases, Amazon S3, custom solutions on Amazon EC2, Transit Gateway) (AWS Documentation: AWS Foundational Security Best Practices controls, Networking and Content Delivery, Connect to Application Migration Service data)
• Implementing a certificate management solution by using a certificate authority (for example, ACM, AWS Certificate Manager Private Certificate Authority [ACM PCA]) (AWS Documentation: ACM Private CA)
• Implementing secure DNS communications (AWS Documentation: DNS)

AWS Certified Advanced Networking Specialty Exam FAQs

Check here for FAQs!

AWS Certification Exam Policy

Amazon Web Services (AWS) has implemented a robust set of certification policies aimed at ensuring a secure, fair, and consistent testing experience for all candidates. These policies are designed to maintain the integrity and credibility of the AWS Certification Program and cover key aspects such as exam retake rules, scoring methodology, and the use of unscored questions for research and quality assurance.

– Exam Retake Policy

Candidates who do not achieve a passing score on an AWS certification exam must observe a mandatory waiting period of 14 days before retaking the same exam. While there is no limit to the number of retakes, each attempt requires payment of the full exam fee. This policy is intended to encourage adequate preparation and to preserve the professional value of AWS certifications.

– Scoring and Results

The AWS Certified Advanced Networking – Specialty (ANS-C01) exam is graded on a pass/fail basis. The final result is determined by comparing a candidate’s performance against a predefined standard established by AWS experts, in accordance with industry-recognized certification guidelines. Scores are reported as scaled values ranging from 100 to 1,000, with a minimum passing score of 750. Scaled scoring is used to account for slight variations in difficulty across different versions of the exam, ensuring fairness and consistency.

While candidates are not required to pass each individual section of the exam, AWS uses a compensatory scoring model, meaning that strong performance in one area can offset weaker performance in another. The score report may include a breakdown of your performance across different sections, helping you identify areas for improvement in case of a retake.

AWS Certified Advanced Networking Specialty Exam Study Guide

Step 1: Understand the Exam Objectives

Begin your preparation by thoroughly reviewing the official exam guide and blueprint provided by AWS. This document outlines the key domains and objectives that will be tested, including hybrid networking, network security, automation, and core AWS networking services. Gaining a clear understanding of the knowledge areas and the relative weight of each domain will help you create a structured and prioritized study plan.

Step 2: Use Official AWS Training Resources

Leverage the official AWS training resources, which are specifically designed to align with the ANS-C01 exam content. These trainings provide in-depth coverage of complex networking topics, such as AWS Direct Connect, Transit Gateway, BGP configurations, and VPN architectures. The materials are curated by AWS experts to ensure accuracy and relevance, making them an essential part of your study journey.

Step 3: Learn with AWS Skill Builder

The AWS Skill Builder platform offers a wide range of interactive learning paths tailored to AWS certifications. Enroll in the Advanced Networking – Specialty learning plan to gain structured access to relevant courses, technical deep dives, and scenario-based learning. This platform also allows you to track your progress, assess your readiness, and revisit areas where further improvement is needed.

Step 5: Practice Hands-On with AWS Builder Labs

Apply what you’ve learned through AWS Builder Labs, which offer practical, scenario-based exercises in a real AWS environment. These labs give you hands-on experience in configuring, troubleshooting, and optimizing AWS networking components. Active engagement with real-world configurations will solidify your skills and increase your confidence in managing complex architectures.

Step 6: Explore AWS Cloud Quest and AWS Jam

To take your learning to a more interactive level, consider exploring AWS Cloud Quest and AWS Jam events. Cloud Quest combines gamified learning with real AWS challenges, while AWS Jam provides team-based, time-bound problem-solving scenarios. Both are excellent tools for reinforcing practical skills and developing agility in handling unexpected technical challenges.

Step 7: Join Study Groups and Online Communities

Participate in study groups and online forums where other AWS aspirants and certified professionals share resources, tips, and insights. Engaging in group discussions can expose you to different perspectives, clarify difficult concepts, and provide motivation throughout your preparation. Platforms like LinkedIn groups, Reddit, and AWS community Slack channels are great places to start.

Step 8: Take Practice Exams to Assess Readiness

Finally, assess your exam readiness by taking realistic practice tests that simulate the actual ANS-C01 exam environment. These mock exams help familiarize you with the question format, pacing, and difficulty level. Analyze your results to identify areas that need further study and fine-tune your preparation strategy accordingly. Taking multiple practice tests can significantly boost your confidence and improve time management skills.