Advanced Networking Specialty
This course teaches learners to design, implement, secure, and operate complex, globally distributed AWS network architectures, covering network design, implementation, management and operation, and security, compliance, and governance at specialty depth.
Who Should Take This
Network engineers, solutions architects, and cloud operations specialists with at least five years of networking experience and two years of hands‑on AWS networking work benefit most. They seek to validate expertise in building resilient, secure, multi‑region AWS networks and to lead enterprise‑scale deployments aligned with compliance and governance standards.
What's Covered
1. Design edge network architectures, DNS solutions, load balancing strategies, and hybrid connectivity patterns using Direct Connect and VPN.
2. Implement routing, switching, and connectivity solutions including Transit Gateway, VPC peering, PrivateLink, and multi-region network architectures.
3. Maintain and optimize network architectures, monitor network performance using VPC Flow Logs and Traffic Mirroring, and troubleshoot connectivity issues.
4. Implement network security controls using Security Groups, NACLs, Network Firewall, and WAF, and ensure compliance with governance requirements.
Exam Structure
Question Types
- Multiple Choice
- Multiple Response
Scoring Method
Scaled scoring from 100 to 1000, minimum passing score of 750
Delivery Method
Pearson VUE testing center or online proctored
Recertification
Recertify every 3 years by passing the current exam or earning a higher-level AWS certification.
What's Included in AccelaStudy® AI
Course Outline
70 learning goals
Domain 1: Network Design
5 topics
Design hybrid connectivity architectures
- Design AWS Direct Connect architectures including dedicated and hosted connections, public and private virtual interfaces, and LAG aggregation for high-bandwidth hybrid connectivity.
- Design Direct Connect resiliency models including single-connection, dual-connection, dual-location, and maximum-resiliency topologies with failover path validation.
- Design Site-to-Site VPN architectures including single-tunnel, redundant-tunnel, accelerated VPN using Global Accelerator, and VPN as Direct Connect backup with route prioritization.
- Analyze hybrid connectivity tradeoffs among Direct Connect, VPN, and Transit Gateway to select architectures that satisfy bandwidth, latency, encryption, cost, and failover objectives.
- Formulate enterprise hybrid connectivity strategy that sequences Direct Connect provisioning, VPN fallback, BGP route engineering, and multi-region failover to achieve target SLA objectives.
Design transit and multi-account network architectures
- Design Transit Gateway architectures with route tables, attachment types (VPC, VPN, Direct Connect, peering), and route propagation for centralized multi-account network connectivity.
- Design Transit Gateway inter-region peering and multi-region transit architectures with segmented route domains and traffic isolation across organizational units.
- Design VPC peering topologies and evaluate peering limitations including non-transitive routing, CIDR overlap restrictions, and cross-region peering bandwidth considerations.
- Analyze transit architecture tradeoffs between Transit Gateway, VPC peering, PrivateLink, and full-mesh approaches based on scale, cost, latency, and operational complexity.
Design VPC and subnet architectures
- Design VPC CIDR allocation strategies including primary and secondary CIDR blocks, IPv6 addressing, and IP address management for multi-account environments with non-overlapping address space.
- Design subnet architectures with public, private, and isolated tiers, NAT gateway placement, route table associations, and Availability Zone distribution for workload isolation and resilience.
- Design VPC endpoint strategies using gateway endpoints for S3 and DynamoDB, interface endpoints via PrivateLink for other services, and endpoint policies to enforce least-privilege service access.
- Analyze VPC design decisions to balance address space efficiency, subnet tier isolation, endpoint cost, and cross-account access requirements for scalable multi-workload environments.
Design global and edge network architectures
- Design CloudFront distribution architectures including origin groups, origin failover, cache behaviors, Lambda@Edge and CloudFront Functions placement, and custom origin configurations.
- Design Global Accelerator architectures with endpoint groups, listener configurations, endpoint weights, and client IP preservation for latency-optimized global traffic distribution.
- Analyze edge and global network service tradeoffs between CloudFront, Global Accelerator, and regional load balancers to select architectures that meet latency, throughput, and availability targets.
- Formulate global network architecture strategy that integrates edge acceleration, multi-region transit, and DNS-based traffic management to achieve worldwide performance and resilience objectives.
Design BGP routing and path selection
- Design BGP peering configurations for Direct Connect and VPN including ASN assignment, route advertisement, prefix filtering, and community tags for path selection.
- Design BGP route engineering strategies using AS-path prepending, MED attributes, local preference, and longest-prefix match to control inbound and outbound traffic paths across hybrid links.
- Analyze BGP convergence behavior and route selection outcomes to diagnose asymmetric routing, suboptimal path selection, and failover timing issues in hybrid network topologies.
Domain 2: Network Implementation
4 topics
Implement DNS and name resolution services
- Implement Route 53 public hosted zones with routing policies (simple, weighted, latency, geolocation, geoproximity, failover, multivalue) and health checks for DNS-based traffic management.
- Implement Route 53 private hosted zones with VPC associations, split-horizon DNS configurations, and cross-account private zone sharing via RAM for internal name resolution.
- Implement Route 53 Resolver endpoints (inbound and outbound) with forwarding rules to enable bidirectional DNS resolution between on-premises networks and AWS VPCs.
- Implement Route 53 DNSSEC signing for public hosted zones and configure DNS Firewall rules to filter outbound DNS queries for domain-level threat protection.
- Analyze DNS resolution failures and routing policy outcomes to diagnose health check misconfigurations, propagation delays, and hybrid DNS forwarding chain issues.
Implement hybrid and site-to-site connectivity
- Implement Direct Connect connections including LOA-CFA processing, cross-connect provisioning, VLAN tagging, virtual interface creation, and BGP session establishment.
- Implement Direct Connect Gateway associations with Transit Gateway and virtual private gateways for multi-VPC and multi-region hybrid connectivity over a single physical connection.
- Implement Site-to-Site VPN connections with customer gateway configurations, IKE/IPsec tunnel parameters, dead peer detection, and NAT traversal for encrypted hybrid connectivity.
- Implement AWS Client VPN endpoints with certificate-based and Active Directory authentication, authorization rules, split-tunnel routing, and connection logging for remote user access.
- Analyze hybrid connectivity implementation outcomes to identify tunnel instability, BGP session flapping, MTU-related packet loss, and asymmetric routing between Direct Connect and VPN paths.
Implement load balancing and traffic distribution
- Implement Application Load Balancer configurations with listener rules, target group routing, path-based and host-based routing, TLS termination, and sticky sessions.
- Implement Network Load Balancer configurations with TCP/UDP/TLS listeners, static IP per AZ, cross-zone load balancing, TLS passthrough, and proxy protocol for connection metadata.
- Implement Gateway Load Balancer with GENEVE encapsulation, transparent network appliance insertion, and health check configurations for inline traffic inspection architectures.
- Analyze load balancer type selection and configuration tradeoffs based on protocol requirements, connection persistence, IP preservation, performance characteristics, and inspection needs.
Implement edge and content delivery services
- Implement CloudFront distributions with S3, ALB, and custom origins, cache policies, origin request policies, response headers policies, and cache invalidation workflows.
- Implement CloudFront edge computing using Lambda@Edge for viewer/origin request/response events and CloudFront Functions for lightweight header manipulation and URL rewriting.
- Implement Global Accelerator with endpoint groups, traffic dials, endpoint weights, and custom routing accelerators for non-HTTP workload acceleration.
- Formulate edge architecture implementation strategy that sequences CDN deployment, edge compute placement, and global accelerator configuration to meet performance SLAs and cost constraints.
Domain 3: Network Management and Operation
3 topics
Monitor and troubleshoot network resources
- Implement VPC Flow Logs with custom log formats, S3 and CloudWatch Logs destinations, and Athena query patterns for network traffic visibility and forensic analysis.
- Implement Traffic Mirroring sessions with mirror targets (NLB, ENI), mirror filters, and packet capture analysis for deep packet inspection and network diagnostics.
- Implement CloudWatch metrics, alarms, and dashboards for network service health monitoring including Direct Connect connection state, VPN tunnel status, and load balancer performance metrics.
- Implement Reachability Analyzer and Network Access Analyzer to validate network path connectivity, identify unintended access paths, and verify security group and NACL configurations.
- Analyze network monitoring telemetry from Flow Logs, Traffic Mirroring, and CloudWatch to isolate root cause of connectivity failures, packet loss, and performance degradation across hybrid topologies.
Manage network operations and automation
- Implement network infrastructure-as-code using CloudFormation and Terraform for VPC, Transit Gateway, Direct Connect, and VPN resource provisioning with change sets and drift detection.
- Implement AWS Network Manager with global network definitions, site and device registrations, and Transit Gateway network topology visualization for centralized operations.
- Implement automated network change management using AWS Config rules, CloudTrail event-driven Lambda functions, and Systems Manager Automation for network drift remediation.
- Formulate network operations strategy that integrates infrastructure-as-code, automated compliance checks, centralized visibility, and change approval workflows for operational maturity.
Optimize network performance and costs
- Implement network performance optimization through MTU/jumbo frame configuration, enhanced networking (ENA), placement groups, and bandwidth allocation for compute-intensive workloads.
- Implement data transfer cost optimization strategies including VPC endpoint usage, NAT gateway consolidation, Direct Connect data transfer pricing tiers, and regional data path selection.
- Analyze network throughput bottlenecks and transfer cost patterns to identify optimization opportunities across VPC, hybrid, and edge network paths.
- Formulate network cost and performance optimization strategy using traffic analysis, capacity planning forecasts, and service limit monitoring to sustain performance efficiency at scale.
Domain 4: Network Security, Compliance, and Governance
5 topics
Implement VPC and subnet-level security controls
- Implement security group rule sets with protocol, port range, and source/destination restrictions using least-privilege principles for stateful inbound and outbound traffic filtering.
- Implement network ACL rules with ordered allow/deny entries, ephemeral port handling, and stateless filtering for subnet-boundary traffic control and defense-in-depth layering.
- Analyze security group and NACL interaction patterns to diagnose connectivity failures caused by rule conflicts, ephemeral port blocking, and stateful versus stateless filtering mismatches.
Implement network inspection and filtering services
- Implement AWS Network Firewall with stateless rule groups, stateful rule groups (5-tuple, domain list, Suricata-compatible IPS), rule ordering, and centralized inspection VPC architectures.
- Implement Gateway Load Balancer-based inspection architectures with third-party virtual appliances, GENEVE tunnel routing, and return-path configuration for transparent east-west and north-south inspection.
- Implement Route 53 DNS Firewall with managed and custom domain lists, firewall rule group associations, and alert/block actions for DNS exfiltration prevention.
- Analyze network inspection architecture tradeoffs among Network Firewall, Gateway Load Balancer appliances, and DNS Firewall to select layered controls that match threat model and performance requirements.
Implement edge and application-layer protection
- Implement AWS WAF web ACLs with managed rule groups, custom rules, rate-based rules, IP set conditions, and logging to CloudWatch and S3 for application-layer threat mitigation.
- Implement AWS Shield Standard and Shield Advanced with DDoS protection groups, automatic application-layer mitigations, health-based detection, and cost protection for volumetric attack defense.
- Implement TLS/SSL certificate management using ACM for ALB, CloudFront, and API Gateway with automated renewal, certificate pinning considerations, and custom domain HTTPS enforcement.
- Analyze edge protection effectiveness by evaluating WAF rule match rates, Shield event metrics, and false-positive rates to tune protection configurations without blocking legitimate traffic.
Implement network encryption and private connectivity
- Implement encryption in transit using MACsec on Direct Connect, IPsec on Site-to-Site VPN, and TLS termination at load balancers for end-to-end data protection across network paths.
- Implement PrivateLink service endpoints and consumer configurations to expose and consume services across accounts and VPCs without traversing the public internet.
- Analyze private connectivity and encryption decisions to determine the correct combination of PrivateLink, VPC endpoints, MACsec, and IPsec based on compliance, performance, and operational requirements.
Implement network compliance and governance
- Implement AWS Firewall Manager policies to enforce WAF rules, security group baselines, Network Firewall policies, and Shield Advanced protections across multi-account Organizations deployments.
- Implement AWS Config rules and conformance packs for network resource compliance validation including security group openness, VPC flow log enablement, and encryption enforcement.
- Implement network audit logging using CloudTrail for API-level network changes, VPC Flow Logs for traffic records, and centralized log aggregation for compliance evidence collection.
- Analyze compliance posture by mapping regulatory requirements (PCI DSS, HIPAA, SOC 2) to implemented network controls and identifying remediation gaps in segmentation, encryption, and audit coverage.
- Formulate network governance strategy that integrates Firewall Manager policies, Config conformance packs, Organizations SCPs, and automated remediation to maintain continuous compliance across the enterprise network.
Hands-On Labs
Practice in a simulated cloud console or Python code sandbox — no account needed. Each lab runs entirely in your browser.
Certification Benefits
Industry Recognition
The AWS Advanced Networking Specialty is a niche but high-value certification validating deep expertise in cloud networking. As enterprises build complex hybrid and multi-cloud network architectures, certified networking specialists are essential for designing secure, high-performance connectivity.
Scope
Included Topics
- All domains and task statements in the AWS Certified Advanced Networking - Specialty (ANS-C01) exam guide: Domain 1 Network Design (30%), Domain 2 Network Implementation (26%), Domain 3 Network Management and Operation (20%), and Domain 4 Network Security, Compliance, and Governance (24%).
- Specialty-level AWS networking architecture for hybrid connectivity, global networks, transit design, edge routing, network operations, and governance-aligned security controls.
- Scenario-based decisions requiring integration of multiple AWS networking services to satisfy latency, resilience, segmentation, compliance, and operational constraints.
- Key AWS networking services: VPC, Transit Gateway, Direct Connect, Site-to-Site VPN, Client VPN, Route 53, CloudFront, Global Accelerator, Elastic Load Balancing (ALB/NLB/GWLB), PrivateLink, VPC Peering, Network Firewall, AWS WAF, Shield, Firewall Manager, Network Manager, CloudWatch, VPC Flow Logs, Traffic Mirroring, Route 53 Resolver, AWS RAM, Organizations, Config, CloudTrail.
Not Covered
- General application development topics that do not directly affect network design, implementation, or operations objectives in ANS-C01.
- Non-AWS vendor product administration details that are not required to satisfy AWS networking task statements.
- Pure theoretical network protocol derivations without practical AWS architecture or operations relevance.
- Volatile service pricing values and commercial terms that are not stable inputs for durable domain specifications.
- AWS CLI command-level syntax memorization and SDK version-specific API signatures.
Official Exam Page
Learn more at Amazon Web Services