Passing the AWS Advanced Networking Certification (ANS‑C01) in 2023

August 28, 2023 | Collin Smith

This article will emphasize some elements that I feel are important to pass this certification exam and also identify some material in the current training materials that is likely no longer required (or at least no longer emphasized).

I have seen reviews and comments that this is the most difficult AWS Certification. It is indeed a difficult AWS Certification, as I can attest. A new version of the exam, ANS-C01, was released in July of 2022. On top of being a difficult exam, the fact that it has recently been updated means there is currently a lag between the training materials and the actual exam itself.

My general approach to certifications is to take a course and follow it up with practice questions to test and ensure that you can pass the exam. This is a good way to learn things that are not covered in your day-to-day work routine.

I started with Stephane Maarek and Chetan Agrawal’s AWS Certified Advanced Networking Specialty course on Udemy. This was a good overview of the material covered. I then followed this up with some practice exams to get familiar with the material. My source of practice exams included the following:

This set of about 391 (or so) questions will get you mostly there, but I believe all of these question sets require updating to reflect the new material that is part of the latest release of the exam.

I will also mention that you can get 120 additional questions in AWS Certified Advanced Networking Specialty Practice Exams by Neal Davis which I did not use but they might be worth a shot.

I believe that the question sets above still need to be improved to help people get across the finish line more effectively. This is likely the result of two things: firstly, the test was recently changed, and secondly, there is likely less demand for this exam than for the others. One could share some thoughts on this. In light of the latest version of this exam, one could believe that the following areas should be focused on:

Load Balancers (Know how Load Balancers work in more detail. This is an area one could definitely emphasize studying)

  • Configuring Load Balancers (know Load Balancer Target Groups, including Cross-Zone Load Balancing (the target group attribute for cross-zone load balancing must be set to on) and Registering Targets)
  • ALB Listeners are processes that check for connection requests, using the protocol and port that you configure
  • ALB Target Groups are definitely an area to review for this exam. They are used to route requests to one or more registered targets. These are very useful in configuring ALBs
  • Learn how to set up encryption end to end for a Load Balancer, configuring the certificates, listeners and target groups
  • For Sticky Sessions, one must update the Target Group attributes and set the Stickiness type to select a Load balancer generated cookie
  • Study that when wanting to use a unique random session key to provide additional safeguards against the eavesdropping of encrypted data for a Load Balancer, this involves Perfect Forward Secrecy
  • With respect to a Network Load Balancer or an Application Load Balancer, a security policy update involves their listeners. This might involve creating an ALB HTTPS listener or an NLB TLS listener
  • Understand the actual use of Gateway Load Balancers which enable you to deploy, scale, and manage virtual appliances, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems
  • Path-based and host-based routing capabilities can only be handled by Application Load Balancers (not Network Load Balancers)
  • A load balancer should be configured to use TCP so the SSL/TLS connection can be passed through and terminated on the underlying EC2 instances. This ensures end-to-end encryption
  • Otherwise SSL/TLS terminates automatically at the load balancer

Transit Gateways

Understand Multicast Groups, especially with respect to IGMP (Internet Group Management Protocol) Multicast and static (API-based) sources. IGMP Multicast groups utilize UDP only, can be managed dynamically, and members can send and receive data. Static groups utilize TCP and UDP, but members can only receive traffic. If you are (Also see AWS re:Invent 2020: Using AWS Transit Gateway for your multicast workloads)

Unicast vs Multicast Groups

Network Analysis Services:

  • Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your virtual private clouds (VPCs). If the destination is not reachable, Reachability Analyzer identifies the blocking component. The source and destination resources must be in the same Region. It supports only resources with an IPv4 address. Transit Gateway Connect attachments are not supported. Reachability Analyzer can find paths through at most two transit gateway route tables; to analyze paths through additional transit gateway route tables, use Route Analyzer.
  • The Reachability Analyzer can also be used to automate connectivity checks that are triggered by security group changes. See Automating connectivity assessments with VPC Reachability Analyzer:

Reachability Analyzer to detect problems with security group changes

  • Route Analyzer can perform an analysis of the routes in your transit gateway route tables. The source and destination must be transit gateway attachments (IPv4 or IPv6). The Route Analyzer analyzes the routing path between a specified source and destination, and returns information about the connectivity between components. The Route Analyzer analyzes routes in transit gateway route tables only. It does not analyze routes in VPC route tables or in your customer gateway devices.

Route analysis for peered transit gateways

  • Network Access Analyzer identifies unintended network access to your resources on AWS. You can use it to specify your network access requirements and identify potential network paths that do not meet your specified requirements, for example to verify that production and development VPCs are isolated, or to find which resources can be reached through internet gateways.
  • Transit Gateway Network Analyzer provides a single global view of your private network.
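The security-group-triggered connectivity check described above under Reachability Analyzer, written out as an added example (my own illustration, not code from the article or from the linked AWS post). It assumes an EventBridge rule forwards CloudTrail events for the EC2 security group rule API calls to this hypothetical Lambda handler, and that a PATH_MAP environment variable (constructed here) maps each watched security group id to the saved Network Insights Path that should be re-analyzed when the group changes.

```python
import json
import os
import time

# CloudTrail event names that change security group rules (assumed to be
# forwarded to this hypothetical Lambda by an EventBridge rule).
SG_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "ModifySecurityGroupRules",
}

def changed_security_group(event):
    """Return the security group id from a CloudTrail-via-EventBridge event, else None."""
    detail = event.get("detail", {})
    if detail.get("eventName") not in SG_CHANGE_EVENTS:
        return None
    return detail.get("requestParameters", {}).get("groupId")

def evaluate_analysis(analysis):
    """Reduce a DescribeNetworkInsightsAnalyses entry to (reachable, blocking components)."""
    if analysis.get("Status") != "succeeded":
        return None, []
    blockers = [(e.get("ExplanationCode"), e.get("SecurityGroup", {}).get("Id"))
                for e in analysis.get("Explanations", [])]
    return bool(analysis.get("NetworkPathFound")), blockers

def handler(event, context=None, ec2=None, path_map=None):
    """Lambda entry point: re-run the saved path for the changed group and wait for a verdict.
    path_map (assumed) maps security group id -> Network Insights Path id; defaults to PATH_MAP."""
    if path_map is None:
        path_map = json.loads(os.environ.get("PATH_MAP", "{}"))
    path_id = path_map.get(changed_security_group(event))
    if not path_id:
        return {"checked": False, "reason": "no saved path for this group"}
    if ec2 is None:
        import boto3  # imported lazily so the pure helpers above stay testable offline
        ec2 = boto3.client("ec2")
    started = ec2.start_network_insights_analysis(NetworkInsightsPathId=path_id)
    analysis_id = started["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    while True:  # an analysis takes seconds to minutes; poll until a terminal status
        analysis = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[analysis_id])["NetworkInsightsAnalyses"][0]
        if analysis["Status"] in ("succeeded", "failed"):
            break
        time.sleep(5)
    reachable, blockers = evaluate_analysis(analysis)
    return {"checked": True, "path": path_id, "reachable": reachable, "blockers": blockers}
```

A result with `reachable` false and a non-empty `blockers` list is the signal to alert on: the rule change broke a path that was previously verified.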

Additional Topics:

  • AWS Global Accelerator is a networking service that provides static public IPs to act as a fixed entry point, helping those devices that do not have access to DNS resolution
  • The Route 53 Resolver DNS Firewall has some configurations, such as the firewall-fail-open Route 53 setting, that illustrate the concept of favoring availability over security
  • Know that access to SQS from ECS or EC2 does not require any networking tasks such as route table configuration but simply the right IAM role, interface endpoint and security group
  • If you had an application (with a complex networking design) which was going into production in a matter of days and it needed to be integrated with a new web service, it might connect to the web service via an interface VPC endpoint
  • Possibly you might have a customer that has a Direct Connect connection to Region A and Region B. There might be a Transit Gateway A in Region A that the on-premises location has access to and a VPC B in Region B connected to a Transit Gateway B. There could be a Direct Connect Gateway. Explore the ways to connect the on-premises location to VPC B. One could connect Transit Gateway A to Transit Gateway B or one could connect the customer’s Direct Connect Gateway to Transit Gateway B directly for connectivity to VPC B.

Understand that one way to capture traffic between Kubernetes Nodes could be to have the node flow log data sent to S3 and have the data queried with Athena. See Using VPC Flow Logs to capture and query EKS network communications

Capturing VPC Flow Logs of Kubernetes nodes with S3 & Athena

AWS Direct Connect Connection metrics:
ConnectionPpsEgress — measures the packet rate for outbound data from the AWS side of the connection (packets per second)
ConnectionPpsIngress — measures the packet rate for inbound data to the AWS side of the connection (packets per second)
ConnectionBpsEgress — measures the bitrate for outbound data (bits per second)
ConnectionBpsIngress — measures the bitrate for inbound data (bits per second)

AWS Direct Connect virtual interface metrics:
VirtualInterfaceBpsEgress
VirtualInterfaceBpsIngress
VirtualInterfacePpsEgress
VirtualInterfacePpsIngress

Practice questions which are less relevant to the current exam

Practice questions that involve the following topics can be given less focus, in my opinion, with respect to the current exam content. They may have been relevant previously, but I don’t think so now. However, one could place the caveat that this material can still be beneficial if it is still on the AWS Certified Advanced Networking — Specialty (ANS-C01) Exam Guide. They do provide content that is probably part of the networking specialty but maybe not as important now. These include questions involving:

  • MED vs AS PATH VPN preferences
  • WaveLength Zones or Outposts
  • DNS addressing, TimeSync Service or ENA Linux Kernel Drivers
  • Port hours or Data Transfer Out
  • Squid Proxy
  • Match Viewer
  • URL for retrieving instance metadata: http://169.254.169.254/latest/
  • email-smtp.ap-southeast-2.amazonaws.com:587
  • Transparent Data Encryption(TDE)
  • MINIMUM_IP_TARGET
  • Fragmented TCP Packets
  • Domain Name System Security Extensions (DNSSEC)
  • NAT Gateway charges
  • Network Time Protocol (NTP)/Amazon Time Sync Service
  • Cloud Map
  • Bidirectional Forwarding Detection (BFD)

As well, one could take note that some distractor or eliminatory words can be used to rule options out and improve your chances of selecting the right response. These include:

  • automatically (indicates glossing over a concept)
  • cloud-init
  • VPC Proxy (proxy in general)
  • Transit VPC
  • OpsWorks Chef
  • Mention of VPN usually
  • Cron job

All in all, there is plenty to learn with the AWS Advanced Networking Certification. It requires quite a bit of work but the learning is a reward.