The AWS Certified Advanced Networking - Specialty (ANS-C01) is one of the most technically demanding AWS certifications. It requires deep knowledge of networking fundamentals — routing protocols, BGP, TCP/IP, DNS, and load balancing — applied to AWS infrastructure. Passing this exam requires more than AWS knowledge; you must understand how networks actually work.
This guide covers all exam domains with depth on the topics that require the most technical precision.
Exam Overview
The ANS-C01 exam contains 65 questions (50 scored, 15 unscored) with a 170-minute time limit. The passing score is 750 out of 1000.
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: Network Design | 30% |
| Domain 2: Network Implementation | 26% |
| Domain 3: Network Management and Operations | 20% |
| Domain 4: Network Security, Compliance, and Governance | 24% |
Domain 1: Network Design (30%)
VPC Architecture Deep Dive
A VPC is a logically isolated network in AWS. Every design decision has cost and capability implications.
CIDR block selection:
- VPC CIDR must be between /16 and /28
- Subnets must be within the VPC CIDR range
- AWS reserves 5 IP addresses per subnet: the network address (.0), the VPC router (.1), the DNS server (.2), future use (.3), and the subnet broadcast address (.255 in a /24)
- Plan for peering: peered VPCs cannot have overlapping CIDR ranges
- Reserve address space for future growth; a VPC can be expanded by adding secondary CIDR blocks
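The CIDR rules above, as an added example that is not part of the original guide: it validates a constructed VPC plan (the VPC, subnet and peer CIDRs are sample values) against the /16-/28 limit, the 5 reserved addresses, subnet containment and the peering-overlap rule, using only the standard library.

```python
import ipaddress

# Constructed sample plan (not from the page): a VPC, its planned subnets, and a peer VPC.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {"public-a": "10.0.1.0/24", "private-a": "10.0.10.0/24", "stray": "10.1.0.0/24"}
PEER_VPC_CIDR = "10.0.128.0/17"   # overlaps the VPC, so a peering request would be rejected


def check_vpc_cidr(cidr):
    """AWS accepts a VPC CIDR block only between /16 and /28."""
    return 16 <= ipaddress.ip_network(cidr, strict=True).prefixlen <= 28


def reserved_addresses(subnet_cidr):
    """The 5 addresses AWS reserves in every subnet, keyed by role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet_cidr):
    """Addresses left for instances once the 5 reserved ones are removed."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


def subnets_outside_vpc(vpc_cidr, subnets):
    """Names of planned subnets that do not fit inside the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return sorted(name for name, cidr in subnets.items()
                  if not ipaddress.ip_network(cidr).subnet_of(vpc))


def peering_conflict(vpc_cidr, peer_cidr):
    """VPC peering is refused when the two CIDR blocks overlap."""
    return ipaddress.ip_network(vpc_cidr).overlaps(ipaddress.ip_network(peer_cidr))


if __name__ == "__main__":
    print("VPC CIDR acceptable:", check_vpc_cidr(VPC_CIDR))
    for name, cidr in SUBNETS.items():
        print(name, cidr, "usable:", usable_hosts(cidr), reserved_addresses(cidr))
    print("subnets outside VPC:", subnets_outside_vpc(VPC_CIDR, SUBNETS))
    print("peering conflict:", peering_conflict(VPC_CIDR, PEER_VPC_CIDR))
```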
Subnet design:
| Subnet Type | Route Table Destination |
|---|---|
| Public | 0.0.0.0/0 → Internet Gateway |
| Private (with internet access) | 0.0.0.0/0 → NAT Gateway (in public subnet) |
| Private (isolated) | No default route; routes only to VPC CIDR |
Highly available NAT Gateway: Deploy one NAT Gateway per Availability Zone. Each private subnet's route table points to the NAT Gateway in the same AZ. This prevents a single AZ failure from blocking outbound internet access for all private subnets.
Transit Gateway Architecture
Transit Gateway (TGW) is a network transit hub connecting VPCs and on-premises networks through a hub-and-spoke model.
TGW route tables:
A single TGW can have multiple route tables. Attachments (VPCs, VPNs, Direct Connect gateways) are associated with one route table and can propagate routes to one or more route tables.
Segmentation use case:
TGW Route Table: Production
- Routes to: Production VPCs only
TGW Route Table: Shared Services
- Routes to: Production + Non-production + Shared Services VPCs
TGW Route Table: Non-Production
- Routes to: Non-production VPCs + Shared Services only
This prevents direct connectivity between production and non-production while allowing both to access shared services (DNS, monitoring).
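The segmentation model above, as an added example that is not part of the original guide: a small simulator of TGW route tables with associations, propagations and a blackhole route (the attachment names and CIDRs are constructed), which checks that production and non-production cannot reach each other while both reach shared services.

```python
import ipaddress

# Constructed topology (not from the page): attachment -> (VPC CIDR, associated TGW route table).
ATTACHMENTS = {
    "prod-vpc": ("10.1.0.0/16", "Production"),
    "nonprod-vpc": ("10.2.0.0/16", "Non-Production"),
    "shared-vpc": ("10.9.0.0/16", "Shared Services"),
}
# TGW route table -> attachments whose CIDRs propagate into it.
PROPAGATIONS = {
    "Production": ["prod-vpc", "shared-vpc"],
    "Non-Production": ["nonprod-vpc", "shared-vpc"],
    "Shared Services": ["prod-vpc", "nonprod-vpc", "shared-vpc"],
}
# Static routes; a target of None is a blackhole route (explicit drop).
STATIC_ROUTES = {"Production": [("10.2.0.0/16", None)]}


def build_route_table(name):
    """Return {network: target attachment or None} for one TGW route table."""
    routes = {}
    for att in PROPAGATIONS.get(name, []):
        routes[ipaddress.ip_network(ATTACHMENTS[att][0])] = att
    for cidr, target in STATIC_ROUTES.get(name, []):
        routes[ipaddress.ip_network(cidr)] = target   # static entries win over propagated ones
    return routes


def lookup(src_attachment, dst_ip):
    """Longest-prefix match in the table the source attachment is associated with.
    Returns the egress attachment, 'BLACKHOLE', or 'NO_ROUTE'."""
    table = build_route_table(ATTACHMENTS[src_attachment][1])
    ip = ipaddress.ip_address(dst_ip)
    matches = [net for net in table if ip in net]
    if not matches:
        return "NO_ROUTE"
    target = table[max(matches, key=lambda n: n.prefixlen)]
    return "BLACKHOLE" if target is None else target


def reachability_matrix():
    """Outcome for every ordered pair of attachments, probing the first usable host."""
    result = {}
    for src in ATTACHMENTS:
        for dst, (cidr, _) in ATTACHMENTS.items():
            if src != dst:
                result[(src, dst)] = lookup(src, str(ipaddress.ip_network(cidr)[4]))
    return result


if __name__ == "__main__":
    for (src, dst), outcome in sorted(reachability_matrix().items()):
        print(f"{src:12} -> {dst:12}: {outcome}")
```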
TGW inter-region peering: Connect TGWs in different regions. Traffic routes over the AWS backbone. Routing is static (no route propagation across peering connections).
TGW Connect: Supports GRE tunnels over TGW for connecting SD-WAN appliances. Uses BGP over the GRE tunnel for dynamic routing.
AWS Direct Connect
Direct Connect provides dedicated private connectivity from on-premises to AWS.
Connection types:
| Type | Speed | Provider |
|---|---|---|
| Dedicated connection | 1 Gbps, 10 Gbps, 100 Gbps | Customer connects directly to AWS Direct Connect location |
| Hosted connection | 50 Mbps to 10 Gbps | AWS Direct Connect Partner provides the connection |
Virtual interfaces (VIFs):
| VIF Type | Connects To |
|---|---|
| Private VIF | VPC via Virtual Private Gateway or Direct Connect Gateway |
| Public VIF | AWS public services (S3, DynamoDB, EC2 public IPs) over private network |
| Transit VIF | Transit Gateway via Direct Connect Gateway |
Direct Connect Gateway: Connects one Direct Connect connection to VPCs across multiple regions and accounts. A single DXGW can connect to up to 20 VGWs.
BGP configuration:
Private VIFs use BGP to exchange routes:
- Customer advertises on-premises prefixes to AWS
- AWS advertises VPC CIDR blocks to the customer router
- Use BGP community tags to control which routes are preferred over Direct Connect vs. VPN
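How community tags steer the Direct Connect vs. VPN choice, as an added example that is not part of the original guide: a simplified BGP decision process (LOCAL_PREF, then AS_PATH length, then MED) in which an inbound policy maps communities to LOCAL_PREF. The community values and prefixes are constructed, not AWS's documented ones.

```python
from dataclasses import dataclass, field

# Constructed policy (not AWS's documented community values): community -> LOCAL_PREF on receipt.
COMMUNITY_LOCAL_PREF = {"65000:300": 300, "65000:200": 200, "65000:100": 100}
DEFAULT_LOCAL_PREF = 100


@dataclass
class Route:
    prefix: str
    via: str                     # path that carried the route: "dx" or "vpn" in this sample
    as_path: list
    med: int = 0
    communities: list = field(default_factory=list)
    local_pref: int = DEFAULT_LOCAL_PREF


def apply_inbound_policy(route):
    """Map community tags to LOCAL_PREF, the first tie-breaker in the BGP decision process."""
    prefs = [COMMUNITY_LOCAL_PREF[c] for c in route.communities if c in COMMUNITY_LOCAL_PREF]
    route.local_pref = max(prefs) if prefs else DEFAULT_LOCAL_PREF
    return route


def best_path(routes):
    """Simplified BGP best-path: highest LOCAL_PREF, then shortest AS_PATH, then lowest MED."""
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path), r.med))


def select_per_prefix(routes):
    """Run the decision process per prefix; returns {prefix: via}."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(apply_inbound_policy(r))
    return {p: best_path(rs).via for p, rs in by_prefix.items()}


# Constructed sample: two on-premises prefixes learned over both Direct Connect and a backup VPN.
SAMPLE_ROUTES = [
    # DX carries the preferred community and the VPN side prepends its AS: DX wins on LOCAL_PREF.
    Route("192.168.0.0/16", "dx", [65001], communities=["65000:300"]),
    Route("192.168.0.0/16", "vpn", [65001, 65001, 65001], communities=["65000:100"]),
    # No tag on the DX path, high-preference tag on the VPN path: LOCAL_PREF beats the
    # shorter AS_PATH, so the community steers this prefix onto the VPN.
    Route("172.16.0.0/12", "dx", [65001]),
    Route("172.16.0.0/12", "vpn", [65001, 65001, 65001], communities=["65000:300"]),
]

if __name__ == "__main__":
    for prefix, via in select_per_prefix(SAMPLE_ROUTES).items():
        print(prefix, "preferred via", via)
```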
Resiliency models:
| Model | Configuration | Use Case |
|---|---|---|
| Non-redundant | Single connection | Development, testing |
| High resiliency | Two connections at separate locations | Production workloads |
| Maximum resiliency | Two connections at each of two locations (4 total) | Mission-critical workloads |
Site-to-Site VPN
AWS Site-to-Site VPN creates IPsec tunnels over the internet to a VPC.
Key components:
- Virtual Private Gateway (VGW): AWS-side endpoint; attached to a VPC
- Customer Gateway (CGW): Represents the on-premises device configuration in AWS
- VPN Connection: Two tunnels for redundancy; each tunnel terminates in a different AZ
Routing options:
- Static routing: Customer manually specifies on-premises CIDR ranges
- Dynamic routing: Uses BGP to advertise routes; enables automatic failover
VPN over Direct Connect: Route VPN traffic over a Direct Connect public VIF for added security and to get Direct Connect latency without a private VIF. The VPN provides encryption that Direct Connect does not provide natively.
Domain 2: Network Implementation (26%)
Elastic Load Balancing Configuration
Application Load Balancer:
ALB operates at L7. Key features:
- Path-based routing: /api/* routes to one target group, /* to another
- Host-based routing: api.example.com routes differently than www.example.com
- Weighted target groups: Distribute traffic between versions (canary deployments)
- Authenticate users: Integrate with Cognito or OIDC providers at the load balancer
- Fixed response: Return a static response for certain paths (maintenance mode)
Network Load Balancer:
NLB operates at L4. Key features:
- Preserves source IP address (ALB rewrites source IP to its own; NLB preserves client IP)
- Static IP address per AZ (useful for firewall whitelisting)
- Ultra-low latency with TLS termination
- PrivateLink endpoints must use NLB as the service endpoint
Connection draining / deregistration delay: When a target is removed from a target group, the load balancer stops sending it new requests and lets in-flight connections complete for the configured deregistration delay (default 300 seconds) before the target is fully deregistered.
Route 53 Advanced Routing
Routing policies:
| Policy | Use Case |
|---|---|
| Simple | One record, one or multiple values |
| Weighted | A/B testing, gradual traffic migration |
| Latency | Route to region with lowest latency for the user |
| Failover | Active/passive DR; health check required on primary |
| Geolocation | Route by country or continent |
| Geoproximity | Route by geographic proximity; adjustable bias |
| Multivalue answer | Return up to 8 healthy records |
Route 53 health checks:
- Endpoint health checks: Check HTTP, HTTPS, or TCP to an IP or domain
- Calculated health checks: Combine multiple health checks with AND/OR logic
- CloudWatch alarm health checks: Declare a resource unhealthy based on a CloudWatch alarm
Route 53 Resolver:
Within a VPC, Route 53 Resolver handles DNS for .amazonaws.com and private hosted zones. For hybrid environments:
- Inbound endpoints: On-premises resolvers forward AWS-domain queries to an inbound endpoint in the VPC
- Outbound endpoints: Route 53 Resolver forwards queries for on-premises domains to on-premises DNS servers via forwarding rules
VPC Connectivity Patterns
VPC Peering:
- Direct connection between two VPCs (same or different accounts/regions)
- Not transitive: VPC A peers with B and C; B and C cannot communicate through A
- No bandwidth limit or gateway device required
- Route tables in both VPCs must be configured
AWS PrivateLink:
- Expose a service privately without VPC peering or internet
- Requires a Network Load Balancer in the provider VPC
- Consumers create an interface endpoint (ENI) in their VPC
- Traffic never traverses the public internet
- Scales to thousands of consumers
Domain 3: Network Management and Operations (20%)
VPC Flow Logs
Flow Logs capture IP traffic metadata for VPC, subnet, or ENI:
```text
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-abc12345 10.0.1.5 172.16.0.10 34567 443 6 20 4000 1620000000 1620000060 ACCEPT OK
```
Filters:
- ACCEPT: Log only accepted traffic
- REJECT: Log only rejected traffic (security group/NACL denials)
- ALL: Log all traffic
Flow Logs are delivered to CloudWatch Logs or S3. For network troubleshooting, use Logs Insights to query specific source/destination pairs.
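The flow log format above, as an added example that is not part of the original guide: a parser driven by the header line (so it skips NODATA windows and malformed rows), plus two defender-side checks over a constructed sample, REJECT counts per source and sources whose denied flows fan out across many destination ports. The sample records and the 3-port threshold are constructed.

```python
from collections import Counter, defaultdict

# Constructed flow log sample in the default (version 2) format; the header names the fields.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-abc12345 10.0.1.5 172.16.0.10 34567 443 6 20 4000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.5 41000 22 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.5 41001 23 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.5 41002 3389 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.5 41003 445 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc12345 - - - - - - - 1620000000 1620000060 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per record keyed by the header's field names; skip non-OK rows."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split()
    for line in lines[1:]:
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed line; do not guess at the columns
        rec = dict(zip(fields, values))
        if rec["log-status"] != "OK":
            continue                       # NODATA / SKIPDATA: nothing captured in this window
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec


def rejects_by_source(records):
    """Count REJECT records per source address (security group / NACL denials)."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def suspected_port_scans(records, min_ports=3):
    """Sources whose rejected TCP flows touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == 6:
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = list(parse_flow_log(SAMPLE_LOG))
    print("parsed records:", len(recs))
    print("rejects by source:", dict(rejects_by_source(recs)))
    print("suspected scans:", suspected_port_scans(recs))
```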
AWS Network Manager
Network Manager provides a global view of Transit Gateway networks:
- Visualizes all TGW attachments on a map
- Monitors BGP route changes and connectivity
- Route Analyzer: Simulates route paths between resources without sending actual traffic
Reachability Analyzer
Reachability Analyzer verifies network path connectivity between two endpoints without sending traffic:
- Tests connectivity between EC2 instances, load balancers, ENIs
- Identifies the blocking component if connectivity fails (security group, NACL, route table, missing peering connection)
- Does not test application-layer connectivity; only network-layer paths
Domain 4: Network Security, Compliance, and Governance (24%)
Security Group vs. NACL Reference Summary
| Feature | Security Group | NACL |
|---|---|---|
| Applies to | ENI (instance level) | Subnet |
| Stateful | Yes | No |
| Allow/Deny | Allow only | Allow and Deny |
| Rule evaluation | All rules evaluated | Rules evaluated by order (lowest number first) |
| Default behavior | Deny all inbound | Allow all (default NACL) |
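The stateful/stateless and ordered-evaluation differences in the table, as an added example that is not part of the original guide: a small evaluator with constructed rules that shows a NACL deny at a lower rule number shadowing a later allow, and an outbound NACL that lacks an ephemeral-port allow breaking a session the security group would have permitted.

```python
import ipaddress

# Constructed rules (not from the page). NACL entries: (rule number, protocol, port range,
# CIDR, action); evaluated lowest number first, first match wins, implicit final deny.
NACL_INBOUND = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (110, "tcp", (22, 22), "203.0.113.0/24", "deny"),
    (120, "tcp", (22, 22), "0.0.0.0/0", "allow"),
]
NACL_OUTBOUND = [  # missing the ephemeral-port allow that stateless return traffic needs
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
]
NACL_OUTBOUND_FIXED = NACL_OUTBOUND + [(200, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]
# Security group entries: (protocol, port range, CIDR); allow only, any match allows.
SG_INBOUND = [("tcp", (443, 443), "0.0.0.0/0"), ("tcp", (22, 22), "10.0.0.0/8")]


def _matches(proto, port, addr, rule_proto, rule_ports, rule_cidr):
    return (proto == rule_proto and rule_ports[0] <= port <= rule_ports[1]
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule_cidr))


def nacl_decision(rules, proto, port, remote_addr):
    """Walk rules in number order; the first match decides; no match means deny."""
    for _, rp, rports, rcidr, action in sorted(rules, key=lambda r: r[0]):
        if _matches(proto, port, remote_addr, rp, rports, rcidr):
            return action
    return "deny"


def sg_decision(rules, proto, port, remote_addr):
    """All rules are considered; any match allows; a security group cannot deny."""
    return "allow" if any(_matches(proto, port, remote_addr, *r) for r in rules) else "deny"


def client_session_allowed(client_ip, dst_port, outbound_rules=NACL_OUTBOUND, ephemeral=50000):
    """TCP session from a client to an instance: request inbound, reply outbound.
    The stateful SG only needs the inbound rule; the stateless NACL must pass both directions."""
    sg = sg_decision(SG_INBOUND, "tcp", dst_port, client_ip) == "allow"
    nacl_in = nacl_decision(NACL_INBOUND, "tcp", dst_port, client_ip) == "allow"
    nacl_out = nacl_decision(outbound_rules, "tcp", ephemeral, client_ip) == "allow"
    return {"security_group": sg, "nacl_inbound": nacl_in,
            "nacl_return_path": nacl_out, "session_works": sg and nacl_in and nacl_out}


if __name__ == "__main__":
    print("broken NACL:", client_session_allowed("10.1.2.3", 22))
    print("fixed NACL: ", client_session_allowed("10.1.2.3", 22, NACL_OUTBOUND_FIXED))
    print("denied CIDR:", client_session_allowed("203.0.113.9", 22, NACL_OUTBOUND_FIXED))
```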
AWS Gateway Load Balancer
GWLB enables deploying, scaling, and managing third-party virtual appliances (firewalls, IDS/IPS). It uses the GENEVE protocol to encapsulate traffic.
Inspection architecture:
Ingress traffic → GWLB Endpoint → GWLB → Firewall Appliance → GWLB → Application
All traffic passes through the appliance transparently. If the appliance fails, GWLB routes to a healthy appliance. Used for centralized inspection of all traffic entering or leaving a VPC.
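The GENEVE encapsulation GWLB uses, as an added example that is not part of the original guide: a builder and parser for the GENEVE header (RFC 8926) with TLV options, a minimal inner IPv4/TCP parser, and an appliance-side verdict function that hands the packet back with its GENEVE header unchanged. The option class, VNI and addresses are constructed; the assumption that the inner payload is a raw IPv4 packet (protocol type 0x0800) is noted in the code.

```python
import struct

ETHERTYPE_IPV4 = 0x0800  # assumption for this sample: the inner payload is a raw IPv4 packet

def build_ipv4_tcp(src, dst, sport, dport):
    """Minimal IPv4 header plus TCP ports (constructed; checksums left zero)."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4sHH", 0x45, 0, 24, 0, 0, 64, 6, 0, s, d, sport, dport)

def build_geneve(vni, options, inner):
    """GENEVE header (RFC 8926): version 0, option length in 4-byte words, then TLV options."""
    opts = b"".join(struct.pack("!HBB", c, t, len(d) // 4) + d for c, t, d in options)
    return struct.pack("!BBHI", len(opts) // 4, 0, ETHERTYPE_IPV4, vni << 8) + opts + inner

def parse_geneve(buf):
    """Decode the fixed header and every option; return the inner packet untouched."""
    first, flags, proto, vni_word = struct.unpack("!BBHI", buf[:8])
    if first >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    end, pos, options = 8 + (first & 0x3F) * 4, 8, []
    while pos < end:
        opt_class, opt_type, len_word = struct.unpack("!HBB", buf[pos:pos + 4])
        data_len = (len_word & 0x1F) * 4
        options.append((opt_class, opt_type, buf[pos + 4:pos + 4 + data_len]))
        pos += 4 + data_len
    return {"vni": vni_word >> 8, "protocol_type": proto, "oam": bool(flags & 0x80),
            "options": options, "payload": buf[end:]}

def parse_ipv4(pkt):
    """Pull the fields an inspection policy needs from the inner IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "proto": pkt[9]}
    if pkt[9] == 6 and len(pkt) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info

def inspect(geneve_pkt, blocked_ports):
    """Appliance verdict: ('drop', None) or ('forward', bytes to send back to GWLB).
    On forward the GENEVE header and options go back unchanged so GWLB can map the flow."""
    hdr = parse_geneve(geneve_pkt)
    if hdr["protocol_type"] != ETHERTYPE_IPV4:
        return ("drop", None)
    if parse_ipv4(hdr["payload"]).get("dport") in blocked_ports:
        return ("drop", None)
    return ("forward", geneve_pkt)

if __name__ == "__main__":
    # Option class 0xFF01 lies in RFC 8926's experimental range; the value is constructed here.
    pkt = build_geneve(0x1234, [(0xFF01, 1, b"\x00\x00\x00\x2a")],
                       build_ipv4_tcp("10.0.1.5", "10.0.2.9", 40000, 443))
    print(parse_geneve(pkt)["options"], inspect(pkt, {23, 3389})[0])
```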
DNS Security
DNSSEC for Route 53:
- Enable DNSSEC signing on public hosted zones
- Route 53 signs DNS responses with an asymmetric key pair
- Resolvers that validate DNSSEC will reject unsigned or incorrectly signed responses
Route 53 Resolver DNS Firewall:
- Block DNS resolution for known malicious domains
- Use AWS managed rule groups or custom block/allow lists
- Integrates with Route 53 Resolver for all DNS queries from VPC resources
"The ANS-C01 separates AWS professionals from AWS operators. You are not being tested on which service to click — you are being tested on whether you understand routing, BGP communities, and how packets actually move between your data center and AWS. Networking fundamentals are not optional for this exam." — Todd Lammle, author of the AWS Certified Advanced Networking Study Guide (Sybex, 2020)
Study Timeline
Recommended: 12-16 weeks. Requires networking fundamentals (BGP, TCP/IP, subnetting).
| Week | Focus |
|---|---|
| 1-2 | VPC design, subnetting, routing tables, NACLs, security groups |
| 3-4 | Transit Gateway architecture, route tables, segmentation |
| 5-6 | Direct Connect, BGP, resiliency models |
| 7-8 | Site-to-Site VPN, CloudHub, VPN over Direct Connect |
| 9-10 | ELB (ALB, NLB, GWLB), Route 53 advanced routing |
| 11-12 | PrivateLink, VPC endpoints, flow logs, Reachability Analyzer |
| 13-14 | Network security: WAF, Network Firewall, DNS Firewall |
| 15-16 | Practice exams, weak area review |
See also: AWS Solutions Architect Associate (SAA-C03) Study Guide: Domains, Services, and Scenarios
ANS-C01 career positioning and compensation
The AWS Advanced Networking Specialty is priced at $300 with 170-minute duration and 65 questions. It targets senior network engineers and architects designing large-scale AWS networks.
| Role | Seniority | US salary range (2024-2025) [1] | ANS-C01 impact |
|---|---|---|---|
| Cloud Network Engineer | Mid | $120,000-$170,000 | $8,000-$15,000 uplift |
| Senior Cloud Network Engineer | Senior | $155,000-$215,000 | $10,000-$20,000 uplift |
| Network Architect | Senior | $170,000-$240,000 | Near-required credential |
| Cloud Network Security Engineer | Senior | $155,000-$215,000 | Strong signal |
| Principal Cloud Architect | Staff | $200,000-$285,000 | Baseline expectation |
Adjacent AWS and vendor certifications
| Certification | Current exam code | Fee | Overlap with ANS-C01 |
|---|---|---|---|
| AWS SAA-C03 | SAA-C03 | $150 | Foundational VPC knowledge |
| AWS SAP-C02 | SAP-C02 | $300 | Architecture-tier overlap |
| AWS Security Specialty | SCS-C02 | $300 | WAF, Network Firewall, KMS overlap |
| Cisco CCIE Routing & Switching | Various | $1,600 + written | Deep networking foundation |
| Cisco CCNP Enterprise | 350-401 | $400 | Networking fundamentals |
| Azure Network Engineer | AZ-700 | $165 | Cross-cloud networking signal |
"The Advanced Networking Specialty is one of the most demanding AWS certifications because it requires genuine networking fluency - BGP communities, routing policy, AS path prepending, MED - on top of deep AWS-specific knowledge of Direct Connect, Transit Gateway, and VPC architectures. Candidates without prior enterprise networking experience often find it the hardest AWS specialty to prepare for." - Todd Lammle, author of the AWS Certified Advanced Networking Study Guide, Sybex 2020 [2].
Transit Gateway patterns and scaling considerations
Transit Gateway is the central fabric for modern AWS network architecture. The ANS-C01 tests deep TGW knowledge including:
- Route table segmentation: creating separate TGW route tables for different security zones (prod, dev, shared services)
- Inter-region TGW peering: connecting TGWs across regions for global network architecture
- Direct Connect integration: attaching a Direct Connect gateway to TGW for on-premises connectivity
- VPN ECMP (equal-cost multi-path) over TGW: aggregating multiple VPN tunnels for higher bandwidth
- Blackhole routes: explicit deny routes for network segmentation
- TGW Network Manager: centralized visibility for multi-region, multi-account TGW topologies
- Resource Access Manager (RAM) sharing: sharing a TGW across accounts in an organization
Bandwidth and scaling characteristics
| Component | Bandwidth limit | Scaling |
|---|---|---|
| TGW attachment to VPC | 50 Gbps per attachment | Per-attachment |
| TGW attachment to VPN | 1.25 Gbps per tunnel | Use ECMP across multiple tunnels |
| TGW attachment to Direct Connect Gateway | 50 Gbps per connection | Multiple connections for higher aggregate |
| Inter-region TGW peering | 50 Gbps | Per-peering |
| TGW routes per table | 10,000 | Hard limit |
| TGW attachments per TGW | 5,000 | Soft limit; raise via support |
References
[1] Robert Half. "2024 Technology Salary Guide." 2024. https://www.roberthalf.com/us/en/insights/salary-guide/technology
[2] Lammle, Todd. "AWS Certified Advanced Networking Study Guide." Sybex, 2020.
AWS. "AWS Certified Advanced Networking - Specialty Exam Guide (ANS-C01)." https://d1.awsstatic.com/training-and-certification/docs-advnetworking-spec/AWS-Certified-Advanced-Networking-Specialty_Exam-Guide.pdf
AWS. "Amazon VPC User Guide." https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
AWS. "AWS Direct Connect User Guide." https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
AWS. "AWS Transit Gateway Documentation." https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html
AWS. "Amazon Route 53 Developer Guide." https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html
AWS. "AWS Site-to-Site VPN User Guide." https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
AWS. "Elastic Load Balancing Documentation." https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/what-is-load-balancing.html
Payscale. "AWS Certified Advanced Networking Specialty Salary Data." 2024. https://www.payscale.com/research/US/Certification=AWS_Certified_Advanced_Networking_-_Specialty
Frequently Asked Questions
What networking prerequisites are required before studying for ANS-C01?
You should have solid knowledge of TCP/IP, subnetting, routing protocols (especially BGP), DNS, and load balancing fundamentals before starting ANS-C01 preparation. The exam tests networking concepts applied to AWS, not just AWS service features.
What is the difference between a Private VIF and a Transit VIF on Direct Connect?
A Private VIF connects directly to a VPC via a Virtual Private Gateway. A Transit VIF connects to a Direct Connect Gateway associated with a Transit Gateway, allowing a single Direct Connect connection to reach multiple VPCs across regions.
Why do you need one NAT Gateway per Availability Zone?
If you use a single NAT Gateway and that AZ fails, private subnets in other AZs lose outbound internet access. Deploying one NAT Gateway per AZ and pointing each AZ's private subnets to their local NAT Gateway prevents this single point of failure.
What is AWS PrivateLink and when should you use it?
PrivateLink exposes a service privately to VPC consumers without VPC peering or internet access. The provider deploys a Network Load Balancer; consumers create interface endpoints (ENIs). Use it when you need to share services across many accounts without complex VPC peering.
What does VPC Reachability Analyzer do?
Reachability Analyzer verifies network-layer connectivity between two endpoints without sending actual traffic. It identifies blocking components (security groups, NACLs, missing routes) when connectivity fails, making it a fast troubleshooting tool.
