The AWS Certified Advanced Networking - Specialty (ANS-C01) is one of the most technically demanding AWS certifications. It requires deep knowledge of networking fundamentals — routing protocols, BGP, TCP/IP, DNS, and load balancing — applied to AWS infrastructure. Passing this exam requires more than AWS knowledge; you must understand how networks actually work.
This guide covers all exam domains with depth on the topics that require the most technical precision.
Exam Overview
The ANS-C01 exam contains 65 questions (50 scored, 15 unscored) with a 170-minute time limit. The passing score is 750 out of 1000.
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: Network Design | 30% |
| Domain 2: Network Implementation | 26% |
| Domain 3: Network Management and Operations | 20% |
| Domain 4: Network Security, Compliance, and Governance | 24% |
Domain 1: Network Design (30%)
VPC Architecture Deep Dive
A VPC is a logically isolated network in AWS. Every design decision has cost and capability implications.
CIDR block selection:
- VPC CIDR must be between /16 and /28
- Subnets must be within the VPC CIDR range
- AWS reserves 5 IP addresses per subnet: the first four (network address, VPC router, DNS, future use; .0 to .3 in a /24) and the last address (broadcast; .255 in a /24). Usable hosts are therefore the subnet size minus 5, so a /28 yields 11 addresses
- Plan for peering: peering VPCs cannot have overlapping CIDR ranges
- Reserve address space for future growth; expanding a VPC CIDR is possible by adding secondary CIDRs
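The rules above are easy to get wrong by hand, so here is an added example (not code from the page or from AWS) that enforces them with Python's standard ipaddress module: it validates the /16 to /28 range, lists the five reserved addresses of a subnet, computes usable host counts, carves one subnet per tier and AZ in a fixed order, and flags peer CIDRs that overlap. The VPC, AZ names and peer CIDRs in the usage block are hypothetical.

```python
import ipaddress
import itertools

# Constraints from the Amazon VPC user guide: IPv4 VPC and subnet CIDRs are /16 to /28,
# and AWS reserves five addresses in every subnet.
MIN_PREFIX = 16
MAX_PREFIX = 28
RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Reject a block AWS would not accept as a primary or secondary VPC CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    return net


def reserved_addresses(subnet: ipaddress.IPv4Network) -> dict:
    """The five addresses AWS reserves: the first four and the last of the subnet."""
    return {
        "network": subnet[0],
        "vpc_router": subnet[1],
        "dns": subnet[2],          # base+2 is reserved in every subnet; the Resolver itself is at VPC base+2
        "future_use": subnet[3],
        "broadcast": subnet[-1],   # .255 only in a /24; in general the last address of the block
    }


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    return subnet.num_addresses - RESERVED_PER_SUBNET


def overlapping_peers(vpc: ipaddress.IPv4Network, peer_cidrs) -> list:
    """Peer VPC CIDRs that overlap this VPC and therefore cannot be peered with it."""
    return [p for p in map(ipaddress.ip_network, peer_cidrs) if vpc.overlaps(p)]


def plan_subnets(vpc: ipaddress.IPv4Network, azs, tiers, new_prefix: int) -> dict:
    """Carve one subnet per (tier, AZ) from the front of the VPC, in a fixed order,
    leaving the tail of the block free for later tiers. Returns {(tier, az): subnet}."""
    if new_prefix > MAX_PREFIX:
        raise ValueError("subnets cannot be smaller than /28")
    needed = len(azs) * len(tiers)
    carved = list(itertools.islice(vpc.subnets(new_prefix=new_prefix), needed))
    if len(carved) < needed:
        raise ValueError(f"{vpc} holds only {len(carved)} /{new_prefix} subnets; plan needs {needed}")
    return dict(zip(itertools.product(tiers, azs), carved))


if __name__ == "__main__":
    # Hypothetical VPC and peers used to illustrate the checks.
    vpc = validate_vpc_cidr("10.0.0.0/16")
    for key, subnet in plan_subnets(vpc, ["a", "b", "c"], ["public", "private"], 24).items():
        print(key, subnet, usable_hosts(subnet), "usable hosts")
    print("overlapping peers:", overlapping_peers(vpc, ["10.0.5.0/24", "172.16.0.0/12"]))
```

Carving tiers in a fixed order from the front of the block is what makes a later secondary CIDR unnecessary for a while: the unused tail of the /16 stays contiguous and can hold new tiers without renumbering.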
Subnet design:
| Subnet Type | Route Table Destination |
|---|---|
| Public | 0.0.0.0/0 → Internet Gateway |
| Private (with internet access) | 0.0.0.0/0 → NAT Gateway (in public subnet) |
| Private (isolated) | No default route; routes only to VPC CIDR |
Highly available NAT Gateway: Deploy one NAT Gateway per Availability Zone. Each private subnet's route table points to the NAT Gateway in the same AZ. This prevents a single AZ failure from blocking outbound internet access for all private subnets.
Transit Gateway Architecture
Transit Gateway (TGW) is a network transit hub connecting VPCs and on-premises networks through a hub-and-spoke model.
TGW route tables:
A single TGW can have multiple route tables. Attachments (VPCs, VPNs, Direct Connect gateways) are associated with one route table and can propagate routes to one or more route tables.
Segmentation use case:
TGW Route Table: Production
- Routes to: Production VPCs + Shared Services VPCs
TGW Route Table: Shared Services
- Routes to: Production + Non-production + Shared Services VPCs
TGW Route Table: Non-Production
- Routes to: Non-production VPCs + Shared Services only
This prevents direct connectivity between production and non-production while allowing both to access shared services (DNS, monitoring).
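Both the subnet route tables above and the TGW route tables here pick routes by longest prefix match, and the segmentation works only because of which tables each attachment propagates into. The following is an added example (not code from the page or from AWS) that models that: a longest-prefix lookup, a private subnet's route table with a local route, a 10.0.0.0/8 summary toward the TGW and a per-AZ NAT default, and a TransitGateway class with one association and many propagations per attachment. All CIDRs and attachment names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

BLACKHOLE = "blackhole"


def longest_prefix_match(routes: dict, dst: str):
    """Target of the most specific route covering dst, or None when no route matches.

    VPC subnet route tables and TGW route tables both select routes this way, so the
    10.1.0.0/16 local route beats a 10.0.0.0/8 summary pointing at a TGW attachment.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, target in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


# Route table of a private subnet in AZ a (hypothetical VPC 10.1.0.0/16):
# local route, a summary toward the Transit Gateway, and this AZ's own NAT gateway.
PRIVATE_RT_AZ_A = {
    "10.1.0.0/16": "local",
    "10.0.0.0/8": "tgw-attachment",
    "0.0.0.0/0": "nat-gw-az-a",
}


@dataclass(frozen=True)
class Attachment:
    name: str
    cidrs: tuple  # prefixes the attachment propagates (its VPC CIDR blocks)


class TransitGateway:
    def __init__(self, route_table_names):
        self.route_tables = {name: {} for name in route_table_names}
        self.association = {}  # attachment -> the single route table it is associated with

    def attach(self, att: Attachment, associate_with: str, propagate_to):
        """One association (which table decides traffic *from* att) and any number of
        propagations (which tables learn routes *to* att)."""
        self.association[att.name] = associate_with
        for table in propagate_to:
            for cidr in att.cidrs:
                self.route_tables[table][cidr] = att.name

    def add_static_route(self, table: str, cidr: str, target: str = BLACKHOLE):
        self.route_tables[table][cidr] = target

    def next_hop(self, src_attachment: str, dst: str):
        """Attachment the TGW forwards to, BLACKHOLE, or None (no route: dropped)."""
        table = self.association[src_attachment]
        return longest_prefix_match(self.route_tables[table], dst)


def build_segmented_tgw() -> TransitGateway:
    """The prod / non-prod / shared-services design from the text (hypothetical CIDRs)."""
    tgw = TransitGateway(["Production", "NonProduction", "SharedServices"])
    prod = Attachment("vpc-prod", ("10.1.0.0/16",))
    nonprod = Attachment("vpc-nonprod", ("10.2.0.0/16",))
    shared = Attachment("vpc-shared", ("10.0.0.0/16",))
    # Prod and non-prod propagate only into their own table and the shared table,
    # so neither environment's table ever learns a route to the other.
    tgw.attach(prod, "Production", ["Production", "SharedServices"])
    tgw.attach(nonprod, "NonProduction", ["NonProduction", "SharedServices"])
    tgw.attach(shared, "SharedServices", ["Production", "NonProduction", "SharedServices"])
    return tgw


if __name__ == "__main__":
    tgw = build_segmented_tgw()
    for src, dst in [("vpc-prod", "10.0.0.10"), ("vpc-prod", "10.2.0.5"), ("vpc-shared", "10.1.0.5")]:
        print(f"{src} -> {dst}: {tgw.next_hop(src, dst)}")
    print("8.8.8.8 from the private subnet ->", longest_prefix_match(PRIVATE_RT_AZ_A, "8.8.8.8"))
```

Note the asymmetry the model exposes: the shared-services table can reach prod, but the reverse path from prod to shared exists only because shared propagates into the Production table. Drop that propagation and replies from prod to shared are dropped even though the forward path exists, which is the usual cause of "one-way" TGW connectivity tickets. A blackhole static route in the shared table shows that a more specific prefix overrides a propagated /16.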
TGW inter-region peering: Connect TGWs in different regions. Traffic routes over the AWS backbone. Routing is static (no route propagation across peering connections).
TGW Connect: Supports GRE tunnels over TGW for connecting SD-WAN appliances. Uses BGP over the GRE tunnel for dynamic routing.
AWS Direct Connect
Direct Connect provides dedicated private connectivity from on-premises to AWS.
Connection types:
| Type | Speed | Provider |
|---|---|---|
| Dedicated connection | 1 Gbps, 10 Gbps, 100 Gbps | Customer connects directly to AWS Direct Connect location |
| Hosted connection | 50 Mbps to 10 Gbps | AWS Direct Connect Partner provides the connection |
Virtual interfaces (VIFs):
| VIF Type | Connects To |
|---|---|
| Private VIF | VPC via Virtual Private Gateway or Direct Connect Gateway |
| Public VIF | AWS public service endpoints (S3, DynamoDB, EC2 public IPs) over the Direct Connect link instead of the internet; AWS advertises its public prefixes to you, and you must advertise public prefixes you own |
| Transit VIF | Transit Gateway via Direct Connect Gateway |
Direct Connect Gateway: A global object that lets one Direct Connect connection reach VPCs in multiple regions and accounts. Associate it with Virtual Private Gateways (private VIF; up to 20 VGWs per DXGW) or with Transit Gateways (transit VIF).
BGP configuration:
Private VIFs use BGP to exchange routes:
- Customer advertises on-premises prefixes to AWS (quota: 100 routes per BGP session on a private or transit VIF; summarize before you hit it)
- AWS advertises the VPC CIDR blocks (VGW) or the allowed prefixes configured on the Direct Connect gateway to the customer router
- For the same prefix, AWS prefers a Direct Connect path over a Site-to-Site VPN path, so a VPN is a backup rather than an equal; a VPN only wins if it advertises a more specific prefix
- BGP community tags on private and transit VIFs set AWS's local preference between multiple Direct Connect paths: 7224:7100 (low), 7224:7200 (medium), 7224:7300 (high); AS_PATH prepending breaks remaining ties
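The preference rules are what decide what actually happens during a Direct Connect outage, so here is an added example (not code from the page or from AWS) that models AWS's inbound path selection for on-premises prefixes: longest prefix first, then Direct Connect over VPN, then the 7224:7x00 local-preference communities, then shortest AS_PATH. The ordering of the last two tie-breakers and the local preference assigned to untagged routes (modelled as medium) are simplifying assumptions of this model; the VIF names, ASN and prefixes are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Local-preference communities AWS honours on private and transit VIFs (Direct Connect user guide).
LOCAL_PREF = {"7224:7100": 100, "7224:7200": 200, "7224:7300": 300}   # low / medium / high
UNTAGGED_LOCAL_PREF = 200   # ASSUMPTION of this model: routes without a tag rank as medium


@dataclass(frozen=True)
class Path:
    prefix: str
    via: str                 # "dx" (Direct Connect VIF) or "vpn" (Site-to-Site VPN with BGP)
    next_hop: str            # label for the VIF or tunnel the route arrived on
    as_path: tuple = ()
    communities: frozenset = frozenset()

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def local_pref(path: Path) -> int:
    tagged = [LOCAL_PREF[c] for c in path.communities if c in LOCAL_PREF]
    return max(tagged) if tagged else UNTAGGED_LOCAL_PREF


def rank(path: Path) -> tuple:
    """Higher tuple wins. Order modelled: longest prefix, then Direct Connect over VPN,
    then local-preference community, then shortest AS_PATH (a prepended path loses)."""
    return (
        path.network.prefixlen,
        1 if path.via == "dx" else 0,
        local_pref(path),
        -len(path.as_path),
    )


def best_path(dst: str, paths) -> Optional[Path]:
    ip = ipaddress.ip_address(dst)
    candidates = [p for p in paths if ip in p.network]
    return max(candidates, key=rank) if candidates else None


def failover_order(dst: str, paths) -> list:
    """Next hops in the order traffic to dst falls back as paths are withdrawn."""
    ip = ipaddress.ip_address(dst)
    return [p.next_hop for p in sorted((p for p in paths if ip in p.network), key=rank, reverse=True)]


# Constructed scenario: on-premises 192.168.0.0/16 advertised over two DX VIFs and a VPN,
# plus a more specific /24 that leaked only over the VPN.
ONPREM_PATHS = [
    Path("192.168.0.0/16", "dx", "dx-primary-vif", (65000,), frozenset({"7224:7300"})),
    Path("192.168.0.0/16", "dx", "dx-secondary-vif", (65000,), frozenset({"7224:7100"})),
    Path("192.168.0.0/16", "vpn", "vpn-tunnel-1", (65000,)),
    Path("192.168.50.0/24", "vpn", "vpn-tunnel-1", (65000,)),
]

if __name__ == "__main__":
    print("192.168.1.1 :", failover_order("192.168.1.1", ONPREM_PATHS))
    print("192.168.50.9:", best_path("192.168.50.9", ONPREM_PATHS).next_hop, "(more specific prefix wins)")
```

The last path in the scenario is the one to watch for in a design review: a /24 that is only advertised over the VPN pulls that subnet's traffic off Direct Connect regardless of any community tag, because prefix length is evaluated before everything else. Keep the prefix sets advertised over every path identical unless the difference is intentional.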
Resiliency models:
| Model | Configuration | Use Case |
|---|---|---|
| Non-redundant | Single connection | Development, testing |
| High resiliency | Two connections at separate locations | Production workloads |
| Maximum resiliency | Two connections at each of two locations (4 total) | Mission-critical workloads |
Site-to-Site VPN
AWS Site-to-Site VPN creates IPsec tunnels over the internet to a VPC.
Key components:
- Virtual Private Gateway (VGW): AWS-side endpoint; attached to a VPC
- Customer Gateway (CGW): Represents the on-premises device configuration in AWS
- VPN Connection: Two IPsec tunnels for redundancy, each terminating on a different AWS endpoint with its own public IP; bring both up, because AWS may take one tunnel down for maintenance
Routing options:
- Static routing: Customer manually specifies on-premises CIDR ranges
- Dynamic routing: BGP over the tunnels advertises routes and withdraws them when a tunnel drops, giving automatic failover between tunnels and between VPN and Direct Connect
VPN over Direct Connect: Terminate a Site-to-Site VPN over a Direct Connect public VIF to add IPsec encryption to the private link (Direct Connect does not encrypt traffic by default) while keeping Direct Connect's latency characteristics and without needing a private VIF. Private IP VPN over a transit VIF is the newer option and avoids public IPs at both ends; MACsec is available on dedicated 10 Gbps and 100 Gbps connections at supported locations for link-layer encryption.
Domain 2: Network Implementation (26%)
Elastic Load Balancing Configuration
Application Load Balancer:
ALB operates at L7. Key features:
- Path-based routing: /api/* routes to one target group, /* to another
- Host-based routing: api.example.com routes differently than www.example.com
- Weighted target groups: Distribute traffic between versions (canary deployments)
- Authenticate users: Integrate with Cognito or OIDC providers at the load balancer
- Fixed response: Return a static response for certain paths (maintenance mode)
Network Load Balancer:
NLB operates at L4. Key features:
- Preserves the client source IP for instance targets (ALB terminates the connection, so the client address is visible only in the X-Forwarded-For header). Caveat: for IP address targets on TCP or TLS listeners, client IP preservation is disabled by default (target group attribute preserve_client_ip.enabled); enable it or use Proxy Protocol v2, otherwise security groups and application logs on the target see the NLB's own private IP
- Static IP address per AZ, optionally an Elastic IP (useful when downstream firewalls allow-list by address)
- Ultra-low latency with TLS termination
- PrivateLink endpoint services front the service with an NLB (or a Gateway Load Balancer for inline-inspection services)
Connection draining / deregistration delay: When removing a target from a target group, the load balancer stops sending it new connections immediately and lets existing connections complete for the configured period (default 300 seconds) before the target is fully deregistered. This setting does not terminate the instance.
Route 53 Advanced Routing
Routing policies:
| Policy | Use Case |
|---|---|
| Simple | One record, one or multiple values |
| Weighted | A/B testing, gradual traffic migration |
| Latency | Route to region with lowest latency for the user |
| Failover | Active/passive DR; health check required on primary |
| Geolocation | Route by country or continent |
| Geoproximity | Route by geographic proximity; adjustable bias |
| Multivalue answer | Return up to 8 healthy records |
Route 53 health checks:
- Endpoint health checks: Check HTTP, HTTPS, or TCP to an IP or domain
- Calculated health checks: Combine multiple health checks with AND/OR logic
- CloudWatch alarm health checks: Declare a resource unhealthy based on a CloudWatch alarm
Route 53 Resolver:
Within a VPC, Route 53 Resolver (reachable at the VPC CIDR base + 2, the .2 address) answers every query from VPC resources: public names, AWS service endpoints, EC2 internal hostnames, and private hosted zones. For hybrid environments:
- Inbound endpoints: On-premises resolvers forward AWS-domain queries to an inbound endpoint in the VPC
- Outbound endpoints: Route 53 Resolver forwards queries for on-premises domains to on-premises DNS servers via forwarding rules
VPC Connectivity Patterns
VPC Peering:
- Direct connection between two VPCs (same or different accounts/regions)
- Not transitive: VPC A peers with B and C; B and C cannot communicate through A
- No bandwidth limit or gateway device required
- Route tables in both VPCs must be configured
AWS PrivateLink:
- Expose a service privately without VPC peering or internet
- Requires a Network Load Balancer (or a Gateway Load Balancer for inline inspection) in the provider VPC
- Consumers create an interface endpoint (ENI) in their VPC
- Traffic never traverses the public internet
- Scales to thousands of consumers
Domain 3: Network Management and Operations (20%)
VPC Flow Logs
Flow Logs capture IP traffic metadata for VPC, subnet, or ENI:
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-abc12345 10.0.1.5 172.16.0.10 34567 443 6 20 4000 1620000000 1620000060 ACCEPT OK
Filters:
- ACCEPT: Log only accepted traffic
- REJECT: Log only rejected traffic (security group/NACL denials)
- ALL: Log all traffic
Flow Logs are delivered to CloudWatch Logs, S3, or Amazon Data Firehose. For network troubleshooting, use Logs Insights to query specific source/destination pairs. Records are aggregated per interval (1 or 10 minutes), not captured per packet, and traffic to the VPC DNS resolver, the instance metadata service (169.254.169.254) and DHCP is not logged.
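As an added example (not code from the page or from AWS), the following parses default-format records like the one shown above and runs two checks a security operations team would actually want over them: sources whose REJECTed flows touched many distinct ports on one host (a port-scan signature in NACL/security-group denials), and ACCEPTed egress from RFC 1918 addresses to external destinations. The sample log lines are constructed; the five-port threshold is arbitrary.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default (version 2) flow log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str
    log_status: str


def parse_flow_log(text: str) -> list:
    """Parse default-format records; skip the header line and NODATA/SKIPDATA
    records, which carry '-' in the traffic fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "version":
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count in record: {line!r}")
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        records.append(FlowRecord(**{k: (int(v) if k in INT_FIELDS else v) for k, v in row.items()}))
    return records


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def rejected_port_scans(records, min_ports: int = 5) -> dict:
    """(src, dst) pairs whose REJECTed flows hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[(r.srcaddr, r.dstaddr)].add(r.dstport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def egress_to_public(records) -> dict:
    """Bytes ACCEPTed from RFC 1918 sources to non-RFC 1918 destinations, by (dst, port)."""
    totals = defaultdict(int)
    for r in records:
        if r.action == "ACCEPT" and is_rfc1918(r.srcaddr) and not is_rfc1918(r.dstaddr):
            totals[(r.dstaddr, r.dstport)] += r.bytes
    return dict(totals)


# Constructed sample: one external host probing six ports on 10.0.1.5 (all rejected),
# two accepted egress flows to 203.0.113.9:443, one internal flow, and a NODATA record.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.5 40001 22 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.5 40002 23 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.5 40003 80 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.5 40004 443 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.5 40005 3389 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc12345 198.51.100.7 10.0.1.5 40006 8080 6 1 44 1620000000 1620000060 REJECT OK
2 123456789012 eni-abc12345 10.0.1.5 203.0.113.9 34567 443 6 20 4000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-abc12345 10.0.1.5 203.0.113.9 34568 443 6 5 1000 1620000060 1620000120 ACCEPT OK
2 123456789012 eni-abc12345 10.0.3.7 10.0.1.5 51234 443 6 10 2000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-abc12345 - - - - - - - 1620000120 1620000180 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("possible scans:", rejected_port_scans(recs))
    print("egress to public:", egress_to_public(recs))
```

Two details matter for anyone turning this into a production detector: NODATA and SKIPDATA records must be dropped before integer conversion or the parser fails on the dashes, and a custom log format changes FIELDS, so pin the format string in the flow log definition rather than assuming the default.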
AWS Network Manager
Network Manager provides a global view of Transit Gateway networks:
- Visualizes all TGW attachments on a map
- Monitors BGP route changes and connectivity
- Route Analyzer: Simulates route paths between resources without sending actual traffic
Reachability Analyzer
Reachability Analyzer verifies network path connectivity between two endpoints without sending traffic:
- Tests connectivity between EC2 instances, load balancers, ENIs
- Identifies the blocking component if connectivity fails (security group, NACL, route table, missing peering connection)
- Does not test application-layer connectivity; only network-layer paths
Domain 4: Network Security, Compliance, and Governance (24%)
Security Group vs. NACL Reference Summary
| Feature | Security Group | NACL |
|---|---|---|
| Applies to | ENI (instance level) | Subnet |
| Stateful | Yes | No |
| Allow/Deny | Allow only | Allow and Deny |
| Rule evaluation | All rules evaluated; any matching allow permits the packet | Ascending rule number, first match wins, implicit deny (*) at the end |
| Default behavior | Deny all inbound, allow all outbound | Default NACL allows all; a new custom NACL denies all until rules are added |
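The practical consequence of the stateful/stateless difference is the ephemeral-port problem: a NACL that allows inbound 443 but has no outbound rule for ports 1024-65535 silently drops every response. The following is an added example (not code from the page or from AWS) that models both constructs and runs that case plus the rule-ordering case side by side. The addresses, ports and rule numbers are constructed, and the security group deliberately has no outbound rules so that the state tracking is what lets the reply through.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self) -> "Packet":
        """The response packet of this flow (addresses and ports swapped)."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACLs may also "deny"; security group rules are allow-only
    number: int = 0         # NACL rule number, which fixes evaluation order


def rule_matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    if rule.direction != direction:
        return False
    if rule.proto != "all":
        if rule.proto != pkt.proto or not rule.port_from <= pkt.dport <= rule.port_to:
            return False
    remote = pkt.src if direction == "in" else pkt.dst
    return ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)


class SecurityGroup:
    """Stateful: replies to a permitted flow pass without needing a rule of their own."""

    def __init__(self, rules):
        self.rules = list(rules)
        self._flows = set()

    def permits(self, pkt: Packet, direction: str) -> bool:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self._flows:
            return True                         # reply to a tracked flow
        if any(rule_matches(r, pkt, direction) for r in self.rules):
            self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return False


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the ordered rules."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def permits(self, pkt: Packet, direction: str) -> bool:
        for r in self.rules:                    # lowest number first, first match wins
            if rule_matches(r, pkt, direction):
                return r.action == "allow"
        return False                            # the implicit '*' deny at the end


ANY = "0.0.0.0/0"
REQUEST = Packet("203.0.113.5", 51000, "10.0.1.5", 443)   # constructed: client -> web server


def run_scenarios() -> dict:
    sg = SecurityGroup([Rule("in", "tcp", 443, 443, ANY)])            # no outbound rules at all
    broken = NetworkAcl([Rule("in", "tcp", 443, 443, ANY, number=100),
                         Rule("out", "tcp", 443, 443, ANY, number=100)])
    fixed = NetworkAcl(broken.rules + [Rule("out", "tcp", 1024, 65535, ANY, number=110)])
    deny_first = NetworkAcl([Rule("in", "tcp", 443, 443, "203.0.113.0/24", action="deny", number=90),
                             Rule("in", "tcp", 443, 443, ANY, number=100)])
    deny_last = NetworkAcl([Rule("in", "tcp", 443, 443, ANY, number=100),
                            Rule("in", "tcp", 443, 443, "203.0.113.0/24", action="deny", number=200)])
    reply = REQUEST.reply()
    return {
        "sg_request": sg.permits(REQUEST, "in"),
        "sg_reply_without_outbound_rule": sg.permits(reply, "out"),
        "nacl_request": broken.permits(REQUEST, "in"),
        "nacl_reply_missing_ephemeral": broken.permits(reply, "out"),
        "nacl_reply_with_ephemeral": fixed.permits(reply, "out"),
        "nacl_deny_before_allow": deny_first.permits(REQUEST, "in"),
        "nacl_deny_after_allow": deny_last.permits(REQUEST, "in"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:32s} {'ALLOW' if result else 'DENY'}")
```

The deny_last case is the one reviewers miss: a deny rule numbered above the matching allow never fires, so a NACL blocklist must use numbers lower than any broad allow. Flow logs record these drops as REJECT with no indication of which NACL rule matched, which is why Reachability Analyzer is the faster tool for this class of problem.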
AWS Gateway Load Balancer
GWLB enables deploying, scaling, and managing third-party virtual appliances (firewalls, IDS/IPS). It uses the GENEVE protocol to encapsulate traffic.
Inspection architecture:
Ingress traffic → GWLB Endpoint → GWLB → Firewall Appliance → GWLB → Application
All traffic passes through the appliance transparently. Health checks take a failed appliance out of rotation for new flows; by default, flows already pinned to a failed appliance are not moved unless the target group attributes target_failover.on_unhealthy and target_failover.on_deregistration are set to rebalance. Used for centralized inspection of all traffic entering or leaving a VPC.
DNS Security
DNSSEC for Route 53:
- Enable DNSSEC signing on public hosted zones
- Route 53 signs the zone with a key-signing key (KSK) held in AWS KMS and a zone-signing key it manages; you must then publish the DS record in the parent zone (at your registrar) to complete the chain of trust
- Validating resolvers reject responses whose signatures do not verify; a zone with no DS record in its parent is treated as unsigned (insecure) rather than rejected, so the DS record is what actually turns validation on. On the VPC side, enable DNSSEC validation on Route 53 Resolver per VPC
Route 53 Resolver DNS Firewall:
- Block DNS resolution for known malicious domains
- Use AWS managed rule groups or custom block/allow lists
- Applies to queries that reach Route 53 Resolver (the VPC .2 address); a host that bypasses it to an external resolver is not inspected, so also block outbound port 53 to anything but the Resolver with security groups, NACLs, or Network Firewall. The VPC-level fail-open setting is disabled by default, so a query the firewall cannot evaluate is dropped (fail closed)
"The ANS-C01 separates AWS professionals from AWS operators. You are not being tested on which service to click — you are being tested on whether you understand routing, BGP communities, and how packets actually move between your data center and AWS. Networking fundamentals are not optional for this exam." — Todd Lammle, author of the AWS Certified Advanced Networking Study Guide (Sybex, 2020)
Study Timeline
Recommended: 12-16 weeks. Requires networking fundamentals (BGP, TCP/IP, subnetting).
| Week | Focus |
|---|---|
| 1-2 | VPC design, subnetting, routing tables, NACLs, security groups |
| 3-4 | Transit Gateway architecture, route tables, segmentation |
| 5-6 | Direct Connect, BGP, resiliency models |
| 7-8 | Site-to-Site VPN, CloudHub, VPN over Direct Connect |
| 9-10 | ELB (ALB, NLB, GWLB), Route 53 advanced routing |
| 11-12 | PrivateLink, VPC endpoints, flow logs, Reachability Analyzer |
| 13-14 | Network security: WAF, Network Firewall, DNS Firewall |
| 15-16 | Practice exams, weak area review |
See also: AWS Solutions Architect Associate (SAA-C03) Study Guide: Domains, Services, and Scenarios
References
- AWS. "AWS Certified Advanced Networking - Specialty Exam Guide (ANS-C01)." https://d1.awsstatic.com/training-and-certification/docs-advnetworking-spec/AWS-Certified-Advanced-Networking-Specialty_Exam-Guide.pdf
- AWS. "Amazon VPC User Guide." https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
- AWS. "AWS Direct Connect User Guide." https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
- AWS. "AWS Transit Gateway Documentation." https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html
- AWS. "Amazon Route 53 Developer Guide." https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html
- Lammle, Todd. "AWS Certified Advanced Networking Study Guide." Sybex, 2020.
- AWS. "AWS Site-to-Site VPN User Guide." https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
- AWS. "Elastic Load Balancing Documentation." https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/what-is-load-balancing.html
Frequently Asked Questions
What networking prerequisites are required before studying for ANS-C01?
You should have solid knowledge of TCP/IP, subnetting, routing protocols (especially BGP), DNS, and load balancing fundamentals before starting ANS-C01 preparation. The exam tests networking concepts applied to AWS, not just AWS service features.
What is the difference between a Private VIF and a Transit VIF on Direct Connect?
A Private VIF connects to a single VPC via a Virtual Private Gateway, or to several VGWs through a Direct Connect Gateway. A Transit VIF connects to a Direct Connect Gateway associated with a Transit Gateway, allowing a single Direct Connect connection to reach every VPC attached to that Transit Gateway, across regions.
Why do you need one NAT Gateway per Availability Zone?
If you use a single NAT Gateway and that AZ fails, private subnets in other AZs lose outbound internet access. Deploying one NAT Gateway per AZ and pointing each AZ's private subnets to their local NAT Gateway prevents this single point of failure.
What is AWS PrivateLink and when should you use it?
PrivateLink exposes a service privately to VPC consumers without VPC peering or internet access. The provider deploys a Network Load Balancer; consumers create interface endpoints (ENIs). Use it when you need to share services across many accounts without complex VPC peering.
What does VPC Reachability Analyzer do?
Reachability Analyzer (an Amazon VPC feature, not part of Route 53) verifies network-layer connectivity between two endpoints without sending actual traffic. It identifies blocking components (security groups, NACLs, missing routes) when connectivity fails, making it a fast troubleshooting tool.
