AWS Certified Advanced Networking – Specialty (ANS-C01)

A documentation-first study guide. AWS writes the exam from its own documentation, so reading the docs is the highest-leverage thing you can do. This guide is a curated index into the canonical references, FAQs, and a selection of whitepapers — organised around the four exam domains, not around services.

Maps to the published AWS Certified Advanced Networking — Specialty (ANS-C01) exam guide. Domain weights and task statements are quoted from that PDF.


About the exam

Current exam code: ANS-C01 (first released July 2022, exam guide v2.0). No C02 announcement as of April 2026.

Format: 65 questions (50 scored + 15 unscored) · 170 minutes · $300 USD · scaled score 100–1000, pass at 750.

The four domains:

  • Domain 1 — Network Design — 30%
  • Domain 2 — Network Implementation — 26%
  • Domain 3 — Network Management and Operation — 20%
  • Domain 4 — Network Security, Compliance, and Governance — 24%

Primary official sources (bookmark these):

Whitepapers worth reviewing:

Priority tiers: The published domain weights (30/26/20/24) tell you how the exam is balanced across the four domains, but they don’t tell you that within each domain a handful of services account for most of the questions. Every section in this guide carries a tier badge based on triangulating the AWS exam guide, the experience reports of recent test takers, and the patterns that appear in the practice-exam community:

  • ★★★ Core Heavily tested. Multiple questions will lean on this. Spend hours, not minutes — if you don’t know it well, you fail.
  • ★★ Important Reliably tested, usually one or two questions. Read every linked page in the section, do the FAQ, understand the comparison points. A few hours per topic.
  • ★ Light Known to appear, but typically as one distinguishing question or as wrong-answer distractors. Skim the docs, learn the one-line distinction, move on. Twenty minutes to an hour.

For an 8–12 week prep cycle the rough split that the data supports is about 60% of your time on Core topics, 30% on Important, and 10% on Light. The biggest single concentration of questions across the whole exam is the cluster around VPC + Transit Gateway + Direct Connect + Route 53 + CloudFront + Network Firewall — know those six cold and you have the foundation of a pass.

How to use this guide:

  • Each section opens with a one-paragraph summary explaining what to focus on, then has up to three link sections: Core docs (user/developer guides — the canonical reference), FAQ (exam writers love edge cases from FAQs — do not skip), and Deeper reading (whitepapers, blog posts, re:Post articles).
  • If a link 404s, AWS has reorganised the docs. Search the page title to find the new location — the content almost always still exists.
  • The What’s New feed is worth a weekly scan in the last month before your exam; the exam lags new features by ~12 months but recent launches are a good prompt to revisit older chapters.

Part I — Domain 1: Network Design (30%)

Chapter 1 — Edge networking: CloudFront, Global Accelerator, and the edge

Maps to Task Statement 1.1 — Design a solution that incorporates edge network services to optimize user performance and traffic management for global architectures

Knowledge of:

  • Design patterns for the usage of content distribution networks (for example, Amazon CloudFront)
  • Design patterns for global traffic management (for example, AWS Global Accelerator)
  • Integration patterns for content distribution networks and global traffic management with other services (for example, Elastic Load Balancing, Amazon API Gateway)

Skills in:

  • Evaluating requirements of global inbound and outbound traffic from the internet to design an appropriate content distribution solution
  • Optimizing data transfer costs using Amazon CloudFront
  • Designing patterns and architectures for global traffic management
  • Securing content at the edge using encryption and access control
  • Integrating edge services with DDoS mitigation solutions

1.1 Amazon CloudFront ★★★ Core

CloudFront is heavily tested. Know origin types (S3, ALB, custom), cache behaviours, OAC vs OAI, signed URLs/cookies, and the CloudFront Functions vs Lambda@Edge decision. Expect 3-5 questions.

Core docs

FAQ

1.2 AWS Global Accelerator ★★★ Core

Know when to choose Global Accelerator over CloudFront: static anycast IPs, TCP/UDP (not just HTTP), client IP preservation, and instant failover. Understand traffic dials and endpoint weights.

Core docs

FAQ

1.3 Choosing between CloudFront and Global Accelerator ★★ Important

A frequent exam pattern: “HTTP caching at edge” → CloudFront; “TCP/UDP with static IPs or instant failover” → Global Accelerator. Both use the AWS backbone; the use case determines the choice.


Chapter 2 — DNS design with Amazon Route 53

Maps to Task Statement 1.2 — Design DNS solutions that meet public, private, and hybrid requirements

Knowledge of:

  • DNS protocol (for example, DNS records, timers, DNSSEC, DNS delegation, zones)
  • DNS logging and monitoring
  • Amazon Route 53 features (for example, alias records, traffic policies, resolvers, health checks)
  • Integration of DNS with other AWS services (for example, Amazon VPC)
  • Integration of DNS with hybrid, multi-account, and multi-Region options
  • Domain registration

Skills in:

  • Using Route 53 public hosted zones
  • Using Route 53 private hosted zones
  • Using Route 53 Resolver endpoints in hybrid and AWS architectures
  • Using Route 53 for global traffic management
  • Creating and managing domain registrations

2.1 Route 53 core concepts ★★★ Core

Foundation for every DNS question. Know public vs private hosted zones, alias vs CNAME (alias works at zone apex, no charge for alias to AWS resources), and the full list of routing policies.

Core docs

2.2 Routing policies (traffic management) ★★★ Core

Memorise all eight routing policies and when to use each. Weighted for blue/green, latency for performance, geolocation for compliance, failover with health checks for HA. Traffic flow for complex chaining.

2.3 Route 53 Resolver (hybrid DNS) ★★★ Core

The most-tested DNS topic for hybrid scenarios. Inbound endpoints let on-prem resolve AWS names; outbound endpoints let VPCs resolve on-prem names. Resolver rules are shared via RAM. DNS Firewall blocks malicious domains.

2.4 DNSSEC ★ Light

Light coverage. Know that Route 53 supports DNSSEC signing for public hosted zones and validation for domains registered elsewhere. Understand it protects against DNS spoofing.

2.5 Application Recovery Controller (zonal and routing controls) ★ Light

Occasional questions on ARC for multi-region failover. Know that routing controls let you manually or automatically shift traffic, and readiness checks validate replica readiness before failover.

FAQ

Deeper reading


Chapter 3 — Load balancing design

Maps to Task Statement 1.3 — Design solutions that integrate load balancing to meet high availability, scalability, and security requirements

Knowledge of:

  • How load balancing works at layer 3, layer 4, and layer 7 of the OSI model
  • Different types of load balancers and how they meet requirements for network design, high availability, and security
  • Connectivity patterns that apply to load balancing based on the use case (for example, internal, external, multi-Region)
  • Scaling factors for load balancers
  • Integrations with AWS services (for example, Global Accelerator, CloudFront, AWS WAF, Route 53, Amazon EKS, AWS Config, AWS PrivateLink)
  • Configuration options for load balancer health checks

Skills in:

  • Selecting an appropriate load balancer based on the use case
  • Integrating auto scaling with load balancing solutions
  • Integrating load balancers with existing application deployments
  • Configuring load balancer targets and target groups
  • Configuring listener rules
  • Designing target group health checks

3.1 The ELB family ★★ Important

Know the four load balancer types and when to use each. ALB for HTTP/HTTPS with path/host routing; NLB for TCP/UDP with static IPs; GWLB for inline security appliances; CLB is legacy.

Core docs

3.2 Application Load Balancer (Layer 7) ★★ Important

Know listener rules, target types (instance, IP, Lambda), routing algorithms, sticky sessions, and authentication with Cognito/OIDC. Mutual TLS (mTLS) is a newer feature worth knowing.

3.3 Network Load Balancer (Layer 4) ★★★ Core

Heavily tested. Know static IPs per AZ, client IP preservation options, TLS termination vs passthrough, cross-zone behaviour and its cost implications, and zonal DNS affinity for latency-sensitive apps.

3.4 Gateway Load Balancer (security-appliance insertion) ★★ Important

GWLB is the answer whenever a question mentions “third-party firewall appliances” or “inline inspection.” Know GENEVE encapsulation (port 6081), GWLB endpoints, and the traffic flow for centralised inspection.

3.5 Proxy protocol and cross-zone ★★ Important

Proxy Protocol v2 passes client IP when targets can’t see it natively. Cross-zone load balancing distributes traffic evenly across all AZs but has data transfer cost implications on NLB.

3.6 Load Balancer Controller for Kubernetes ★ Light

Light coverage. Know that the AWS Load Balancer Controller provisions ALB/NLB for Kubernetes Ingress and Service resources. Annotations control target type (IP vs instance) and other settings.

FAQ


Chapter 4 — Logging and monitoring design

Maps to Task Statement 1.4 — Define logging and monitoring requirements across AWS and hybrid networks

Knowledge of:

  • Amazon CloudWatch metrics, agents, logs, alarms, dashboards, and Insights in architectures with hybrid connectivity
  • AWS Transit Gateway Network Manager in architectures with hybrid connectivity
  • VPC Reachability Analyzer, Transit Gateway Route Analyzer, VPC flow logs, and Traffic Mirroring in architectures with hybrid connectivity
  • Access logging (for example, load balancers, CloudFront)

Skills in:

  • Identifying the logging and monitoring requirements
  • Recommending appropriate metrics to provide visibility of the network status
  • Capturing baseline network performance

4.1 Amazon CloudWatch ★★ Important

Know CloudWatch metrics for networking (NetworkIn/Out, connections), Logs Insights for querying flow logs, and alarms for automated response. Contributor Insights surfaces top talkers.

4.2 VPC Flow Logs ★★★ Core

Core troubleshooting tool. Know the record fields (srcaddr, dstaddr, action, bytes), how to interpret ACCEPT/REJECT, limitations (no packet payload, no DNS queries), and destinations (S3, CloudWatch Logs, Firehose).

4.3 VPC Traffic Mirroring ★★ Important

For deep packet inspection and forensics. Know sources (ENIs on Nitro instances), targets (NLB, ENI, GWLB endpoint), and filters. Traffic Mirroring captures actual packets, unlike Flow Logs.

4.4 VPC Reachability Analyzer and Network Access Analyzer ★★ Important

Reachability Analyzer tests path connectivity without sending packets — ideal for troubleshooting SG/NACL/route issues. Network Access Analyzer finds unintended network access across your VPCs.

4.5 Transit Gateway Network Manager ★ Light

Provides a global view of your network. Route Analyzer validates TGW routing. Events integrate with CloudWatch for monitoring connectivity changes. Light exam coverage.

4.6 Access logs (edge / load balancer) ★★ Important

Know where to find logs: ALB/NLB access logs go to S3, CloudFront has standard logs (S3) and real-time logs (Kinesis). Use these for request-level troubleshooting beyond what Flow Logs provide.

FAQ


Chapter 5 — Hybrid connectivity design: on-premises ↔ AWS

Maps to Task Statement 1.5 — Design a routing strategy and connectivity architecture between on-premises networks and the AWS Cloud

Knowledge of:

  • Routing protocol concepts (for example, static, dynamic, BGP)
  • High availability architectures (for example, clustering, active/passive)
  • Connectivity options for AWS and hybrid networks (for example, AWS VPN, AWS Direct Connect, AWS Transit Gateway, Transit VPC, SD-WAN, AWS PrivateLink, AWS Marketplace appliances)
  • Encryption options for AWS Site-to-Site VPN connectivity
  • Connectivity patterns for hybrid networks (for example, at the VPC level, at the TGW level, through a shared services VPC)

Skills in:

  • Designing a redundant hybrid network based on use case requirements (for example, Direct Connect, VPN)
  • Designing a BGP design that accounts for private ASNs, path prepending, and MED
  • Designing a routing policy based on use case requirements (for example, load balancing across links, BFD)
  • Designing an encapsulated traffic architecture using GRE
  • Designing VPN connectivity architectures (for example, static/dynamic, certificate-based, CloudHub)
  • Selecting AWS Marketplace appliances for a hybrid network

5.1 Routing fundamentals and BGP on AWS ★★★ Core

BGP is everywhere on this exam. Know AS_PATH prepending, local preference communities (7224:7100/7200/7300), MED, longest-prefix match, and BFD for fast failover. This section alone could be 5-8 questions.
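The tie-breaking order this section lists, worked through in code. This is an added example for the guide, not AWS code: a simplified model of how AWS picks between routes for one destination learned over Direct Connect (longest prefix, then the 7224:7xxx local-preference community, then AS_PATH length, then MED, with a full tie load-shared); the connection names and prefixes are constructed.

```python
"""Simplified model of path selection between Direct Connect routes for the
same destination: longest prefix, local-preference community, AS_PATH length,
MED, and ECMP when everything ties. Added example, not AWS code; it covers
only the tie-breakers this guide names, real BGP has further steps."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Local-preference communities AWS honours on Direct Connect.
LOCAL_PREF = {"7224:7100": 100, "7224:7200": 200, "7224:7300": 300}
DEFAULT_LOCAL_PREF = 200   # no community behaves like medium (7224:7200)


@dataclass(frozen=True)
class Route:
    prefix: str                   # e.g. "10.10.0.0/16"
    via: str                      # constructed label for the VIF/connection
    as_path: Tuple[int, ...]      # AS_PATH as received, prepends included
    med: int = 0
    communities: Tuple[str, ...] = ()

    @property
    def local_pref(self) -> int:
        # AWS expects one community per advertisement; take the first known one.
        for c in self.communities:
            if c in LOCAL_PREF:
                return LOCAL_PREF[c]
        return DEFAULT_LOCAL_PREF


def _plen(route: Route) -> int:
    return ipaddress.ip_network(route.prefix, strict=False).prefixlen


def best_paths(routes: List[Route], destination: str) -> List[Route]:
    """Path(s) used for `destination`: one route, or several when every
    tie-breaker is equal (traffic is then load-shared across them)."""
    dst = ipaddress.ip_address(destination)
    cands = [r for r in routes
             if dst in ipaddress.ip_network(r.prefix, strict=False)]
    if not cands:
        return []
    # 1. Longest prefix match always wins, whatever the attributes say.
    longest = max(_plen(r) for r in cands)
    cands = [r for r in cands if _plen(r) == longest]
    # 2. Highest local preference, set by the 7224:7xxx community.
    top = max(r.local_pref for r in cands)
    cands = [r for r in cands if r.local_pref == top]
    # 3. Shortest AS_PATH; prepending your ASN makes a path lose here.
    shortest = min(len(r.as_path) for r in cands)
    cands = [r for r in cands if len(r.as_path) == shortest]
    # 4. Lowest MED; anything still tied is ECMP.
    low = min(r.med for r in cands)
    return [r for r in cands if r.med == low]


def demo() -> dict:
    """Constructed advertisements from two DX connections, customer ASN 65000."""
    routes = [
        # Active/passive pair: the community decides, prepending is irrelevant.
        Route("10.10.0.0/16", "dx-primary", (65000,), communities=("7224:7300",)),
        Route("10.10.0.0/16", "dx-secondary", (65000, 65000, 65000),
              communities=("7224:7100",)),
        # A more specific prefix beats the preference games above.
        Route("10.10.5.0/24", "dx-secondary", (65000,), communities=("7224:7100",)),
        # Active/active, no communities, equal AS_PATH: both paths carry traffic.
        Route("10.20.0.0/16", "dx-a", (65000,)),
        Route("10.20.0.0/16", "dx-b", (65000,)),
        # Same, but one side prepends once: only the other path is used.
        Route("10.30.0.0/16", "dx-a", (65000,)),
        Route("10.30.0.0/16", "dx-b", (65000, 65000)),
    ]
    return {ip: [r.via for r in best_paths(routes, ip)]
            for ip in ("10.10.1.1", "10.10.5.9", "10.20.0.1", "10.30.0.1")}


if __name__ == "__main__":
    for ip, vias in demo().items():
        print(ip, "->", vias)
```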

5.2 AWS Site-to-Site VPN ★★★ Core

Know the two-tunnel design, accelerated VPN (uses Global Accelerator), static vs BGP routing, and IPsec options. VPN is the quick/cheap option; DX is for performance/consistency. 1.25 Gbps per tunnel limit.

5.3 AWS Direct Connect ★★★ Core

The biggest topic on the exam. Know dedicated vs hosted connections, private/public/transit VIFs, DXGW for multi-region, LAGs for aggregation, MACsec for encryption, SiteLink for DX-to-DX, and the resiliency models.

5.4 Encapsulation and encrypted overlays ★★ Important

Private IP VPN runs IPsec over DX transit VIF for encryption without public IPs. VPN CloudHub enables hub-and-spoke over VGW. TGW Connect uses GRE+BGP for SD-WAN integration.

5.5 SD-WAN integration ★ Light

TGW Connect attachments let SD-WAN appliances peer via GRE tunnels with BGP. Cloud WAN offers native SD-WAN-like policy. Light exam coverage but know the pattern.

FAQ

Deeper reading


Chapter 6 — Multi-account, multi-region, multi-VPC design

Maps to Task Statement 1.6 — Design a routing strategy and connectivity architecture that include multiple AWS accounts, AWS Regions, and VPCs to support different connectivity patterns

Knowledge of:

  • Inter-VPC and multi-account connectivity options (for example, VPC peering, AWS Transit Gateway, AWS PrivateLink)
  • Private application connectivity options (for example, DNS name resolution with Route 53, internal load balancers, EC2 instances)
  • Multi-Region connectivity options and considerations (for example, latency, convergence, cost)
  • AWS network sharing architectures (for example, shared services VPC, Transit Gateway, shared subnets)
  • Address overlap mitigation options

Skills in:

  • Connecting VPCs in different Regions and accounts based on business requirements
  • Evaluating the impact of address overlapping on connectivity options
  • Designing a multi-VPC solution based on multiple connectivity requirements
  • Selecting appropriate connectivity patterns based on performance, cost, and security requirements
  • Using IP Address Manager (IPAM) to design and implement IP allocation across AWS accounts, Regions, and VPCs

6.1 VPC fundamentals for designers ★★★ Core

Foundation for everything. Know route table precedence (longest prefix wins, local always wins within VPC), secondary CIDRs and their restrictions, IPv6 dual-stack, BYOIP, and IPAM for address management.

6.2 VPC peering ★★★ Core

Simple 1:1 connectivity. Critical limitations: no transitive routing, no edge-to-edge routing (can’t route through a peered VPC to reach on-prem). Inter-region peering works but has latency. Good for few VPCs.

6.3 AWS Transit Gateway ★★★ Core

The hub for multi-VPC networking. Know attachments (VPC, VPN, DX, peering, Connect), route tables, associations vs propagations, inter-region peering, and appliance mode for stateful inspection. Expect 5+ questions.

6.4 AWS Cloud WAN ★ Light

Newer service for global network management with policy-based routing. Know it exists as an alternative to TGW for very large, complex networks. Segments replace TGW route tables. Light exam coverage.

6.5 VPC endpoints and AWS PrivateLink

Interface endpoints (ENIs with private IPs) vs gateway endpoints (route table entries for S3/DynamoDB). PrivateLink lets you expose services across accounts without VPC peering. Endpoint policies control access.

6.6 VPC sharing (RAM) and IP overlap strategies ★★ Important

Shared VPCs reduce VPC sprawl — participants deploy into the owner’s subnets. RAM shares TGWs, subnets, Resolver rules. For IP overlaps: PrivateLink or NAT. Know when each pattern applies.

FAQ

Deeper reading (must-read whitepaper for this domain)


Part II — Domain 2: Network Implementation (26%)

Chapter 7 — Implementing on-premises ↔ AWS connectivity

Maps to Task Statement 2.1 — Implement routing and connectivity between on-premises networks and the AWS Cloud

Knowledge of:

  • Routing protocol concepts (for example, static, dynamic, BGP, ECMP)
  • VPN connectivity over AWS Direct Connect (public VIF, private VIF, transit VIF)
  • Connectivity options for hybrid networks (for example, AWS Site-to-Site VPN, AWS Direct Connect)

Skills in:

  • Configuring the physical components of AWS Direct Connect (for example, LOA-CFA, cross-connects, link aggregation groups [LAGs])
  • Ordering AWS Direct Connect connections and hosted connections
  • Configuring AWS Direct Connect virtual interfaces (private VIF, public VIF, transit VIF)
  • Configuring AWS Site-to-Site VPN (static, dynamic)

7.1 Physical layer and colocation ★★ Important

Know the LOA-CFA process, cross-connect ordering, and port speeds (1G/10G/100G/400G). Dedicated connections are physical ports you own; hosted connections come from partners.

7.2 Configuring the Site-to-Site VPN ★★ Important

Two tunnels per connection for HA. Know Dead Peer Detection, NAT-T, and the importance of configuring both tunnels. Download config files for specific CGW vendors from the console.

7.3 Configuring Direct Connect VIFs ★★★ Core

Private VIF → VGW/DXGW for VPC access. Public VIF → AWS public services. Transit VIF → DXGW+TGW for scalable multi-VPC. Know the limits: 10 VGWs per DXGW, 3 TGWs per DXGW, 20 prefixes per TGW association.

7.4 Load balancing implementation details ★★ Important

Practical implementation: registering targets, cross-zone behaviour (enabled by default on ALB, opt-in on NLB), and the newer NLB security groups feature for easier access control.

7.5 Testing connectivity ★★ Important

Use Reachability Analyzer for path analysis, TGW Route Analyzer for TGW routing validation, and DX failover tests to verify resiliency. These tools validate the configuration without sending production traffic.

FAQ


Chapter 8 — Implementing multi-account, multi-region, multi-VPC connectivity

Maps to Task Statement 2.2 — Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns

Knowledge of:

  • Inter-VPC and multi-account connectivity options (for example, VPC peering, AWS Transit Gateway, AWS PrivateLink)
  • Routing protocol concepts (for example, static, dynamic)
  • How to configure Direct Connect Gateway for multiple accounts in AWS Organizations
  • AWS Resource Access Manager (AWS RAM) for multi-account resource sharing

Skills in:

  • Configuring network connectivity using VPC peering and Transit Gateway
  • Configuring VPNs for Transit Gateway
  • Configuring inter-Region Transit Gateway peering
  • Configuring Direct Connect Gateway for multiple accounts in AWS Organizations
  • Configuring AWS PrivateLink to share services with other accounts

8.1 AWS Organizations and Resource Access Manager (RAM) ★★ Important

RAM shares networking resources across accounts: TGWs, subnets, DXGW, Resolver rules, prefix lists. Organizations enables sharing within the org without explicit invitations.

8.2 Building a hub-and-spoke with Transit Gateway ★★★ Core

Core pattern. Associations determine which route table an attachment uses for routing decisions. Propagations populate routes automatically. Use multiple route tables for segmentation (prod/dev/shared).

8.3 AWS Client VPN ★ Light

Remote access VPN for users. Know mutual auth (certificates) vs federated auth (SAML), authorization rules, and split-tunnel (only AWS traffic through VPN) vs full-tunnel. Light exam coverage.

8.4 Security at network boundaries ★★★ Core

Security groups are stateful (return traffic auto-allowed), NACLs are stateless (need explicit rules for both directions). Know the numbered-rule evaluation for NACLs and SG referencing across peered VPCs.

FAQ


Chapter 9 — Implementing complex hybrid and multi-account DNS

Maps to Task Statement 2.3 — Implement complex hybrid and multi-account DNS architectures

Knowledge of:

  • When to use private hosted zones and Resolver endpoints
  • How to use Route 53 Resolver endpoints
  • AWS RAM for sharing Route 53 resources

Skills in:

  • Configuring Route 53 public, private, and split-horizon DNS
  • Configuring Route 53 Resolver endpoints in a hybrid network
  • Configuring Route 53 Resolver rules to forward DNS queries for multi-account architecture and for integration with on-premises DNS infrastructure
  • Using AWS RAM to share Route 53 Resolver rules

9.1 Hybrid DNS patterns ★★★ Core

Inbound endpoints: on-prem resolvers forward to AWS. Outbound endpoints: VPC resolver forwards to on-prem. Conditional forwarding rules determine which domains go where. Share rules via RAM.

9.2 Multi-account DNS with RAM ★★ Important

Share Resolver rules and PHZ associations across accounts. PHZ cross-account association requires CLI/API — can’t be done in console. Centralise DNS in a shared-services account.

9.3 Private hosted zone behaviour ★★ Important

PHZs resolve only within associated VPCs. enableDnsHostnames and enableDnsSupport must be true. Overlapping namespaces: most-specific match wins. Split-horizon: same domain, different answers public vs private.

9.4 Monitoring and logging DNS ★ Light

Query logging for public zones goes to CloudWatch Logs. Resolver query logs capture VPC-level DNS queries. Use for troubleshooting resolution issues and security analysis.

Deeper reading


Chapter 10 — Network automation and infrastructure as code

Maps to Task Statement 2.4 — Automate and configure network infrastructure

Knowledge of:

  • How to script interactions with AWS APIs using the AWS CLI
  • How to use AWS CloudFormation to deploy automation
  • How to use Amazon EventBridge to trigger events

Skills in:

  • Creating and managing AWS CloudFormation StackSets
  • Implementing automation for VPC subnet and NACL creation
  • Implementing automation for VPC route management
  • Implementing automation for DNS (for example, Route 53 private hosted zone associations, Route 53 Resolver endpoints)
  • Implementing automation for load balancers (for example, ALB, NLB, GWLB)
  • Using CloudFormation to create Lambda functions for network automation

10.1 AWS CloudFormation for networking ★ Light

Know that CloudFormation can provision VPCs, TGWs, and all networking resources. StackSets deploy across accounts/regions. Light exam coverage — focus on what you can automate, not deep CFN syntax.

10.2 AWS CDK ★ Light

CDK uses familiar programming languages to define infrastructure. The aws-ec2 module covers VPCs, subnets, SGs. Light exam coverage.

10.3 Event-driven network automation ★ Light

EventBridge captures VPC/TGW events; Lambda can respond automatically. Example: auto-approve TGW attachment requests. Know the pattern exists; deep implementation details are rare on the exam.
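The auto-approve pattern mentioned above, written with the check a defender would insist on: accept a pending TGW VPC attachment only when the requesting account is on an allow-list, and reject it otherwise. This is an added example for the guide, not AWS code. The event layout (an attachment id under `detail`), the ALLOWED_ACCOUNTS values and the FakeEc2 stand-in are assumptions; the three `ec2` calls are real boto3 EC2 operations.

```python
"""Lambda handler that accepts pending Transit Gateway VPC attachments from
allow-listed accounts and rejects the rest. Added example, not AWS code."""
import os
from typing import Optional

# Accounts allowed to attach to the shared TGW (placeholder ids; a real
# deployment would read them from the ALLOWED_ACCOUNTS environment variable).
ALLOWED_ACCOUNTS = frozenset(
    a for a in os.environ.get("ALLOWED_ACCOUNTS", "111111111111,222222222222").split(",") if a
)


def attachment_id_from_event(event: dict) -> Optional[str]:
    """Assumed event layout: {"detail": {"transitGatewayAttachmentId": "tgw-attach-..."}}.
    Returns None when the id is missing or does not look like an attachment id."""
    detail = event.get("detail") or {}
    att_id = detail.get("transitGatewayAttachmentId")
    if isinstance(att_id, str) and att_id.startswith("tgw-attach-"):
        return att_id
    return None


def decide(ec2, att_id: str, allowed) -> str:
    """Accept if pending and owned by an allow-listed account; returns
    'accepted', 'rejected' or 'ignored'."""
    resp = ec2.describe_transit_gateway_vpc_attachments(TransitGatewayAttachmentIds=[att_id])
    atts = resp.get("TransitGatewayVpcAttachments", [])
    if not atts or atts[0].get("State") != "pendingAcceptance":
        return "ignored"                 # already handled, or not awaiting us
    if atts[0].get("VpcOwnerId") not in allowed:
        # Reject explicitly rather than leaving an unknown request pending.
        ec2.reject_transit_gateway_vpc_attachment(TransitGatewayAttachmentId=att_id)
        return "rejected"
    ec2.accept_transit_gateway_vpc_attachment(TransitGatewayAttachmentId=att_id)
    return "accepted"


def handler(event: dict, context=None, ec2=None, allowed=None) -> dict:
    """Lambda entry point; `ec2` and `allowed` are injectable for offline tests."""
    if ec2 is None:
        import boto3                      # only needed inside Lambda
        ec2 = boto3.client("ec2")
    allowed = ALLOWED_ACCOUNTS if allowed is None else allowed
    att_id = attachment_id_from_event(event)
    if att_id is None:
        return {"attachment": None, "result": "ignored"}
    return {"attachment": att_id, "result": decide(ec2, att_id, allowed)}


class FakeEc2:
    """Constructed stand-in for the boto3 EC2 client so the logic runs offline."""

    def __init__(self, attachments: dict):
        self.attachments = attachments    # id -> {"State": ..., "VpcOwnerId": ...}
        self.calls = []

    def describe_transit_gateway_vpc_attachments(self, TransitGatewayAttachmentIds):
        found = [dict(TransitGatewayAttachmentId=i, **self.attachments[i])
                 for i in TransitGatewayAttachmentIds if i in self.attachments]
        return {"TransitGatewayVpcAttachments": found}

    def accept_transit_gateway_vpc_attachment(self, TransitGatewayAttachmentId):
        self.calls.append(("accept", TransitGatewayAttachmentId))
        self.attachments[TransitGatewayAttachmentId]["State"] = "pending"

    def reject_transit_gateway_vpc_attachment(self, TransitGatewayAttachmentId):
        self.calls.append(("reject", TransitGatewayAttachmentId))
        self.attachments[TransitGatewayAttachmentId]["State"] = "rejected"


def demo() -> dict:
    """Three constructed attachment requests plus one malformed event."""
    fake = FakeEc2({
        "tgw-attach-0aaa": {"State": "pendingAcceptance", "VpcOwnerId": "111111111111"},
        "tgw-attach-0bbb": {"State": "pendingAcceptance", "VpcOwnerId": "999999999999"},
        "tgw-attach-0ccc": {"State": "available", "VpcOwnerId": "111111111111"},
    })
    allowed = {"111111111111", "222222222222"}
    results = {}
    for i in ("tgw-attach-0aaa", "tgw-attach-0bbb", "tgw-attach-0ccc"):
        evt = {"detail": {"transitGatewayAttachmentId": i}}
        results[i] = handler(evt, ec2=fake, allowed=allowed)["result"]
    results["malformed"] = handler({"detail": {}}, ec2=fake, allowed=allowed)["result"]
    results["calls"] = fake.calls
    return results


if __name__ == "__main__":
    print(demo())
```

The Lambda role needs only the three EC2 actions used here; in practice scope the EventBridge rule to the TGW's own account so other accounts cannot trigger the function.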

10.4 AWS CLI and SDKs ★ Light

CLI and SDKs for scripting network operations. Know they exist for automation scenarios. Exam rarely tests specific CLI commands.

FAQ


Part III — Domain 3: Network Management and Operation (20%)

Chapter 11 — Maintaining routing and connectivity

Maps to Task Statement 3.1 — Maintain routing and connectivity on AWS and hybrid networks

Knowledge of:

  • Industry-standard routing protocols that are used in AWS hybrid networks (for example, BGP over Direct Connect)
  • Routing tables for AWS services (for example, Amazon VPC, Transit Gateway)
  • Connectivity options for AWS and hybrid networks (for example, AWS VPN, AWS Direct Connect, Transit Gateway)
  • How to analyze route tables and BGP advertisements

Skills in:

  • Diagnosing asymmetric routing issues
  • Extending a VPC CIDR
  • Correcting asymmetric routing issues
  • Maintaining Direct Connect connectivity
  • Maintaining VPN connectivity

11.1 BGP operations over Direct Connect and VPN ★★★ Core

Operational BGP knowledge is heavily tested. Know how to troubleshoot BGP sessions, interpret route advertisements, and use DXGW allowed prefixes to filter. Understand route priority in VPCs.

11.2 Quotas that matter for the exam ★★ Important

Know key limits: 5 VPCs/region (soft), 200 subnets/VPC, 5000 SG rules, 1.25 Gbps per VPN tunnel, 100 Gbps per DX, 50 routes per TGW route table (soft). Quotas appear in “what’s wrong” scenarios.

11.3 Route table operations ★★ Important

TGW propagations auto-populate routes; static routes override. Blackhole routes drop traffic intentionally. Route table sizing: default 50, up to 1000. Know how to interpret route table conflicts.

11.4 Public vs private access to AWS services ★★★ Core

Gateway endpoints (S3/DynamoDB) use route table entries — free. Interface endpoints use ENIs with private IPs — charged per hour and per GB. Public VIF on DX reaches all AWS public endpoints.


Chapter 12 — Monitoring and troubleshooting connectivity

Maps to Task Statement 3.2 — Monitor and analyze network traffic to troubleshoot and optimize connectivity patterns

Knowledge of:

  • Network troubleshooting tools (for example, VPC flow logs, Traffic Mirroring, VPC Reachability Analyzer, Transit Gateway Network Manager)
  • Network metrics and statistics (for example, packet drop, latency)
  • CloudWatch metrics and agents

Skills in:

  • Analyzing VPC flow logs to identify traffic anomalies and patterns
  • Implementing Traffic Mirroring solutions to capture and inspect network traffic
  • Implementing CloudWatch alarms to alert on network issues
  • Using VPC Reachability Analyzer to verify and troubleshoot network paths
  • Using Transit Gateway Route Analyzer to verify routes

12.1 Flow Logs for troubleshooting ★★★ Core

Interpret flow log records: ACCEPT means SG/NACL allowed, REJECT means blocked. Query with Athena or CloudWatch Logs Insights. Know the action field patterns for troubleshooting connectivity.
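A parser for the default flow log record format covered in 4.2 and in this section, with the interpretation the exam expects: count REJECTs per source, flag sources whose rejected flows spread across several destination ports, and rank accepted byte counts. This is an added example for the guide, not AWS code; the sample records are constructed with placeholder account, ENI and address values.

```python
"""Parse VPC Flow Log records (default format) and summarise them.
Added example for this guide, not AWS code; the sample records are constructed
with placeholder account, ENI and address values."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Field order of the default (version 2) flow log format.
FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status")


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: Optional[int]   # None when the field is '-' (NODATA / SKIPDATA)
    dstport: Optional[int]
    protocol: Optional[int]  # IANA number: 6 = TCP, 17 = UDP, 1 = ICMP
    packets: int
    bytes: int
    action: str              # ACCEPT, REJECT, or '-'
    log_status: str          # OK, NODATA, or SKIPDATA


def _num(value: str) -> Optional[int]:
    return None if value == "-" else int(value)


def parse_record(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for a malformed line."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    f = dict(zip(FIELDS, parts))
    return FlowRecord(f["interface-id"], f["srcaddr"], f["dstaddr"],
                      _num(f["srcport"]), _num(f["dstport"]), _num(f["protocol"]),
                      _num(f["packets"]) or 0, _num(f["bytes"]) or 0,
                      f["action"], f["log-status"])


def parse_flow_logs(text: str) -> list:
    """Parse every line, skipping blanks and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        rec = parse_record(line) if line.strip() else None
        if rec is not None and rec.log_status == "OK":
            records.append(rec)
    return records


def rejects_by_source(records) -> Counter:
    """REJECT count per source. A REJECT means a security group or NACL
    dropped the flow; the record does not say which, so pair it with
    Reachability Analyzer when troubleshooting."""
    return Counter(r.srcaddr for r in records if r.action == "REJECT")


def probing_sources(records, min_ports: int = 2) -> dict:
    """Sources whose rejected flows hit at least `min_ports` distinct
    destination ports: a cheap indicator of port probing against an ENI."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT" and r.dstport is not None:
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def top_talkers(records, n: int = 3) -> list:
    """(srcaddr, dstaddr) pairs ranked by accepted bytes, the kind of view
    Contributor Insights gives over the same data."""
    totals = Counter()
    for r in records:
        if r.action == "ACCEPT":
            totals[(r.srcaddr, r.dstaddr)] += r.bytes
    return totals.most_common(n)


# Constructed sample records: one HTTPS exchange, three rejected probes, one
# NODATA interval. Account id, ENI id and addresses are placeholders.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.2.14 49152 443 6 12 3840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.14 10.0.1.25 443 49152 6 10 61440 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 51234 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 51235 3389 6 1 44 1700000005 1700000065 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.25 40000 22 6 1 44 1700000010 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE)
    print("rejects by source:", rejects_by_source(recs))
    print("probing sources:", probing_sources(recs))
    print("top talkers:", top_talkers(recs))
```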

12.2 Traffic Mirroring for packet capture ★★ Important

When you need actual packets (not just metadata). Mirror to NLB or ENI running packet capture tools. Filters select which traffic to mirror. Use for deep troubleshooting and security forensics.

12.3 Reachability Analyzer ★★ Important

Tests path connectivity by analysing config — no packets sent. Identifies where traffic would be blocked (SG, NACL, route table). Great for “why can’t I connect” troubleshooting.

12.4 Packet-size and MTU troubleshooting ★★ Important

VPC supports 9001 MTU (jumbo frames) within a VPC. TGW/DX may have lower limits. Path MTU discovery requires ICMP type 3 code 4 — ensure SGs/NACLs allow it. Common exam troubleshooting scenario.

12.5 CloudTrail for network-config auditing ★ Light

CloudTrail logs API calls for compliance auditing. Know it captures who made VPC/TGW changes, not traffic data. Use for investigating configuration changes.

FAQ


Chapter 13 — Performance, reliability, and cost optimisation

Maps to Task Statement 3.3 — Optimize AWS networks for performance, reliability, and cost-effectiveness

Knowledge of:

  • How enhanced networking on EC2 instances works
  • Networking costs (for example, data transfer costs, NAT gateway data processing costs)
  • Different methods for sizing network bandwidth (for example, VPN, Direct Connect)
  • How network loads affect cost and performance

Skills in:

  • Designing a VPC connectivity solution that accounts for cost and performance
  • Optimizing bandwidth for hybrid networks (for example, VPN, Direct Connect)
  • Optimizing edge network services (for example, CloudFront, Global Accelerator)
  • Optimizing EC2 networking (for example, placement groups, enhanced networking)

13.1 Network performance on EC2 ★★ Important

ENA enables up to 200 Gbps on supported instances. EFA adds OS-bypass for HPC/ML. Cluster placement groups for lowest latency. Network bandwidth scales with instance size.

13.2 Choosing a connectivity pattern and data transfer costs

Decision tree: few VPCs → peering; many VPCs or hybrid → TGW; specific service exposure → PrivateLink; encrypted over internet → VPN. Know data transfer costs: peering is cheapest within-region.

13.3 Multicast ★ Light

TGW Multicast enables one-to-many distribution. Know it exists for media streaming and financial data use cases. IGMPv2 support for dynamic group membership. Light exam coverage.

13.4 NAT options ★★★ Core

NAT gateway for internet egress (45 Gbps, scales automatically). Private NAT gateway for VPC-to-VPC with overlapping CIDRs. Egress-only IGW for IPv6 outbound. NAT instances are legacy but may appear.

13.5 Subnet and IP optimisation ★★ Important

Plan CIDR ranges to avoid overlaps. Secondary CIDRs have restrictions (can’t overlap with existing). IPAM automates IP allocation across accounts. 5 IPs reserved per subnet.

13.6 Global Accelerator for performance ★★ Important

Static anycast IPs route to nearest AWS edge, then traverse the AWS backbone. Custom routing accelerators map clients 1:1 to endpoints — useful for gaming. Know when GA beats CloudFront.

FAQ


Part IV — Domain 4: Network Security, Compliance, and Governance (24%)

Chapter 14 — Implementing network security controls

Maps to Task Statement 4.1 — Implement and maintain network features to meet security and compliance needs and requirements

Knowledge of:

  • Different threat models based on application architecture
  • Common security threats (for example, DDoS, SQL injection, cross-site scripting, credential stuffing, session hijacking, web scraping)
  • How to implement security mechanisms (for example, security groups, network ACLs, AWS WAF, AWS Shield, AWS Firewall Manager)
  • Network access controls in AWS environments (for example, NAT gateways, VPC endpoints, AWS PrivateLink)
  • Infrastructure as code (IaC) tools (for example, Terraform, CloudFormation, AWS CDK)

Skills in:

  • Designing an AWS Network Firewall architecture
  • Configuring security groups and network ACLs to meet security requirements
  • Configuring NAT gateways
  • Configuring VPC endpoints
  • Configuring AWS WAF to protect web applications
  • Configuring AWS Shield to protect applications

14.1 Ingress protection: WAF, Shield, CloudFront ★★★ Core

WAF protects against SQLi, XSS, bad bots via web ACLs and rules. Shield Standard is free DDoS protection; Advanced adds 24/7 SRT support and cost protection. Know which resources WAF attaches to.

14.2 AWS Network Firewall ★★★ Core

Managed firewall for VPC. Stateless rules evaluate first (like NACLs), then stateful (Suricata-compatible). Deployment models: centralised (inspection VPC) vs distributed. Know logging options: alert, flow, TLS.

14.3 Centralised egress and inspection VPCs ★★★ Core

Core design pattern: route all traffic through a central inspection VPC with Network Firewall or GWLB+appliances. TGW appliance mode ensures symmetric routing for stateful inspection. Know the traffic flow.

14.4 AWS Firewall Manager ★★ Important

Central management for WAF, Shield, SGs, Network Firewall, and DNS Firewall policies across accounts. Requires Organizations. Auto-remediates non-compliant resources.

14.5 Security groups, NACLs, and endpoint policies ★★★ Core

SGs: stateful, allow-only, all rules evaluated (any match allows). NACLs: stateless, numbered rules evaluated in order (first match wins). Endpoint policies restrict which principals/actions are allowed through a VPC endpoint. Know prefix lists.
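The SG-versus-NACL distinction from 8.4 and this section, simulated: the security group evaluates every rule and tracks state so the reply half of a connection passes without a rule of its own, while the NACL walks numbered rules in order, stops at the first match, and needs an explicit outbound rule for the ephemeral port range. This is an added example for the guide, not AWS code; the rules, addresses and ports are constructed.

```python
"""Simulate a security group (stateful, all rules evaluated, allow-only) and
a network ACL (stateless, numbered rules, first match wins, implicit deny).
Added example, not AWS code; rules and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    direction: str    # "inbound" or "outbound", relative to the instance/subnet
    protocol: str     # "tcp", "udp" or "icmp"
    remote_ip: str    # the peer's address
    remote_port: int  # the peer's port
    local_port: int   # our port


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str            # "tcp", "udp", "icmp", or "-1" for all
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"    # NACLs may also "deny"; SGs are allow-only
    number: int = 0          # NACL rule number (ignored for SGs)

    def matches(self, flow: Flow) -> bool:
        if self.direction != flow.direction:
            return False
        if self.protocol != "-1" and self.protocol != flow.protocol:
            return False
        net = ipaddress.ip_network(self.cidr, strict=False)
        if ipaddress.ip_address(flow.remote_ip) not in net:
            return False
        # A rule's port range is the packet's destination port: our port for
        # inbound packets, the peer's port for outbound ones.
        port = flow.local_port if flow.direction == "inbound" else flow.remote_port
        return self.port_from <= port <= self.port_to


class SecurityGroup:
    """Stateful: every rule is evaluated and any allow matches; the return
    half of a tracked connection passes with no rule of its own. Only the
    rules given are modelled (a real default SG also allows all outbound)."""

    def __init__(self, rules: List[Rule]):
        self.rules = [r for r in rules if r.action == "allow"]
        self._tracked: Set[Tuple[str, str, int, int]] = set()

    def evaluate(self, flow: Flow) -> bool:
        key = (flow.protocol, flow.remote_ip, flow.remote_port, flow.local_port)
        if key in self._tracked:
            return True                  # reply of a connection we allowed
        if any(r.matches(flow) for r in self.rules):
            self._tracked.add(key)       # remember it so the reply passes
            return True
        return False


class NetworkAcl:
    """Stateless: rules are checked in ascending number order, the first
    match decides, and the implicit '*' rule denies everything else."""

    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, flow: Flow) -> bool:
        for r in self.rules:
            if r.matches(flow):
                return r.action == "allow"
        return False


def demo() -> dict:
    """A client at 203.0.113.10:50000 opens TCP 443 to us; the reply leaves
    from our port 443 to the client's port 50000."""
    request = Flow("inbound", "tcp", "203.0.113.10", 50000, 443)
    reply = Flow("outbound", "tcp", "203.0.113.10", 50000, 443)
    sg = SecurityGroup([Rule("inbound", "tcp", "0.0.0.0/0", 443, 443)])
    # NACL with only the inbound rule: stateless, so the reply is dropped.
    nacl_missing_return = NetworkAcl([
        Rule("inbound", "tcp", "0.0.0.0/0", 443, 443, "allow", 100),
    ])
    # Corrected NACL: outbound ephemeral-port rule, and a deny numbered
    # below the broad allow so that rule order, not rule count, decides.
    nacl_ok = NetworkAcl([
        Rule("inbound", "tcp", "198.51.100.0/24", 443, 443, "deny", 90),
        Rule("inbound", "tcp", "0.0.0.0/0", 443, 443, "allow", 100),
        Rule("outbound", "tcp", "0.0.0.0/0", 1024, 65535, "allow", 100),
    ])
    denied_client = Flow("inbound", "tcp", "198.51.100.5", 50000, 443)
    return {
        "sg_request": sg.evaluate(request),
        "sg_reply": sg.evaluate(reply),
        "nacl_missing_reply": nacl_missing_return.evaluate(reply),
        "nacl_ok_request": nacl_ok.evaluate(request),
        "nacl_ok_reply": nacl_ok.evaluate(reply),
        "nacl_ok_denied_client": nacl_ok.evaluate(denied_client),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'dropped'}")
```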

FAQ

Deeper reading


Chapter 15 — Auditing and logging for security

Maps to Task Statement 4.2 — Validate and audit security by using network monitoring and logging services

Knowledge of:

  • AWS network-related logging and monitoring services (for example, CloudWatch, AWS CloudTrail, VPC flow logs, VPC Traffic Mirroring, Transit Gateway Network Manager)
  • AWS security services (for example, AWS Firewall Manager, AWS Config, Amazon GuardDuty, Amazon Inspector)

Skills in:

  • Verifying network security controls by using VPC flow logs, Traffic Mirroring, and CloudTrail logs
  • Configuring logging for security purposes (for example, VPC flow logs, access logs, AWS WAF logs)
  • Configuring CloudWatch alarms for network security events
  • Capturing baseline network performance

15.1 Multi-source log strategy ★★ Important

Combine multiple log sources: Flow Logs for metadata, Traffic Mirroring for packets, CloudTrail for API calls. Send to S3, CloudWatch Logs, or Firehose. Know which log answers which question.
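As an added example (not from the exam guide or AWS docs) of using Flow Logs to verify a security control, the script below parses default-format (v2) flow log records and flags accepted inbound flows from non-private sources on unexpected ports; the account id, ENI id and log lines are constructed sample data.

```python
"""Added example, not from the exam guide or AWS docs: parse default-format (v2) VPC
flow log records and check them against an expected ingress policy. The account id,
ENI id and log lines below are constructed sample data."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Field order of the default flow log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PRIVATE = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51514 443 6 9 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.10 40222 22 6 1 60 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40223 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 33000 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse(text):
    """Yield one dict per usable record; NODATA/SKIPDATA lines carry no flow fields."""
    for line in text.splitlines():
        rec = dict(zip(FIELDS, line.split()))
        if rec.get("log_status") != "OK":
            continue
        rec["srcport"], rec["dstport"] = int(rec["srcport"]), int(rec["dstport"])
        yield rec

def _private(addr):
    return any(ip_address(addr) in net for net in PRIVATE)

def audit(text, allowed_internet_ports=frozenset({443})):
    """Return (findings, rejects). A finding is an ACCEPTed inbound flow from a
    non-private source on a port the policy did not expect, i.e. the SG/NACL is more
    open than intended. rejects counts REJECTed destination ports (what the controls
    are actually dropping), which is the flow-log view of the same question."""
    findings, rejects = [], Counter()
    for rec in parse(text):
        inbound = _private(rec["dstaddr"]) and not _private(rec["srcaddr"])
        if rec["action"] == "REJECT":
            rejects[rec["dstport"]] += 1
        elif inbound and rec["dstport"] not in allowed_internet_ports:
            findings.append((rec["srcaddr"], rec["dstport"], rec["interface_id"]))
    return findings, rejects
```

On the sample, `audit(SAMPLE)` reports the accepted SSH connection from 198.51.100.4 as a finding and shows one rejected RDP attempt; flow logs carry only metadata, so confirming what was inside the SSH session would need Traffic Mirroring, and who changed the rule would need CloudTrail.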

15.2 Delivery destinations ★ Light

Flow Logs, Resolver query logs, and other network logs can go to S3 (long-term, cheap), CloudWatch Logs (search/alerts), or Firehose (real-time streaming). Know the trade-offs.

15.3 CloudWatch alarms and automation ★ Light

Set alarms on network metrics (high traffic, dropped packets). Composite alarms combine multiple conditions. EventBridge + SSM Automation can auto-remediate. Light exam coverage.

15.4 Config and Trusted Advisor ★ Light

Config records resource configurations and evaluates compliance rules (e.g., “all VPCs must have flow logs”). Trusted Advisor checks for SG rules allowing 0.0.0.0/0. Light exam coverage.

FAQ


Chapter 16 — Confidentiality and encryption in transit

Maps to Task Statement 4.3 — Implement and maintain confidentiality of data and communications of the network

Knowledge of:

  • Network encryption options that are available on AWS
  • VPN connectivity over AWS Direct Connect
  • Encryption methods for data in transit (for example, IPsec, TLS)
  • Network encryption under the AWS shared responsibility model
  • Security methods for DNS communications (for example, DNSSEC)

Skills in:

  • Implementing network encryption by using AWS services (for example, Site-to-Site VPN, Client VPN)
  • Implementing network encryption by using third-party vendor appliances
  • Implementing TLS on AWS network services (for example, CloudFront, load balancers, API Gateway)
  • Implementing MACsec for Direct Connect connections

16.1 TLS on AWS edge services ★★ Important

ACM provides free public certificates (auto-renewed). ACM Private CA for internal PKI. Know TLS termination points: ALB, NLB (TLS listener), CloudFront, API Gateway. mTLS for client certificate auth.

16.2 IPsec / VPN encryption ★★ Important

Site-to-Site VPN uses IPsec with configurable cipher suites. IKEv2 preferred. Private IP VPN runs IPsec over DX transit VIF — encryption without public IPs. Know FIPS endpoints exist.

16.3 MACsec on Direct Connect ★★ Important

MACsec provides Layer 2 encryption on dedicated DX connections (10G/100G). Know that it is hop-by-hop between your router and AWS and that it requires MACsec-capable hardware. Use it for compliance when DX encryption is required.

16.4 Shared-responsibility boundary for network encryption ★ Light

AWS encrypts backbone traffic between regions/AZs. You’re responsible for encrypting within VPCs and to on-prem. Know where encryption responsibility lies for each connectivity option.

16.5 Secure DNS ★ Light

DNSSEC prevents DNS spoofing via cryptographic signatures. DNS Firewall blocks queries to known-bad domains. Light exam coverage but know both exist for DNS security.

FAQ


Appendix A — Services list (in-scope) quick-link index

A concise alphabetical index of every in-scope service from the exam guide, each linking to its canonical user/developer guide and FAQ.

Service                   | User guide | FAQ
API Gateway               | Guide      | FAQ
App Mesh                  | Guide      | FAQ
Auto Scaling (EC2)        | Guide      | FAQ
Certificate Manager (ACM) | Guide      | FAQ
Client VPN                | Guide      | FAQ
Cloud Map                 | Guide      | FAQ
Cloud WAN                 | Guide      | FAQ
CloudFormation            | Guide      | FAQ
CloudFront                | Guide      | FAQ
CloudTrail                | Guide      | FAQ
CloudWatch                | Guide      | FAQ
Config                    | Guide      | FAQ
Direct Connect            | Guide      | FAQ
EC2                       | Guide      | FAQ
EKS                       | Guide      | FAQ
Elastic Load Balancing    | Guide      | FAQ
EventBridge               | Guide      | FAQ
Firewall Manager          | Guide      | FAQ
Global Accelerator        | Guide      | FAQ
IAM                       | Guide      | FAQ
Lambda                    | Guide      | FAQ
Network Firewall          | Guide      | FAQ
Organizations             | Guide      | FAQ
PrivateLink               | Guide      | FAQ
Resource Access Manager   | Guide      | FAQ
Route 53                  | Guide      | FAQ
S3                        | Guide      | FAQ
Shield                    | Guide      | FAQ
Site-to-Site VPN          | Guide      | FAQ
Transit Gateway           | Guide      | FAQ
Trusted Advisor           | Guide      | (see Support FAQ)
VPC                       | Guide      | FAQ
WAF                       | Guide      | FAQ

Appendix B — Essential whitepapers and reference guides


Appendix C — A suggested 8-week study plan

  • Weeks 1–2: Chapters 1–6 (Domain 1 — Network Design). Read both whitepapers as you go.
  • Week 3: Chapters 7–10 (Domain 2 — Implementation). Build a TGW hub-and-spoke in a sandbox account.
  • Week 4: Chapters 11–13 (Domain 3 — Operations). Practise with Reachability Analyzer and Flow Logs on your sandbox.
  • Week 5: Chapters 14–16 (Domain 4 — Security). Deploy Network Firewall in a centralised inspection VPC.
  • Week 6: Cycle through every FAQ page in Appendix A. These are gold for distractor-elimination on exam day.
  • Week 7: Practice exams (Tutorials Dojo, official AWS sample questions). Note the topics you miss and revisit the relevant chapter.
  • Week 8: Focused review on weak areas. Take the official Exam Readiness course on Skill Builder again at 1.5x speed.

Last refreshed against AWS documentation: April 2026. If a link returns 404, AWS has reorganised the docs — search the page title to find its new home.