This blog post shares 10 specific topics that candidates should understand before taking the AWS Certified Advanced Networking – Specialty exam. The reader will learn what to expect during the exam and how to prepare. The post is geared toward IT professionals who are pursuing the certification and looking for advice on their preparation to pass the exam.
The experience of studying for the exam strengthened my understanding considerably. As part of my preparation for the exam, I built networks within my AWS account and tested scenarios using services such as AWS Global Accelerator. I find getting hands on with technology is a great way to solidify my knowledge. Since passing the exam and achieving the certification, I’ve found that I’m better prepared to help customers consider network-design options. I would encourage any architect or engineer with an interest in this area to pursue this certification.
During the last few years working as a solutions architect at Amazon Web Services (AWS), I’ve had the opportunity to work with numerous customers building resilient network connectivity between their data centers and AWS regions. As my knowledge of networking in AWS increased, I decided to study for the AWS Certified Advanced Networking – Specialty exam. The exam validates networking expertise and verifies the learner’s ability to implement AWS network services to meet performance, cost, and security requirements.
AWS Training and Certification offers a mix of free, on-demand digital courses, virtual/in-person instructor-led classroom training, virtual webinars, and an exam-readiness course to help you build your knowledge. I encourage you to utilize the training as well as my suggestions for 10 study areas to review as you prepare for the AWS Certified Advanced Networking – Specialty exam.
The exam covers numerous networking topics in depth. Foundational knowledge of networking topics, such as the Open Systems Interconnection (OSI) model, IPv4 addressing and Classless Inter-Domain Routing (CIDR), IP-routing logic, and subnetting are required. Based on my experience, I would recommend completing either the AWS Certified SysOps Administrator – Associate or AWS Certified Solutions Architect – Associate exam before taking this specialty exam.
- 1 Areas of study
- 1.1 Automate network management using AWS CloudFormation
- 1.2 Hybrid network-connectivity options
- 1.3 Edge network services
- 1.4 Designs for reliability
- 1.5 AWS global infrastructure and how to deploy foundational network elements
- 1.6 Security and compliance
- 1.7 Network configuration options for high performance applications
- 1.8 Inter-VPC connectivity options
- 1.9 Integrate VPC networks with other AWS services
- 1.10 Methods to simplify network management and troubleshooting
- 2 Before taking the exam
- 3 The value of certification
- 4 What next?
- 5 Share this:
- 6 Like this:
Areas of study
Automate network management using AWS CloudFormation
Infrastructure as code is the ability to build up and tear down entire environments programmatically and automatically. It enables a rapid deployment of infrastructure, enabling organizations to operate with great agility. It also provides the ability to rebuild infrastructure rapidly, increasing resilience. CloudFormation is infrastructure as code. It provides the ability to manage your network configuration through simple JSON or YAML. It’s important to understand how CloudFormation can deploy network infrastructure and how it can safely update configurations using features such as change sets and deletion policies. These features enable you to manage the entire lifecycle of your network components. Consider the following resources:
- Documentation: How do I retain some of my resources when I delete an AWS CloudFormation stack?
- Documentation: Updating stacks using change sets
Hybrid network-connectivity options
For use cases requiring higher bandwidth, consistent network performance, or increased privacy, AWS Direct Connect may be more appropriate. Many AWS customers rely on VPNs to provide private connectivity between infrastructure in AWS and on-premises resources. These connectivity solutions are often critical in enabling migration to AWS. Consider the following resources:
- User guide: Amazon VPC User Guide.
- Whitepaper: Building a Scalable and Secure Multi-VPC AWS Network Infrastructure.
- AWS re:Invent video: AWS Direct Connect: Deep Dive.
Edge network services
AWS edge-computing services provide infrastructure and software that move data processing and analysis as close to the endpoint as necessary. AWS Lambda is a compute service that allows you to run code without provisioning or managing servers. Lambda runs your code only when needed and scales automatically, from a few requests per day to thousands per second. Lambda@Edge allows you to run Node.js and Python Lambda functions to customize content that Amazon CloudFront delivers, executing the functions in AWS locations closer to the viewer. The functions run in response to CloudFront events without provisioning or managing servers. You can also use Lambda functions to change CloudFront requests and responses; this enables a variety of powerful use cases, including A/B testing, the ability to deliver different content based on client-device type, and the ability to implement business logic to add, delete, and modify headers and rewrite the URL path to direct users to different objects in the cache. Deploying compute closer to your users can simplify your architecture, increase security, and optimize the user experience through reduced latency.
Designs for reliability
A design principal of the reliability pillar of the AWS Well Architected Framework is to design systems that can automatically recover from failure. Network architects can build highly resilient, multi-region designs using network services such as Amazon Route 53 and AWS Global Accelerator. These services can detect failure and route client traffic away from it, increasing availability. Similarly, traffic flows within an Amazon VPC can route around failure. AWS Elastic Load Balancing offers health-checking capabilities that can validate the health of compute components using a variety of network protocols (i.e., TCP, HTTP, HTTPS, and SSL). When integrated with Amazon CloudWatch, these capabilities provide operational alerting and can trigger automated remediation of failures.
AWS global infrastructure and how to deploy foundational network elements
To pass the Advanced Networking – Specialty Certification exam, you’ll need a thorough understanding of how the AWS Global Cloud Infrastructure is designed and how the fundamental AWS networking components in a Virtual Private Cloud (VPC) work. Be sure to brush up on configuration options for foundational VPC design, including Dynamic Host Configuration Protocol (DHCP) configurations, route tables, network-access control lists (NACLs), and security groups. As an architect, it’s also necessary to know how to best provide connectivity beyond the VPC, including NAT gateways (NGW), internet gateways (IGW), egress-only internet gateways (EIGW), and virtual gateways (VGW).
Security and compliance
Many AWS customers deploy infrastructure accessed by a globally distributed user base. Network architects need to support access in a secure manner. AWS services can often be used together to meet these security goals. For example, when combined, CloudFront and AWS Web Application Firewall (WAF) can mitigate network attacks that target different layers of the OSI model.
Network configuration options for high performance applications
Certain application workloads, such as high-performance computing, may require lower latency, high bandwidth network connections between compute nodes. AWS provides configuration options to meet the needs of these workloads (i.e., placement groups, jumbo frames, and elastic network adapters). High-performance computing workloads may require an operating system configuration to achieve the desired network performance. Consider reviewing this documentation, Network Performance.
Inter-VPC connectivity options
VPC peering provides a convenient way to connect multiple VPCs; however, at scale, there are considerable operational efficiencies of hub-and-spoke network designs using AWS Transit Gateway. Transit Gateway unlocks a variety of design options. Consider the following resources:
- re:Invent video: Advanced VPC Design and New Capabilities for Amazon VPC.
- Digital course: AWS Transit Gateway Networking and Scaling.
- re:Invent video: Transit Gateway architectures for many VPCs.
Integrate VPC networks with other AWS services
AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks without exposing your traffic to the public internet. A common use case for customers is the need to provide communication between workloads deployed inside a VPC (e.g., EC2 instances) to other AWS services (e.g., an Amazon Simple Storage Service bucket or an Amazon Simple Queue Service queue). Preventing sensitive data, such as customer records, from traversing the internet is a requirement for some workloads, which have to maintain compliance with regulations, such as HIPAA, EU/US Privacy Shield, and PCI. AWS enables this communication across a private network segment via Gateway and interface VPC endpoints powered by AWS PrivateLink. Endpoints can be used to improve the reliability and security of communications. Configuring VPC endpoints correctly requires knowledge of AWS Identity and Access Management (IAM), route tables, elastic network interfaces, security groups, and NACLs. Consider the following resources:
- Blog post: Reduce Cost and Increase Security with Amazon VPC Endpoints.
- Workshop: VPC Endpoint Workshop.
Methods to simplify network management and troubleshooting
Connectivity issues are common in real-world scenarios, arising when communication needs to occur within VPCs between peered VPCs and when working with VPNs or Direct Connect to on-premises networks. AWS provides a variety of data sources that increase visibility into network operations. These can aid common network-administration tasks such as troubleshooting network connectivity. Logs include VPC flow logs, access logs for your application load balancer, and CloudFront logs. Additionally, Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon Elastic Compute Cloud (EC2) instances. You can then send the traffic to out-of-band security and monitoring appliances for content inspection, threat monitoring, and troubleshooting. Network administrators need to understand where these data sources are stored, how frequently data is written to them, and what information they contain to be effective at troubleshooting.
Before taking the exam
Spend time practicing for the exam, it will help you have good experience and familiar with the exam format. The best way is practicing on actual exam format and you can save a lot of time and ensure you can pass the exam in an easy way.
Actual Exam Version:
The value of certification
Network design is a critical foundation for organizations looking to migrate workloads to—or build new workloads in—AWS. The AWS Certified Advanced Networking – Specialty certification presents IT engineering professionals with the opportunity to validate their knowledge and show they understand how to design cost-efficient, secure, and performant networks on AWS. Preparing for a certification exam is an excellent way to reinforce your knowledge of any technology. I hope you consider pursuing this exam and experience similar benefits. If you haven’t done it yet, sign up for a training account and take the recommended courses. Best of luck!
- New beta exam: AWS Certified Advanced Networking – Specialty ANS-C01
- How To Prepare For AWS Certified Advanced Networking – Specialty
- AWS Certified Advanced Networking – Specialty ANS-C01 Sample Questions