I’ve just passed the exam and I’m happy to share my preparation resources for the AWS Certified Advanced Networking Specialty exam. I have already written a couple of articles about AWS certifications, and I can confidently say that this has been the hardest of all. Ever since I started to dig into computer technologies, networking has been one of the most difficult subjects for me, even though I like it so much. As an introduction, I need to highlight that the guides I was able to find to clear this certification with a good level of confidence are scarce. At the same time, there are tons of helpful resources that did instruct me but did not help me focus on the specifics of this exam. I want to share my experience with you to support the effort. A warning note: if you are planning to take this as your very first AWS exam, it is not a good idea. I recommend passing any of the Associate certifications before sitting this exam. I will not write much about the structure of AWS exams nor about the basics of networking. If you do not feel comfortable creating, maintaining, securing, and improving VPCs, you will be rowing against the current.
When I started to search for guidance online, I did not find good news. There were just a few posts that included some references or guides that could help me. Some good advice came from people who had tried to get the certification a couple of times (one tried 4 times, succeeding in the end). Something remarkable, not to say worrying, is that some of the authors were networking engineers, and still they failed to pass. In other words, do not get too comfortable if you have a background in networking but have not tried the cloud. By the time I sat this exam, I had already cleared 9 AWS certifications, and I think this has been the most difficult one. The main reason, in my opinion, is that one does not deal on a daily basis with the service that appears in the majority of the questions: I am talking about Direct Connect (more about this below). All the knowledge acquired to pass the other AWS exams was extremely valuable, as it helped me distinguish answers that looked good from the networking perspective but were incorrect because of the details and capabilities of other services included in them, like logging, security, and automation.
I did not start from zero; my professional experience with networking included scenarios where different technologies were involved: iptables, hosts files, ports and port mapping, the OSI model, good knowledge of HTTP packets, subnets, subnet masks, self-signed certificates, basic Active Directory, and simple routing. At a basic level I have worked with DNS, DHCP, ICMP, VPN, TLS, higher-level Active Directory, iSCSI, and network interfaces. As a Cloud Engineer I have had the chance to work with the whole range of VPC services and manage them from the perspective of automation, security, troubleshooting, and the creation and maintenance of mid-level networking architectures. I started to prepare for this exam in February 2020 and sat it in July 2020, but I did not really dedicate much of my time until May 2020. So I would say that I prepared for this exam during 3 months, although I started earlier by reading some of the chapters of the book that made the difference for this exam (yes, to my own surprise, a book).
I used one main resource, a good old-style book (OK, you can get it in digital form, but that only changes the presentation): the “AWS Certified Advanced Networking Official Study Guide: Specialty Exam”. I would recommend it as the main source of truth for this exam; actually, the fact that it cannot be updated frequently helped me to focus on the topics of the exam.
The next helpful resource was the one I enjoyed the most: re:Invent videos. They taught me great tips and tricks, and also exposed base architectures, something that you will need to understand for most of the questions in the exam. The only problem with them is that most talk about brand new releases, both in terms of services and updates, and for the exam this can actually misguide us. Interesting and helpful as these solutions are, a lot of them are not covered by the exam; that’s why a guide created by the group responsible for maintaining the exam is better in this case, and that’s the advantage of the book mentioned above.
The last resource was the Exam Readiness course on the AWS learning platform. I watched it three times, and it was really helpful as a readiness series; it does not go deep enough into the topics, but it works perfectly as a checklist to recap.
For practice exams, I found the awslagi.com website. They have a lot of free and paid resources for practice. I chose the paid version for my practice. The actual questions helped me a lot; this helped me save a lot of time and get good practice to pass the exam.
From the AWS Certified Advanced Networking Official Study Guide: Specialty Exam, if you only have the chance to read 3 chapters, read these, in this order:
- Direct Connect (Chapter 5)
- Domain Name System and Load Balancing (Chapter 6)
- Hybrid Architectures (Chapter 12)
Even with the warning above, I recommend you check the re:Invent videos; it is worth spending some time watching them, taking notes, and understanding the concepts. My favourites were:
- DX and VPN Deep Dive
- DX Deep Dive (2018)
- VPC Design and New Capabilities for Amazon VPC (2018)
- Deep Dive on New AWS Networking Features (2018)
And you may want to check this great post, where a number of designs are presented with interesting graphics:
First, know that the number of requirements appearing in this exam is larger compared with other exams. Let’s briefly recap the usual qualities that will be presented in the questions. You will be asked to pick the best answer that corresponds to one or more of these qualities:
- Least effort to implement
- Fastest to implement
- Fault tolerant
- Most secure
The previous types of requirements are usual in AWS exams, but because of the networking nature of this one, you will also get questions that require you to choose the answer that accomplishes:
- Consistent bandwidth
- Higher throughput
- Active-Passive architectures
- Best performance
Understand the architectures, strategies, and the services that allow you to achieve these goals.
Now, an enumeration of the services that you need to know for the exam, listed in order of number of appearances and relevance:
VPC Endpoints
I was expecting a lot of questions around this topic, but I barely remember two that included a connection to S3 and DynamoDB. I would not underestimate it anyway.
- Know the differences between Gateway Endpoints and Interface Endpoints, how to configure them, and the requirements in the VPCs (route table entries and prefix lists for gateway endpoints; ENIs, security groups, and private DNS for interface endpoints).
- Study how to reach them from outside the VPC (for example from on-premises over VPN or DX) and which endpoint type allows it: interface endpoints can be reached that way, gateway endpoints cannot.
- Check why you need to be aware of the public IP ranges for S3: traffic through a gateway endpoint is sent to the S3 public address ranges, so NACLs and instance firewalls must allow them.
- Know that endpoint policies and bucket policies can be applied in some scenarios to restrict access, for example limiting a bucket to requests arriving through a specific endpoint.
Security
Among the previously mentioned topics and services, investigate and understand the following concepts:
- SSL/TLS offloading.
- How to handle client authentication.
- Strategies and services to protect your architectures from intrusions.
- GuardDuty, Shield and Shield Advanced, WAF, and Macie.
- Flow Logs: what they can log (accepted and rejected traffic, but not everything, e.g. DNS traffic to the VPC resolver or instance metadata requests) and where they can be enabled (VPC, subnet, or ENI) and delivered (CloudWatch Logs or S3).
- Access logs for ELBs.
- Logging DNS queries.
- How to configure alerts based on network activity.
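Flow Logs are the raw material for the "alerts based on network activity" item above, so it helps to have parsed a few records by hand. The script below is an added example, not part of the original post or of any AWS tooling: it parses constructed records in the default (version 2) flow log format and flags a source whose rejected flows touched many distinct destination ports, the kind of pattern a practitioner would turn into a metric filter or alarm. The account ID, ENI ID, addresses, and timestamps are made up for the example.

```python
"""Added example: scan constructed VPC Flow Log records for rejected-traffic patterns.
The records in SAMPLE_LOG are constructed samples in the default (version 2) flow log
format, not real logs from any account."""
from collections import defaultdict

# Default flow log format, in order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample: one source probing several ports (all REJECTed by the SG/NACL),
# one legitimate client on 443, and one NODATA record (no traffic in the interval).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 41234 22 6 1 60 1593600000 1593600060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 41235 23 6 1 60 1593600000 1593600060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 41236 3389 6 1 60 1593600000 1593600060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 41237 445 6 1 60 1593600000 1593600060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 41238 8080 6 1 60 1593600000 1593600060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 50001 443 6 12 3400 1593600000 1593600060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 50002 443 6 9 2100 1593600000 1593600060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1593600000 1593600060 - NODATA
"""


def parse_flow_log(text):
    """Return a list of dicts, one per usable record. NODATA/SKIPDATA records carry no
    addresses and are dropped; malformed lines are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_ports_by_source(records):
    """Map each source address to the set of destination ports it was rejected on."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return dict(ports)


def suspected_scanners(records, threshold=4):
    """Sources whose REJECTed flows hit at least `threshold` distinct ports.
    The threshold is an arbitrary value chosen for this example."""
    by_source = rejected_ports_by_source(records)
    return sorted(src for src, ports in by_source.items() if len(ports) >= threshold)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("usable records:", len(recs))
    print("rejected ports by source:", rejected_ports_by_source(recs))
    print("suspected scanners:", suspected_scanners(recs))
```

In production the same logic lives in a CloudWatch Logs metric filter or an Athena query over the S3 delivery bucket rather than in a script, but the fields and the REJECT/ACCEPT semantics are identical.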
The area covered by ELBs goes way beyond the basics of the service; focus on:
- Differences and advantages of ALB and NLB.
- How to apply SGs to them (at the time of the exam, security groups applied to CLBs and ALBs but not to NLBs).
- The way they work with subnets and Availability Zones, including cross-zone load balancing.
- Security policies (the predefined TLS policies for listeners).
- How to configure them to get the client IPs (X-Forwarded-For on ALB/CLB, Proxy Protocol on CLB/NLB, or the NLB's client IP preservation).
- Sticky sessions.
- ELBs do not handle client certificate authentication; if you need it, terminate TLS on the backend, for example behind an NLB TCP listener that passes the traffic through.
- WAF sandwich architecture (ELB, a scalable tier of WAF instances, another ELB, then the application tier).
CloudFront
Even if it is not covered as deeply as I was expecting, I got around 5 questions related to the service; they asked about Lambda@Edge, black and whitelisting, and basic functionality.
Hybrid architectures based on VPN
This may sound like old technology, but it is very important for establishing secure connections around the network; I got a huge number of questions related to it.
- Advanced architectures: know how to implement transit architectures (transit VPC), as well as CloudHub and hub-and-spoke implementations. Know the use cases and where they cannot be used. Know when you can use VPNs and when VPC peering, remembering that peering is not transitive.
- Double-check the differences between the managed (VGW-based) hardware VPN and a software VPN running on EC2. Know the protocols supported by each option: the managed VPN is IPsec with static or BGP routing, while a software VPN supports whatever you install but makes you responsible for its availability.
- If you know how to apply firewall capabilities, you will answer a couple of questions correctly.
- If this topic did not make you think about SGs, NACLs, IDS/IPS, WAF, third-party software, port restrictions, Route 53, and CloudFront options for black and white listing or geo-restrictions, you have a hard road ahead.
CIDRs
This should have been part of the foundations, but embrace the challenge, as you need to consider it at a higher level.
- You will be required to remember the limits accepted by AWS: VPC and subnet CIDRs from /16 to /28, and five addresses reserved by AWS in every subnet.
- Be able to calculate the number of usable IPs that a subnet can host according to its CIDR.
- Of course, you need to remember how CIDRs are configured in VPCs and subnets.
- Among the calculations, you are expected to know when CIDRs overlap (peering and hybrid routing both require non-overlapping ranges); the CIDRs used in the exam will require valuable seconds of your attention.
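The arithmetic in the list above is worth practising until it is automatic. The following is an added example written for this page, not code from the post or the study guide: it uses Python's standard ipaddress module to compute usable subnet addresses under AWS's five reserved addresses, to test VPC CIDRs for the overlap that blocks peering, and to summarize a set of routes into the smallest set of prefixes (the same operation you need when advertising routes over DX). The /16 to /28 limit and the constant of five reserved addresses come from the AWS VPC documentation; the CIDRs themselves are constructed.

```python
"""Added example: VPC/subnet CIDR arithmetic with the standard ipaddress module."""
import ipaddress

# AWS reserves five addresses per subnet: network, VPC router, DNS, future use, broadcast.
AWS_RESERVED_PER_SUBNET = 5
MIN_PREFIX, MAX_PREFIX = 16, 28  # VPC and subnet CIDRs must fall in this range


def usable_hosts(subnet_cidr):
    """Number of addresses an instance can actually use in a VPC subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{subnet_cidr}: VPC and subnet CIDRs must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def overlaps(cidr_a, cidr_b):
    """True if the two ranges share any address."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def can_peer(vpc_cidrs_a, vpc_cidrs_b):
    """VPC peering is refused if any CIDR of one VPC overlaps any CIDR of the other
    (secondary CIDRs count too)."""
    return not any(overlaps(a, b) for a in vpc_cidrs_a for b in vpc_cidrs_b)


def summarize(cidrs):
    """Collapse a list of prefixes into the smallest equivalent set of summary routes."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print(usable_hosts("10.0.1.0/24"))                       # 251, not 254
    print(usable_hosts("10.0.0.0/28"))                       # 11, the smallest allowed subnet
    print(can_peer(["10.0.0.0/16"], ["10.1.0.0/16"]))        # True
    print(can_peer(["10.0.0.0/16", "172.16.0.0/12"], ["172.31.0.0/16"]))  # False
    print(summarize(["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/23"]))       # ['10.0.0.0/22']
```

Note the difference between the textbook answer (2^(32-prefix) minus 2) and the AWS answer (minus 5); exam options are often written so that the wrong constant selects a subnet that is one size too small.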
Hybrid architectures based on Direct Connect (DX)
The first two topics mentioned here were just to let you know that this exam is tough, but as mentioned before, DX appeared in at least 15 questions. Remember, this is a service that you will hardly configure on a daily basis; you need to understand it pretty well, starting from the physical connections and ending with the protocols, as well as the way to maximize its use. Here is a list of the concepts you need to understand:
- Redundancy (HA) scenarios.
- Active-Passive architectures.
- Routing: the way to configure a preferred route (AS path prepending, the local preference BGP communities, and longer prefixes on the preferred path).
- Protocols: BGP, VRF, ASN, plus 802.1Q VLAN tagging and BGP MD5 authentication on the VIF.
- VPN over DX and the way to interact with the Customer Gateway.
- Private and Public VIFs: requirements to configure them, use cases, restrictions.
- Requirements to install: physical (cross-connect at the DX location, LOA-CFA), regional, and administrative.
- Process to set up a connection.
- The way to summarize routes, and the prefix limits per VIF that make summarization necessary.
- Sub-1 Gbps options (hosted connections through DX partners).
- Redundancy on the AWS side.
- Who pays for the DX service and how it can be shared with other accounts (hosted VIFs).
- Hosted connections.
- DXGW (Direct Connect Gateway) appeared in only one question.
This exam should have been named “AWS Certified DX and Networking - Specialty”; do not take the exam if you cannot describe all of the terms and scenarios just indicated.
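Most DX routing questions come down to predicting which path the virtual private gateway will choose when the same prefix is learned more than once. The script below is an added example written for this page, not from the post, the study guide, or any AWS tool: it models the documented order of preference (longest prefix first; then DX-propagated routes over VPN static routes over VPN BGP routes; among DX routes the 7224:7100, 7224:7200, and 7224:7300 communities for low, medium, and high local preference; then shortest AS path) and runs it over a constructed set of routes. The ASN 65000, the prefixes, and the path labels are made up; treating a route without a community as medium preference is an assumption of the model.

```python
"""Added example: simplified virtual private gateway path selection for overlapping
prefixes learned over Direct Connect and Site-to-Site VPN. Routes, ASNs and labels
are constructed for the example."""
import ipaddress
from dataclasses import dataclass

# Direct Connect local preference communities; higher wins, evaluated before AS path.
LOCAL_PREF = {"7224:7100": 100, "7224:7200": 200, "7224:7300": 300}
DEFAULT_LOCAL_PREF = 200  # assumption: no community tag behaves as medium
SOURCE_RANK = {"dx_bgp": 0, "vpn_static": 1, "vpn_bgp": 2}  # lower is preferred


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str                 # "dx_bgp", "vpn_static" or "vpn_bgp"
    via: str                    # label for the path, e.g. "DX-primary"
    as_path: tuple = ()         # ASNs as advertised, including any prepends
    communities: tuple = ()     # BGP communities attached by the customer router

    def local_pref(self):
        prefs = [LOCAL_PREF[c] for c in self.communities if c in LOCAL_PREF]
        return max(prefs) if prefs else DEFAULT_LOCAL_PREF


def _preference_key(route):
    # Tuple compares element by element: source rank, then higher local pref,
    # then shorter AS path. min() over this key returns the winner.
    return (SOURCE_RANK[route.source], -route.local_pref(), len(route.as_path))


def select_path(destination, routes):
    """Return the `via` label of the route the VGW would use for `destination`,
    or None when nothing matches."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matching)
    most_specific = [r for r in matching if ipaddress.ip_network(r.prefix).prefixlen == longest]
    return min(most_specific, key=_preference_key).via


# Constructed scenario: two DX connections and a VPN backup all advertise 10.10.0.0/16.
# The secondary DX path is prepended three times so that it only carries traffic
# when the primary is down; the VPN has a static, more specific route for one subnet.
ROUTES = (
    Route("10.10.0.0/16", "dx_bgp", "DX-primary", (65000,)),
    Route("10.10.0.0/16", "dx_bgp", "DX-secondary", (65000, 65000, 65000)),
    Route("10.10.0.0/16", "vpn_bgp", "VPN-backup", (65000,)),
    Route("10.10.200.0/24", "vpn_static", "VPN-static-specific"),
)
# Same scenario, but the secondary is tagged high preference: the community beats the prepend.
ROUTES_TAGGED = (
    Route("10.10.0.0/16", "dx_bgp", "DX-primary", (65000,)),
    Route("10.10.0.0/16", "dx_bgp", "DX-secondary", (65000, 65000, 65000), ("7224:7300",)),
    Route("10.10.0.0/16", "vpn_bgp", "VPN-backup", (65000,)),
)


def demo():
    without_dx = [r for r in ROUTES if r.source != "dx_bgp"]
    return {
        "normal": select_path("10.10.5.1", ROUTES),                 # DX-primary
        "specific": select_path("10.10.200.9", ROUTES),             # VPN-static-specific
        "dx_down": select_path("10.10.5.1", without_dx),            # VPN-backup
        "tagged": select_path("10.10.5.1", ROUTES_TAGGED),          # DX-secondary
        "unknown": select_path("192.0.2.1", ROUTES),                # None
    }


if __name__ == "__main__":
    for name, via in demo().items():
        print(f"{name}: {via}")
```

The "specific" case is the one that trips people up: a /24 learned over a VPN beats a /16 learned over DX because longest prefix match is evaluated before any path preference, which is also why a more specific advertisement is a legitimate way to steer traffic onto a chosen link.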
Route 53
I had direct questions about this service, plus it was used in many questions as a complementary piece.
- Know about health checks and how you can have a secondary site ready to respond to failures (failover routing).
- Take a look at private hosted zones, how to resolve them inside your VPCs (the VPC DNS settings must be enabled), and how to reach them from on-premises.
- Be able to recognize the differences between CNAME and ALIAS records, including that only an ALIAS can be used at the zone apex.
- Understand the scenarios involving private IPs and public IPs.
- Check the details on FQDNs and the way to make them resolvable in private scenarios.
- You need to master the routing policies.
- The extra effort to know the use of all the record types will be valuable.
Networking foundations
This exam is similar to others in that it will present you with questions where 3 or more services take the lead in the question or in the answers; be prepared to find a mix of services in most of them. You should learn to recognize the best practices, protocols, and the services that go together to resolve certain scenarios. As the number of combinations would certainly require dozens of posts, let me tell you that you need to master the following networking foundation topics:
- Security Groups: they are stateful and only have allow rules, so know how they enable connections and why return traffic needs no rule, the places where they can be applied, the way to reference other security groups, and the restrictions between regions.
- NACLs: they are stateless and evaluated in rule order with explicit deny, so know how they are used to block and enable connections (including the ephemeral port rules for return traffic), where they can be applied, and that they are not always part of the security boundary (traffic between instances inside a single subnet never traverses the NACL).
- Routing: a cornerstone; if you do not know how route tables work, you will not pass the exam. You also need to know how to prioritize a path (longest prefix match comes first, then static routes before propagated ones), how to configure a secondary route in case of failure, how routing can be configured, and the protocols used for this purpose.
- VPC and Subnets: at this point you should know all the details of configuring VPCs and subnets.
- Gateways: NAT, IGW, VGW. If you do not know what these acronyms mean, you are not ready; investigate their use cases.
- Double-check what you know about ENIs, how they interact with EC2 instances, the way to add IP ranges to a VPC (secondary CIDRs), and how public IPs are assigned.
- Study the benefits, disadvantages, and limits of VPC peering.
- Understand what they do, when they will not help you, the limitations, and where to set them up.
- Know when a packet will be fragmented and why (the MTU of each hop: jumbo frames inside the VPC, but 1500 bytes across an Internet gateway or VPN tunnel).
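The security group and NACL items above are the easiest foundation questions to lose on the stateful versus stateless detail. The following is an added example written for this page, not part of the original post or any AWS API: a small model that evaluates both halves of one TCP connection (the client's request and the server's reply) against a security group and two NACL configurations. The rule sets and addresses are constructed; the model keeps only the behaviour that matters for the exam: a security group remembers the flow and allows the reply with no rule, while an NACL evaluates the reply on its own, lowest rule number first, and needs an explicit outbound allow for the client's ephemeral port.

```python
"""Added example: stateful security group vs stateless NACL evaluation of one TCP
connection. Rules and addresses are constructed for the example."""
import ipaddress

EPHEMERAL = (1024, 65535)  # range a NACL must allow outbound for reply traffic


def _match(rule, peer_ip, port):
    """A rule matches when the peer address is inside its CIDR and the port is in range."""
    in_cidr = ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule["cidr"])
    low, high = rule["ports"]
    return in_cidr and low <= port <= high


def sg_allows(sg, direction, peer_ip, port, established):
    """Security groups are stateful: the reply to an allowed flow is always allowed.
    There are no deny rules; anything not matched by an allow rule is dropped."""
    if established:
        return True
    return any(_match(r, peer_ip, port) for r in sg[direction])


def nacl_allows(nacl, direction, peer_ip, port):
    """NACLs are stateless and ordered: the lowest-numbered matching rule decides,
    and the implicit final rule denies everything else."""
    for rule in sorted(nacl[direction], key=lambda r: r["num"]):
        if _match(rule, peer_ip, port):
            return rule["action"] == "allow"
    return False


def connection_allowed(sg, nacl, client_ip, client_port, service_port):
    """Inbound request from client_ip:client_port to service_port, then the server's
    reply back to the client's ephemeral port. Both halves must pass both filters."""
    request = (sg_allows(sg, "inbound", client_ip, service_port, established=False)
               and nacl_allows(nacl, "inbound", client_ip, service_port))
    reply = (sg_allows(sg, "outbound", client_ip, client_port, established=True)
             and nacl_allows(nacl, "outbound", client_ip, client_port))
    return request and reply


# Constructed configurations. The SG deliberately has no outbound rules at all
# (a real default SG allows all outbound, but replies do not depend on it).
SG_HTTPS = {"inbound": [{"cidr": "0.0.0.0/0", "ports": (443, 443)}], "outbound": []}

# Classic mistake: mirrors the inbound rule outbound and forgets the ephemeral ports.
NACL_BROKEN = {
    "inbound": [{"num": 100, "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"}],
    "outbound": [{"num": 100, "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"}],
}
# Corrected: a deny for one network ahead of the allow, and ephemeral ports outbound.
NACL_FIXED = {
    "inbound": [
        {"num": 90, "cidr": "203.0.113.0/24", "ports": (443, 443), "action": "deny"},
        {"num": 100, "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"},
    ],
    "outbound": [{"num": 100, "cidr": "0.0.0.0/0", "ports": EPHEMERAL, "action": "allow"}],
}


def demo():
    return {
        "broken_nacl": connection_allowed(SG_HTTPS, NACL_BROKEN, "198.51.100.7", 50321, 443),  # False
        "fixed_nacl": connection_allowed(SG_HTTPS, NACL_FIXED, "198.51.100.7", 50321, 443),    # True
        "denied_net": connection_allowed(SG_HTTPS, NACL_FIXED, "203.0.113.9", 50321, 443),     # False
        "wrong_port": connection_allowed(SG_HTTPS, NACL_FIXED, "198.51.100.7", 50321, 80),     # False
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```

The "broken_nacl" case is the classic exam scenario: the request reaches the instance, but the reply to the client's high-numbered source port is dropped by the outbound NACL, so the connection hangs even though the security group is correct.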
Services that appeared less often
I got fewer questions where the following services and solutions appeared; it is worth knowing about them, especially their use cases:
- DHCP option sets: how to configure them and why.
- IPv6: requirements and how to enable it in VPCs.
- Active Directory: study the differences between AWS Managed Microsoft AD, Simple AD, and AD Connector.
- PrivateLink: how to offer your solutions to others in a secure way.
- Placement groups.
- Networking metrics: jitter, throughput, bandwidth, and latency.
- CloudHSM clusters.
- Lambda setup in VPCs.
- Ways to protect against DDoS attacks.
- DNS forwarding architectures.
- Enhanced networking: how it works and which instance types support it.
- GuardDuty.
- Amazon WorkSpaces.
- Amazon AppStream.
- Sources of solutions for packet inspection, like the AWS Marketplace.
- CloudWatch Agent.
Topics that did not appear
- Transit GW
- Advanced application protocols (just HTTP/S questions)
- Route 53 Resolver
The exam is one of the toughest without a doubt; you need to be really well prepared. Your knowledge of VPC must be strong in order to save time when choosing the correct answer. Study every architecture where DX is involved and know how to combine the different services and technologies. Again, as it is hard to have the opportunity to implement or manage many of these types of solutions, my best recommendation is that you take a deep look at the chapters in the book that you need to reinforce, watch videos, read posts, check use cases and success stories, take notes, and understand every architecture wherever you find it.