# How to Pass AWS Advanced Networking Specialty (ANS-C01) in 2026: Complete Study Guide
The AWS Certified Advanced Networking Specialty (ANS-C01) is widely regarded as one of the hardest AWS certifications. It demands deep, hands-on knowledge of AWS networking architecture — not just familiarity with service names, but genuine understanding of how BGP routing works, when to use Transit Gateway vs VPC peering, and how to design resilient hybrid networks with Direct Connect.
If you work in network engineering, cloud infrastructure, or solutions architecture with a networking focus, this certification validates expertise that most cloud practitioners do not have.
This guide covers the exam format, every domain in depth, key architecture patterns, and a realistic 8-week study plan.
---
## Exam Facts at a Glance
| Detail | Value |
|---|---|
| Exam code | ANS-C01 |
| Exam cost | $300 USD |
| Number of questions | 65 |
| Time limit | 170 minutes |
| Passing score | ~75% |
| Format | Multiple choice, multiple response |
| Delivery | Pearson VUE (online or test center) |
| Validity | 3 years |
| Prerequisites | AWS Solutions Architect Associate recommended |
170 minutes for 65 questions gives you about 2.5 minutes per question — but networking scenarios are long. Expect questions with multi-paragraph network topology descriptions. Practice reading quickly and identifying the key constraint before looking at answers.
---
## Domain Breakdown
### Domain 1: Network Design (30%)
The largest domain. It tests your ability to design scalable, resilient AWS network architectures from scratch — or evaluate existing designs for correctness.
Key topics:
- VPC design: CIDR block sizing, subnet allocation, multi-AZ patterns
- VPC peering vs Transit Gateway vs AWS Cloud WAN
- Hub-and-spoke vs mesh topologies
- Shared Services VPC pattern
- IPv6 dual-stack design
- Egress-only Internet Gateway (IPv6 outbound only)
- NAT Gateway: single-AZ vs multi-AZ for high availability
- AWS PrivateLink for private service exposure
- Gateway Load Balancer for inline third-party security appliances
### Domain 2: Network Implementation (26%)
This domain focuses on building and configuring the network components you designed in Domain 1. It is the most hands-on domain and heavily tests Transit Gateway and Direct Connect configuration.
Key topics:
- Transit Gateway route tables: default, isolated, custom
- TGW attachments: VPC, VPN, Direct Connect Gateway, peering
- TGW multicast: configuring multicast domains and group memberships
- AWS Cloud WAN: segments, core network policies
- Direct Connect: ordering, Virtual Interface (VIF) types
- Direct Connect Gateway (DXGW): multi-region, multi-account access
- Link Aggregation Groups (LAG): combining multiple DX connections
- VPN over Direct Connect (backup or primary path)
- Accelerated Site-to-Site VPN (uses Global Accelerator backbone)
### Domain 3: Network Management and Operation (20%)
Once the network is built, you need to monitor it, troubleshoot it, and keep it running. This domain tests observability and operational tools.
Key topics:
- VPC Flow Logs: enabling, log format fields, publishing to S3 or CloudWatch Logs
- Traffic Mirroring: capturing packets for deep inspection (requires Nitro instances)
- VPC Reachability Analyzer: automated path analysis without sending traffic
- Network Access Analyzer: evaluating network access against policies
- AWS Network Manager: global view of Transit Gateway networks and the Cloud WAN dashboard
- Route 53 Resolver DNS Firewall
- CloudWatch metrics for VPN tunnels, TGW attachments, DX virtual interfaces
- AWS Config for network configuration compliance
### Domain 4: Network Security, Compliance, and Governance (24%)
Security is deeply embedded in advanced networking. This domain tests your ability to design defense-in-depth for network traffic.
Key topics:
- AWS Network Firewall: stateful and stateless rule groups, Suricata rules
- AWS WAF: rule groups, managed rules, rate limiting
- AWS Shield Standard vs Advanced
- Security Groups vs Network ACLs (stateful vs stateless)
- VPC endpoints: Interface endpoints (PrivateLink) vs Gateway endpoints (S3, DynamoDB)
- VPC endpoint policies
- Route 53: DNSSEC signing and validation
- AWS Certificate Manager (ACM) with ALB/NLB for TLS termination
- GuardDuty network findings (VPC Flow Log-based threat detection)
---
## VPC Design Fundamentals
VPC design questions appear throughout the exam, not just in Domain 1. Master the fundamentals.
### CIDR Planning
A /16 VPC gives you 65,536 addresses. Subnet sizing depends on what you put in each:
- Public subnets (load balancers, NAT Gateways): /24 is typical (251 usable hosts)
- Private app subnets: /24 or /23 depending on expected scale
- Private data subnets: /24
- Reserved for future use: always leave CIDR space in your VPC
AWS reserves 5 IP addresses per subnet (network, VPC router, DNS, future, broadcast). A /28 subnet gives only 11 usable addresses — barely enough for a small ECS task group.
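The sizing rules above are easy to get wrong by hand when you multiply them across tiers and Availability Zones. The following Python script is an added worked example, not code from the original guide: it carves a /16 VPC into one subnet per tier and AZ, subtracts the five AWS-reserved addresses per subnet, checks that nothing overlaps, and reports the CIDR space left for future use. The tier names, prefix lengths and the `10.0.0.0/16` VPC are constructed inputs.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet:
# network, VPC router, Amazon DNS, reserved for future use, broadcast.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Addresses left for ENIs once AWS's five reserved addresses are removed."""
    net = ipaddress.ip_network(cidr, strict=False)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS VPC subnets must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def carve(block, prefix):
    """Split `block` in halves until a subnet of `prefix` length falls out.
    Returns (subnet, leftover_blocks); the leftovers stay free for later requests."""
    leftovers = []
    while block.prefixlen < prefix:
        first, second = block.subnets(prefixlen_diff=1)
        leftovers.append(second)
        block = first
    return block, leftovers


def plan_subnets(vpc_cidr, azs, tiers):
    """Allocate one subnet per (tier, AZ) pair out of `vpc_cidr`.

    `tiers` maps a tier name to the prefix length wanted for that tier,
    e.g. {"public": 24, "app": 23, "data": 24}.
    Returns (plan, free): `plan` is a list of subnet records, `free` lists
    the CIDR blocks left unallocated for future growth."""
    vpc = ipaddress.ip_network(vpc_cidr)
    free = [vpc]
    plan = []
    # Largest subnets first so they land on aligned boundaries and the
    # smaller ones fill the gaps instead of fragmenting the space.
    requests = sorted(
        ((tier, prefix, az) for tier, prefix in tiers.items() for az in azs),
        key=lambda r: r[1],
    )
    for tier, prefix, az in requests:
        candidates = [b for b in free if b.prefixlen <= prefix]
        if not candidates:
            raise ValueError(f"{vpc} has no room left for {tier}-{az} (/{prefix})")
        # Best fit: the smallest free block that still holds the request.
        block = max(candidates, key=lambda b: b.prefixlen)
        free.remove(block)
        subnet, leftovers = carve(block, prefix)
        free.extend(leftovers)
        plan.append({
            "name": f"{tier}-{az}",
            "cidr": str(subnet),
            "usable": usable_hosts(str(subnet)),
        })
    return plan, [str(b) for b in sorted(free)]


def no_overlap(plan):
    """Sanity check: no two planned subnets share any address."""
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    plan, free = plan_subnets("10.0.0.0/16", ["a", "b", "c"],
                              {"public": 24, "app": 23, "data": 24})
    for s in plan:
        print(f"{s['name']:10} {s['cidr']:16} {s['usable']} usable")
    print("free for future use:", free)
    print("/28 usable:", usable_hosts("10.0.250.0/28"))
```

Running it shows the three /23 app subnets taking `10.0.0.0/23`, `10.0.2.0/23` and `10.0.4.0/23`, the /24s packing in behind them, and most of the /16 still free, which is the "always leave CIDR space" rule made concrete.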
### Multi-AZ NAT Gateway
A common exam trap: one NAT Gateway in one AZ creates a single point of failure. Best practice is one NAT Gateway per AZ so that if an AZ fails, resources in the surviving AZs still have outbound internet access through their own NAT Gateway. This costs more (each NAT Gateway has an hourly charge) but is required for production workloads.
---
## Transit Gateway Architecture
Transit Gateway (TGW) replaces complex VPC peering meshes with a hub-and-spoke routing model. Every attachment connects to the TGW, and route tables control which attachments can reach each other.
### Route Tables
A TGW can have multiple route tables. Each attachment is associated with exactly one route table (which routes the attachment can receive) and can propagate into one or more route tables (which routes the attachment announces).
Common patterns:
| Pattern | Setup |
|---|---|
| Full connectivity (default) | All attachments in one route table, all propagate to it |
| Isolated VPCs | Each VPC in its own route table with no cross-VPC propagation |
| Shared services | Shared services VPC propagates to all route tables; spoke VPCs only route to shared services |
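The association/propagation distinction is the part candidates most often get backwards, so here is an added Python model (not AWS code and not from the original guide) that implements the three patterns in the table and checks reachability through the TGW hop. It models only the Transit Gateway route tables: a real deployment also needs VPC route table entries pointing at the TGW and permissive security groups and NACLs. The VPC names and CIDRs are constructed.

```python
import ipaddress
from collections import defaultdict


class TransitGateway:
    """Minimal model of TGW routing: the association decides which table an
    attachment's traffic is looked up in; propagations decide which tables
    learn the attachment's CIDRs."""

    def __init__(self):
        self.attachments = {}             # attachment name -> list of CIDRs behind it
        self.associations = {}            # attachment name -> associated route table
        self.tables = defaultdict(dict)   # route table -> {cidr: attachment}

    def add_attachment(self, name, cidrs):
        self.attachments[name] = list(cidrs)

    def associate(self, attachment, table):
        """Each attachment is associated with exactly one route table."""
        self.associations[attachment] = table

    def propagate(self, attachment, table):
        """Propagation installs the attachment's CIDRs as routes in `table`."""
        for cidr in self.attachments[attachment]:
            self.tables[table][cidr] = attachment

    def next_hop(self, src_attachment, dst_ip):
        """Longest-prefix match in the table the source attachment is associated with."""
        table = self.tables[self.associations[src_attachment]]
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for cidr, attachment in table.items():
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, attachment)
        return best[1] if best else None

    def connected(self, a, b):
        """True only if a can reach b AND b's reply can route back to a."""
        forward = self.next_hop(a, first_host(self.attachments[b][0]))
        reverse = self.next_hop(b, first_host(self.attachments[a][0]))
        return forward == b and reverse == a


def first_host(cidr):
    return str(next(ipaddress.ip_network(cidr).hosts()))


# Constructed example VPCs (not from the page).
SPOKES = {"vpc-a": "10.1.0.0/16", "vpc-b": "10.2.0.0/16"}
SHARED = {"vpc-shared": "10.0.0.0/16"}


def full_connectivity():
    """Default pattern: one table, every attachment associated with and propagated into it."""
    tgw = TransitGateway()
    for name, cidr in {**SPOKES, **SHARED}.items():
        tgw.add_attachment(name, [cidr])
        tgw.associate(name, "default")
        tgw.propagate(name, "default")
    return tgw


def isolated():
    """Each VPC in its own table with no cross-VPC propagation: nobody reaches anybody."""
    tgw = TransitGateway()
    for name, cidr in {**SPOKES, **SHARED}.items():
        tgw.add_attachment(name, [cidr])
        tgw.associate(name, f"rt-{name}")
    return tgw


def shared_services():
    """Spokes see only the shared VPC; the shared VPC sees every spoke."""
    tgw = TransitGateway()
    for name, cidr in SHARED.items():
        tgw.add_attachment(name, [cidr])
        tgw.associate(name, "rt-shared")
        tgw.propagate(name, "rt-spokes")
    for name, cidr in SPOKES.items():
        tgw.add_attachment(name, [cidr])
        tgw.associate(name, "rt-spokes")
        tgw.propagate(name, "rt-shared")
    return tgw


if __name__ == "__main__":
    for label, tgw in [("full", full_connectivity()), ("isolated", isolated()), ("shared", shared_services())]:
        print(label, "a<->b:", tgw.connected("vpc-a", "vpc-b"),
              "a<->shared:", tgw.connected("vpc-a", "vpc-shared"))
```

The `connected` check deliberately tests both directions: a spoke that propagates into the shared table but is associated with a table lacking the shared VPC's route (or vice versa) is a common half-configured state that only shows up as asymmetric routing.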
### TGW Peering
TGW peering connects Transit Gateways across regions or accounts. Peering connections are static (no dynamic route propagation) — you must add static routes manually on both sides. This is a frequent exam question.
💡 **Exam Tip:** TGW peering uses static routes. If you see a question about dynamic route exchange between TGWs in different regions, the answer is not TGW peering — consider AWS Cloud WAN or a BGP-based overlay.
---
## Direct Connect: Virtual Interfaces Explained
Direct Connect provides a dedicated private network connection from your on-premises data center to AWS. It bypasses the public internet entirely.
### Virtual Interface (VIF) Types
| VIF Type | Connects To | Use Case |
|---|---|---|
| Private VIF | Single VPC (via Virtual Private Gateway) | Private access to one VPC |
| Transit VIF | Direct Connect Gateway → Transit Gateway | Access multiple VPCs across regions/accounts |
| Public VIF | AWS public services (S3, DynamoDB, public endpoints) | Access public AWS endpoints without internet |
For most enterprise deployments, Transit VIF + Direct Connect Gateway + Transit Gateway is the preferred pattern. It provides access to hundreds of VPCs through a single DX connection.
### Redundancy
AWS recommends two DX connections to two different AWS Direct Connect locations for maximum resilience. A single DX connection has no SLA. Two connections at the same location protect against port failure but not facility failure.
Link Aggregation Groups (LAG) bundle multiple physical connections into one logical connection for higher bandwidth and port-level redundancy — but they share the same location, so they do not protect against facility outages.
---
## Route 53 Routing Policies
| Policy | When to Use |
|---|---|
| Simple | Single resource, no health checks |
| Weighted | A/B testing, gradual traffic shifts |
| Latency | Route to lowest-latency region |
| Failover | Active-passive disaster recovery |
| Geolocation | Route based on user's country/continent |
| Geoproximity | Route based on resource location, with bias |
| Multi-value | Up to 8 healthy records returned (not a load balancer replacement) |
### Route 53 Resolver
Route 53 Resolver enables DNS resolution between VPCs and on-premises networks:
- **Inbound endpoints**: On-premises DNS servers forward queries to AWS. An ENI in your VPC receives the query.
- **Outbound endpoints**: VPC instances query on-premises DNS. A forwarding rule directs queries to your corporate DNS servers.
- **DNS Firewall**: Block or allow DNS queries by domain name pattern, integrated with Route 53 Resolver.
---
## Global Accelerator vs CloudFront
A classic exam trap: both services improve application performance globally, but they solve different problems.
| Feature | Global Accelerator | CloudFront |
|---|---|---|
| Protocol | TCP, UDP | HTTP/HTTPS |
| Caching | No | Yes |
| Static IP | Yes (2 anycast IPs) | No |
| Use case | Non-HTTP workloads, gaming, IoT, VoIP | Web content, APIs, media distribution |
| Health checking | Yes, with failover | Yes (origin health) |
💡 **Exam Tip:** If a question involves static IP addresses for whitelisting, TCP/UDP protocols (non-HTTP), or gaming/IoT workloads — the answer is Global Accelerator. If it involves caching, CDN, or web content delivery — the answer is CloudFront.
---
## Network Firewall vs Security Groups vs NACLs
| Control | Stateful? | Where Applied | Granularity |
|---|---|---|---|
| Security Groups | Yes | ENI (instance level) | Allow rules only |
| Network ACLs | No | Subnet boundary | Allow and deny rules |
| AWS Network Firewall | Both | VPC traffic (via firewall endpoints) | Domain, IP, protocol, Suricata rules |
| WAF | N/A | ALB/CloudFront/API GW | HTTP/HTTPS layer 7 |
AWS Network Firewall supports deep packet inspection with Suricata-compatible rules and can filter based on domain names (SNI for HTTPS). It requires routing traffic through firewall endpoints, typically in a dedicated inspection VPC.
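The stateful/stateless row in the table is the source of a classic failure: a NACL that allows inbound 443 but has no outbound rule for the client's ephemeral port silently drops every reply. The Python below is an added example, not code from the guide or from AWS, that models NACL evaluation (ascending rule number, first match wins, implicit deny) and contrasts it with a security group's stateful allow-only behaviour. The rule sets and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    number: int       # NACLs are evaluated in ascending rule-number order
    action: str       # "allow" or "deny" (security groups only ever "allow")
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound


def nacl_decision(rules, ip, port, protocol="tcp"):
    """First matching rule wins; the implicit final rule (*) denies everything."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action == "allow"
    return False


def nacl_allows_connection(inbound, outbound, client_ip, client_port, server_port, protocol="tcp"):
    """A stateless NACL must allow both halves of a client-initiated connection:
    the request (inbound, matched on the server port) and the reply
    (outbound, matched on the client's ephemeral port)."""
    request_ok = nacl_decision(inbound, client_ip, server_port, protocol)
    reply_ok = nacl_decision(outbound, client_ip, client_port, protocol)
    return request_ok and reply_ok


def sg_allows_connection(inbound_rules, client_ip, server_port, protocol="tcp"):
    """Security groups are stateful and allow-only: once the request matches an
    inbound rule, the reply is tracked and admitted with no outbound rule needed."""
    addr = ipaddress.ip_address(client_ip)
    return any(
        r.protocol in ("-1", protocol)
        and addr in ipaddress.ip_network(r.cidr)
        and (r.protocol == "-1" or r.port_from <= server_port <= r.port_to)
        for r in inbound_rules
    )


# Constructed rule sets (not from the page).
INBOUND = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
OUTBOUND_BROKEN = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]        # no ephemeral range
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
INBOUND_WITH_BLOCK = [Rule(90, "deny", "tcp", 443, 443, "203.0.113.0/24")] + INBOUND

if __name__ == "__main__":
    print("NACL, no ephemeral rule:", nacl_allows_connection(INBOUND, OUTBOUND_BROKEN, "203.0.113.10", 49152, 443))
    print("NACL, ephemeral rule:   ", nacl_allows_connection(INBOUND, OUTBOUND_FIXED, "203.0.113.10", 49152, 443))
    print("NACL deny-before-allow: ", nacl_decision(INBOUND_WITH_BLOCK, "203.0.113.10", 443))
    print("Security group:         ", sg_allows_connection(INBOUND, "203.0.113.10", 443))
```

Two things the model makes visible: the lower-numbered deny in `INBOUND_WITH_BLOCK` wins over the broader allow behind it, and the only way to express a block list at all is the NACL, since a security group has no deny rules.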
---
## Network Monitoring Tools
| Tool | What It Does | Key Limitation |
|---|---|---|
| VPC Flow Logs | Captures IP traffic metadata (no payload) | No packet content |
| Traffic Mirroring | Captures actual packets (full payload) | Nitro instances only, costs more |
| Reachability Analyzer | Logical path analysis (no traffic needed) | Only between two specific endpoints |
| Network Access Analyzer | Evaluates access against policies at scale | Broader policy compliance view |
---
## 8-Week Study Plan
**Week 1 — VPC Foundations**
Review VPC fundamentals: CIDR design, subnets, route tables, IGW, NAT Gateway, Security Groups, NACLs. Build a multi-AZ VPC from scratch with public and private subnets. Understand the 5 reserved IPs per subnet.
**Week 2 — Transit Gateway**
Study TGW architecture: attachments, route tables, associations, propagations. Build a hub-and-spoke topology with 3 VPCs. Implement an isolated route table pattern. Read the TGW documentation on multicast.
**Week 3 — Direct Connect and Hybrid Networking**
Study the three VIF types. Understand Direct Connect Gateway multi-account access. Learn LAG configuration and the redundancy tradeoffs. Build VPN as a DX backup design on paper. Read the AWS Direct Connect Resiliency Toolkit.
**Week 4 — Route 53 and DNS**
Master all 7 routing policies with use cases. Build a failover routing configuration. Study Resolver inbound and outbound endpoints. Configure DNS Firewall rules. Understand DNSSEC signing vs validation.
**Week 5 — Security and Compliance**
Study Network Firewall: stateful vs stateless rule groups, Suricata rules, firewall routing patterns. Configure VPC endpoint policies. Review AWS WAF managed rule groups. Study Shield Advanced DDoS response.
**Week 6 — Monitoring and Troubleshooting**
Enable VPC Flow Logs and query them with Athena. Use Reachability Analyzer to diagnose a misconfigured security group. Study Traffic Mirroring setup. Review CloudWatch metrics for TGW and DX.
**Week 7 — Advanced Patterns and Edge Cases**
Study AWS Cloud WAN segments. Review Global Accelerator vs CloudFront scenarios. Study Gateway Load Balancer for inline security appliances. Review IPv6 dual-stack design and egress-only IGW.
**Week 8 — Practice Exams and Review**
Take full-length practice exams under timed conditions. Focus on BGP path selection (AS path, MED, local preference), VPC endpoint type distinctions, and TGW route table patterns — the most common exam traps.
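BGP path selection comes up in Week 8 as the most common trap, and the cleanest way to internalise the order of the tie-breakers is to implement it. The Python below is an added example, not from the guide and not how any AWS or vendor router is implemented: it ranks candidate paths by local preference (higher wins), AS path length (shorter wins), MED (lower wins) and eBGP over iBGP, which is the simplified decision process the exam cares about. Weight, origin code and router-ID tie-breaks are left out, and MED is compared across all paths rather than only between paths from the same neighbouring AS, as a router would by default. The candidate paths (a primary Direct Connect, a prepended secondary, and a VPN backup) are constructed; 7224 is the AWS-side ASN for Direct Connect and 64512 the default Virtual Private Gateway ASN.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    via: str                # label for the link the route was learned over
    as_path: tuple          # AS numbers, nearest neighbour first
    local_pref: int = 100   # higher wins; set locally, never carried over eBGP
    med: int = 0            # lower wins; the neighbour's hint about which entry point to use
    ebgp: bool = True       # eBGP-learned beats iBGP-learned


def rank(path):
    """Sort key in (simplified) BGP decision order. Lower key sorts first."""
    return (
        -path.local_pref,           # 1. highest local preference
        len(path.as_path),          # 2. shortest AS path (prepending lengthens it)
        path.med,                   # 3. lowest MED
        0 if path.ebgp else 1,      # 4. eBGP over iBGP
    )


def best_path(paths):
    """The single path a router installs for the prefix, or None if nothing is advertised."""
    return min(paths, key=rank) if paths else None


def ranked(paths):
    """All candidates in preference order, useful when reasoning about what happens on failover."""
    return [p.via for p in sorted(paths, key=rank)]


# Constructed paths to one VPC CIDR as seen from a customer edge router.
VPC_CIDR = "10.0.0.0/16"
DX_PRIMARY = BgpPath(VPC_CIDR, "dx-primary", (7224,), local_pref=200)
DX_SECONDARY = BgpPath(VPC_CIDR, "dx-secondary", (7224, 7224, 7224), local_pref=200)  # AS path prepended
VPN_BACKUP = BgpPath(VPC_CIDR, "vpn-backup", (64512,), local_pref=100)

if __name__ == "__main__":
    print("all up:       ", ranked([DX_PRIMARY, DX_SECONDARY, VPN_BACKUP]))
    print("primary down: ", ranked([DX_SECONDARY, VPN_BACKUP]))
    print("both DX down: ", ranked([VPN_BACKUP]))
```

The ordering explains two exam staples: a prepended Direct Connect path still beats the VPN because local preference is compared before AS path length, and MED only matters once local preference and AS path length tie.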
---
## Study Resources
**Free:**
- AWS documentation: VPC User Guide, TGW User Guide, Direct Connect User Guide
- AWS re:Invent sessions: "Advanced VPC Design" and "Hybrid Networking" sessions on YouTube
- AWS Skill Builder: Advanced Networking Specialty learning plan
- AWS official exam guide
**Paid:**
- CertLand ANS-C01 practice exam — 340 questions covering all four domains with detailed explanations
- Adrian Cantrill's AWS Advanced Networking course (highly regarded for DX and BGP depth)
---
## Final Tips
The ANS-C01 rewards engineers who have actually configured BGP, deployed Direct Connect, and troubleshot routing issues in production. Abstract knowledge of service names is not enough — you need to understand *why* BGP path selection works the way it does, and *when* TGW is the right choice vs simpler alternatives.
If you do not have hands-on networking experience, budget extra time for the hands-on builds in Weeks 1-3 of the study plan (VPC, Transit Gateway, Direct Connect). The exam questions are scenario-heavy and require elimination of plausible-but-wrong answers that a candidate without real networking experience might choose.
Eight weeks is appropriate for candidates with some networking background. Allow twelve weeks if you are new to BGP or Direct Connect.
Good luck.