AWS Training and Certification Blog
10 study areas for the AWS Certified Advanced Networking – Specialty exam
Editor’s Note (10/20/22): The below is updated to reflect the current version of the AWS Certified Advanced Networking – Specialty exam, updated in July 2022.
Editor’s Note: This blog post shares 10 specific topics that candidates should understand before taking the AWS Certified Advanced Networking – Specialty exam. You’ll learn what to expect during the exam and how to prepare. The post is geared toward IT professionals who are pursuing the certification and looking for advice on their preparation to pass the exam.
During the last few years working as a solutions architect at Amazon Web Services (AWS), I’ve had the opportunity to work with numerous customers building resilient network connectivity between their data centers and AWS regions. As my knowledge of networking in AWS increased, I decided to study for the AWS Certified Advanced Networking – Specialty exam. The exam validates networking expertise and verifies the learner’s ability to implement AWS network services to meet performance, cost, and security requirements.
The exam covers numerous networking topics in depth. Foundational knowledge of networking topics, such as the Open Systems Interconnection (OSI) model, IPv4 addressing and Classless Inter-Domain Routing (CIDR), IP-routing logic, and subnetting are required. Based on my experience, I would recommend completing either the AWS Certified SysOps Administrator – Associate or AWS Certified Solutions Architect – Associate exam before taking this specialty exam.
The experience of studying for the exam strengthened my understanding considerably. As part of my preparation for the exam, I built networks within my AWS account and tested scenarios using services such as AWS Global Accelerator. I find getting hands on with technology is a great way to solidify my knowledge. Since passing the exam and achieving the certification, I’ve found that I’m better prepared to help customers consider network-design options. I would encourage any architect or engineer with an interest in this area to pursue this certification.
AWS Training and Certification offers a mix of free, on-demand digital courses, virtual/in-person instructor-led classroom training, virtual webinars, and an exam-readiness course to help you build your knowledge. I encourage you to utilize the training as well as my suggestions for 10 study areas to review as you prepare for the AWS Certified Advanced Networking – Specialty exam.
Areas of study
1. Edge network services
AWS edge-computing services provide infrastructure and software that move data processing and analysis as close to the endpoint as necessary. Amazon CloudFront is a global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to your viewers with low latency and high transfer speeds. AWS Lambda is a compute service that allows you to run code without provisioning or managing servers. Lambda runs your code only when needed and scales automatically, from a few requests per day to thousands per second. Lambda@Edge allows you to run Node.js and Python Lambda functions to customize content that Amazon CloudFront delivers, executing the functions in AWS locations closer to the viewer. The functions run in response to CloudFront events without provisioning or managing servers. CloudFront integration with AWS Web Application Firewall (WAF) can mitigate network attacks that target different layers of the OSI model. For network path optimization can be used AWS Global Accelerator. Deploying compute closer to your users or network path optimization can simplify your architecture, increase security, and optimize the user experience through reduced latency. In addition to the network and transport layer protections that come with Shield Standard, Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF. Shield Advanced also gives protection against DDoS-related spikes in your EC2, ELB, CloudFront, Global Accelerator, and Route 53 charges.
2. AWS global infrastructure and how to deploy foundational network elements
To pass the Advanced Networking – Specialty Certification exam, you’ll need a thorough understanding of how the AWS Global Infrastructure is designed and how the fundamental AWS networking components in a Virtual Private Cloud (VPC) work. Be sure to brush up on configuration options for foundational VPC design, including IPv4 and IPv6 CIDRs, subnets, route tables, network-access control lists (NACLs), security groups (SGs), and Dynamic Host Configuration Protocol (DHCP) configurations. As an architect, it’s also necessary to know how to best provide connectivity beyond the VPC, including NAT gateways (NGW), internet gateways (IGW), egress-only internet gateways (EIGW), and virtual gateways (VGW). Consider reviewing:
- Documentation: What is Amazon VPC?
- Documentation: Bring your own IP addresses and IPAM
- Blog post: Dual-stack IPv6 architectures for AWS and hybrid networks
3. Hybrid network-connectivity options
Many AWS customers rely on VPNs or SDWAN to provide private connectivity between infrastructure in AWS and on-premises resources. For use cases requiring higher bandwidth, consistent network performance, or increased privacy, AWS Direct Connect may be more appropriate. Traffic routing and failover is another important topic. These connectivity solutions are often critical in enabling migration to AWS. Consider the following resources:
- Whitepaper: Hybrid Connectivity
- Whitepaper: Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
- Blog post: Introducing AWS Site-to-Site VPN Private IP VPN
- Blog post: Adding MACsec security to AWS Direct Connect connections
- Blog post: Simplify SD-WAN connectivity with AWS Transit Gateway Connect
- re:Invent video: AWS Direct Connect: Deep Dive
4. Inter-VPC connectivity options
VPC peering provides a convenient way to connect multiple VPCs; however, at scale, there are considerable operational efficiencies of hub-and-spoke network designs using AWS Transit Gateway. Transit Gateway unlocks a variety of design options. Consider the following resources:
- re:Invent video: Transit Gateway architectures for many VPCs
- re:Invent video: Advanced VPC Design and New Capabilities for Amazon VPC
- Digital course: AWS Transit Gateway Networking and Scaling
- Blog post: Designing hyperscale Amazon VPC networks
- Blog post: Multicast with AWS Transit Gateway
5. Automate network management using AWS CloudFormation
Infrastructure as code is the ability to build up and tear down entire environments programmatically and automatically. It enables a rapid deployment of infrastructure, enabling organizations to operate with great agility. It also provides the ability to rebuild infrastructure rapidly, increasing resilience. CloudFormation is infrastructure as code. It provides the ability to manage your network configuration through simple JSON or YAML. It’s important to understand how CloudFormation can deploy network infrastructure and how it can safely update configurations using features such as change sets and deletion policies. These features enable you to manage the entire lifecycle of your network components. Consider the following resources:
- Documentation: Updating stacks using change sets
- Documentation: How do I retain some of my resources when I delete an AWS CloudFormation stack?
6. Integrate VPC networks with other AWS services
Preventing sensitive data, such as customer records, from traversing the internet is a requirement for some workloads, which have to maintain compliance with regulations, such as HIPAA, EU/US Privacy Shield, and PCI. AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks without exposing your traffic to the public internet. A common use case for customers is the need to provide communication between workloads deployed inside a VPC (e.g., EC2 instances) to other AWS services (e.g., an Amazon Simple Storage Service bucket or an Amazon Simple Queue Service queue). AWS enables this communication across a private network segment via Gateway and interface VPC endpoints powered by AWS PrivateLink. Endpoints can be used to improve the reliability and security of communications. Configuring VPC endpoints correctly requires knowledge of AWS Identity and Access Management (IAM), route tables, elastic network interfaces, security groups, and NACLs. With wide adoption of Kubernetes, it’s important to understand EKS networking. Consider the following resources:
- Blog post: Reduce Cost and Increase Security with Amazon VPC Endpoints
- Workshop: VPC Endpoint Workshop
- re:Invent video: Integrate Amazon EKS with your networking pattern
7. Security and compliance
Many AWS customers deploy infrastructure accessed by a globally distributed user base. Network architects need to support access in a secure manner. AWS provides a variety of services that can help to meet these security goals. Network Access Analyzer is a feature that identifies unintended network access to your resources on AWS. You can use Network Access Analyzer to specify your network access requirements and to identify potential network paths that do not meet your specified requirements. With AWS Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Consider the following resources:
- Blog post: Deployment models for AWS Network Firewall with VPC routing enhancements
- Documentation: VPC Security
8. Methods to simplify network management and troubleshooting
AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. With Network Manager you can centrally manage and monitor CloudWAN core network and TGW network across AWS accounts, Regions, and on-premises locations. Connectivity issues are common in real-world scenarios, arising when communication needs to occur within VPCs between peered VPCs and when working with VPNs or Direct Connect to on-premises networks. AWS provides a variety of data sources that increase visibility into network operations. These can aid common network-administration tasks such as troubleshooting network connectivity. You can use VPC Reachability Analyzer to determine whether a destination resource in your virtual private cloud (VPC) is reachable from a source resource. Logs include VPC flow logs, TGW flow logs, access logs for your application load balancer, WAF logs, ANF logs and CloudFront logs. Additionally, Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon Elastic Compute Cloud (EC2) instances. You can then send the traffic to out-of-band security and monitoring appliances for content inspection, threat monitoring, and troubleshooting. Network administrators need to understand where these data sources are stored, how frequently data is written to them, and what information they contain to be effective at troubleshooting.
- Blog post: Analyzing VPC Flow Logs using Amazon Athena, and Amazon QuickSight
- Documentation: Analyzing VPC flow log with CloudWatch Logs Insights
9. Network configuration options for high performance applications
Certain application workloads, such as high-performance computing, may require lower latency, high bandwidth network connections between compute nodes. AWS provides configuration options to meet the needs of these workloads (i.e., placement groups, jumbo frames, Elastic Fabric Adapters (EFA) and Elastic Network Adapters (ENA)). High-performance computing workloads may require an operating system configuration to achieve the desired network performance. Consider reviewing this documentation, Network Performance.
10. Designs for reliability
A design principal of the reliability pillar of the AWS Well Architected Framework is to design systems that can automatically recover from failure. Network architects can build highly resilient, multi-region designs using network services such as Amazon Route 53 and AWS Global Accelerator. These services can detect failure and route client traffic away from it, increasing availability. Similarly, traffic flows within an Amazon VPC can route around failure. AWS Elastic Load Balancing offers health-checking capabilities that can validate the health of compute components using a variety of network protocols (i.e., TCP, HTTP, HTTPS, and SSL). When integrated with Amazon CloudWatch, these capabilities provide operational alerting and can trigger automated remediation of failures.
The value of certification
Network design is a critical foundation for organizations looking to migrate workloads to—or build new workloads in—AWS. The AWS Certified Advanced Networking – Specialty certification presents IT engineering professionals with the opportunity to validate their knowledge and show they understand how to design cost-efficient, secure, and performant networks on AWS. Preparing for a certification exam is an excellent way to reinforce your knowledge of any technology. I hope you consider pursuing this exam and experience similar benefits. If you haven’t done it yet, sign up for a training account and take the recommended courses. Best of luck!