
AWS Advanced Networking Specialty

Master enterprise-grade AWS networking: VPC CIDR design, Transit Gateway, Cloud WAN, Direct Connect, PrivateLink, Network Firewall, Gateway Load Balancer, Route 53 Resolver, and Reachability Analyzer. 60 specialty-level scenario questions — the hardest networking exam in the AWS catalog.

AWS ANS-C01 · 7 modules · ~50 hours · Advanced / Specialty · 60 practice questions · Updated 2026
Exam Details

Exam Code: ANS-C01
Questions: 65 multiple-choice and multiple-response
Duration: 170 minutes
Passing Score: 750 / 1000
Price: $300 USD
Recertification: Every 3 years
Recommended Experience: 5+ years networking, 2+ years AWS networking
Prerequisites: None formal; AWS SAA-C03 recommended

Exam Domain Weights

Domain 1 — Network Design ~30%
Domain 2 — Network Implementation ~26%
Domain 3 — Network Management & Operations ~20%
Domain 4 — Network Security, Compliance & Governance ~24%

Course Modules

Module 01
VPC Architecture & CIDR Planning
Build rock-solid VPC foundations. Master primary and secondary CIDR blocks, public/private/isolated subnet design, NAT Gateway vs NAT instance tradeoffs, VPC peering scale limits (125 peers per VPC), IPv6 dual-stack designs, and the Egress-Only Internet Gateway used to allow IPv6 egress without inbound access. Learn route-table precedence and why the most specific route always wins.
Tags: VPC CIDR, secondary CIDR, NAT Gateway, subnet design, peering limits, Egress-Only IGW, IPv6
Module 02
Hybrid Connectivity: Direct Connect, Site-to-Site VPN, Client VPN
Connect on-premises to AWS the right way. Compare Direct Connect dedicated vs hosted connections, master the three VIF types (private, public, transit), understand LAG for redundant circuits, SiteLink for global DX-to-DX traffic, Direct Connect Gateway for multi-region and multi-VPC scenarios, BGP attributes (local preference, AS_PATH, MED, communities), accelerated VPN over the AWS global backbone, and Client VPN mutual authentication + authorization rules. Includes the classic VPN CloudHub spoke topology.
Tags: Direct Connect, private VIF, public VIF, transit VIF, LAG, SiteLink, DX Gateway, BGP, Client VPN, CloudHub
Module 03
Transit Gateway, Cloud WAN & Multi-Region Architectures
Design hub-and-spoke and fully routed enterprise topologies. Master Transit Gateway attachments (VPC, VPN, DX Gateway, peering, Connect), route table association vs propagation, inter-region peering over the AWS backbone, TGW Connect using GRE tunnels for SD-WAN appliances, and AWS Cloud WAN — the managed global backbone with a declarative core network policy, segments, and sharing. Learn the decision matrix for when Transit Gateway is enough vs when Cloud WAN pays off.
Tags: Transit Gateway, route propagation, TGW peering, TGW Connect, Cloud WAN, core network policy, segments
Module 04
PrivateLink, Service Endpoints & VPC Lattice
Keep traffic private without internet exposure. Understand Gateway Endpoints (free, S3 + DynamoDB only, route-table based) vs Interface Endpoints (ENI-based PrivateLink with hourly + per-GB pricing), VPC Endpoint Services for exposing your own NLB-fronted service to other accounts (SaaS producer/consumer), and the newer VPC Lattice service network mesh with auth policies, health checks, and weighted traffic for service-to-service communication across VPCs and accounts.
Tags: Gateway Endpoint, Interface Endpoint, PrivateLink, Endpoint Service, cross-account, VPC Lattice, auth policies
Module 05
Load Balancing: ALB, NLB, GWLB & Global Accelerator
Choose the right load balancer for the scenario. ALB for HTTP/HTTPS/gRPC/WebSocket with path and host routing; NLB for TCP/UDP/TLS with ultra-low latency and preserved client IP; GWLB for inserting inline security appliances via GENEVE encapsulation; and Global Accelerator for two static anycast IPs backed by the AWS global edge for fast non-HTTP failover — contrast with CloudFront edge caching for static and HTTP content.
Tags: ALB, NLB, GWLB, GENEVE, Global Accelerator, CloudFront, anycast IPs
Module 06
Network Security: Network Firewall, GWLB, WAF, Shield
Build enterprise security perimeters on AWS. Master AWS Network Firewall with Suricata-compatible stateful rule groups, Gateway Load Balancer for inserting third-party NGFWs (Palo Alto VM-Series, Fortinet, Check Point) transparently, the centralized egress inspection pattern with a dedicated inspection VPC behind Transit Gateway, AWS WAF rule priority (lowest number evaluated first) with managed rule groups, and Shield Advanced DDoS protection with DRT engagement and cost protection.
Tags: Network Firewall, Suricata rules, GWLB + NGFW, central egress, AWS WAF, Shield Advanced, DRT
Module 07
Operations & Troubleshooting: Flow Logs, Traffic Mirroring, Reachability Analyzer
Operate and debug large networks at scale. VPC Flow Logs default vs custom format fields, Traffic Mirroring for packet-level IDS, Reachability Analyzer for static path analysis between ENIs, Network Access Analyzer for finding unintended network paths at the organization level, Transit Gateway Network Manager for topology and event insights, CloudWatch Internet Monitor for end-user experience, and Route 53 Resolver DNS Firewall with block/alert/allow rules against malicious domains.
Tags: VPC Flow Logs, Traffic Mirroring, Reachability Analyzer, Network Access Analyzer, TGW Network Manager, Internet Monitor, Route 53 Resolver DNS Firewall

Key Concepts to Master

Concept 1

Transit Gateway vs Cloud WAN: When to Choose Which

Transit Gateway is region-scoped with manual route table design; ideal for up to roughly 10–20 VPCs in a single region. Cloud WAN provides a global core network with declarative policy (segments, routing, sharing) built for enterprise-scale multi-region architectures with hundreds of VPCs across continents. Cloud WAN automatically handles TGW peering under the hood. If the scenario says "global backbone with policy-as-code" it's Cloud WAN; if it says "hub-and-spoke in one region with custom route tables" it's TGW.

Concept 2

Gateway Load Balancer Traffic Flow (GENEVE)

GWLB inserts inline security appliances (3rd-party NGFWs, IDS/IPS) into the traffic path using GENEVE encapsulation on port 6081. The pattern: traffic enters via a GWLB endpoint in the spoke VPC → GWLB → appliance fleet → back to GWLB → destination. Appliances are fully transparent (no IP-level changes) and scale horizontally behind a target group. Critical for east-west and north-south inspection without re-architecting applications or rewriting source IPs.
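As an added example (not part of the course material), a minimal Python parser for the GENEVE encapsulation GWLB uses, showing what an inline appliance actually sees: the outer header and options, and the inner IP packet it inspects before handing the frame back to GWLB unchanged. The option class, VNI and inner addresses in the sample frame are constructed values, not AWS-specific ones.

```python
import ipaddress
import struct

GENEVE_PORT = 6081  # UDP port on which GWLB delivers GENEVE-encapsulated traffic

def parse_geneve(payload: bytes):
    """Parse an RFC 8926 GENEVE header; return (protocol_type, vni, options, inner_packet)."""
    if len(payload) < 8:
        raise ValueError("truncated GENEVE header")
    ver_optlen, _flags, proto, vni_rsvd = struct.unpack("!BBHI", payload[:8])
    if ver_optlen >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_end = 8 + (ver_optlen & 0x3F) * 4          # option length is counted in 4-byte words
    if len(payload) < opt_end:
        raise ValueError("options extend past end of payload")
    options, off = [], 8
    while off < opt_end:                            # each option: class(16) type(8) R(3) len(5) data
        opt_class, opt_type, len_byte = struct.unpack("!HBB", payload[off:off + 4])
        data_len = (len_byte & 0x1F) * 4
        options.append((opt_class, opt_type & 0x7F, payload[off + 4:off + 4 + data_len]))
        off += 4 + data_len
    return proto, vni_rsvd >> 8, options, payload[opt_end:]

def inner_ipv4_addrs(inner: bytes):
    """Source and destination of the encapsulated IPv4 packet, which is what the appliance inspects."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    src, dst = struct.unpack("!4s4s", inner[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))

def inspect(payload: bytes, blocked_dst: set):
    """Appliance decision: drop (None) if the inner destination is blocked, otherwise return the
    frame to GWLB byte-for-byte, outer GENEVE header and options untouched (transparent insertion)."""
    _, _, _, inner = parse_geneve(payload)
    _, dst = inner_ipv4_addrs(inner)
    return None if dst in blocked_dst else payload

def build_sample() -> bytes:
    """Constructed frame (not a capture): one 8-byte option, inner IPv4 header 10.0.1.10 -> 10.0.2.20."""
    option = struct.pack("!HBB", 0x0108, 3, 1) + b"\xde\xad\xbe\xef"  # sample class/type, 1 data word
    header = struct.pack("!BBHI", len(option) // 4, 0x00, 0x0800, 0x000ABC << 8)  # v0, IPv4 inner, VNI 0xABC
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                        bytes([10, 0, 1, 10]), bytes([10, 0, 2, 20]))
    return header + option + inner
```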

Concept 3

VPC Endpoint Types Decision Matrix

Gateway Endpoints: free, S3 and DynamoDB only, configured by adding a prefix-list route to the VPC route table. Interface Endpoints (PrivateLink): $0.01/hour/AZ plus per-GB, backed by an ENI with a private DNS hostname, supports nearly every other AWS service. VPC Endpoint Services: expose your own NLB-fronted service across accounts via PrivateLink (producer/consumer), ideal for SaaS providers selling into customer VPCs.

6-Week Study Plan

Week 1: VPC Architecture & CIDR Planning
Complete Module 1. Lab: build a 3-tier VPC with public, private, and isolated subnets across 3 AZs, deploy a NAT Gateway, add a secondary CIDR block, and validate route-table precedence. Read the VPC peering quota docs end-to-end.
Week 2: Hybrid Connectivity
Complete Module 2. Lab: deploy a Site-to-Site VPN with BGP to a software router (strongSwan or libreswan) in another VPC simulating on-prem. Review the three Direct Connect VIF types until you can pick the correct one from a scenario without hesitation.
Week 3: Transit Gateway & Cloud WAN
Complete Module 3. Lab: connect 3 VPCs via Transit Gateway with both route propagation and static routes. Read the Cloud WAN core network policy document format and understand how segments isolate traffic between environments.
Week 4: PrivateLink & Load Balancing
Complete Modules 4 and 5. Hands-on: expose an NLB-fronted service via a VPC Endpoint Service to another AWS account and validate DNS-based connectivity. Compare ALB, NLB, and GWLB target types and listeners side by side.
Week 5: Network Security
Complete Module 6. Lab: deploy AWS Network Firewall in a dedicated inspection VPC with a stateful rule group and implement the centralized egress inspection pattern behind a Transit Gateway. Walk through AWS WAF rule priorities on a test ALB.
Week 6: Operations, Troubleshooting & Full Practice
Complete Module 7. Enable VPC Flow Logs with a custom format and query them with Athena. Run a Reachability Analyzer path from an EC2 instance to an RDS endpoint. Take the full 60-question practice test and review every wrong answer in depth.

Top 4 Mistakes on the ANS-C01 Exam

Mistake 1: Confusing VPC peering with transitive routing
VPC peering does NOT support transitive routing. If A↔B and B↔C are peered, A cannot reach C via B. The correct solution is either Transit Gateway (recommended at any scale) or a full mesh of peering connections. The exam baits you with hub-VPC designs that look valid but silently break.

Mistake 2: Mixing up Direct Connect VIF types
Private VIF accesses a VPC via a Virtual Private Gateway or Direct Connect Gateway. Public VIF accesses AWS public service endpoints (S3, DynamoDB, public IPs). Transit VIF connects to a Transit Gateway via DX Gateway for multi-VPC aggregation. The exam rewards engineers who can pick the correct VIF from a one-line scenario.

Mistake 3: Forgetting Gateway Endpoints for S3 and DynamoDB
The default and cheapest way to privately access S3 or DynamoDB from a VPC is a Gateway Endpoint: free, route-table based, no ENI. You only need an Interface Endpoint for S3 if you must reach the bucket from on-premises over Direct Connect or need a specific private DNS name. Picking an Interface Endpoint when a Gateway Endpoint will do is a costly wrong answer on the exam.

Mistake 4: Misunderstanding NLB client IP preservation
NLB with instance or ip target types preserves the client IP by default. But with target type ip behind PrivateLink, the client IP is NOT preserved unless you explicitly enable preserve_client_ip on the target group. NLB with target type ALB (NLB fronting an ALB) always preserves. This distinction is a classic exam trap.
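An added example, not part of the course, that models the forwarding rules behind the peering mistake above and the most-specific-route rule from Module 1: a VPC route table is matched longest-prefix-first, a peering-connection target delivers only into the peer VPC's own CIDR (the peer never forwards onward), and a Transit Gateway target performs its own lookup across all attachments. The VPC names, CIDRs and peering IDs are constructed.

```python
import ipaddress

def lookup(routes, dst):
    """Route-table lookup: the most specific matching prefix wins, whatever the table order."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def reachable(src_vpc, dst, vpcs, peerings, tgw_routes):
    """True if a packet from src_vpc to dst is delivered under VPC forwarding rules."""
    ip = ipaddress.ip_address(dst)
    target = lookup(vpcs[src_vpc]["routes"], dst)
    if target == "local":
        return ip in ipaddress.ip_network(vpcs[src_vpc]["cidr"])
    if target in peerings:
        a, b = peerings[target]
        peer = b if a == src_vpc else a
        # Peering is not transitive: the peer delivers only to its own CIDR and never
        # forwards to a third VPC, even if the peer's own route table has a path there.
        return ip in ipaddress.ip_network(vpcs[peer]["cidr"])
    if target == "tgw":
        # The Transit Gateway runs its own longest-prefix lookup over its route table
        # and hands the packet to the matching attachment, so A -> C via the hub works.
        att = lookup(tgw_routes, dst)
        return att is not None and ip in ipaddress.ip_network(vpcs[att]["cidr"])
    return False  # no matching route: dropped

# Constructed topology (not from the page): A<->B and B<->C are peered, A and C are not.
CIDRS = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16", "vpc-c": "10.2.0.0/16"}
PEERINGS = {"pcx-ab": ("vpc-a", "vpc-b"), "pcx-bc": ("vpc-b", "vpc-c")}

def peered_design():
    """Hub-VPC design: A's route for 10.2.0.0/16 via pcx-ab is accepted but can never deliver."""
    return {
        "vpc-a": {"cidr": CIDRS["vpc-a"], "routes": [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-ab"), ("10.2.0.0/16", "pcx-ab")]},
        "vpc-b": {"cidr": CIDRS["vpc-b"], "routes": [("10.1.0.0/16", "local"), ("10.0.0.0/16", "pcx-ab"), ("10.2.0.0/16", "pcx-bc")]},
        "vpc-c": {"cidr": CIDRS["vpc-c"], "routes": [("10.2.0.0/16", "local"), ("10.1.0.0/16", "pcx-bc")]},
    }

def tgw_design():
    """Hub-and-spoke: each VPC sends 10.0.0.0/8 to the TGW; its own /16 still wins as more specific."""
    return {v: {"cidr": c, "routes": [(c, "local"), ("10.0.0.0/8", "tgw")]} for v, c in CIDRS.items()}

TGW_ROUTES = [(c, v) for v, c in CIDRS.items()]  # propagated routes: attachment CIDR -> attachment
```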

AWS ANS-C01 vs SAA-C03 — What's the Difference?

ANS-C01 — Specialty

  • Transit Gateway + Cloud WAN architect-level
  • Direct Connect VIFs, LAG, SiteLink
  • PrivateLink + VPC Endpoint Services
  • GWLB + 3rd-party NGFW GENEVE inspection
  • AWS Network Firewall Suricata rules
  • Reachability & Network Access Analyzer
  • BGP attributes, ECMP, asymmetric routing
  • Focus: deep networking for network engineers

SAA-C03 — Associate

  • Broad AWS services across 4 pillars
  • VPC basics: subnets, NACLs, security groups
  • ALB vs NLB at a decision level
  • Route 53 routing policies (failover, weighted)
  • Design resilient multi-AZ architectures
  • ~10-15% of exam is networking
  • No deep BGP or Direct Connect VIFs
  • Focus: solution architect breadth

Many engineers take SAA-C03 first to build the AWS foundation, then ANS-C01 as a specialty once they have real-world AWS networking responsibility. Specialty exams do not require any prerequisite but expect associate-level fluency.

Ready to Practice?

60 scenario-based questions covering all 4 ANS-C01 exam domains. Immediate feedback with detailed explanations. No signup, no paywall.
