ANS-C01 is the AWS cert that separates network architects from general cloud engineers.

Most AWS certifications in 2026 test breadth: the Solutions Architect Associate covers compute, storage, databases, networking, and security in roughly equal measure. The Advanced Networking Specialty does the opposite. It goes deep into a single discipline — cloud networking — and tests it at a level of complexity that most cloud professionals encounter only when designing infrastructure for large enterprise or multi-tenant environments.

ANS-C01 replaced the original ANS-C00 exam in 2022 with an updated objective set that reflects how enterprise AWS deployments actually look in production. The old exam was heavy on conceptual VPC knowledge; the updated exam assumes you already know the fundamentals and immediately tests multi-account architectures, complex BGP scenarios, Direct Connect redundancy models, and hybrid DNS resolution patterns. The difficulty increase was significant. Candidates who passed ANS-C00 on general cloud architect knowledge found ANS-C01 considerably harder, and AWS certification community pass-rate data reflects this: ANS-C01 consistently ranks among the two or three hardest active AWS exams.

The career case for ANS-C01 in 2026 is clear. Cloud networking has evolved from a side skill for sysadmins into a dedicated engineering discipline. Organisations running AWS at enterprise scale — hundreds of accounts, dozens of VPCs, hybrid connectivity to on-premises data centres, multi-region deployments — need engineers who understand Transit Gateway route propagation, Direct Connect redundancy tiers, and BGP attribute manipulation in AWS. ANS-C01 is the credential that proves that knowledge. Network architects, senior cloud engineers, and infrastructure leads at AWS-heavy shops hold ANS-C01 as the networking half of a credential stack that typically also includes Solutions Architect Professional or DevOps Professional. Compensation for ANS-C01 holders runs $155k–$200k USD in North American markets, with senior architect roles at Fortune 500 companies reaching $220k total compensation in 2026.

What ANS-C01 tests: the four domains

The exam objectives as of 2026 cover four domains. The weight distribution concentrates the exam on design and implementation (combined 56%), which means scenario-based architectural questions dominate — "given this environment, what is the correct Transit Gateway configuration?" rather than "what port does BGP use?"

Domain 1: Network Design — 30%

The heaviest domain tests your ability to design AWS networking architectures from scratch, with emphasis on multi-account environments and large-scale topologies that go beyond a single VPC.

  • VPC design and CIDR planning: A VPC spans all Availability Zones in a region and requires a CIDR block from /16 (65,536 addresses) to /28 (16 addresses). Subnets are AZ-scoped and consume portions of the VPC CIDR. The exam tests CIDR allocation at scale: overlapping CIDR blocks prevent VPC peering and Transit Gateway attachment — designing non-overlapping address space across 50+ VPCs requires upfront planning. Secondary CIDRs extend VPC address space without re-creating the VPC, with constraints: you cannot add a secondary CIDR from the 172.16.0.0/12 range if the primary is also 172.16.0.0/12. IPv6 /56 blocks are automatically assigned; subnets receive /64 allocations. Dual-stack VPCs require an Internet Gateway even if only IPv6 egress is needed (egress-only Internet Gateway handles IPv6 outbound without inbound).
  • Multi-account VPC architecture: AWS Organizations partitions accounts into Organizational Units; networking typically uses a Network account or Shared Services account pattern. Centralized egress places NAT Gateways in a shared VPC to reduce per-account NAT costs across hundreds of accounts. Shared VPCs (Resource Access Manager) allow subnet sharing across accounts in an Organization — workload accounts deploy EC2 instances into a centrally managed VPC without owning the VPC. The key trade-off: shared VPC simplifies connectivity but reduces blast radius isolation; separate VPCs with Transit Gateway provide isolation but add operational overhead. The exam presents multi-account scenarios and asks which pattern meets the stated requirements for cost, isolation, and management overhead.
  • Transit Gateway architecture: AWS Transit Gateway is the hub in a hub-and-spoke topology that connects thousands of VPCs and on-premises networks through a single regional gateway. Each VPC and VPN/Direct Connect attachment has a route table association (which route table the attachment uses for routing decisions) and route table propagation (which route tables learn the attachment's routes). Segmentation: create separate route tables for production, development, and shared-services attachments to prevent direct production–development routing while still allowing both to reach shared services. Transit Gateway peering connects gateways across regions; route propagation does not cross the peering connection — static routes must be added manually. Multicast is a Transit Gateway feature for one-to-many streaming applications; it requires a multicast domain with group membership managed via Internet Group Management Protocol (IGMP) or static configuration.
  • AWS PrivateLink and VPC endpoints: Interface endpoints (powered by PrivateLink) place an ENI with a private IP in your subnet for AWS service traffic, keeping it off the public internet. Gateway endpoints route S3 and DynamoDB traffic within AWS infrastructure without an ENI; they work by adding a route to the VPC route table and cannot be used from on-premises or peered VPCs. The exam distinguishes carefully: Interface endpoints work from on-premises via Direct Connect or VPN; Gateway endpoints do not. PrivateLink for custom services exposes a service in one VPC to consumers in other VPCs without VPC peering — the provider deploys behind an NLB; consumers create Interface endpoints. Traffic does not traverse the internet, does not require route table changes, and works across accounts and Organizational boundaries.
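As an added illustration of the CIDR-planning point above (example code, not part of the page and not an AWS tool), the following Python uses only the standard library to flag overlapping address blocks in a constructed multi-account plan and to carve the next free block out of a supernet; the account IDs, VPC names and prefixes are made up.

```python
import ipaddress
from itertools import combinations

# Constructed sample address plan for a multi-account landing zone (not real infrastructure).
# Each entry is (account_id, name, cidr). The "dev-b" VPC deliberately overlaps "prod-a".
# The last entry is the on-premises summary prefix: VPC space must not collide with it either,
# or hybrid routing over Direct Connect / VPN becomes ambiguous.
ADDRESS_PLAN = [
    ("111111111111", "prod-a", "10.0.0.0/16"),
    ("222222222222", "prod-b", "10.1.0.0/16"),
    ("333333333333", "shared-services", "10.255.0.0/20"),
    ("444444444444", "dev-b", "10.0.128.0/17"),      # overlaps prod-a
    ("on-prem",      "on-prem-summary", "172.16.0.0/12"),
]


def find_overlaps(plan):
    """Return [(name_a, name_b)] for every pair of prefixes that overlap.

    Overlapping CIDRs cannot be VPC-peered, and behind a Transit Gateway the
    most specific route silently wins, so overlaps must be caught before any
    attachment is created rather than debugged afterwards.
    """
    nets = [(name, ipaddress.ip_network(cidr)) for _, name, cidr in plan]
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def allocate_next(plan, supernet, prefixlen):
    """Pick the first /prefixlen block inside `supernet` that overlaps nothing
    already planned. Returns the CIDR string, or None if the supernet is full."""
    used = [ipaddress.ip_network(cidr) for _, _, cidr in plan]
    for candidate in ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


def vpc_size_ok(cidr):
    """An AWS VPC CIDR must be between /16 and /28 inclusive."""
    return 16 <= ipaddress.ip_network(cidr).prefixlen <= 28


if __name__ == "__main__":
    print("overlaps:", find_overlaps(ADDRESS_PLAN))
    print("next /16 in 10.0.0.0/8:", allocate_next(ADDRESS_PLAN, "10.0.0.0/8", 16))
```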

Domain 2: Network Implementation — 26%

Implementation tests whether you can configure AWS networking constructs correctly, with emphasis on hybrid connectivity (Direct Connect, VPN) and routing behaviour under realistic failure conditions.

  • AWS Direct Connect: A dedicated network connection from on-premises to AWS via an AWS colocation facility or a Direct Connect partner. Dedicated connections are 1 Gbps or 10 Gbps physical links from the customer to the AWS Direct Connect router. Hosted connections (50 Mbps to 10 Gbps) are ordered through a Direct Connect partner who owns the physical infrastructure and sub-divides capacity. Virtual Interfaces (VIFs) are logical connections over a Direct Connect link: Public VIFs access AWS public endpoints (S3, EC2 APIs) using public IP ranges; Private VIFs connect to a single VPC via a Virtual Private Gateway; Transit VIFs connect to a Transit Gateway for multi-VPC access from a single Direct Connect connection. Resiliency: a single Direct Connect link has no SLA; dual Direct Connect connections from different locations (Maximum Resiliency) provide 99.99% availability; a single connection with Site-to-Site VPN backup provides 99.9% availability with lower cost. Direct Connect SiteLink enables on-premises-to-on-premises traffic routing through the AWS global backbone, bypassing the public internet for branch office interconnection.
  • Site-to-Site VPN: AWS managed VPN endpoints in two Availability Zones provide two tunnels per VPN connection for redundancy. BGP over VPN: using dynamic routing, AWS advertises VPC CIDRs to the customer gateway; the customer advertises on-premises prefixes. Equal Cost Multi-Path (ECMP) over Transit Gateway allows traffic to load-balance across multiple VPN tunnels or across multiple Transit Gateway VPN attachments — up to 50 Gbps aggregate throughput with enough attachments. The exam distinguishes VPN termination at a Virtual Private Gateway (single VPC, no ECMP) versus Transit Gateway (multi-VPC, ECMP supported). IKEv2 is required for ECMP; IKEv1 is supported but does not enable multi-tunnel load balancing.
  • VPC peering: Connects two VPCs (same or different account, same or different region) with a one-to-one non-transitive connection — VPC A peered to B and B peered to C does not allow A to reach C through B. Route tables on both sides must be updated to route the peer's CIDR. VPC peering does not support overlapping CIDRs. Cross-region peering incurs data transfer costs and uses the AWS global backbone. The exam uses VPC peering for simple two-VPC connectivity questions and Transit Gateway for hub-and-spoke or mesh topologies beyond four VPCs (where the number of peering connections grows as n*(n-1)/2 and becomes unmanageable).
  • Elastic Load Balancing routing: Application Load Balancer (ALB) operates at Layer 7 and supports path-based routing (/api/* to one target group, /static/* to another), host-based routing (virtual hosting), HTTP header conditions, and query string conditions. Network Load Balancer (NLB) operates at Layer 4, preserves source IP, handles millions of requests per second, and supports static IP addresses or Elastic IPs per AZ (required when the downstream firewall allow-lists by IP). Gateway Load Balancer routes all traffic through third-party virtual appliances (Palo Alto, Fortinet) using the GENEVE protocol on port 6081 — the correct choice when an exam question requires inline traffic inspection at scale without managing appliance redundancy manually.

Domain 3: Network Management and Operations — 20%

This domain covers the operational tooling for DNS, content delivery, network monitoring, and troubleshooting. Route 53 and CloudFront together account for a large share of the questions here.

  • Amazon Route 53: Public hosted zones serve DNS queries from the internet; private hosted zones serve DNS queries from within one or more associated VPCs. Route 53 Resolver provides DNS resolution for EC2 instances in a VPC: the Amazon-provided resolver at 169.254.169.253 (or the VPC base CIDR +2 address) handles inbound and outbound resolution. Resolver Inbound Endpoints allow on-premises DNS servers to forward queries to Route 53; Resolver Outbound Endpoints allow VPC workloads to forward queries to on-premises DNS servers via forwarding rules. Routing policies: Simple (single record, no health checks), Weighted (traffic split by percentage for blue/green or A/B), Latency-based (routes to the lowest-latency region), Geolocation (routes by user country/continent), Failover (active-passive, requires a health check), Multivalue Answer (returns up to 8 healthy IPs, similar to round-robin with health checking). ALIAS records (Route 53-specific) resolve to AWS resources (ALB, CloudFront, S3 static sites), can be used at the zone apex (the root domain, where a CNAME is not allowed) without incurring per-query charges, and support health checks, unlike standard CNAMEs.
  • Amazon CloudFront: A global CDN with 400+ edge locations that caches content and proxies dynamic requests to origins. Origins can be S3 buckets (with Origin Access Control replacing the deprecated Origin Access Identity), ALBs, NLBs, EC2 instances, or any HTTP endpoint. Cache behaviours define which URL patterns go to which origin with which cache settings. Origin Shield adds an additional caching layer between edge locations and the origin to reduce origin load during traffic spikes. Custom SSL certificates for CloudFront must be provisioned in us-east-1 via AWS Certificate Manager — a common exam gotcha. AWS WAF attaches to CloudFront to block requests at the edge before they reach the origin. Lambda@Edge and CloudFront Functions execute code at edge locations for request/response manipulation: CloudFront Functions (sub-millisecond, JavaScript) for header rewrites and URL normalisation; Lambda@Edge (milliseconds, Node.js or Python) for more complex transformations like A/B testing or authentication.
  • Network monitoring and troubleshooting: VPC Flow Logs capture accepted and rejected traffic metadata (source IP, destination IP, port, protocol, bytes, action) at the VPC, subnet, or ENI level and deliver to CloudWatch Logs, S3, or Kinesis Data Firehose. Flow Logs do not capture DNS queries, DHCP traffic, instance metadata requests, or Amazon Windows licence activation traffic. Reachability Analyzer performs deterministic static analysis of network paths between two endpoints without sending actual packets — it identifies the specific misconfigured Security Group, route table, or NACL blocking a path. Network Access Analyzer identifies over-permissive network access paths in AWS resources. AWS Network Manager provides a global view of Transit Gateway topologies and Direct Connect connections. CloudWatch Network Monitor (launched 2023) runs active probes from AWS to on-premises endpoints to measure latency and packet loss over Direct Connect and VPN links.
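To make the Flow Logs discussion concrete, here is an added Python example (not from the page and not an AWS tool) that parses default-format version 2 VPC Flow Log records, skips NODATA/SKIPDATA windows, and summarises REJECTed destination ports per external source as a simple detection signal; the log lines and account/ENI identifiers are constructed sample data.

```python
from collections import defaultdict

# Default (version 2) VPC Flow Log field order, space-separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not from a real account). Protocol 6 = TCP.
# One external source is rejected on three different ports in one window;
# a legitimate HTTPS exchange is accepted in both directions; the last two
# lines are the NODATA / SKIPDATA records Flow Logs emit for idle or throttled windows.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51234 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51235 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51236 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44000 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.7 443 44000 6 18 32000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - SKIPDATA
"""


def parse_flow_log(text):
    """Yield one dict per usable record. Lines with the wrong field count are
    dropped, and NODATA/SKIPDATA windows carry no flow fields, so they are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed; in production this would go to a dead-letter location
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        yield rec


def rejects_by_source(records, min_ports=3):
    """Map each source address to the sorted distinct destination ports it was
    REJECTed on, keeping only sources that hit at least `min_ports` ports: a
    single source probing several closed ports in one window is worth an alert."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    records = list(parse_flow_log(SAMPLE_LOG))
    print(f"{len(records)} usable records")
    print("multi-port reject sources:", rejects_by_source(records))
```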

Domain 4: Network Security, Compliance, and Governance — 24%

Security is the second-heaviest domain and consistently produces the questions candidates find most difficult, because the correct answer requires understanding the interaction between multiple security layers rather than knowing a single product.

  • Security Groups and Network ACLs: Security Groups are stateful: return traffic for a connection that was allowed in one direction is permitted automatically. NACLs are stateless: separate inbound and outbound rules must explicitly allow return traffic; rules are evaluated in ascending numeric order and the first match wins (add an explicit deny-all as the highest-numbered rule). Security Groups support only allow rules; NACLs support both allow and deny rules. The exam tests when to use each: Security Groups for EC2-level east-west traffic control; NACLs for subnet-level blocking of known bad IP ranges (since Security Groups cannot deny, only NACLs can explicitly block a CIDR). Security Groups can reference other Security Groups as sources, enabling zero-trust micro-segmentation without managing IP lists.
  • AWS Network Firewall: A managed stateful/stateless network firewall deployed at the VPC level, positioned at the perimeter or between subnets. Stateless rule groups evaluate each packet independently (similar to NACLs) at very high throughput. Stateful rule groups maintain connection state and support Suricata-compatible IDS/IPS rules — enabling deep packet inspection, domain-based filtering, and protocol anomaly detection. Deployment patterns: centralised (single inspection VPC with Transit Gateway routing all traffic through the firewall) vs distributed (Network Firewall deployed in each spoke VPC). The exam asks which deployment pattern meets requirements for centralised logging versus minimising latency. Firewall policies define ordered stateless rule group evaluation followed by stateful evaluation; a default action applies to packets that do not match any rule.
  • AWS WAF, Shield, and Firewall Manager: AWS WAF protects ALB, CloudFront, API Gateway, and AppSync from web application attacks using managed rule groups (AWS Managed Rules for common CVEs, SQL injection, XSS) and custom rules (IP sets, regex patterns, rate limiting). Shield Standard is automatic and free for all AWS customers, protecting against volumetric DDoS attacks. Shield Advanced adds 24/7 AWS DDoS Response Team (DRT) access, cost protection for scaling charges during DDoS events, and application-layer DDoS detection via WAF. AWS Firewall Manager provides centralised policy management across an AWS Organization — deploy WAF rules, Security Groups, Network Firewall policies, and Shield Advanced protections to all accounts from a single delegated administrator account. The exam tests Firewall Manager for any requirement that includes "enforce across all accounts" or "ensure all accounts have consistent security policies."
  • AWS Certificate Manager and encryption in transit: ACM provisions TLS certificates for use with ALB, NLB (TLS listeners), CloudFront, and API Gateway. ACM certificates are free for public CAs; private CA certificates are billed per certificate. ACM public certificates cannot be exported (private key never leaves AWS); ACM Private CA certificates can be exported for use on EC2 or on-premises. SSL Policy on ALB/NLB specifies which TLS versions and cipher suites are supported — ELBSecurityPolicy-TLS13-1-2-2021-06 enforces TLS 1.2 minimum with TLS 1.3 support, the current AWS recommended policy. The exam distinguishes when to use ACM versus AWS Secrets Manager (for database credentials and application secrets) versus KMS (for data-at-rest encryption keys).
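The stateful-versus-stateless distinction above is easiest to get wrong on the return path, so here is an added Python model (example code, not from the page and not an AWS API) that evaluates a constructed NACL rule set in ascending order with first match wins and checks both directions of a TCP connection, beside a stateful Security Group check that consults only the inbound rule; the NaclRule type, rule numbers and CIDRs are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order; the first matching rule decides
    proto: str       # "tcp", "udp" or "all"
    cidr: str        # remote CIDR: source for inbound rules, destination for outbound
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


def nacl_evaluate(rules, remote_ip, port, proto):
    """Stateless: every packet, including a reply, is judged on its own.
    Returns the action of the lowest-numbered matching rule; the implicit
    final rule (*) denies anything that matched nothing."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto not in ("all", proto):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action
    return "deny"


def nacl_round_trip(inbound, outbound, client_ip, client_port, server_port):
    """A TCP connection through a NACL works only if the request passes the
    inbound list AND the reply (to the client's ephemeral port) passes outbound."""
    request_ok = nacl_evaluate(inbound, client_ip, server_port, "tcp") == "allow"
    reply_ok = nacl_evaluate(outbound, client_ip, client_port, "tcp") == "allow"
    return request_ok and reply_ok


def sg_round_trip(allowed_inbound, client_ip, server_port):
    """Security Group: stateful, so only the inbound allow rules are consulted;
    the reply is tracked and permitted automatically. allowed_inbound = [(cidr, port)]."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) and p == server_port for c, p in allowed_inbound)


# Constructed subnet NACL: expose HTTPS, but block a known-bad range before the allow.
INBOUND = [
    NaclRule(50, "tcp", "198.51.100.0/24", 0, 65535, "deny"),   # lower number wins over rule 100
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# Common mistake: outbound mirrors inbound and forgets the ephemeral reply ports.
OUTBOUND_BROKEN = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]

if __name__ == "__main__":
    print("broken NACL:", nacl_round_trip(INBOUND, OUTBOUND_BROKEN, "203.0.113.5", 51000, 443))
    print("fixed NACL: ", nacl_round_trip(INBOUND, OUTBOUND_FIXED, "203.0.113.5", 51000, 443))
    print("blocked range:", nacl_round_trip(INBOUND, OUTBOUND_FIXED, "198.51.100.9", 51000, 443))
    print("security group:", sg_round_trip([("0.0.0.0/0", 443)], "203.0.113.5", 443))
```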

ANS-C01 is an architectural exam that tests depth, not breadth. Every scenario has a technically valid answer and a better answer — the better answer accounts for the specific constraints in the question: cost, operational overhead, scale, resiliency tier. Candidates who fail ANS-C01 typically know the technology but pick the first valid answer rather than the optimal one. The right preparation focus is understanding trade-offs: when Transit Gateway beats VPC peering and when it doesn't; when Direct Connect beats VPN and the resiliency SLA that changes the answer; when centralised Network Firewall beats distributed and when the latency argument reverses it.

Exam format and logistics

ANS-C01 is a 170-minute exam delivered through Pearson VUE at a test centre or via online proctoring. The exam contains 65 questions: multiple choice (single correct answer) and multiple response (select two or three from a list). There are no lab tasks, simulations, or hands-on components — it is entirely question-based. The passing score is 750 out of 1000. The exam costs $300 USD. AWS Specialty exams carry a 3-year validity period with renewal via a paid re-examination at the then-current exam price — unlike Microsoft (free annual assessment) or CompTIA (CE credits or paid renewal exam), AWS does not offer free renewal paths.

AWS recommends five or more years of hands-on AWS experience and two or more years in AWS networking roles as prerequisites, with Solutions Architect Associate as the baseline knowledge foundation. In practice, candidates without Direct Connect lab experience or real Transit Gateway deployments in production consistently struggle with the implementation and design domains regardless of study time. ANS-C01 is not a self-study-only exam — hands-on experience with real multi-account environments is the most effective preparation.

ANS-C01 at a glance

  • Cost: $300 USD
  • Questions: 65 (multiple choice + multiple response)
  • Duration: 170 minutes
  • Passing score: 750/1000
  • Prerequisites: none (recommended: AWS SAA or SAP)
  • Validity: 3 years
  • Delivery: Pearson VUE, test centre or online proctored
  • Recommended experience: 5+ years AWS, 2+ years networking

How ANS-C01 fits the AWS certification map

Where ANS-C01 sits in the AWS credential landscape

  • AWS SAA-C03 → ANS-C01 — Solutions Architect Associate is the most common feeder certification for ANS-C01. SAA covers VPCs, Route 53, CloudFront, and Direct Connect at Associate depth; ANS-C01 extends every networking topic to Specialty depth. Candidates holding SAA who work in network engineering or infrastructure architecture roles progress to ANS-C01 as the natural specialisation. Combined SAA + ANS-C01 targets senior cloud architect and network architect roles at $145k–$185k.
  • AWS SAP-C02 + ANS-C01 — The combination of Solutions Architect Professional and Advanced Networking Specialty is the credential stack most associated with principal-level cloud architect roles. SAP covers hybrid architecture, migration strategy, and organisational design at a breadth that complements ANS-C01's networking depth. This pairing targets cloud architect and cloud infrastructure lead roles at $175k–$220k total compensation in 2026.
  • ANS-C01 alongside Security Specialty (SCS-C02) — Network security questions appear in both ANS-C01 (Network Firewall, WAF, DDoS protection) and SCS-C02 (GuardDuty, Security Hub, IAM policy analysis). Candidates pursuing a security-focused infrastructure career often hold both. The overlap reduces study time for the second exam — approximately 30% of ANS-C01 security content maps to SCS-C02 objectives.
  • ANS-C01 and on-premises networking certifications — Cisco CCNP or CCIE holders transitioning to cloud networking find ANS-C01 preparation easier than pure-cloud candidates because BGP, OSPF, ECMP, and redundancy design concepts transfer directly. The main learning investment is AWS-specific constructs: Transit Gateway, Virtual Private Gateway, and Direct Connect architecture. AWS network engineers who hold ANS-C01 alongside CCNP or NSE4 target hybrid cloud architect roles that require both on-premises and cloud networking depth, commanding the top of the $180k–$220k band in 2026.

How to prepare for ANS-C01

ANS-C01 requires a preparation strategy that prioritises practical experience and architectural trade-off reasoning over documentation review. The following sequence works for most candidates coming from an Associate-level AWS background.

Practice AWS networking concepts with CertQuests — scenario-based questions for ANS-C01, SAA-C03, AWS Security Specialty, and more.