Last week I took and passed the AWS Certified Advanced Networking – Specialty exam on my first attempt. In this post I will describe the study materials that I used and talk about my experience of taking this test.
What type of skills does this exam test? This is a quote from AWS:
Earning AWS Certified Advanced Networking – Specialty validates expertise in designing and maintaining network architecture for the breadth of AWS services.
The key here I think is “for the breadth of AWS services”. It’s not enough to only understand general networking in AWS; you need to understand how to do networking for different AWS services such as S3, WorkSpaces, Lambda, Storage Gateway, and so on. There is no actual prerequisite to take the exam, but it definitely doesn’t hurt if you already have the Solutions Architect Associate (this was previously a prerequisite) as it will help you understand what services are available.
The following are also listed as recommendations for who should take this exam:
- Professional experience using AWS technology, AWS security best practices, AWS storage options and their underlying consistency models, and AWS networking nuances and how they relate to the integration of AWS services.
- Knowledge of advanced networking architectures and interconnectivity options [e.g., IP VPN, multiprotocol label switching (MPLS), virtual private LAN service (VPLS)].
- Familiarity with the development of automation scripts and tools. This should include the design, implementation, and optimization of the following: Routing architectures (including static and dynamic); multi-region solutions for a global enterprise; highly available connectivity solutions (e.g., AWS Direct Connect, VPN).
- Knowledge of CIDR and sub-netting (IPv4 and IPv6); IPv6 transition challenges; and generic solutions for network security features, including AWS WAF, intrusion detection systems (IDS), intrusion prevention systems (IPS), DDoS protection, and economic denial of service/sustainability (EDoS).
Based on this, it is a certification for people that already have experience in networking. It doesn’t mean that you have to be an expert in networking, but the more knowledge you have in networking, the easier the networking part of the exam will be. I would recommend the following before you take this exam:
- Being comfortable with CIDRs and subnetting: calculating available hosts, how big a subnet you need, etc.
- Knowledge of RFC1918 and public prefixes
- Basic understanding of NAT
- Intermediate level knowledge of BGP and its attributes. Understanding how BGP selects the best path
- Understanding of longest prefix match and best path selection in general
- Basic understanding of DNS
- Intermediate level understanding of VPNs using IPSec and GRE
- Basic understanding of CDNs
- Basic understanding of load balancers
- Basic understanding of different apps, what ports they use and how they communicate
- Intermediate level understanding of packet filtering
The picture below shows the domains covered in this exam and their percentage:
As you can see, more than half the exam (52%) is around designing and implementing networks. For a full breakdown of what’s covered, refer to the exam guide.
This should give you an understanding of who this exam is for and the level of networking skills that you need. Now let’s move on to what resources I used to study for this exam.
One of my main resources was the Advanced Networking Specialty course from Acloudguru. This course covers the breadth of the exam. Overall I was happy with the content even if it doesn’t always go as deep as I would like, but that is to be expected as this is already a long course with around 30 hours of content. One of the good things about this course is that it includes some labs and quizzes. The following labs were available:
- Create a Multi-Subnet VPC with Secure Access to Private Servers with Outbound Internet Access
- Create a VPC Endpoint and S3 Bucket in AWS
- Configure Transit Gateway for a Multi-VPC Environment
In addition to the labs included, Acloudguru also provides what they call a cloud playground. This is the biggest selling point in my opinion, in combination with the number of courses they offer. The cloud playground allows you to play around freely in a safe environment without risking a bill because you have gone beyond what the AWS free tier offers. The following services are available in the cloud playground.
There is also an official study guide for this exam written by AWS experts. This book was released in March 2018, which means that anything released after that is obviously not covered, such as Transit Gateway (TGW) and Gateway Load Balancer (GWLB). Still, this book is a good read and goes a little deeper into certain topics than the Acloudguru course. It also has more examples of different architectures that you can implement using AWS services. There is also a good number of practice questions that you can use to prepare for this exam. Note that this book is available on O’Reilly if you already have access to that.
With these two resources you will definitely have covered enough to be prepared for the exam. I would still recommend going through re:Invent sessions and AWS white papers to go deeper into different services and architectures. Here are some of the ones I recommend:
Another Day, Another Billion Flows – This is an excellent session with Colm MacCárthaigh, the lead designer and principal engineer for Hyperplane, one of the AWS services that runs under the hood and powers things like NAT Gateway, PrivateLink, and so on. This session is not essential to passing the exam, but it is essential to understanding more about how AWS actually runs its network and how they make sure your packets in a VPC get forwarded to the correct destination.
AWS Direct Connect Deep Dive (NET403) – To pass this exam, you need expertise with Direct Connect. This session goes into public and private VIFs, Direct Connect Gateway (DXGW), traffic engineering, BGP communities, billing, and more.
Securely Access Services Over AWS PrivateLink – This is a white paper that covers gateway endpoints, interface endpoints and of course PrivateLink in detail. It also talks about providing DNS names for your services.
Building a Scalable and Secure Multi-VPC AWS Network Infrastructure – This white paper covers how to build a multi-VPC infrastructure using VPC peering, transit VPC, TGW, DXGW, and more.
Hybrid Connectivity – This white paper covers hybrid connectivity. When do you use a VPN? When do you use Direct Connect? How do you select between the two? How many routes are supported? This document helps you pick between different solutions for hybrid connectivity.
Hybrid DNS Resolution – This is a short and to the point document describing hybrid DNS resolution using Route53 resolver endpoints and multi-account hybrid DNS resolution.
Inspection Deployment Models with AWS Network Firewall – Another to the point document describing different deployment models with AWS network firewall. This paper is good for understanding route tables, traffic flows, TGW, ingress routing, and firewall endpoints.
AWS Transit Gateway reference architectures for many VPCs (NET406) – This is an excellent session with Nick Matthews on the challenges of having many VPCs and how you can use TGW to simplify your architecture.
Get the most from Elastic Load Balancing for different workloads (NET407) – This session takes you deep into the different load balancers available in AWS. It helped me understand how AWS scales their load balancers and how traffic flows are routed and terminated, as well as when to use which load balancer.
Deep dive on DNS in the hybrid cloud (NET410) – DNS is an important topic and this session covers hybrid DNS, Route53 resolver endpoints, and managing DNS across many VPCs.
Networking foundations: Establish VPC connectivity (NET201) – This session is a good introduction to regions, availability zones, subnets, route tables, NACLs, SGs, and many of the networking constructs used in AWS.
Palo Alto AWS Reference Architecture Guide – This is an excellent document from Palo Alto that describes how to implement a security VPC architecture in AWS. It’s a really useful guide because it covers a lot about subnets, routing, traffic flows, the use of TGW, GWLB, and so on.
If you have covered the materials above you should be more than prepared to take the exam.
Now for the exam itself. It is a scenario-based exam with 65 questions where you have 170 minutes to answer them all. The exam costs $300. This exam is challenging, especially if you haven’t taken these types of exams before. Being a CCDE, I am used to these types of exams that are scenario-based and that require a lot of mental stamina. There is a lot of information to process and you need to stay sharp to be able to focus and find the best answer(s).
The questions will give you some background information. The question could be about connecting your on-premises environment to your VPC in AWS. The question will give you information that should help you in picking the right answer. It’s very important to try to find these details. For example, maybe they talk about predictable latency and throughput and that the organization needs 10 Gbit/s connectivity to their VPC. This could be a hint that you need to use Direct Connect as an IPSec VPN would not give you that type of throughput and is not predictable when it comes to latency or throughput.
Some questions you will be confident in answering. Some questions will be more difficult and you might not be certain what the correct answer is. In these scenarios, try to get rid of the answers that you are sure are incorrect. For example, you have four answers to pick from and only one is correct. The question has to do with NAT Gateway. Two of the answers talk about NAT Gateway in a private subnet. Two of the answers talk about NAT Gateway in a public subnet. To provide connectivity to the internet, NAT Gateway needs to be deployed to a public subnet. You are then fairly certain that the two answers with private subnet are incorrect. You now only have to pick between the two remaining answers. Your odds have gone from one in four (25%) to one in two (50%). That’s quite an improvement!
You should be aware that you can flag questions for review. Before submitting the exam you can review your flagged questions or all questions if you prefer. I did review all questions again as I had the time to do so. Just be aware of how much time you have spent and how much time is remaining. There will be a counter visible that shows you how much time you have remaining.
Overall I felt that this was a fair exam without too many stupid trivia-type questions. I felt I had done a good job but was still not 100% sure I had passed, so I was relieved to see the pass on the screen. It then took a couple of days before I got the official e-mail saying that I had passed.
I can definitely recommend this certification and especially the learning for it if you want to become proficient with networking in AWS. I hope this post has been helpful and wish you good luck in your studies!