AWS Advanced Networking – Speciality Study Guide

I recently passed the AWS Certified Advanced Networking – Specialty exam and want to share my experiences with those of you working toward the certification.


The exam is 170 minutes with 65 questions and compared to the professional level exams, this felt like ample time leaving more than 45 minutes to review my (many) marked questions. The question length was manageable and felt less than the pro exams, which made it easier to consume the content and move through the exam at a good pace. The questions are a mix of scenario and Q&A with scenarios making up the larger proportion.

Going in with a good understanding of networking such as TCP/IP, subnetting, routing and data center structure will help a lot. I don’t have a ‘networking’ background so I took more time to prepare and students with little or no networking experience should consider spending some extra time studying network fundamentals.

In terms of the technology specifics, I have included a list of top topics the exam focuses on along with some tips and key information. The section is limited to the top 6 +/- areas to keep this article a consumable size.

Study Resources

1. The AWS Certified Advanced Networking Study Guide

You will not often find me recommending the official text books as a number one study resource simply because I often find them hard to consume and remember. I prefer consolidated information that I can remember on test day. This study guide is specifically focused on test takers and the authors have done a great job of structuring the information in to easily consumable sections, each with its own assessment test.

I recommend taking the video courses mentioned below first while having this book on hand as a reference. Once the video courses are completed, take the assessment test in the book’s introduction to give you an idea of your strengths and weaknesses. Use the output as a guide to further research. The practice exams included in the online study tools will also help highlight areas you need to brush up and these exams are by far the closest practice exams to the real test that I found – offering much more of a read world experience than the exams included with the video courses, for example.

The 138 flash cards included with the online content are also really useful – these are not the usual ways that I choose to study but I would not have passed without this resource so it is cash well spent.

2. Video courses from and Linux Academy

Both of these courses are highly valuable. For those of you that have read my previous article, you know that I’m a huge advocate of both training providers and they both deliver for this certification.

Derek Morgan’s course does a great job of breaking down the concepts – everything from the basics of IPv4 and subnetting through to BGP and MPLS specifics and processes. I found the breakdown between fundamentals and deep dive really helpful. The course really helped me understand the specifics and helped me understanding the ‘right’ choice on questions where you need to reason the answer.

Ryan Kroonenburg’s course is also outstanding. The course helped me ‘get it’ and fit everything together. I loved the flow and structure and focus on flow of each of the subject areas as this is something the exam really focuses on, BGP path selection and how to influence it etc.

3. Blogs and Articles

Yujun Liang’s article on LinkedIn:
Jady Liu’s article on LinkedIn:
Michael Kelly’s blog:

4. AWS Re:Invent Videos

Jady Liu’s list is all you need:

In summary, get the book to maximise your chances of passing with the best score.

Top Topics, Tips and Key Information

Notes covering what I feel are the top 6 focus areas for the exam.

Direct Connect (DX) and Border Gateway Protocol (BGP)

  • By far the most focused topic of the exam
  • DX allows you to connect your AWS resources to your on-premises resources privately
  • DX is typically more consistent and reliable than a normal internet connection
  • AWS provides 1Gbps or 10 Gbps Ethernet single mode fiber-optic
    • Sub 1Gbps connections can be ordered by a partner (min 50 Mbps)
  • Direct Connect locations allow you to connect to that specific region
  • Supports both IPv4 and IPv6
  • Reduced data-out rates. Data in to AWS is free (in almost all cases)
  • Virtual interface (VIF) needed for each VPC. Connected to Direct Connect
    • Public VIF: Used to connect to AWS resources not in a VPC
      • Used for a VPN to a VGW
    • Private VIF: Used to connect to resources within a VPC
  • One LOA-CFA per connection per data centre
    • LOA-CFA = Letter of Authorization Customer Facility Access
  • LAGs = Link Aggregation Groups
  • 100 BGP prefixs can be announced over a single private VIF (hard limit)
  • S3 endpoint cannot be accessed over DX
    • Public VIF used to access S3 over a direct connect (but not the endpoint)

DX Requirements

  • BGP
  • BGP MD5 auth
  • Single mode fibre 1000BASE-LX and 10GBASE- with 802.1q VLANs
  • Auto-negotiation for the port for direct connect needs to be disabled
  • You cannot change the port speed of an existing connection
  • Limit on BGP (dynamic) advertised routes per route table is 100
    • Static route limit is 50 (convert to dynamic/BGP to increase amount of possible routes)
  • Lowest bandwidth on DX partners is 50 Mbps

Elastic Load Balancers

  • Allows you to distribute application traffic across multiple EC2 instances
  • Can distribute traffic over multiple availability zones
    • Cross-zone load balancing MUST be enabled
  • Two network configurations of ELBs:
    • External: Routes traffic from the internet to EC2 instances
    • Internal: Routes traffic from internal resources to EC2 instances
  • Minimum IPv4 subnet size of /27, which differs from the VPC
  • Cannot use AWAS WAF with ELB classic
  • Terminate SSL on ELB for performance – be aware of requirements for end-to-end encryption
  • x-forwarded-for header needed to see client in access logs – ALB
  • Proxy protocol to enable connection information (including client IP) when using TCP or SSL for both front and back end on ELB Classic
  • Use alias Route53 record

Virtual Private Networks (VPN)

  • Site-to-site only using AWS VPN
  • Client-to-site would be third party software running on EC2 in a VPC
  • IPSec and Encapsulating Security Protocol
  • IP protocol 50, port 500 UDP for IPSec
  • Benefits:
    • Data encryption in transit across the internet and direct connect
    • Used to encrypt direct connect (use Public VIF for VPN termination)
  • Use monitoring software (keep alive) to keep tunnel up
  • Routing hard limit of 50 for static routes and 100 for dynamic routes (BGP)
  • VPN connection consists of two tunnels (configure to a single customer router for HA on the AWS end)
  • HA on the customer end requires two VPN connection (each provides two tunnels for mesh HA)


  • Route 53 is Amazon’s DNS service
  • Allows registration of domain names or use of domain names you own
  • Utilises health checks to monitor health of your instances
  • Public or private hosted zones
    • A public hosted zone is accessible from the internet
    • A hosted zone is named after a domain name that you own
    • A private hosted zone can be any domain you wish as it does not traverse the public internet
  • A reusable delegation set can be used to create a set of name servers to use for multiple domains
  • Record specific information:
    • CNAME: Not free for queries, points to records hosted anywhere
    • ALIAS: Not charge for queries, AWS resources online
  • To ensure name servers remain consistent across domains create a Reusable Delegation Set (through the CLI or API)

Elastic Network Interfaces (ENI)

  • You can associate multiple IPs to each network interface
    • Beware of instance specific limitations
  • An ENI can have IPv6 addresses if the VPC has IPv6 enabled
  • ENI can be moved between subnets but not AZs
    • Can be a good way of migrating network configurations where required
  • Attaching two ENIs to the same instance in the same subnet can cause networking issues
    • Use multiple IPs on the primary NIC, if required


The exam has a reputation for being the most difficult of the AWS certifications and it necessitates a good understanding of general networking with specific focuses on connectivity, routing, performance and troubleshooting. I managed to pass on first attempt with a score of 75%, which is not my highest score and demonstrates the challenge especially considering I spent more time preparing than I did for each of the SA and DevOps certifications.

I personally really enjoyed the experience and have learned a lot of practical and usable skills and experience that will help me succeed professionally. I hope this article has been useful, good luck with the exam!

AWS Professional Certification Guide

Following on from the earlier post covering my experiences taking the AWS associate level certifications, this post covers preparing for and taking the AWS Professional level certifications.

Given that I started studying for these certifications coming up to the Christmas break and there were no suitable exam slots until late January, I decided to study for both the SA and DevOps pro, before sitting either exam. I found it to be a good decision given that there is a good amount of content overlap and I felt more confident going in to the first pro-level exam. The task was daunting – 6 weeks to preparation time for both exams and towards the end, I felt that pace was pushing too hard (if repeated I would have give myself at least 6 weeks per exam). Overall preparation time is relative to the amount of previous experience you have in the subject area and the amount of time you can invest in a given period. I managed an intense amount of study per day which was made easier by a combination of public holidays and planned time off from my day job.

It is a huge relief to be successfully on the better side of the pro-level certifications, something that was far from certain going in to the process. My preparation focused on the same techniques as during the associate level . Firstly, video training from Linux Academy and, secondly, AWS documentation (some of the industry’s best documentation) and finally (most importantly) hands on practice with AWS (lots of this at the pro-level along with some real world experience if possible).

AWS Solution Architect – Professional

As mentioned before, I feel the SA certification has the most wide ranging content which makes for the most daunting preparation. That being said, I didn’t find it the most difficult of the two. Linux Academy is the most comprehensive video training and offers a high standard of content backed by labs and additional tailored documentation, which made preparation that much easier than it would have been otherwise. I also took the course, which is great at focusing on the exam specifics (take both courses if possible).

One of the key things to be aware of when it comes to the exam is the time available, it’s tight! There are approx. 80 questions (I had 77) which have to be completed in 2 hours 50 minutes (170 minutes). The questions are wordy and have multiple theoretically correct answers, the key is to look for what the question is looking for in terms of technologies used and best practices. Reading the questions and deciding on the right answer took me a surprisingly long time. Rather than trying to keep an eye on the number of questions answered vs. amount of time remaining, I set myself a 2 minute rule for each question  and for the questions that took too longer – I gave my first/best guess.

My thoughts on preparing for and taking the exam:

  • Pay particular attention to ElasticBeanstalk and OpsWorks. When do they work together? What are the different deployment types? How do you deploy and rollback? What languages are supported?
  • Get familiar with EC2 instance types. There are a lot of EC2 design related questions and knowing which instance to use in which scenario is essential.
  • Understand connectivity, how each type is setup, how it works, routing, propagation (VPNs, VPCs, VPC Peering, DirectConnect)
  • Understand how to optimise EC2 storage performance, when different instance types are beneficial and how to optimise EBS performance.
  • Do you know when to use different caching engines? When would you choose Memcache and when might you prefer Redis?
  • How do you loose couple services? Do you know how, when, and why to use SQS and SNS? Do you know the limitations and when it is not appropriate to use one or the other of these services?
  • Understand when and how to use AssumeRole,  AssumeRoleWithSAML and AssumeRoleWithWebIdentity.
  • Make sure you understand consolidated billing, how to set it up and what it offers. I got a few easy points questions on this topic.
  • All of the training material, documentation and hands on practice is important and this list isn’t an overall guide to the exam but some pointers that would have been useful to know prior to taking my exam.
  • I found the official practice test for the SA pro exam to be highly misleading, poorly worded and generally I felt that it did me more harm than good when preparing for this certification. AWS really need to get the practice test updated. I recommend using the tests provided by Linux Academy.

AWS DevOps Engineer – Professional

The DevOps experience was the most varied for me. I found studying for the exam to be one of the most enjoyable experiences and learned a lot about OpsWorks, CloudWatch, AutoScaling (lifecycle hooks, self healing) and the various APIs however, the exam was by far the toughest of all. Contrary to some of the articles/blogs that I’d read before sitting the exam, I found it was by far the most challenging on time. I had exactly 80 questions to cover in 2 hours 50 minutes. The questions felt as wordy as the SA pro exam and took me longer to answer – often exceeding my 2 minute rule. The situation got so bad by question 35 that I had to skim read and answer the next 5/6 questions to catch up on time. Definitely be weary of time with the DevOps exam!

In terms of my preparation, both Linux Academy and were equally valuable. The key for me, even more so than in all of the certifications, was the AWS documentation and hands on practice – it was a huge help to develop my understanding.  I recommend researching the topics in depth, I naturally found myself doing this more than in the other certifications because I felt weaker on some of the subject areas and really wanted to familiarise myself with the CLI, API and SDK’s.

My thoughts on preparing for and taking the exam:

  • CloudFormation is one of the main topics in this exam. Understand template structure, intrinsic functions, WaitConditions, Helper Scripts, Stack, Update and Deletion Policies – I strongly recommend hands on familiarity along with theory.
  • OpsWorks and ElasticBeanstalk are also covered in detail. Understand OpsWorks auto healing, stacks, layers, lifecycle events, instances, and EB ebextensions, use cases, SDKs, supported languages.
  • As in the SysOps certification, DevOps builds on CloudWatch so learn about metrics, logging and monitoring.
  • AutoScaling is also covered at an advanced level. Learn about lifecycle hooks, termination policies and API, CLI and SDK calls etc.
  • Deployment strategies. Blue/Green or A/B, All at once, Immutable, Rolling.
  • The official practice exam for the DevOps pro exam is much better than the SA pro and is relevant for exam prep.
  • In summary, study the theory but there is serious benefit in putting this in to action with hands on practice.


The AWS Professional level certifications are a big step up from the associate level certifications and do an excellent job of testing true understanding and hands on abilities. The time aspect is one of the most challenging aspects of both exams but particularly the DevOps exam. If choosing to the take the practice exams be weary of the SA pro exam but I do recommend the DevOps pro practice exam. The practice exams from Linux Academy are by far the best that I found during my pro-level studies.

Final thoughts:

  • Always read the exam blueprint and AWS exam guidance. This is easy to over look but provides great context, detail on expectations and generally gets you in to the mindset of what AWS are assessing with the certification exams.
  • Learn to read fast! What I mean here is concentrate on exam strategy and timing, when taking the Linux Academy practice exam, allow yourself no longer than 2 minutes per question and prepare yourself for the 2 hour 50 minutes of heavy read, consider and answer type scenario of the exam.
  • Practice and practice some more. At the associate level, you could get through with theory but I strongly believe that is not the case with at the professional level.

In addition to reading my blog, read blogs by Adrian Cantrill, Nick Triantafillou and Stephen Wilding (all linked here and below) which I found were a huge help during my preparation.

If you feel that I can help your studies in any way – get in touch! Good luck!



Official Exam Links

** Unlike with the associate certs, I won’t link specific documentation here as there is a huge amount of content and particular focus areas will depend on your current level skills and experience **