Amazon Web Services · 2026 Edition
A complete preparation guide written by Amazon Web Services-certified engineers. Covers the exam format, all 4 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Prep time: 4–6 months
Difficulty: Advanced
Exam questions: 65
Pass mark: 750/1000
Exam code: ANS-C01
Full name: AWS Advanced Networking Specialty
Vendor: Amazon Web Services
Duration: 170 minutes
Questions: 65 items
Passing score: 750/1000 (scaled)
Domains covered: 4 blueprint domains
Recommended experience: 5+ years of networking experience; AWS Solutions Architect Associate required; CCNA-level networking knowledge strongly recommended
Typical prep time: 4–6 months
ANS-C01 earns the AWS Certified Advanced Networking – Specialty designation. It is the most network-focused AWS credential and validates the ability to design, implement, and manage complex AWS networks — a credential for network architects and senior cloud network engineers.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Weeks 1–3
Network Design: VPC architecture, multi-account networking, Transit Gateway, PrivateLink
Tip: Transit Gateway route tables are heavily tested on ANS-C01. Know how TGW route tables control traffic between attachments (VPCs, VPN connections, Direct Connect Gateways), how TGW route propagation works, and how to implement network segmentation using separate TGW route tables for different security domains (e.g. production vs development).
Weeks 4–6
Hybrid Connectivity: Direct Connect, VPN, Direct Connect Gateway, Transit VIF
Tip: Direct Connect link types: Dedicated Connection (physical port allocated to one customer, 1 Gbps, 10 Gbps or 100 Gbps) and Hosted Connection (logical port provided by a Direct Connect partner, various speeds). Know the difference between Private VIF (connects to VPCs), Transit VIF (connects to TGW), and Public VIF (connects to AWS public services).
Weeks 7–9
Load Balancing, DNS, and Global Infrastructure: ALB, NLB, GWLB, Route 53, CloudFront
Tip: Gateway Load Balancer (GWLB) is the newest and most tested load balancer type on ANS-C01. Know that GWLB operates at layer 3, uses the GENEVE protocol to encapsulate traffic, and is used to insert third-party security appliances (next-gen firewalls, IDS/IPS) transparently into a traffic path.
Weeks 10–14
Network Security: Network Firewall, WAF, Shield Advanced, NACL vs Security Group, VPC traffic mirroring
Tip: AWS Network Firewall operates at the VPC level and provides stateful firewall rules, intrusion prevention, and web filtering. Know how to position Network Firewall in a VPC: place it in a dedicated firewall subnet in each AZ, and use VPC route tables to route traffic through it before it reaches the workload subnet.
BGP is heavily tested on ANS-C01. Know the difference between eBGP (between different autonomous systems, used for Direct Connect and most VPN integrations) and iBGP (within the same autonomous system). Know the BGP path attributes that are tested: AS path (avoid loops, path length), Local Preference (prefer exit paths), MED (influence inbound traffic from a neighbour).
VPC routing: know the longest-prefix match rule (the most specific route wins), how route tables are associated with subnets, and how to implement inter-VPC traffic inspection using a Gateway Load Balancer endpoint and a return route in the TGW route table.
Route 53 Resolver Endpoints: Inbound Endpoints allow DNS queries from on-premises to resolve Route 53 private hosted zones; Outbound Endpoints allow Lambda/EC2 in a VPC to forward DNS queries to on-premises DNS servers via Resolver Rules. Know when each direction is required.
IPv6 in AWS VPCs: dual-stack subnets support both IPv4 and IPv6; Egress-Only Internet Gateway allows IPv6 outbound from private subnets (equivalent to NAT Gateway for IPv6). Know that IPv6 addresses in AWS are always public — there is no private IPv6 range equivalent to RFC 1918.
ANS-C01 includes troubleshooting scenarios. Know how to use VPC Flow Logs (capture accepted/rejected traffic), Reachability Analyzer (validate if a network path exists between two endpoints), and Network Access Analyzer (identify unintended network access in your VPC) for diagnosing connectivity issues.
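The Transit Gateway segmentation tip (Weeks 1–3) and the longest-prefix match rule above can be checked together in a small model. This is an added example, not code from this guide or from AWS; the attachment names, route table names and CIDRs are constructed assumptions, and the model covers only association, propagation, static blackhole routes and longest-prefix lookup.

```python
import ipaddress

# Constructed sample topology (all names and CIDRs are assumptions for illustration).
ATTACHMENT_CIDRS = {
    "vpc-prod": "10.0.0.0/16",
    "vpc-dev": "10.1.0.0/16",
    "vpc-shared": "10.2.0.0/16",
}
# Each attachment is associated with exactly one TGW route table.
ASSOCIATIONS = {"vpc-prod": "rt-prod", "vpc-dev": "rt-dev", "vpc-shared": "rt-shared"}
# Propagation: which attachments advertise their CIDR into which route table.
# prod and dev only learn the shared-services VPC, never each other.
PROPAGATIONS = {
    "rt-prod": ["vpc-shared"],
    "rt-dev": ["vpc-shared"],
    "rt-shared": ["vpc-prod", "vpc-dev"],
}
# Static routes as (CIDR, target); a target of None models a blackhole route.
STATIC_ROUTES = {"rt-dev": [("10.2.5.0/24", None)]}


def build_table(rt):
    """Return the routes of one TGW route table as (network, target) pairs."""
    routes = [(ipaddress.ip_network(ATTACHMENT_CIDRS[a]), a)
              for a in PROPAGATIONS.get(rt, [])]
    routes += [(ipaddress.ip_network(c), t) for c, t in STATIC_ROUTES.get(rt, [])]
    return routes


def next_hop(src_attachment, dst_ip):
    """Look up dst_ip in the route table associated with the source attachment.

    Returns the target attachment, or None when the packet is dropped
    (no matching route, or the most specific match is a blackhole).
    """
    addr = ipaddress.ip_address(dst_ip)
    table = build_table(ASSOCIATIONS[src_attachment])
    matches = [(net, target) for net, target in table if addr in net]
    if not matches:
        return None
    # Longest-prefix match: the most specific route wins.
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    for src, dst in [("vpc-prod", "10.2.5.10"), ("vpc-dev", "10.2.5.10"),
                     ("vpc-dev", "10.2.9.9"), ("vpc-prod", "10.1.0.5"),
                     ("vpc-shared", "10.1.0.5")]:
        print(f"{src} -> {dst}: {next_hop(src, dst) or 'DROPPED'}")
```

Production has no path to development because neither route table carries the other's CIDR, while the /24 blackhole in the development table overrides the propagated /16 for that one subnet only.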
Deep-dive explanations of the key topics tested on ANS-C01 — with exam key points and common misconceptions.