I passed the AWS Advanced Networking Specialty certification on my first attempt. I believe this is the hardest AWS certification I have taken to date. At the time of writing I hold 6x AWS certifications: AWS SA Professional, AWS SA Associate, AWS DevOps Professional, and the AWS Security, Machine Learning and Advanced Networking Specialties.
I studied hard on evenings and weekends over the course of 2 months. My preparation included the following:
- Stéphane Maarek's course on Udemy (NET Course Udemy)
- Stéphane Maarek's practice exam on Udemy (Practice Exam Udemy)
- Adrian Cantrill's course on Cantrill.io (NET Course + Practice Exam)
- Practice questions on Tutorials Dojo
- Practice exams on Whizlabs
- AWS Advanced Networking Practice Questions
- AWS re:Invent: AWS PrivateLink Deep Dive (NET310)
- AWS re:Invent: Connectivity Options and Co (NET301)
- AWS re:Invent: Deep Dive: AWS Direct Connect and VPNs (NET403)
- AWS re:Invent: Elastic Load Balancing Deep Dive and Best Practices (NET402)
- AWS re:Invent: DNS Demystified: Global Traffic Management with Amazon Route 53 (NET302)
- AWS re:Invent: IPv6 in the Cloud: Protocol and AWS Service Overview (NET202)
- AWS re:Invent: Networking Many VPCs: Transit and Shared Architectures (NET404)
Topics to prepare include:
Design and implement hybrid IT network architectures at scale
- Direct Connect comes up a lot. Memorize the following conditions:
- Single mode fiber, 1000BASE-LX (1310nm) for 1 Gbps Ethernet.
- Single mode fiber, 10GBASE-LR (1310nm) for 10 Gbps Ethernet.
- Autonegotiation must be disabled.
- Equipment must support 802.1Q VLANs.
- Equipment must support BGP and BGP MD5 authentication.
- AS-Path prepending and MEDs. Must understand when to use each and in which combinations. Implementing HA between the data center and the VPC.
- A department creates a DX connection to a VPC via a private VIF, and that VPC is not part of the organization's billing account, so who pays? Billing can and probably will come up.
- Connecting a data center to a 3rd-party VPC using the inter-region capability of Direct Connect. See the Direct Connect User Guide.
- Link Aggregation Groups (LAGs).
- Routing policies and BGP communities. Must understand when to use them.
- A software VPN in a shared-services VPC connected to the VGWs of other VPCs, plus DX with a private VIF. Route propagation of all VPCs via the VGW on the central VPC, or creating a resilient IPsec VPN between the central VPC and on-prem. HA for a software VPN. VPN connection sharing.
- Connecting to S3 over a VPC endpoint and the security around it, e.g. how bucket policies and the VPC endpoint interact to control access. Troubleshooting.
- Providing S3 over DX public VIF.
- When creating a new public or private VIF, what do you need? e.g. virtual private gateway (VGW), VLAN ID, public peer IP, public AS number, prefixes you want to advertise. Know the prerequisites (I had 2 questions on the exam).
- Overlapping VPC CIDRs peered to a third VPC with two subnets / route tables.
- BGP summarization to fewer than 100 routes, default gateway? Is it possible to request increased limits? Troubleshooting.
- Who to contact regarding a DX cross connect.
- When sizing subnets, prefer a /27 over a /28. Remember that AWS reserves 5 addresses per subnet, so a /28 leaves only 11 usable.
- Virtual Routing and Forwarding (VRF). Connecting a single customer router to multiple VPCs.
- An S3 VPC endpoint cannot be reached over a VPN. Use DX with a public VIF and run a VPN over that.
- A more specific route is the only way to prefer a VPN over DX.
- Understand how the Transit Gateway integrates with VPN and DX. TGW (many questions on the exam).
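The two notes above about DX versus VPN (AWS prefers the DX path when both advertise the same prefix, and only a more specific route can steer traffic onto the VPN) are easiest to internalize by simulating the route selection. The following is an added example, not code from the original post: a small model of VPC route-table lookup that applies longest-prefix match first and, for equal prefix lengths, an assumed origin ranking in which local routes win, static routes beat propagated ones, and DX BGP routes beat VPN routes. The route table, the `Route` class and the origin labels are constructed for the example; verify the tie-break ordering against the current AWS VPC route priority documentation before relying on it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Tie-break rank for routes with the same prefix length (0 = most preferred).
# Assumed ordering, consistent with the note above that DX is preferred over
# VPN; verify against the current VPC route priority documentation.
ORIGIN_RANK = {"local": 0, "static": 1, "dx-bgp": 2, "vpn-static": 3, "vpn-bgp": 4}


@dataclass(frozen=True)
class Route:
    prefix: str   # destination CIDR
    target: str   # hypothetical target label, e.g. "local", "vgw-dx", "vgw-vpn"
    origin: str   # key into ORIGIN_RANK


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Return the route a VPC route table would use for destination IP `dst`."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # 1) longest prefix wins; 2) among equal prefixes, the lower origin rank wins
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, ORIGIN_RANK[r.origin]),
    )


def prefer_vpn_for(table: List[Route], prefix: str) -> List[Route]:
    """Steer `prefix` over the VPN by adding a more specific static VPN route.

    A new /16 over VPN would still lose to the DX /16 on origin rank; only a
    longer prefix changes the outcome.
    """
    return table + [Route(prefix, "vgw-vpn", "vpn-static")]


# Constructed example: the on-prem range 10.0.0.0/16 is learned over both
# DX and VPN; 172.16.0.0/16 is the VPC's own CIDR (local route).
HYBRID_TABLE = [
    Route("172.16.0.0/16", "local", "local"),
    Route("10.0.0.0/16", "vgw-dx", "dx-bgp"),
    Route("10.0.0.0/16", "vgw-vpn", "vpn-bgp"),
]

if __name__ == "__main__":
    print("10.0.5.7 via", select_route(HYBRID_TABLE, "10.0.5.7").target)
    steered = prefer_vpn_for(HYBRID_TABLE, "10.0.5.0/24")
    print("10.0.5.7 via", select_route(steered, "10.0.5.7").target)
    print("10.0.9.1 via", select_route(steered, "10.0.9.1").target)
```

With the plain table, 10.0.5.7 goes out over DX; after adding the 10.0.5.0/24 VPN route only that /24 moves to the VPN, while 10.0.9.1 still takes DX, which is exactly the behaviour the exam question is probing.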
Design and implement AWS networks
- Be prepared for the Application Load Balancer (ALB) and Network Load Balancer (NLB), not just Classic Load Balancers. Understand when to use an ALB over a Classic Load Balancer and when a Network Load Balancer is the best choice (e.g. one use case is when it is associated with a VPC endpoint service).
- Understand the Gateway Load Balancer and when to use it (many questions on the exam).
- Adding IPv4 CIDR blocks to a VPC.
- Understand gateway endpoints vs. interface endpoints (PrivateLink).
- Invalid VPC peering configurations.
- Transit VPC.
- Note that UDP port 500 and IP protocol 50 are needed in the customer-side firewall rules for the customer gateway.
- If your customer gateway is behind a NAT device that is enabled for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall rules to unblock UDP port 4500.
- Troubleshooting packet loss: the Internet gateway only supports an MTU of 1500 and does not support jumbo frames. MTU.
- If packets are over 1500 bytes, they are fragmented, or they are dropped if the Don't Fragment flag is set in the IP header.
- Lambda@Edge (three questions on the exam).
- A Lambda function can inspect cookies and rewrite URLs so that users see different versions of a site for A/B testing.
- CF can return different objects to viewers based on the device they're using by checking the User-Agent header, which includes information about the device. CF can return different images based on the screen size of the device.
- A Lambda function can generate HTTP responses when CF viewer request or origin request events occur.
- A function can inspect headers or authorization tokens, and insert a header to control access to your content before CF forwards the request to your origin.
- A Lambda function can also make network calls to external resources to confirm user credentials, or fetch additional content to customize a response.
- Use of CNAME or ALIAS records.
- Instance metadata: curl 169.254.169.254, over which port, e.g. 80 or 443 (https://)?
- NAT Gateway troubleshooting.
- End to end encryption, how to configure ELB and your back-end application.
- Understand Network Firewall.
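Three of the notes above (adding IPv4 CIDR blocks, invalid peering configurations, and the earlier reminder that AWS reserves 5 addresses per subnet) reduce to address arithmetic that is worth having in executable form. The following is an added example, not code from the original post: it lists the five reserved addresses of a subnet, computes the usable address count for the /27 versus /28 comparison, locates the VPC DNS resolver at the CIDR base plus two (the 10.1.0.2 for 10.1.0.0/16 that appears in the DNS notes further down), and flags VPC pairs whose CIDRs overlap and therefore cannot be peered. The VPC names and CIDRs in the sample are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

RESERVED_PER_SUBNET = 5   # AWS reserves the first four and the last address of each subnet
MIN_PREFIX, MAX_PREFIX = 16, 28   # VPC subnets must be between a /16 and a /28


def aws_reserved_addresses(subnet_cidr: str) -> Dict[str, str]:
    """Return the five addresses AWS reserves in a subnet, keyed by purpose."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return {
        "network": str(net[0]),       # network address
        "vpc_router": str(net[1]),    # reserved for the VPC router
        "dns_reserved": str(net[2]),  # reserved by AWS (the resolver itself is at VPC base + 2)
        "future_use": str(net[3]),    # reserved for future use
        "broadcast": str(net[-1]),    # broadcast is not supported but is still reserved
    }


def usable_addresses(subnet_cidr: str) -> int:
    """Host addresses actually assignable in a subnet of the given size."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{subnet_cidr}: VPC subnets must be /16 to /28")
    return net.num_addresses - RESERVED_PER_SUBNET


def vpc_dns_resolver(vpc_cidr: str) -> str:
    """The Amazon-provided DNS resolver sits at the VPC CIDR base plus two."""
    return str(ipaddress.ip_network(vpc_cidr, strict=True)[2])


def peering_conflicts(vpcs: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Find VPC pairs with overlapping CIDRs; such pairs cannot be peered.

    `vpcs` maps a VPC name to all of its CIDR blocks (primary plus any
    secondary blocks that were added later).
    """
    conflicts = []
    names = list(vpcs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ca in vpcs[a]:
                for cb in vpcs[b]:
                    if ipaddress.ip_network(ca).overlaps(ipaddress.ip_network(cb)):
                        conflicts.append((a, b, ca, cb))
    return conflicts


# Constructed sample: VPC A and VPC B share 10.0.0.0/16, so A<->B cannot be peered,
# while C's 10.1.0.0/16 can be peered with either.
SAMPLE_VPCS = {
    "A": ["10.0.0.0/16"],
    "B": ["10.0.0.0/16", "192.168.0.0/24"],
    "C": ["10.1.0.0/16"],
}

if __name__ == "__main__":
    for size in ("10.0.0.0/28", "10.0.0.0/27"):
        print(size, "usable:", usable_addresses(size))
    print(aws_reserved_addresses("10.1.0.0/24"))
    print("resolver for 10.1.0.0/16:", vpc_dns_resolver("10.1.0.0/16"))
    print("cannot peer:", peering_conflicts(SAMPLE_VPCS))
```

The overlap check also covers secondary CIDR blocks, which is why `peering_conflicts` takes a list per VPC: adding a secondary block to a VPC can silently break an otherwise valid peering plan.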
Configure network integration with application services
- How to Restrict Amazon S3 Bucket Access to a Specific IAM Role.
- DNS on-prem and VPC, DHCP options set.
- The VPC DNS resolver (the reserved "+2" address); configuring DNS on Route 53; resolving from on-prem.
- Split-horizon DNS (public and private hosted zones). Keep www.example.com in a public hosted zone and the Route 53 subdomain www.internal.example.com in a private hosted zone.
- The enableDnsHostnames and enableDnsSupport VPC attributes must both be enabled for public DNS hostnames to resolve. DNS with VPC.
- To communicate with a DNS server, the instance needs to reach the DNS server on port 53 for both TCP and UDP.
- CloudFront and Geo restrictions.
- NTP not working? DHCP options.
- Route 53: understand it inside and out.
- DNS forwarders resolving via on-prem DNS proxies (five related questions on the exam).
- Know the difference between a DHCP options set and configuring your DNS server to forward queries for the private hosted zone to 10.1.0.2 (the VPC resolver, with 10.1.0.0/16 being the VPC). A DHCP options set is not required when resolving AWS resources from on-prem, only from within the VPC. Configure DHCP options so that instances forward to the on-prem DNS instead of the VPC DNS.
- Redirecting HTTP to HTTPS on CloudFront.
Design and implement for security and compliance
- CloudTrail vs. CloudWatch vs. Flow Logs, and more Lambda. Make sure you know how to interpret a Flow Log!
- URL whitelisting / filtering, including a NAT instance hosting a Squid proxy.
- GuardDuty vs. 3rd-party IDS vs. Amazon Macie.
- Packet sniffing vs. Flow Logs vs. CloudWatch. It is not possible for a virtual instance running in promiscuous mode to receive or sniff traffic that is intended for a different virtual instance. Promiscuous mode is not supported on AWS, so it is easy to eliminate any answer that depends on it.
- Wireshark deep packet inspection vs. AWS native tools, e.g. Flow Logs, which are not deep packet inspection. Know that VPC Flow Logs capture network metadata, not packet payloads.
- Layer 7 packet inspection, Flow Logs, CloudWatch. Amazon Inspector. VPC security capabilities.
- Interpret a VPC Flow Log and work out what was stopping an ICMP ping.
Good luck. Take the necessary time to be ready and don't underestimate the exam. Keep an eye on the clock: it seems like a long time, but under pressure time goes very quickly.
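Two of the notes in this section (being able to interpret a Flow Log, and working out from one what is stopping an ICMP ping) come down to reading the default version 2 record format and reasoning about which layer rejected the packet. The following is an added example, not code from the original post: a parser for default-format VPC Flow Log records that skips NODATA/SKIPDATA lines, and a diagnosis routine that looks at the ICMP records on one ENI in both directions. Because security groups are stateful, an echo request that leaves as ACCEPT while the reply comes back as REJECT points at a stateless inbound network ACL rather than the security group. The log lines, account ID and ENI ID in the sample are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Field order of the default (version 2) VPC Flow Log record format.
FLOW_LOG_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]
ICMP, TCP, UDP = 1, 6, 17   # IANA protocol numbers as they appear in the protocol field


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    action: str   # "ACCEPT" or "REJECT"


def parse_flow_log_line(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record; returns None for NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        return None
    rec = dict(zip(FLOW_LOG_FIELDS, parts))
    if rec["log_status"] != "OK":   # NODATA / SKIPDATA carry '-' in the traffic fields
        return None
    return FlowRecord(
        rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
        int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
        int(rec["packets"]), rec["action"],
    )


def load_records(text: str) -> List[FlowRecord]:
    """Parse a block of flow log text, dropping blank and non-OK lines."""
    records = []
    for line in text.splitlines():
        rec = parse_flow_log_line(line)
        if rec is not None:
            records.append(rec)
    return records


def explain_icmp_ping(records: List[FlowRecord], src: str, dst: str) -> str:
    """Classify why a ping from `src` to `dst` fails, from the source ENI's records.

    Flow logs carry no ICMP type, so request and reply are told apart by direction.
    """
    out = [r for r in records if r.protocol == ICMP and r.srcaddr == src and r.dstaddr == dst]
    back = [r for r in records if r.protocol == ICMP and r.srcaddr == dst and r.dstaddr == src]
    if not out:
        return "no-outbound-icmp"     # nothing left the ENI: route table or the host itself
    if any(r.action == "REJECT" for r in out):
        return "outbound-rejected"    # SG egress rule or outbound NACL on the source subnet
    if not back:
        return "no-reply-seen"        # request left; look at the far side's SG/NACL/routing
    if any(r.action == "REJECT" for r in back):
        return "reply-rejected"       # SGs are stateful, so an inbound NACL is the usual cause
    return "accepted-both-ways"       # the VPC allowed it; suspect the OS firewall or host


# Constructed sample: the echo request to 10.0.2.20 is accepted, the reply is rejected,
# an unrelated SSH flow is accepted, and one NODATA line must be ignored.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.20 10.0.1.10 0 0 1 4 336 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 44321 22 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    recs = load_records(SAMPLE_FLOW_LOG)
    print(len(recs), "records parsed")
    print("ping 10.0.1.10 -> 10.0.2.20:", explain_icmp_ping(recs, "10.0.1.10", "10.0.2.20"))
```

The verdict strings are deliberately coarse: the exam asks you to pick the layer (security group, NACL, routing, host) rather than a specific rule, and that is the same split this routine makes.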
Senior DevOps Engineer | Learning Cloud Architecture | 8 x AWS Certified | Views are my own
1 year
Hi Soumia Leghzaoui, thanks for your blog. Very insightful. Based on your experience, would you recommend I go for SA Professional prior to AN Specialty? I'm not a Network Engineer and the highest cert I've achieved is DevOps Engineer Pro. Once I clear Security Specialty (up next), I'm struggling to choose between those two certs, so any advice you can offer is appreciated. Many thanks!
AWS Cloud Engineer on assignment at Kiloutou | AWS Certified x7
2 years
Thank you for this article, I will pass it soon.