I have completed 5 AWS Certifications, recently, I have passed, AWS Certified Advanced Networking – Specialty exam.
During the last few years working as a solutions architect at Systems Limited, I’ve had the opportunity to work with numerous customers building resilient network connectivity between their data centers and AWS regions. As my knowledge of networking in AWS increased, I decided to study for the AWS Certified Advanced Networking – Specialty exam. The exam validates networking expertise and verifies the learner’s ability to implement AWS network services to meet performance, cost, and security requirements.
I have summarized few topics from AWS certification path and would like to share with you and I hope it will be helpful of those who are taking this exam in future.
The exam goes in-depth on a lot of networking-related topics. It is necessary to have a basic understanding of networking concepts including IP-routing logic, the Open Systems Interconnection (OSI) model, IPv4 addressing and Classless Inter-Domain Routing (CIDR), and subnetting. I would advise passing either the AWS Certified SysOps Administrator - Associate or AWS Certified Solutions Architect - Associate certification before taking this speciality test, based on my own experience.
My understanding has been much improved by the experience of studying for the exam. I created networks on my AWS account and tested scenarios using tools like AWS Global Accelerator as part of my exam preparation. I find that using technology firsthand is a terrific method to reinforce my knowledge. I've discovered that I'm better equipped to assist customers in considering network-design options since taking the exam and earning the certification. Any architect or engineer interested in this field should pursue this certification, in my opinion.
AWS Training and Certification offers a mix of free, on-demand digital courses, virtual/in-person instructor-led classroom training, virtual webinars, and an exam-readiness course to help you build your knowledge. I encourage you to utilize the training as well as my suggestions for 10 study areas to review as you prepare for the AWS Certified Advanced Networking – Specialty exam.
Areas of study
- Edge network services AWS edge-computing services provide infrastructure and software that move data processing and analysis as close to the endpoint as necessary. Amazon CloudFront is a global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to your viewers with low latency and high transfer speeds. AWS Lambda is a compute service that allows you to run code without provisioning or managing servers. Lambda runs your code only when needed and scales automatically, from a few requests per day to thousands per second. Lambda@Edge allows you to run Node.js and Python Lambda functions to customize content that Amazon CloudFront delivers, executing the functions in AWS locations closer to the viewer. The functions run in response to CloudFront events without provisioning or managing servers. CloudFront integration with AWS Web Application Firewall (WAF) can mitigate network attacks that target different layers of the OSI model. For network path optimization can be used AWS Global Accelerator. Deploying compute closer to your users or network path optimization can simplify your architecture, increase security, and optimize the user experience through reduced latency. In addition to the network and transport layer protections that come with Shield Standard, Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF. Shield Advanced also gives protection against DDoS-related spikes in your EC2, ELB, CloudFront, Global Accelerator, and Route 53 charges.
- AWS global infrastructure and how to deploy foundational network elements To pass the Advanced Networking – Specialty Certification exam, you’ll need a thorough understanding of how the AWS Global Infrastructure is designed and how the fundamental AWS networking components in a Virtual Private Cloud (VPC) work. Be sure to brush up on configuration options for foundational VPC design, including IPv4 and IPv6 CIDRs, subnets, route tables, network-access control lists (NACLs), and security groups (SGs), Dynamic Host Configuration Protocol (DHCP) configurations,. As an architect, it’s also necessary to know how to best provide connectivity beyond the VPC, including NAT gateways (NGW), internet gateways (IGW), egress-only internet gateways (EIGW), and virtual gateways (VGW). Consider reviewing: • Documentation: What is Amazon VPC? • Documentation: Bring your own IP addresses and IPAM • Blog post: Dual-stack IPv6 architectures for AWS and hybrid networks
- Hybrid network-connectivity options Many AWS customers rely on VPNs or SDWAN to provide private connectivity between infrastructure in AWS and on-premises resources. For use cases requiring higher bandwidth, consistent network performance, or increased privacy, AWS Direct Connect may be more appropriate. Traffic routing and failover is another important topic. These connectivity solutions are often critical in enabling migration to AWS. Consider the following resources: • Whitepaper: Hybrid Connectivity • Whitepaper: Building a Scalable and Secure Multi-VPC AWS Network Infrastructure • Blog post: Introducing AWS Site-to-Site VPN Private IP VPN • Blog post: Adding MACsec security to AWS Direct Connect connections • Blog post: Simplify SD-WAN connectivity with AWS Transit Gateway Connect • re:Invent video: AWS Direct Connect: Deep Dive
- Inter-VPC connectivity options VPC peering provides a convenient way to connect multiple VPCs; however, at scale, there are considerable operational efficiencies of hub-and-spoke network designs using AWS Transit Gateway. Transit Gateway unlocks a variety of design options. Consider the following resources: • re:Invent video: Transit Gateway architectures for many VPCs • re:Invent video: Advanced VPC Design and New Capabilities for Amazon VPC • Digital course: AWS Transit Gateway Networking and Scaling • Blog post: Designing hyperscale Amazon VPC networks • Blog post: Multicast with AWS Transit Gateway
- Automate network management using AWS CloudFormation Infrastructure as code is the ability to build up and tear down entire environments programmatically and automatically. It enables a rapid deployment of infrastructure, enabling organizations to operate with great agility. It also provides the ability to rebuild infrastructure rapidly, increasing resilience. CloudFormation is infrastructure as code. It provides the ability to manage your network configuration through simple JSON or YAML. It’s important to understand how CloudFormation can deploy network infrastructure and how it can safely update configurations using features such as change sets and deletion policies. These features enable you to manage the entire lifecycle of your network components. Consider the following resources: • Documentation: Updating stacks using change sets • Documentation: How do I retain some of my resources when I delete an AWS CloudFormation stack?
- Integrate VPC networks with other AWS services Preventing sensitive data, such as customer records, from traversing the internet is a requirement for some workloads, which have to maintain compliance with regulations, such as HIPAA, EU/US Privacy Shield, and PCI. AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks without exposing your traffic to the public internet. A common use case for customers is the need to provide communication between workloads deployed inside a VPC (e.g., EC2 instances) to other AWS services (e.g., an Amazon Simple Storage Service bucket or an Amazon Simple Queue Service queue). AWS enables this communication across a private network segment via Gateway and interface VPC endpoints powered by AWS PrivateLink. Endpoints can be used to improve the reliability and security of communications. Configuring VPC endpoints correctly requires knowledge of AWS Identity and Access Management (IAM), route tables, elastic network interfaces, security groups, and NACLs. With wide adoption of Kubernetes, it’s important to understand EKS networking. Consider the following resources: • Blog post: Reduce Cost and Increase Security with Amazon VPC Endpoints • Workshop: VPC Endpoint Workshop • re:Invent video: Integrate Amazon EKS with your networking pattern
- Security and compliance Many AWS customers deploy infrastructure accessed by a globally distributed user base. Network architects need to support access in a secure manner. AWS providing variety of services that can help to meet these security goals. Network Access Analyzer is a feature that identifies unintended network access to your resources on AWS. You can use Network Access Analyzer to specify your network access requirements and to identify potential network paths that do not meet your specified requirements. With AWS Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. Consider the following resources: • Blog post: Deployment models for AWS Network Firewall with VPC routing enhancements • Documentation: VPC Security
- Methods to simplify network management and troubleshooting AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. With Network Manager you can centrally manage and monitor CloudWAN core network and TGW network across AWS accounts, Regions, and on-premises locations. Connectivity issues are common in real-world scenarios, arising when communication needs to occur within VPCs between peered VPCs and when working with VPNs or Direct Connect to on-premises networks. AWS provides a variety of data sources that increase visibility into network operations. These can aid common network-administration tasks such as troubleshooting network connectivity. You can use VPC Reachability Analyzer to determine whether a destination resource in your virtual private cloud (VPC) is reachable from a source resource. Logs include VPC flow logs, TGW flow logs, access logs for your application load balancer, WAF logs, ANF logs and CloudFront logs. Additionally, Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic network interface of Amazon Elastic Compute Cloud (EC2) instances. You can then send the traffic to out-of-band security and monitoring appliances for content inspection, threat monitoring, and troubleshooting. Network administrators need to understand where these data sources are stored, how frequently data is written to them, and what information they contain to be effective at troubleshooting. • Blog post: Analyzing VPC Flow Logs using Amazon Athena, and Amazon QuickSight • Documentation: Analyzing VPC flow log with CloudWatch Logs Insights
- Network configuration options for high performance applications Certain application workloads, such as high-performance computing, may require lower latency, high bandwidth network connections between compute nodes. AWS provides configuration options to meet the needs of these workloads (i.e., placement groups, jumbo frames, Elastic Fabric Adapters (EFA) and Elastic Network Adapters (ENA)). High-performance computing workloads may require an operating system configuration to achieve the desired network performance. Consider reviewing this documentation, Network Performance.
- Designs for reliability A design principal of the reliability pillar of the AWS Well Architected Framework is to design systems that can automatically recover from failure. Network architects can build highly resilient, multi-region designs using network services such as Amazon Route 53 and AWS Global Accelerator. These services can detect failure and route client traffic away from it, increasing availability. Similarly, traffic flows within an Amazon VPC can route around failure. AWS Elastic Load Balancing offers health-checking capabilities that can validate the health of compute components using a variety of network protocols (i.e., TCP, HTTP, HTTPS, and SSL). When integrated with Amazon CloudWatch, these capabilities provide operational alerting and can trigger automated remediation of failures. The value of certification Network architecture is a crucial building block for businesses wishing to move workloads to AWS or create new workloads there. IT engineering professionals have the chance to demonstrate their understanding of how to construct affordable, secure, and performant networks on AWS by earning the AWS Certified Advanced Networking - Specialty certification. A great method to strengthen your understanding of any technology is to be ready for a certification exam. I hope you think about taking this exam and gain similar advantages. Create a training account and take the suggested courses if you haven't already. I wish you luck!