AWS CERTIFICATION

ANS-C01 Advanced Networking Specialty Practice Exam

Exam Number: 1210 | Last updated April 24, 2026 | 875+ questions across 5 vendor-aligned objectives

The AWS ANS-C01 Advanced Networking Specialty targets network engineers, architects, and operations specialists who design and operate complex AWS networks. Candidates typically have five or more years of networking experience, including hands-on AWS networking, plus expert knowledge of TCP/IP, BGP, IPsec, DNS, and large-scale routing. The exam favors deep, narrow scenarios that test edge cases in hybrid and multi-account network designs.

Network Design and Network Implementation lead the blueprint. Network Design (30%) covers Amazon VPC at scale, AWS Transit Gateway hub-and-spoke topologies, AWS Cloud WAN, AWS Direct Connect with Direct Connect Gateway, AWS Site-to-Site VPN, and IPv6 dual-stack designs. Network Implementation (26%) covers AWS Network Firewall, AWS Gateway Load Balancer, AWS PrivateLink, VPC peering, and Amazon VPC Lattice service mesh.

The remaining domains test operations and security depth. Network Management and Operation (20%) covers VPC Reachability Analyzer, VPC Flow Logs, Amazon CloudWatch Network Monitor, AWS Network Manager, and troubleshooting frameworks for hybrid environments. Network Security, Compliance, and Governance (24%) covers AWS Web Application Firewall, AWS Shield Advanced, AWS Network Firewall, security groups versus network ACLs, and DNS security with Amazon Route 53 Resolver DNS Firewall.

Draw the topology on scratch paper for every multi-account or hybrid scenario before selecting an answer — most wrong answers fail a routing or transit dependency that becomes obvious in a diagram. Memorize the difference between AWS Transit Gateway and AWS Cloud WAN, including when each is more cost-effective. Practice the AWS Direct Connect failure modes and the failover semantics of public versus private virtual interfaces.

Every answer links to the source. Each explanation below includes a hyperlink to the exact AWS documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.

168 practice exam users · 99.4% satisfied users · 91.5% passed the exam · 3.9/5 quality rating

Test your ANS-C01 Advanced Networking Specialty knowledge

10 of 875+ questions

Question #1 - Network Design

An enterprise has 200 VPCs across 8 Regions and needs scalable, transitive routing between them and on-prem via Direct Connect.

Which service is the right hub?

A) VPC peering full mesh
B) AWS Transit Gateway with inter-Region peering and Direct Connect Gateway
C) Public IGW per VPC
D) NAT Gateway hub

Correct answers: B – Explanation:
Transit Gateway centralizes VPC-to-VPC and VPC-to-on-prem routing; inter-Region peering and DX Gateway extend it globally. Full-mesh peering is non-transitive and unscalable; IGW/NAT don’t provide private interconnect. Source: [AWS Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html)

Two VPCs in different accounts must share a private subnet’s services. The team wants to expose only specific services, not full network reachability.

Which service is most appropriate?

A) AWS PrivateLink (interface VPC endpoints behind a Network Load Balancer)
B) VPC peering for both
C) Public ALB
D) Internet Gateway

Correct answers: A – Explanation:
PrivateLink exposes a single service via an interface endpoint without sharing CIDRs or full routing — ideal for service-level sharing across accounts. VPC peering exposes the entire VPC; public ALB and IGW go over the internet. Source: [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html)

An operator needs visibility into rejected packets at the ENI level for compliance.

Which feature provides this?

A) ALB access logs
B) CloudFront access logs
C) VPC Flow Logs filtered to REJECT
D) Route 53 query logs

Correct answers: C – Explanation:
VPC Flow Logs capture ACCEPT/REJECT decisions per ENI; filtering to REJECT meets the compliance need. The other logs cover different layers. Source: [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html)

A team must inspect east-west traffic between VPCs with deep packet inspection and IDS/IPS.

Which service fits?

A) AWS Network Firewall via a centralized inspection VPC behind Transit Gateway
B) Security groups only
C) Amazon GuardDuty alone
D) Public NLB

Correct answers: A – Explanation:
Network Firewall provides stateful DPI/IDS/IPS; routing east-west through a central inspection VPC behind TGW is the canonical pattern. Security groups are stateful but L3/L4 only; GuardDuty detects, doesn’t inspect/block; NLB doesn’t inspect. Source: [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html)

A workload requires consistent 10 Gbps from on-prem to AWS with low jitter and no internet exposure.

Which connectivity option fits?

A) Site-to-Site VPN over the internet
B) VPC peering with on-prem
C) Public IGW
D) AWS Direct Connect 10 Gbps dedicated connection

Correct answers: D – Explanation:
Direct Connect provides dedicated, predictable bandwidth with no public-internet path. VPN traverses the internet (variable jitter); IGW is internet-only; VPC peering is between VPCs, not to on-prem. Source: [AWS Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html)

A globally distributed app needs the lowest user-perceived latency for TCP and UDP traffic and instant failover between Regions.

Which service helps?

A) Route 53 weighted routing alone
B) CloudFront only
C) AWS Global Accelerator
D) VPC peering

Correct answers: C – Explanation:
Global Accelerator routes traffic over the AWS backbone with two anycast IPs and supports TCP/UDP with fast Regional failover. CloudFront is HTTP/HTTPS at edge for caching; weighted DNS has TTL-bound failover; peering is internal. Source: [AWS Global Accelerator](https://docs.aws.amazon.com/global-accelerator/latest/dg/what-is-global-accelerator.html)

A diagnostic shows asymmetric routing dropping traffic between two VPCs connected via a TGW with a stateful firewall.

What is the most likely fix?

A) Split the firewall across two unsynced appliances
B) Use a single TGW route table that forces both directions through the same firewall endpoint
C) Disable health checks
D) Remove the firewall entirely

Correct answers: B – Explanation:
Stateful firewalls require symmetric routing so both directions hit the same engine; centralized inspection with a single TGW route domain ensures this. Splitting unsynced firewalls breaks state; disabling checks or removing the firewall isn’t a routing fix. Source: [TGW centralized inspection](https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html)

DNS resolution from on-prem must reach private Route 53 hosted zones in AWS, and AWS resolvers must answer queries for on-prem domains.

Which feature does this?

A) VPC peering
B) Public hosted zone with NS delegation
C) EC2 BIND server in default VPC
D) Route 53 Resolver inbound and outbound endpoints

Correct answers: D – Explanation:
Inbound endpoints accept queries from on-prem; outbound endpoints forward queries from AWS to on-prem resolvers — standard hybrid DNS. Public zones aren’t private; rolling your own BIND adds ops; peering doesn’t solve DNS. Source: [Route 53 Resolver hybrid DNS](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html)

A team needs to provide internet access for thousands of private-subnet EC2 instances with high bandwidth and managed scaling.

Which option scales best?

A) Single NAT instance in one AZ
B) NAT Gateway in each AZ
C) Internet Gateway directly attached to private subnets
D) VPN Gateway

Correct answers: B – Explanation:
NAT Gateway is a managed, AZ-scoped, horizontally scalable service (up to 100 Gbps and 10M PPS per gateway) — deploy one per AZ for HA. NAT instances cap out and become ops burden; IGW alone exposes private subnets; VGW is for VPN. Source: [NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html)

An application using Network Load Balancer needs to preserve the client source IP for downstream logging.

What is true by default?

A) Client IP is only available via X-Forwarded-For headers
B) NLB always uses its own IP
C) NLB preserves the client source IP for instance and IP targets in non-TLS listeners
D) You must enable PROXY protocol to see any client info

Correct answers: C – Explanation:
NLB preserves source IP to instance and IP targets out of the box for TCP/UDP. ALB uses XFF; PROXY protocol is required only for specific cross-account or TLS termination scenarios. Source: [NLB target type behavior](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html)

Get 875+ more questions with source-linked explanations

Every answer traces to the exact AWS documentation page — so you learn from the source, not just memorize answers.

Exam mode & learn mode · Score by objective · Updated April 24, 2026

What the AWS Advanced Networking Specialty exam measures

  • Network Design (30%) — Architect Amazon VPC topologies, multi-account connectivity with AWS Transit Gateway and AWS Cloud WAN, hybrid links via AWS Direct Connect, and IPv6 dual-stack networks.
  • Network Implementation (26%) — Deploy AWS Network Firewall, AWS Gateway Load Balancer, AWS PrivateLink, VPC peering, and Amazon VPC Lattice for service-to-service connectivity.
  • Network Management and Operation (20%) — Operate networks with VPC Reachability Analyzer, VPC Flow Logs, Amazon CloudWatch Network Monitor, and AWS Network Manager.
  • Network Security, Compliance, and Governance (24%) — Apply AWS WAF, AWS Shield Advanced, security groups, network ACLs, and Amazon Route 53 Resolver DNS Firewall to protect AWS networks.

  • Review the official AWS exam guide and confirm the latest domain weights and content scope before scheduling.
  • Complete the matching learning plan on AWS Skill Builder, including the digital courses and exam prep modules.
  • Build hands-on muscle memory in an AWS Free Tier account by deploying the services that appear in the Network Design domain.
  • Apply your skills to a real-world project — workplace assignments, volunteer work, or open-source contributions where AWS services solve a concrete problem.
  • Master one objective at a time, beginning with the highest-weighted domain so the score impact of each study session is maximized.
  • Run PowerKram in Learn mode to read the explanations and follow every sourced documentation link until you can predict the right answer before reading the choices.
  • Switch to PowerKram Exam mode across all objectives once your accuracy in Learn mode passes 85%, simulating the timed exam experience.

Advanced Networking Specialty unlocks senior network roles that are scarce and well-paid:
