ANS-C01
AWS Certified Advanced Networking - Specialty
The AWS Certified Advanced Networking - Specialty (ANS-C01) validates advanced expertise in designing, implementing, and troubleshooting complex AWS and hybrid IT network architectures at scale. This is one of the most technically challenging AWS certifications, designed for networking professionals with five or more years of experience.
The exam covers four domains: Network Design (30%), Network Implementation (26%), Network Management and Operations (20%), and Network Security, Compliance, and Governance (24%). Candidates must demonstrate mastery of AWS networking services including VPC, Transit Gateway, Direct Connect, Site-to-Site VPN, Client VPN, Route 53, CloudFront, Global Accelerator, Elastic Load Balancing, PrivateLink, Network Firewall, and AWS Network Manager.
Key skills tested include designing multi-region and multi-VPC network architectures, implementing hybrid connectivity with Direct Connect and VPN, configuring advanced routing with BGP and ECMP, designing DNS architectures for complex environments, implementing network segmentation and security controls, troubleshooting network connectivity and performance issues, and optimizing network performance and cost. The ANS-C01 version was released in July 2023.
ANS-C01 Practice Exam 1
Comprehensive 65-question practice exam covering all four ANS-C01 domains: network design, network implementation, network management and operations, and network security, compliance, and governance.
ANS-C01 Practice Exam 2
Second comprehensive 65-question practice exam covering all four ANS-C01 domains with new scenarios and advanced networking challenges.
ANS-C01 Practice Exam 3
Third comprehensive 65-question practice exam for ANS-C01 with challenging expert-level networking scenarios across all domains.
ANS-C01 Practice Exam 4
Fourth comprehensive 65-question practice exam for ANS-C01 covering advanced networking scenarios across all domains.
ANS-C01 Practice Exam 5
Fifth comprehensive 65-question practice exam for ANS-C01 with expert-level advanced networking challenges.
ANS-C01 Practice Exam 6
Sixth comprehensive 65-question practice exam for ANS-C01 with the most challenging advanced networking scenarios.
ANS-C01 Cheat Sheet
Quick reference guide - 6 sections
AWS Certified Advanced Networking - Specialty (ANS-C01)
The ANS-C01 exam validates your expertise in designing, implementing, managing, and securing AWS and hybrid network architectures at scale. This Specialty-level certification is intended for networking professionals with advanced knowledge of AWS networking services including VPCs, Direct Connect, VPN, Route 53, CloudFront, Global Accelerator, Transit Gateway, and Network Firewall. The exam tests your ability to design complex multi-region and hybrid architectures, troubleshoot connectivity issues, optimize network performance, and implement defense-in-depth network security strategies.
Exam Details
| Item | Value |
|---|---|
| Exam Code | ANS-C01 |
| Duration | 170 minutes |
| Number of Questions | 65 questions (50 scored + 15 unscored) |
| Passing Score | 750 / 1000 |
| Cost | $300 USD |
| Validity | 3 years |
| Question Types | Multiple choice (single & multiple select), scenario-based |
| Testing Options | Pearson VUE testing center or online proctored |
| Recommended Experience | 5+ years networking experience, 2+ years hands-on AWS networking |
| Certification Level | Specialty |
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: Network Design | 30% |
| Domain 2: Network Implementation | 26% |
| Domain 3: Network Management and Operations | 20% |
| Domain 4: Network Security, Compliance, and Governance | 24% |
Study Tips
- Domain 1 (Network Design) carries the highest weight at 30%; master VPC architecture, CIDR planning, Transit Gateway topologies, and multi-Region design patterns before moving to other domains
- Direct Connect is the single most heavily tested service on this exam; understand dedicated vs hosted connections, LAGs, virtual interfaces (private, public, transit), BGP communities, and failover designs thoroughly
- Transit Gateway is central to nearly every multi-VPC question; know route tables, peering, multicast, inter-Region peering, ECMP with VPN, and how it integrates with Direct Connect Gateway
- Route 53 questions require deep knowledge of routing policies (simple, weighted, latency, failover, geolocation, geoproximity, multivalue), health checks, and hybrid DNS resolution with Resolver endpoints
- Network security is 24% of the exam; understand NACLs vs security groups, AWS Network Firewall rule groups, WAF rules, Shield Advanced, and Gateway Load Balancer for third-party appliance integration
- IPv6 is tested extensively; know dual-stack VPCs, egress-only internet gateways, IPv6 CIDR allocation, and how IPv6 differs from IPv4 in routing and security group behavior
- Practice drawing network diagrams for every architecture pattern; the exam tests your ability to visualize packet flow across complex hybrid topologies
- CloudFront and Global Accelerator questions test when to use each; understand their differences in caching behavior, origin types, static IP support, and TCP/UDP protocol handling
Question Strategy Tips
- Read the last sentence first to identify what is being asked (design, troubleshoot, optimize, or secure), then read the full scenario with that context
- Look for keywords like "lowest latency", "highest availability", "least operational overhead", "private connectivity", or "cost-effective" which narrow down the correct answer significantly
- When two answers seem correct, the exam favors AWS-managed services over self-managed solutions and favors Transit Gateway over complex VPC peering meshes
- Pay close attention to whether the question says "single Region" or "multi-Region" because the correct architecture often differs dramatically between the two
- If a question mentions on-premises connectivity with high bandwidth and low latency requirements, the answer almost always involves Direct Connect rather than VPN
- Questions about DNS resolution between on-premises and AWS always involve Route 53 Resolver inbound and outbound endpoints; know the direction of resolution for each
- Flag complex routing questions and return later; do not spend more than 2.5 minutes per question on the first pass
- Use the full 170 minutes; networking scenarios require careful reading to identify all constraints including bandwidth, latency, redundancy, and compliance requirements
Key Differences from Solutions Architect & SysOps Exams
- Advanced Networking goes significantly deeper into VPC design, CIDR planning, and subnet architecture than any Associate or Professional exam
- Direct Connect is covered at an expert level including BGP attributes, VLAN tagging, MACsec encryption, LAG configuration, and multi-site redundancy patterns that are only lightly mentioned in other exams
- Unlike Solutions Architect which covers networking as one of many topics, this exam expects you to understand packet-level routing, MTU considerations, and traffic engineering
- Transit Gateway questions go beyond basic hub-and-spoke to include route table segmentation, blackhole routes, multicast, ECMP, and inter-Region peering at a level not tested elsewhere
- This exam requires deep understanding of DNS resolution mechanics including recursive queries, forwarding rules, and hybrid DNS with Route 53 Resolver endpoints
- Network troubleshooting scenarios are unique to this exam; know how to use VPC Flow Logs, Traffic Mirroring, Reachability Analyzer, and Network Access Analyzer to diagnose connectivity issues
Recommended Preparation Path
- Step 1 – Foundation: Complete the Solutions Architect Associate (SAA-C03) and ensure solid understanding of VPCs, subnets, route tables, security groups, and NACLs before attempting the networking specialty
- Step 2 – Deep Dive: Study each domain in depth focusing on Direct Connect architecture, Transit Gateway design patterns, Route 53 routing policies, and network security services
- Step 3 – Hands-On Labs: Build multi-VPC architectures with Transit Gateway, configure Site-to-Site VPN with BGP, set up Route 53 Resolver endpoints, deploy Network Firewall, and practice with VPC Flow Logs and Traffic Mirroring
- Step 4 – Practice Exams: Take multiple full-length practice exams under timed conditions; review every wrong answer thoroughly and understand why the correct answer provides the best network design
- Step 5 – Weak Areas: Identify your weakest domains from practice exams and dedicate additional study time to those areas before scheduling the real exam
Exam Day Checklist
- Arrive 15 minutes early for testing center or start your online proctored check-in 30 minutes before the scheduled time
- Bring two forms of valid identification (one with photo) for testing center; clear your workspace for online proctoring
- You have 170 minutes for 65 questions, which gives you approximately 2 minutes and 37 seconds per question
- Use the "Flag for Review" feature liberally on questions you are unsure about; you can return to them later
- Read every word in the scenario carefully as questions often contain critical constraints about bandwidth, latency, or redundancy requirements buried in the middle of the text
- Your score is calculated on a scale of 100–1000; you need 750 to pass, which means you need to answer approximately 72–75% correctly
- Results are typically available within 1–5 business days through your AWS Certification account
- If you do not pass, you can retake the exam after 14 days; there is no limit on the number of attempts
- Request accommodations in advance if English is not your first language (extra 30 minutes available for non-native speakers)
Recommended AWS Whitepapers & Resources
- AWS Direct Connect Resiliency Recommendations: Best practices for building highly available Direct Connect architectures with multiple connections, LAGs, and failover to VPN; essential for Direct Connect design questions
- Building a Scalable and Secure Multi-VPC Network Infrastructure: Transit Gateway design patterns, route table segmentation, shared services architectures, and multi-account networking; directly relevant to Domain 1
- Hybrid Connectivity Whitepaper: Comprehensive guide to connecting on-premises data centers to AWS using Direct Connect, VPN, and Transit Gateway; critical for Domain 2
- Amazon VPC User Guide: Deep reference for VPC design including CIDR planning, subnet strategies, route tables, gateways, endpoints, and flow logs; foundational for all domains
- Reliability Pillar – AWS Well-Architected Framework: Network reliability patterns including multi-AZ, multi-Region, and fault-tolerant architecture designs with automated failover
Domain 1: Network Design (30%)
This domain focuses on designing network architectures that meet requirements for connectivity, performance, security, and reliability. You must understand VPC design including CIDR planning, subnet strategies, and multi-VPC topologies. Key topics include Transit Gateway architectures, VPC peering, PrivateLink, multi-Region design, IPv6 adoption, and choosing the right connectivity model for different use cases. This is the heaviest-weighted domain on the exam.
VPC Architecture & CIDR Planning
| Concept | Details | Key Considerations |
|---|---|---|
| Primary CIDR | /16 to /28 range; cannot be changed after creation | Plan for growth; avoid overlapping CIDRs with on-premises and other VPCs; use RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) |
| Secondary CIDRs | Up to 5 IPv4 CIDRs per VPC (can request increase) | Can add non-contiguous CIDR blocks; useful when original CIDR is exhausted; secondary CIDRs can be from different RFC 1918 ranges |
| Subnet Design | Divide VPC CIDR across AZs and tiers | AWS reserves 5 IPs per subnet (first 4 + last); use /24 for standard subnets; separate public, private, and isolated tiers across all AZs |
| IPv6 CIDR | Amazon-provided /56 or BYOIP /48 per VPC | All IPv6 addresses are globally unique and public; use egress-only internet gateway for outbound-only IPv6; /64 per subnet is mandatory |
| IPAM | VPC IP Address Manager for centralized IP planning | Manage IP pools across accounts and Regions; enforce non-overlapping CIDR allocation; integrates with AWS Organizations for multi-account governance |
Transit Gateway Architecture
| Feature | Description | Key Details |
|---|---|---|
| Hub-and-Spoke | Central hub connecting multiple VPCs and on-premises | Simplifies network topology; supports up to 5,000 attachments; each attachment associates with a route table for routing decisions |
| Route Tables | Segment traffic between attachments | Create separate route tables for isolation (e.g., production vs development); use blackhole routes to drop unwanted traffic; propagated vs static routes |
| Inter-Region Peering | Connect Transit Gateways across Regions | Encrypted over AWS backbone; static routes required (no dynamic propagation); enables global network architecture without VPN overlay |
| Multicast | Native multicast support within and across VPCs | Create multicast domains; add subnets as sources and group members; supports IGMPv2; only service in AWS that supports multicast natively |
| ECMP | Equal-Cost Multi-Path routing for VPN tunnels | Aggregate bandwidth across multiple VPN connections; each VPN provides 2 tunnels at 1.25 Gbps each; requires BGP; maximum ~50 Gbps with ECMP |
| Sharing via RAM | Share Transit Gateway across accounts | Use AWS Resource Access Manager; shared account creates attachment; owner account manages route tables and associations; supports Organizations |
VPC Connectivity Options
| Option | Use Case | Limitations & Details |
|---|---|---|
| VPC Peering | Direct connectivity between two VPCs | Non-transitive; CIDRs cannot overlap; cross-Region supported (encrypted); max 125 peering connections per VPC; no bandwidth bottleneck |
| Transit Gateway | Hub for connecting many VPCs and on-premises | Transitive routing; supports VPN, Direct Connect, peering; 50 Gbps per AZ bandwidth; route table segmentation; preferred for 3+ VPCs |
| AWS PrivateLink | Private access to services across VPCs or accounts | Unidirectional (consumer → provider); no CIDR overlap issues; uses ENIs in consumer VPC; scales with NLB or GWLB in provider; no transitive routing |
| VPC Endpoints (Gateway) | Free access to S3 and DynamoDB within VPC | Route table entry only; no ENI; use endpoint policies to restrict access; traffic stays on AWS network; no additional charge |
| VPC Endpoints (Interface) | Private connectivity to 100+ AWS services | Creates ENI in subnet; powered by PrivateLink; supports security groups; enable private DNS to override default service endpoint; hourly + data charges |
Multi-Region Network Design
- Transit Gateway Inter-Region Peering: Connect TGWs across Regions over the AWS backbone; traffic is encrypted; requires static routes on each TGW; enables centralized routing in each Region with cross-Region reachability
- VPC Peering Cross-Region: Direct encrypted connection between VPCs in different Regions; non-transitive; suitable for low-latency point-to-point communication between specific VPCs
- Global Accelerator: Anycast IP addresses route traffic to the nearest AWS edge location; TCP/UDP protocol support; static IPs for predictable entry points; health check-based failover across Regions
- CloudFront: Global CDN for HTTP/HTTPS content delivery; edge caching reduces latency; supports custom origins, Lambda@Edge, and CloudFront Functions; ideal for web application acceleration
- Route 53 Failover: DNS-based multi-Region failover using health checks; active-passive with failover routing or active-active with weighted or latency-based routing
- Exam Tip: Multi-Region designs are tested heavily; know when to use TGW inter-Region peering vs VPC peering vs Global Accelerator vs CloudFront; the choice depends on protocol (HTTP vs TCP/UDP), caching needs, and routing granularity
Network Design Best Practices
- Non-Overlapping CIDRs: Plan IP addressing centrally using IPAM; ensure no overlaps between VPCs, on-premises networks, and partner networks; overlapping CIDRs prevent peering and routing
- Scalable Subnetting: Use /16 VPCs with /24 subnets as a standard pattern; allocate larger blocks for workloads that require many IPs (EKS, Lambda); leave room for secondary CIDRs
- Least Privilege Routing: Use TGW route table segmentation to enforce network isolation; production and development should not have direct routes to each other unless explicitly required
- Redundancy: Deploy across at least 2 AZs; use 2+ Direct Connect connections from different locations; configure VPN as backup; design for single-point-of-failure elimination
- Private Connectivity: Use VPC endpoints and PrivateLink to keep traffic off the public internet; gateway endpoints for S3/DynamoDB; interface endpoints for other AWS services
- Exam Tip: The exam heavily favors Transit Gateway over VPC peering mesh for any scenario involving 3 or more VPCs; if a question describes a full mesh of peering connections causing complexity, the answer is Transit Gateway
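The CIDR rules above (non-overlapping ranges, a /16 VPC carved into /24 subnets per tier and AZ, five addresses reserved per subnet) as a small planning script. This is an added example, not part of the cheat sheet; every address range in it is a constructed sample.

```python
"""VPC CIDR planning helper.

Added example (not from the page): checks a set of named CIDRs for overlaps,
carves a /16 VPC into /24 subnets per tier and AZ, and reports usable
addresses after AWS's 5 reserved addresses per subnet. All ranges are
constructed sample values.
"""
import ipaddress
from itertools import combinations

AWS_RESERVED_PER_SUBNET = 5  # first 4 addresses + last address of each subnet


def find_overlaps(cidrs):
    """Return (name_a, name_b) pairs whose CIDRs overlap.

    Overlapping ranges block VPC peering and make routes ambiguous, so a
    planner should reject them before anything is created.
    """
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in cidrs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def plan_subnets(vpc_cidr, azs, tiers, prefix=24):
    """Carve one /prefix subnet per (tier, AZ) out of the VPC CIDR.

    Returns {subnet_name: {"cidr": str, "usable": int}}; "usable" is the
    address count left after AWS's reserved addresses.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if prefix < vpc.prefixlen:
        raise ValueError("subnet prefix must be at least as long as the VPC prefix")
    candidates = list(vpc.subnets(new_prefix=prefix))
    needed = len(azs) * len(tiers)
    if needed > len(candidates):
        raise ValueError(f"{vpc_cidr} holds {len(candidates)} /{prefix} subnets, need {needed}")
    plan, it = {}, iter(candidates)
    for tier in tiers:              # tier-major: public-a, public-b, ..., private-a, ...
        for az in azs:
            net = next(it)
            plan[f"{tier}-{az}"] = {"cidr": str(net),
                                    "usable": net.num_addresses - AWS_RESERVED_PER_SUBNET}
    return plan


def free_blocks(vpc_cidr, plan, prefix=24):
    """Number of /prefix blocks still unallocated (headroom for EKS, Lambda, etc.)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = {ipaddress.ip_network(s["cidr"]) for s in plan.values()}
    return sum(1 for n in vpc.subnets(new_prefix=prefix) if n not in used)


if __name__ == "__main__":
    ranges = {                       # constructed sample addressing plan
        "on-prem-dc1": "10.0.0.0/16",
        "vpc-prod": "10.1.0.0/16",
        "vpc-dev": "10.2.0.0/16",
        "partner": "10.1.128.0/17",  # deliberately overlaps vpc-prod
    }
    for a, b in find_overlaps(ranges):
        print(f"OVERLAP: {a} {ranges[a]} <-> {b} {ranges[b]}")
    plan = plan_subnets("10.1.0.0/16", ["a", "b", "c"], ["public", "private", "isolated"])
    for name, s in plan.items():
        print(f"{name:12} {s['cidr']:16} usable={s['usable']}")
    print("free /24 blocks:", free_blocks("10.1.0.0/16", plan))
```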
Domain 2: Network Implementation (26%)
This domain covers implementing and configuring hybrid connectivity between on-premises data centers and AWS. You must understand AWS Direct Connect in depth including dedicated and hosted connections, virtual interfaces, LAGs, BGP configuration, and redundancy patterns. Site-to-Site VPN, Client VPN, Route 53 DNS resolution, and content delivery with CloudFront and Global Accelerator are also heavily tested. This domain requires hands-on knowledge of configuring these services end to end.
AWS Direct Connect
| Feature | Description | Key Details |
|---|---|---|
| Dedicated Connection | Physical port at AWS Direct Connect location | 1 Gbps, 10 Gbps, or 100 Gbps; single-mode fiber; 802.1Q VLAN tagging; you own the port; provision time weeks to months; supports MACsec at 10G and 100G |
| Hosted Connection | Sub-1G connection via AWS Partner | 50 Mbps to 10 Gbps; provisioned by partner; single VIF per hosted connection; faster provisioning than dedicated; partner manages physical infrastructure |
| Hosted VIF | Virtual interface shared from another AWS account | Owner of dedicated connection allocates a VIF to your account; you accept it; useful for multi-account Direct Connect sharing without separate physical connections |
| LAG | Link Aggregation Group for bundling connections | Bundle up to 4 dedicated connections; same bandwidth and location required; uses LACP; provides aggregate bandwidth; minimum-links threshold for failover |
| MACsec | Layer 2 encryption for dedicated connections | IEEE 802.1AE standard; encrypts data at the Ethernet frame level; supported on 10 Gbps and 100 Gbps connections; requires MACsec-capable router; uses CKN/CAK key pairs |
Direct Connect Virtual Interfaces
| VIF Type | Purpose | Key Details |
|---|---|---|
| Private VIF | Access VPC resources via private IP | Connects to VGW (single VPC) or Direct Connect Gateway (multiple VPCs across Regions); uses BGP with private ASN; supports jumbo frames (9001 MTU) |
| Public VIF | Access all AWS public services | Routes to all AWS public IP ranges; use for S3, DynamoDB, and other public endpoints; requires public IP or public ASN; does NOT go through VPC |
| Transit VIF | Connect to Transit Gateway via DX Gateway | One transit VIF per dedicated connection; connects to DX Gateway which attaches to TGW; supports up to 3 TGWs per DX Gateway; enables transitive routing to all TGW-attached VPCs |
Direct Connect Gateway & BGP
| Concept | Description | Key Details |
|---|---|---|
| DX Gateway | Global resource connecting DX to multiple VPCs/TGWs | Attach up to 10 VGWs or 3 TGWs; VGWs can be in different Regions; single DX Gateway per transit VIF; does NOT enable VPC-to-VPC routing through itself |
| BGP Peering | Dynamic routing protocol for DX connections | Required for all VIF types; private ASN (64512–65534) for private/transit VIFs; supports MD5 authentication; BGP keepalive and hold timers must be configured |
| BGP Communities | Tag routes for scope and preference control | Local preference communities (7224:7100–7300) control inbound path; scope communities control route propagation to specific Regions; use NO_EXPORT to limit route advertisement |
| AS Path Prepending | Influence outbound traffic path preference | Prepend your ASN multiple times to make a path less preferred; used to steer traffic to preferred DX connection when multiple paths exist; affects AWS → on-premises direction |
| BFD | Bidirectional Forwarding Detection | Fast failure detection for BGP sessions; recommended for all DX connections; detects link failures in milliseconds vs BGP hold timer (90 seconds default); asynchronous mode supported |
Direct Connect Resiliency Models
- Maximum Resiliency: Separate connections at separate DX locations with separate customer routers; protects against device failure, connectivity failure, and complete location failure; AWS recommended for critical workloads
- High Resiliency: Two connections at a single DX location terminating on different AWS devices; protects against single device failure but not location failure; suitable for non-critical production workloads
- Development & Test: Single connection at a single location; no redundancy; acceptable only for development and testing environments
- VPN Backup: Site-to-Site VPN over the internet as failover for Direct Connect; lower cost than dual DX; higher latency during failover; use BGP with lower local preference for VPN path
- Exam Tip: When a question asks for the "most resilient" or "highest availability" Direct Connect design, the answer is always separate connections at separate DX locations; when cost is a constraint, VPN backup is the correct choice
Site-to-Site VPN
| Feature | Description | Key Details |
|---|---|---|
| VPN Connection | IPsec tunnel over the public internet | Two tunnels per connection for redundancy; attaches to VGW or TGW; supports IKEv2; 1.25 Gbps max per tunnel; AES-256 encryption |
| Customer Gateway | Represents on-premises VPN device in AWS | Configure with on-premises router public IP and ASN; supports static or BGP routing; download configuration for popular router vendors from AWS console |
| Accelerated VPN | VPN over AWS Global Accelerator network | Routes VPN traffic through nearest AWS edge location; reduces internet path variability; improves performance for geographically distant connections; TGW attachment only |
| VPN CloudHub | Connect multiple branch offices via VGW | Multiple customer gateways connect to single VGW; branches communicate through AWS; uses BGP with unique ASNs per branch; low-cost hub-and-spoke for branch offices |
Route 53 DNS
| Feature | Description | Key Details |
|---|---|---|
| Routing Policies | Control how DNS queries are answered | Simple (single resource), Weighted (percentage split), Latency (lowest latency Region), Failover (active-passive), Geolocation (by continent/country), Geoproximity (with bias), Multivalue (up to 8 healthy IPs) |
| Health Checks | Monitor endpoint health for DNS failover | HTTP, HTTPS, TCP checks; 10 or 30 second intervals; string matching for HTTP/HTTPS; calculated health checks combine multiple checks; CloudWatch alarm-based health checks for private endpoints |
| Private Hosted Zones | DNS resolution within VPCs | Associate with VPCs for private DNS; cross-account association supported; enableDnsHostnames and enableDnsSupport must be true; useful for internal service discovery |
| Resolver Endpoints | Hybrid DNS resolution between AWS and on-premises | Inbound endpoint: on-premises → AWS DNS resolution; Outbound endpoint: AWS → on-premises DNS resolution via forwarding rules; deploy in 2+ AZs; each endpoint supports up to 10,000 queries/sec per IP |
| DNSSEC | DNS response authentication and integrity | Enable DNSSEC signing on public hosted zones; uses KMS asymmetric key for KSK; creates DS record in parent zone; protects against DNS spoofing and cache poisoning |
| Resolver Rules | Conditional forwarding for specific domains | Forward queries for on-premises domains to on-premises DNS servers via outbound endpoint; share rules across accounts using RAM; system rules take precedence for AWS internal domains |
Content Delivery & Acceleration
| Service | Use Case | Key Details |
|---|---|---|
| CloudFront | HTTP/HTTPS content delivery and acceleration | 450+ edge locations; caching at edge; supports S3, ALB, EC2, custom origins; SSL/TLS termination; Lambda@Edge for request/response manipulation; Origin Shield for origin protection |
| Global Accelerator | TCP/UDP acceleration with static IPs | 2 anycast static IPs; routes to optimal endpoint via AWS backbone; no caching; supports ALB, NLB, EC2, Elastic IP; health check-based failover; ideal for non-HTTP (gaming, IoT, VoIP) |
| CloudFront Functions | Lightweight edge compute for viewer events | JavaScript runtime; sub-millisecond execution; viewer request/response only; URL rewrites, header manipulation, redirects; 10 KB code limit; millions of requests/sec |
| Lambda@Edge | Full compute at edge for all CloudFront events | Node.js or Python; viewer and origin request/response events; up to 5 sec (viewer) or 30 sec (origin) execution; access to network and other AWS services; A/B testing, auth, dynamic content |
Hybrid Connectivity Best Practices
- Redundant DX: Always deploy at least two Direct Connect connections from different DX locations for production workloads; configure active/active with BGP load sharing or active/passive with AS path prepending
- VPN as Backup: Configure Site-to-Site VPN over the internet as a backup path for Direct Connect; set BGP local preference lower on VPN path so DX is always preferred when available
- Transit VIF for Scale: Use transit VIF with DX Gateway and TGW instead of private VIFs to individual VGWs when connecting to many VPCs; simplifies architecture and enables transitive routing
- DNS Integration: Deploy Route 53 Resolver inbound endpoints for on-premises to resolve AWS private hosted zones; deploy outbound endpoints with forwarding rules for AWS to resolve on-premises domains
- Encryption: Direct Connect is NOT encrypted by default; use MACsec for Layer 2 encryption on 10G/100G connections or IPsec VPN over DX for Layer 3 encryption of sensitive traffic
- Exam Tip: If a question asks for private encrypted connectivity with consistent latency, the answer is usually Direct Connect with IPsec VPN on top or MACsec; pure VPN over the internet cannot guarantee consistent latency
Domain 4: Network Security, Compliance, and Governance (24%)
This domain covers implementing security controls at every layer of the network, from edge protection with CloudFront and WAF to VPC-level controls with NACLs, security groups, and Network Firewall. You must understand defense-in-depth strategies, DDoS protection with Shield, traffic inspection with Gateway Load Balancer, and network visibility through VPC Flow Logs and Traffic Mirroring. This domain also covers compliance requirements and how to enforce network governance across an AWS Organization.
NACLs vs Security Groups
| Feature | Network ACLs | Security Groups |
|---|---|---|
| Level | Subnet level | ENI (instance) level |
| State | Stateless — must allow return traffic explicitly | Stateful — return traffic automatically allowed |
| Rules | Allow AND deny rules; processed in order by rule number | Allow rules only; all rules evaluated together |
| Default | Default NACL allows all inbound/outbound; custom NACL denies all | Allows all outbound; denies all inbound by default |
| References | CIDR blocks only | CIDR blocks, other security groups, or prefix lists |
| Use Case | Block specific IPs or CIDR ranges at subnet boundary | Control access per instance/ENI with fine-grained rules |
Exam Tip: When a question asks to block a specific IP address, the answer is NACL (deny rule) because security groups can only allow traffic. For ephemeral port issues, remember NACLs are stateless and require explicit outbound rules for return traffic on ports 1024–65535.
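The stateless-versus-stateful distinction above, modelled as a small simulator: an inbound HTTPS request and its reply are run through a NACL (ordered allow/deny rules, implicit final deny, each direction judged alone) and a security group (allow-only, flow-tracked). This is an added example, not from the cheat sheet; all addresses, rule numbers and ports are constructed.

```python
"""Stateless NACL vs stateful security group, as a small simulator.

Added example (not from the page): NACL rules are evaluated in ascending rule
number, first match wins, there is an implicit final deny, and each direction
is judged on its own; a security group is allow-only and tracks flows, so the
reply to an admitted request is allowed automatically. All values constructed.
"""
from dataclasses import dataclass
import ipaddress

EPHEMERAL = (1024, 65535)   # return-traffic port range the exam tip refers to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    protocol: str = "tcp"


@dataclass
class NaclRule:
    number: int             # evaluated ascending; the "*" deny rule is implicit
    action: str             # "allow" or "deny"
    cidr: str               # remote CIDR (source for inbound, destination for outbound)
    ports: tuple            # (low, high) on the packet's destination port, inclusive
    protocol: str = "tcp"   # "all" matches any protocol

    def matches(self, pkt, direction):
        remote = pkt.src if direction == "inbound" else pkt.dst
        return (self.protocol in ("all", pkt.protocol)
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr)
                and self.ports[0] <= pkt.dport <= self.ports[1])


class NetworkAcl:
    """Stateless: every packet, request or reply, must match an explicit allow."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def evaluate(self, pkt, direction):
        for rule in self.rules[direction]:
            if rule.matches(pkt, direction):
                return rule.action      # lowest matching rule number decides
        return "deny"                   # implicit final "*" rule


class SecurityGroup:
    """Stateful and allow-only; rules are (cidr, low_port, high_port) tuples."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self._flows = set()             # admitted (src, dst, sport, dport, proto)

    def evaluate(self, pkt, direction):
        # A reply reverses the 5-tuple of a tracked flow and needs no rule.
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.protocol) in self._flows:
            return "allow"
        remote = pkt.src if direction == "inbound" else pkt.dst
        for cidr, lo, hi in self.rules[direction]:
            if ipaddress.ip_address(remote) in ipaddress.ip_network(cidr) and lo <= pkt.dport <= hi:
                self._flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.protocol))
                return "allow"
        return "deny"                   # there are no deny rules; non-match is the only deny


def build_controls(block_ip=None, ephemeral_outbound=True):
    """NACL allowing inbound HTTPS (optionally denying one IP first) plus an
    allow-only SG with no outbound rules, to expose the stateful difference."""
    inbound = [NaclRule(100, "allow", "0.0.0.0/0", (443, 443))]
    if block_ip:                        # the deny must sort before the allow to take effect
        inbound.insert(0, NaclRule(90, "deny", f"{block_ip}/32", (0, 65535), "all"))
    outbound = [NaclRule(100, "allow", "0.0.0.0/0", EPHEMERAL)] if ephemeral_outbound else []
    return NetworkAcl(inbound, outbound), SecurityGroup([("0.0.0.0/0", 443, 443)], [])


def https_exchange(nacl, sg, client="203.0.113.10", server="10.0.1.20"):
    """Run an inbound HTTPS request and its reply through both controls."""
    request = Packet(client, server, sport=50000, dport=443)
    reply = Packet(server, client, sport=443, dport=50000)
    return {"nacl_request": nacl.evaluate(request, "inbound"),
            "nacl_reply": nacl.evaluate(reply, "outbound"),
            "sg_request": sg.evaluate(request, "inbound"),
            "sg_reply": sg.evaluate(reply, "outbound")}


if __name__ == "__main__":
    for label, kwargs in [("no ephemeral outbound rule", {"ephemeral_outbound": False}),
                          ("with ephemeral outbound rule", {}),
                          ("client denied at NACL rule 90", {"block_ip": "203.0.113.10"})]:
        print(f"{label:30}", https_exchange(*build_controls(**kwargs)))
```

Without the outbound ephemeral rule the NACL drops the reply even though the request was allowed, while the security group admits it from flow state; the third case shows that only the NACL can deny a specific source, the allow-only security group still passes it.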
AWS Network Firewall
| Feature | Description | Key Details |
|---|---|---|
| Architecture | Managed stateful firewall deployed in VPC | Creates firewall endpoint in dedicated subnet per AZ; route traffic through firewall endpoint using VPC route tables; supports up to 100 Gbps per AZ |
| Stateless Rules | 5-tuple matching (source/dest IP, port, protocol) | Processed in priority order; actions: pass, drop, forward to stateful engine; fast packet-level filtering before deep inspection |
| Stateful Rules | Deep packet inspection with Suricata-compatible rules | Domain filtering (allow/deny by FQDN); IPS/IDS signatures; TLS inspection with certificate; protocol detection; custom Suricata rules for advanced inspection |
| Rule Groups | Reusable collections of rules | Stateless and stateful rule groups; managed rule groups from AWS; share across accounts via RAM; capacity units limit rules per firewall policy |
| Logging | Alert and flow logs for visibility | Send to S3, CloudWatch Logs, or Kinesis Data Firehose; alert logs for rule matches; flow logs for all traffic; essential for troubleshooting and compliance |
AWS WAF & Shield
| Service | Purpose | Key Details |
|---|---|---|
| WAF | Web application firewall for Layer 7 protection | Deploys on CloudFront, ALB, API Gateway, AppSync, Cognito; rule types: IP set, rate-based, regex, geo-match, managed rules; up to 5,000 WCUs per web ACL |
| WAF Managed Rules | Pre-built rule groups from AWS and Marketplace | AWS Managed Rules: Core, SQL injection, XSS, Known Bad Inputs, Anonymous IP, Bot Control; count mode for testing before blocking; version-controlled updates |
| Shield Standard | Free DDoS protection for all AWS resources | Automatic Layer 3/4 DDoS mitigation; always-on detection; no additional cost; protects against SYN floods, UDP reflection, and other common volumetric attacks |
| Shield Advanced | Enhanced DDoS protection with SRT access | $3,000/month + data transfer; protects CloudFront, ALB, NLB, Elastic IP, Global Accelerator; 24/7 Shield Response Team (SRT); cost protection against DDoS scaling charges; automatic application-layer mitigation |
Gateway Load Balancer & Traffic Inspection
| Feature | Description | Key Details |
|---|---|---|
| Gateway Load Balancer | Deploy and scale third-party virtual appliances | Operates at Layer 3 (IP); uses GENEVE protocol (port 6081) for encapsulation; transparent to source/destination; integrates with firewall, IDS/IPS, deep packet inspection appliances |
| GWLB Endpoint | VPC endpoint for routing traffic to GWLB | Powered by PrivateLink; deployed in consumer VPC; traffic routed via VPC route tables to GWLB endpoint; GWLB can be in same or different account (centralized inspection VPC) |
| Traffic Mirroring | Copy network traffic for out-of-band inspection | Mirror source (ENI) → mirror target (ENI, NLB, or GWLB); VXLAN encapsulation; filter by protocol, port, direction; non-intrusive; use for forensics, IDS, compliance monitoring |
| VPC Flow Logs | Capture IP traffic metadata for VPC interfaces | VPC, subnet, or ENI level; publish to CloudWatch Logs, S3, or Kinesis Data Firehose; custom fields including pkt-srcaddr, pkt-dstaddr, traffic-path; does NOT capture packet payload |
Network Visibility & Troubleshooting
| Tool | Purpose | Key Details |
|---|---|---|
| VPC Reachability Analyzer | Test connectivity between two endpoints | Analyzes VPC configuration without sending packets; identifies blocking component (route table, NACL, security group); supports cross-VPC and cross-account analysis |
| Network Access Analyzer | Identify unintended network access | Define network access scope (trusted CIDRs, gateways); analyzer finds paths that allow access from untrusted sources; useful for compliance and security audits |
| CloudWatch Network Monitor | Monitor hybrid network performance | Active probing of network paths; measures round-trip time, packet loss, and jitter; monitor Direct Connect and VPN connections; CloudWatch metrics and alarms |
| VPC Flow Logs Analysis | Query flow logs for traffic patterns | Use Athena to query S3-stored flow logs; CloudWatch Logs Insights for log group queries; identify top talkers, rejected traffic, and unusual patterns |
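The flow-log analysis in this table, as an added example that is not part of this study guide: it parses default-format (version 2) VPC Flow Log records, drops NODATA/SKIPDATA rows, and ranks top talkers, rejected traffic and sources whose rejected probes touched many destination ports. The log lines, interface id, account id and addresses are constructed sample data.

```python
from collections import Counter, defaultdict

# Field order of a default-format (version 2) VPC Flow Log record.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records (documentation IP ranges, placeholder account and ENI ids).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.1.5.7 10.0.1.10 51234 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.1.5.7 443 51234 6 18 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.10 40001 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.10 40002 3389 6 1 40 1700000010 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 40003 53 17 1 60 1700000020 1700000080 REJECT OK
"""

def parse_flow_log(text):
    """Parse default-format records; skip NODATA/SKIPDATA rows, whose fields are '-'."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom-format or truncated line; not handled here
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue  # NODATA / SKIPDATA rows carry no usable 5-tuple
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def top_talkers(records, n=5):
    """Sources ranked by total bytes sent (metadata only: payload is never logged)."""
    totals = Counter()
    for rec in records:
        totals[rec["srcaddr"]] += rec["bytes"]
    return totals.most_common(n)

def rejected_sources(records):
    """Number of REJECT records per source (denied by a NACL or security group)."""
    return Counter(rec["srcaddr"] for rec in records if rec["action"] == "REJECT")

def scanning_sources(records, min_ports=5):
    """Sources whose rejected traffic hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)
```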
Network Security Best Practices
- Defense in Depth: Layer security controls at every level: edge (CloudFront + WAF + Shield), VPC perimeter (Network Firewall), subnet (NACLs), instance (security groups), application (TLS + authentication)
- Centralized Inspection: Use a dedicated inspection VPC with Network Firewall or GWLB-based appliances; route all inter-VPC and internet-bound traffic through the inspection VPC via Transit Gateway
- Egress Filtering: Use Network Firewall with domain-based rules to allow only approved FQDNs for outbound traffic; proxy or inspection is critical for preventing data exfiltration
- Encryption in Transit: Use TLS for application traffic; IPsec for VPN; MACsec for Direct Connect; VPC peering and TGW inter-Region peering are encrypted by AWS automatically
- Firewall Manager: Centrally manage WAF rules, Shield Advanced protections, security groups, Network Firewall policies, and Route 53 Resolver DNS Firewall rules across all accounts in an Organization
- Exam Tip: For inline traffic inspection use Network Firewall (AWS native) or GWLB (third-party appliances); for out-of-band inspection use Traffic Mirroring; for web application protection use WAF on CloudFront or ALB
Domain 3: Network Management and Operations (20%)
This domain covers maintaining, monitoring, troubleshooting, and optimizing AWS network architectures. You must understand how to automate network infrastructure with CloudFormation and the AWS CDK, monitor network health with CloudWatch and VPC Flow Logs, optimize performance with proper MTU settings and enhanced networking, and manage network changes across an Organization. This domain also tests your ability to troubleshoot complex routing and connectivity issues systematically.
Network Automation with IaC
| Tool | Purpose | Key Details |
|---|---|---|
| CloudFormation | Declarative infrastructure as code | JSON/YAML templates; stack sets for multi-account/multi-Region deployment; drift detection for configuration compliance; change sets for preview; nested stacks for modularity |
| AWS CDK | Programmatic infrastructure definition | TypeScript, Python, Java, C#, Go; synthesizes to CloudFormation; constructs for reusable components; L1 (CFN), L2 (opinionated), L3 (patterns) construct levels |
| Network Manager | Centralized network management and monitoring | Global network view across Regions; register Transit Gateways, Site-to-Site VPN, Direct Connect; topology visualization; route analysis; CloudWatch Events for network changes |
| RAM | Share network resources across accounts | Share Transit Gateways, subnets, Route 53 Resolver rules, prefix lists, IPAM pools; integrates with Organizations for automatic sharing; no additional cost |
Network Performance Optimization
| Feature | Description | Key Details |
|---|---|---|
| Enhanced Networking | High-performance networking with SR-IOV | Uses Elastic Network Adapter (ENA) or Intel 82599 VF; up to 100 Gbps; lower latency, higher PPS, lower jitter; no additional charge; supported on most current instance types |
| Placement Groups | Control instance placement for network performance | Cluster: same rack, lowest latency, 10+ Gbps between instances; Spread: separate hardware, max 7 per AZ; Partition: isolated racks, for distributed systems (HDFS, Cassandra) |
| Jumbo Frames | 9001 byte MTU for reduced overhead | Supported within VPC, VPC peering (same Region), DX with private VIF, Transit Gateway; NOT supported over internet, VPN, or inter-Region peering; use path MTU discovery to detect |
| Elastic Fabric Adapter | HPC and ML network interface | OS-bypass for ultra-low latency; supports MPI and NCCL; attached to EC2 instances in cluster placement group; used for tightly-coupled HPC workloads and distributed training |
| Bandwidth Allocation | Instance network bandwidth management | Baseline vs burst bandwidth per instance type; within-Region traffic uses full bandwidth; internet and inter-Region traffic may be limited to 50%; check instance type specs for exact limits |
Monitoring & Observability
| Service | Purpose | Key Details |
|---|---|---|
| CloudWatch Metrics | Network performance and health metrics | VPN tunnel state, DX connection state, NAT Gateway metrics (bytes, packets, errors, connections), TGW attachment metrics, NLB/ALB metrics; set alarms for threshold breaches |
| CloudTrail | API activity logging for network changes | Track who created/modified/deleted VPCs, route tables, security groups, NACLs; use with EventBridge for automated response to unauthorized network changes |
| AWS Config | Configuration compliance for network resources | Track security group rules, NACL changes, VPC configuration over time; managed rules for compliance checks (restricted-ssh, vpc-flow-logs-enabled); auto-remediation with SSM |
| Route 53 Resolver Query Logs | DNS query logging for VPCs | Log all DNS queries from VPC resources; send to CloudWatch Logs, S3, or Kinesis Data Firehose; useful for security analysis and troubleshooting DNS resolution issues |
Load Balancing for Network Architectures
| Type | Layer | Key Details |
|---|---|---|
| ALB | Layer 7 (HTTP/HTTPS) | Path and host-based routing; supports WebSocket, gRPC; integrates with WAF; target types: instance, IP, Lambda; SNI for multiple TLS certificates; sticky sessions |
| NLB | Layer 4 (TCP/UDP/TLS) | Ultra-low latency; static IP per AZ; preserves source IP; millions of requests/sec; supports PrivateLink for service exposure; TLS termination; cross-zone LB optional |
| GWLB | Layer 3 (IP/GENEVE) | Transparent traffic inspection; GENEVE encapsulation; used with firewall/IDS appliances; deployed in security VPC; accessed via GWLB endpoint in workload VPCs |
IPv6 in AWS
| Feature | IPv4 | IPv6 |
|---|---|---|
| Address Type | Private (RFC 1918) + public via IGW/NAT | All addresses are globally unique and public |
| VPC CIDR | /16 to /28 user-selected | /56 Amazon-provided or BYOIP /48 |
| Subnet | Variable size subnet CIDR | Fixed /64 per subnet |
| Outbound Only | NAT Gateway for private → internet | Egress-only Internet Gateway (free, stateful) |
| Security Groups | Separate IPv4 rules | Separate IPv6 rules (both required in dual-stack) |
| DNS | A records | AAAA records; dual-stack endpoints resolve both |
Exam Tip: IPv6 questions test dual-stack VPC configuration; remember that egress-only internet gateway replaces NAT Gateway for IPv6, security groups need separate IPv6 rules, and all IPv6 addresses are public so you cannot use NACLs to differentiate "private" IPv6 traffic.
Operational Best Practices
- Infrastructure as Code: Define all network resources in CloudFormation or CDK; use stack sets for multi-account deployment; enable drift detection to catch manual changes
- Automated Monitoring: Set CloudWatch alarms for VPN tunnel state, DX connection state, NAT Gateway errors, and NLB unhealthy targets; use SNS for notifications and Lambda for auto-remediation
- Change Management: Use CloudFormation change sets to preview network changes before applying; enable CloudTrail for audit logging of all network API calls; use Config rules to detect unauthorized changes
- Cost Optimization: Use VPC gateway endpoints (free) for S3 and DynamoDB instead of NAT Gateway; consolidate VPN connections through Transit Gateway; use Reserved capacity for Direct Connect when committed
- Troubleshooting Flow: Verify route tables → check NACLs → check security groups → verify DNS resolution → check VPC Flow Logs → use Reachability Analyzer for systematic connectivity testing
- Exam Tip: Troubleshooting questions follow a pattern: if traffic is rejected at subnet level, check NACLs; if at instance level, check security groups; if no route exists, check route tables; if DNS fails, check VPC DNS settings and Resolver endpoints
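The troubleshooting order in the bullets above (route table → NACLs → security groups), as an added example that is not part of this study guide: a small Python model that evaluates a connection in that order and reports the first blocking component, including the stateless NACL's need for an ephemeral-port return rule that a stateful security group does not require. All CIDRs, rule numbers and the peering id are constructed.

```python
import ipaddress

# Constructed sample configuration for one subnet; ids and CIDRs are not real.
ROUTES = [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-PLACEHOLDER")]
NACL_IN = [(100, "10.1.0.0/16", (443, 443), "allow"),
           (110, "10.1.0.0/16", (22, 22), "deny")]
NACL_OUT_BROKEN = [(100, "10.1.0.0/16", (443, 443), "allow")]  # no ephemeral-port rule
NACL_OUT = NACL_OUT_BROKEN + [(200, "0.0.0.0/0", (1024, 65535), "allow")]
SG = [("10.1.0.0/16", (443, 443))]  # allow-only; replies are permitted statefully

def route_lookup(route_table, addr):
    """Longest-prefix match; None means the route table has no route for addr."""
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def nacl_decision(rules, addr, port):
    """Stateless evaluation: rules are checked in ascending number and the first
    match wins; the implicit final '*' rule denies anything unmatched."""
    for _number, cidr, (lo, hi), action in sorted(rules):
        if ipaddress.ip_address(addr) in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action
    return "deny"

def sg_allows(rules, addr, port):
    """Stateful evaluation: any matching allow rule admits the flow and its reply."""
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(cidr) and lo <= port <= hi
               for cidr, (lo, hi) in rules)

def diagnose(route_table, nacl_in, nacl_out, sg, src, dst, port, ephemeral=40000):
    """Walk the troubleshooting order and name the first component that blocks
    a connection from src to dst:port (the reply goes to the client's ephemeral port)."""
    if route_lookup(route_table, src) is None:
        return "route table: no route back to %s" % src
    if nacl_decision(nacl_in, src, port) != "allow":
        return "NACL inbound: port %d from %s not allowed" % (port, src)
    if nacl_decision(nacl_out, src, ephemeral) != "allow":
        return "NACL outbound: reply to %s on ephemeral port %d not allowed" % (src, ephemeral)
    if not sg_allows(sg, src, port):
        return "security group: no inbound rule for port %d from %s" % (port, src)
    return "reachable: %s -> %s:%d" % (src, dst, port)

if __name__ == "__main__":
    for nacl_out, sg in ((NACL_OUT_BROKEN, SG), (NACL_OUT, []), (NACL_OUT, SG)):
        print(diagnose(ROUTES, NACL_IN, nacl_out, sg, "10.1.5.7", "10.0.1.10", 443))
```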
Key Networking Comparisons for ANS-C01
The ANS-C01 exam frequently tests your ability to choose the correct networking service or architecture for a given scenario. The following comparisons highlight the most commonly tested differences between similar services, features, and design patterns. Understanding these distinctions is critical for selecting the right answer when multiple options appear viable.
Transit Gateway vs VPC Peering
| Aspect | Transit Gateway | VPC Peering |
|---|---|---|
| Routing | Transitive; hub routes between all attachments | Non-transitive; point-to-point only |
| Scale | Up to 5,000 attachments | 125 peering connections per VPC |
| Bandwidth | 50 Gbps per AZ per VPC attachment | No aggregate bandwidth limit |
| Segmentation | Route table segmentation for isolation | No built-in segmentation |
| Cost | Hourly per attachment + data processing | Data transfer only (no hourly charge) |
| Best For | 3+ VPCs, hub-and-spoke, hybrid connectivity | 2 VPCs, high bandwidth, low-cost direct link |
Direct Connect vs Site-to-Site VPN
| Aspect | Direct Connect | Site-to-Site VPN |
|---|---|---|
| Connection | Dedicated physical fiber connection | IPsec tunnel over public internet |
| Bandwidth | 1 Gbps, 10 Gbps, or 100 Gbps | 1.25 Gbps per tunnel (2 tunnels per connection) |
| Latency | Consistent, predictable low latency | Variable; depends on internet path |
| Encryption | Not encrypted by default; MACsec or VPN overlay | IPsec encrypted by default (AES-256) |
| Setup Time | Weeks to months for physical provisioning | Minutes to hours for configuration |
| Cost | Port hourly + data transfer out | VPN connection hourly + data transfer out |
| Best For | High bandwidth, consistent latency, production | Quick setup, backup path, lower bandwidth needs |
CloudFront vs Global Accelerator
| Aspect | CloudFront | Global Accelerator |
|---|---|---|
| Protocol | HTTP/HTTPS only | TCP and UDP (any port) |
| Caching | Edge caching for content delivery | No caching; proxies all traffic to origin |
| IP Addresses | Dynamic IPs (uses DNS-based routing) | 2 static anycast IPs |
| Edge Compute | Lambda@Edge, CloudFront Functions | No edge compute capability |
| DDoS Protection | Shield Standard included; WAF integration | Shield Standard included; Shield Advanced eligible |
| Best For | Web apps, APIs, static content, streaming | Gaming, IoT, VoIP, static IP requirements |
Private VIF vs Transit VIF vs Public VIF
| Aspect | Private VIF | Transit VIF | Public VIF |
|---|---|---|---|
| Connects To | VGW (single VPC) or DX Gateway | DX Gateway → Transit Gateway | All AWS public service endpoints |
| Transitive | No; reaches only attached VPCs | Yes; reaches all TGW-attached VPCs | N/A; accesses public endpoints only |
| Jumbo Frames | Supported (9001 MTU) | Supported (8500 MTU via TGW) | Not supported (1500 MTU) |
| Per Connection | Up to 50 per dedicated connection | 1 per dedicated connection | Up to 50 per dedicated connection |
| Best For | Small number of VPCs, simple design | Many VPCs, TGW-based architecture | Accessing S3, DynamoDB, and other public AWS services over DX |
Network Firewall vs WAF vs NACLs vs Security Groups
| Aspect | Network Firewall | WAF | NACLs | Security Groups |
|---|---|---|---|---|
| Layer | L3–L7 | L7 (HTTP/S) | L3–L4 | L3–L4 |
| Scope | VPC (all traffic routed through it) | CloudFront, ALB, API GW | Subnet boundary | ENI / instance |
| State | Stateful + stateless | Stateful | Stateless | Stateful |
| DPI | Yes (Suricata IPS/IDS) | HTTP inspection only | No | No |
| Domain Filter | Yes (FQDN-based rules) | No (URI path matching) | No | No |
| Best For | VPC perimeter protection, egress filtering, IPS | Web app protection (SQLi, XSS, bots) | Block specific IPs at subnet level | Instance-level access control |
Gateway Endpoint vs Interface Endpoint vs PrivateLink
| Aspect | Gateway Endpoint | Interface Endpoint | PrivateLink (Service) |
|---|---|---|---|
| Services | S3 and DynamoDB only | 100+ AWS services | Your own or third-party services |
| Mechanism | Route table entry (prefix list) | ENI in subnet with private IP | ENI in consumer VPC → NLB/GWLB in provider |
| Security | Endpoint policy only | Security groups + endpoint policy | Security groups + NLB/GWLB controls |
| Cost | Free | Hourly + per GB processed | Hourly + per GB processed |
| On-Premises Access | Not accessible from on-premises | Accessible via DX or VPN (private IP) | Accessible via DX or VPN (private IP) |
Dedicated DX vs Hosted DX vs Hosted VIF
| Aspect | Dedicated Connection | Hosted Connection | Hosted VIF |
|---|---|---|---|
| Bandwidth | 1G, 10G, or 100G | 50M to 10G via partner | Shares owner’s dedicated connection bandwidth |
| Port Ownership | You own the physical port | Partner owns; you get a logical connection | Another account owns; you get a VIF allocation |
| VIFs per Connection | Up to 50 private/public + 1 transit | 1 VIF only (private, public, or transit) | 1 VIF (the allocated one) |
| MACsec | Supported on 10G and 100G | Not supported | Not supported |
| LAG | Yes (up to 4 bundled) | No | No |
| Best For | Full control, high bandwidth, MACsec, multiple VIFs | Sub-1G needs, partner-managed, faster provisioning | Multi-account DX sharing without separate physical connections |
Quick-Fire Comparisons
- NLB vs ALB for PrivateLink: NLB is required to expose services via PrivateLink (AWS PrivateLink uses NLB or GWLB as the provider endpoint); ALB cannot be used as a PrivateLink provider directly
- Route 53 Geolocation vs Geoproximity: Geolocation routes based on user’s continent/country/state (exact match); Geoproximity routes based on geographic distance with adjustable bias to shift traffic between Regions
- NAT Gateway vs NAT Instance: NAT Gateway is managed, scales to 100 Gbps, HA within AZ; NAT Instance is self-managed EC2, limited by instance type, requires disabling source/dest check; always prefer NAT Gateway
- VPN over DX vs MACsec: VPN over DX provides Layer 3 IPsec encryption (works on all DX speeds); MACsec provides Layer 2 encryption (requires 10G or 100G dedicated connection and compatible router)
- Resolver Inbound vs Outbound: Inbound endpoint allows on-premises DNS servers to resolve AWS private hosted zones; Outbound endpoint allows AWS VPC resources to resolve on-premises domain names via forwarding rules
- Traffic Mirroring vs VPC Flow Logs: Traffic Mirroring captures full packet data (payload) for deep inspection; VPC Flow Logs capture metadata only (source, dest, port, action, bytes); use Mirroring for forensics, Flow Logs for monitoring
- Cluster vs Spread Placement: Cluster packs instances on same rack for lowest network latency (HPC); Spread distributes across racks for high availability (max 7 instances per AZ per group)
- ECMP with TGW: Only works with VPN attachments (not VPC or DX attachments); enables load balancing across multiple VPN tunnels to aggregate bandwidth beyond 1.25 Gbps per tunnel