The AWS Certified Networking Specialty Exam ANS-C01 is one of the most challenging certification exams you can take from Amazon. Passing it tells employers in no uncertain terms that your knowledge of AWS networking is wide and deep. But, even experienced technologists need to prepare heavily for this exam. This course sets you up for success by covering all of the AWS networking topics on the exam and how they fit together.
Best-selling Udemy instructors Stéphane Maarek and AWS Networking expert Chetan Agrawal have teamed up to deliver the most comprehensive and hands-on prep course we've seen.
This course combines Stéphane's depth on AWS with Chetan's experience in AWS Networking. Chetan and Stéphane took and passed the exam themselves on the first try.
The world of networking on AWS includes in-depth knowledge about technologies and services. Here are some of the concepts we will cover:
Learn networking fundamentals with Amazon VPC
Learn advanced features of VPC
Understand DNS and DHCP options on VPC
Learn Networking Performance and Optimizations
Configure VPC Peering, VPC Gateway & Interface Endpoints
Learn Hybrid Networking (combining networking of on-premises and AWS) in depth.
In-depth configuration of Site-to-Site VPN, AWS Client VPN, and Direct Connect
Networking aspects of AWS Elastic Load Balancers and AWS CloudFront
Advanced DNS configurations with Route 53
Kubernetes networking and Amazon EKS Networking
Advanced Network architectures
Many additional AWS networking features
You'll have many opportunities to reinforce your learning with hands-on exercises throughout the course. We'll also arm you with some valuable test-taking tips and strategies along the way.
AWS Networking is an advanced certification, and it's best tackled by students who have already obtained associate-level certification in AWS and have some real-world industry experience. This exam is not intended for AWS beginners.
You want to go into the AWS Certified Networking Specialty Exam confidently, which is what this course delivers. Hit the enroll button, and we're excited to see you in the course... and ultimately to see you get your certification.
Course content updates 06-11-2024:
17-12-2024: Refreshed Hybrid DNS Hands-on exercises (Lectures 196-198) with latest UI changes and Amazon Linux 2023 AMI.
06-11-2024: Minor updates as per increased limits and student's feedback. Improved audio for Client VPN section.
22-04-2024: Added "VPC sharing" lecture under Additional Topics section.
23-03-2024: Updated VPC DNS and DHCP section (no new lectures. Just re-recorded for better explanation)
11-03-2024: Updated lectures for AWS Shield, ACM and added AWS Firewall Manager
26-02-2024: Added lectures and hands-on walkthrough for AWS Cloud WAN
12-02-2024: Refreshed Transit Gateway lectures for Centralized architectures. Added TGW+VPN lecture. Added 10 practice questions for Transit gateway section.
02-01-2024: Added lectures for VPC IP Address Manager (IPAM), VPC Reachability Analyzer, VPC Network Access Analyzer
01-01-2024: Removed a few lectures from the Hybrid networking basics section as there was some repetition
30-Sep-2023: Updated most of the Direct Connect lectures to accommodate the latest changes/limits etc. Incorporated feedback from the students.
05-Apr-2023: Added lecture "AWS Direct Connect Architecture - Putting it together"
To be added soon. Until we publish a lecture here, kindly refer to the AWS documentation, re:Invent videos or AWS blogs:
AWS Transit Gateway Private IP VPN
API Gateway PrivateLink integration with VPC resources
AWS VPC Lattice (Coming Soon)
Instructor
My name is Stephane Maarek, and I'll be your instructor in this course. I teach about AWS certifications, always focusing on helping my students improve their professional proficiencies in AWS. I am also the author of some of the most highly-rated & best-selling courses on AWS Lambda, AWS CloudFormation & AWS EC2.
Throughout my career in designing and delivering these certifications and courses, I have already taught
I'm delighted to welcome Chetan Agrawal as my co-instructor for this course.
Chetan has been passionate about AWS Networking. He himself learned Networking in the cloud practically during his 6+ years of professional career as a Cloud and DevOps architect. Cloud platforms provide an opportunity to try and experiment with networking configurations quickly; hence, wherever possible, these courses include supporting hands-on exercises/demos that you can implement. This helps retain knowledge and build skills for a lifetime.
With AWS becoming more than a buzzword, I've decided it's time for students to learn how to properly be an AWS Advanced Networking Specialist. So, let’s kick start the course. You are in good hands.
This course also comes with:
Lifetime access to all future updates
A responsive instructor in the Q&A Section
Udemy Certificate of Completion Ready for Download
A 30-Day "No Questions Asked" Money Back Guarantee.
Join me in this course if you want to pass the AWS Certified Advanced Networking Specialty Certification and master the AWS platform.
This lecture captures a summary of Amazon VPC and its related networking components. It gives a very high-level overview of all AWS networking components and their relevant use cases. It's important to get the big picture before we deep dive into the individual components later in this course.
We have also included a good number of hands-on labs in this course; however, considering the length of the course, it's not possible to add labs for every topic.
Hope you get the most out of this course! All the best !
Let's talk about the section agenda and topics we are going to cover.
For beginners, it is often confusing to visualize the scope of a VPC and how it maps to an AWS account, Region and Availability Zone. Before we dive deeper into VPC components, let's first put things in perspective.
The main components of the VPC are - VPC, CIDR, Subnet, Route tables, Internet gateway, Security group, Network ACL and DNS.
Please note that AWS provides no official definition of the "core components" of a VPC, and they need not be categorized as such; it is nevertheless good to understand the purpose and functionality of these components, as they form the base on which a VPC works.
We will start with the basics of private network address space. Earlier, network address ranges were defined in the form of address classes, e.g. Class A, Class B and Class C. Each class defines how many of the 32 bits of an IPv4 address are used for the network address and how many bits are available for host addressing.
With CIDR (Classless Inter-Domain Routing), however, we can represent all types of IPv4 addresses using an IP prefix. In this lecture, let's understand how Amazon VPC addressing works and how to calculate the CIDR blocks for your VPC and subnets.
A route table defines the routing rules used to send traffic through different network paths, e.g. through an internet gateway, a NAT gateway or any other networking component inside the VPC.
Let's understand how routing works inside VPC and deep dive into VPC Main route table and custom route tables.
In AWS, you can assign public or private addresses, or both, to EC2 instances, depending on your architecture. In this lecture, let's understand the different types of IP addresses, i.e. private, public and Elastic, and also understand IPv4 and IPv6 addresses.
Security groups are the first level of defense for EC2 instances. They are stateful firewalls and must be configured while setting up EC2 instances. In this lecture, let's understand security groups, inbound/outbound rules, the statefulness of traffic and more.
Network ACLs (NACLs) are the second level of defense. They are stateless firewalls that work at the subnet level. In this lecture, let's understand Network Access Control Lists, the difference between security groups and network ACLs, and when to use which depending on the traffic you want to allow or deny.
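As an added illustration of the statefulness difference described in the two lectures above (this code is mine, not the course's; the client address 203.0.113.10 and the rules are constructed), here is a minimal model of how a stateful security group and a stateless network ACL judge the same SSH session:

```python
"""Model the AWS rule-evaluation semantics for one SSH session.

Facts modelled (from the AWS VPC documentation):
  * Security group: allow rules only, evaluated together; stateful, so the
    reply to an allowed inbound request leaves regardless of outbound rules.
  * Network ACL: numbered allow/deny rules evaluated in ascending order, first
    match wins, implicit deny ('*' rule); stateless, so reply packets on
    ephemeral ports (1024-65535) need their own outbound rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    remote_ip: str    # the non-instance side of the flow
    port: int         # destination port the rule is matched on
    direction: str    # "in" or "out" relative to the instance / subnet
    is_reply: bool    # True when this packet answers an earlier allowed flow


@dataclass(frozen=True)
class SgRule:         # security groups only ever allow
    direction: str
    port_from: int
    port_to: int
    cidr: str         # source for inbound rules, destination for outbound


@dataclass(frozen=True)
class NaclRule:
    number: int
    direction: str
    port_from: int
    port_to: int
    cidr: str
    action: str       # "allow" or "deny"


def _matches(direction: str, port_from: int, port_to: int, cidr: str, pkt: Packet) -> bool:
    return (direction == pkt.direction and port_from <= pkt.port <= port_to
            and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(cidr))


def security_group_allows(rules: List[SgRule], pkt: Packet) -> bool:
    """Stateful: replies to allowed flows pass; other packets need a matching allow."""
    if pkt.is_reply:
        return True   # connection tracking lets the return traffic through
    return any(_matches(r.direction, r.port_from, r.port_to, r.cidr, pkt) for r in rules)


def nacl_allows(rules: List[NaclRule], pkt: Packet) -> Tuple[bool, str]:
    """Stateless: every packet, reply or not, is matched against the numbered rules."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r.direction, r.port_from, r.port_to, r.cidr, pkt):
            return r.action == "allow", f"rule {r.number}"
    return False, "rule * (implicit deny)"


# Constructed scenario: an admin host in 203.0.113.0/24 opens SSH to the instance.
SSH_REQUEST = Packet("203.0.113.10", 22, "in", is_reply=False)
SSH_REPLY = Packet("203.0.113.10", 40000, "out", is_reply=True)   # ephemeral port

# Security group with a single inbound rule and no outbound rules at all.
SG_RULES = [SgRule("in", 22, 22, "203.0.113.0/24")]

# NACL that forgets the outbound ephemeral-port rule: the SSH reply is dropped.
NACL_INBOUND_ONLY = [NaclRule(100, "in", 22, 22, "203.0.113.0/24", "allow")]

# Same NACL with the outbound ephemeral-port rule added.
NACL_WITH_EPHEMERAL = NACL_INBOUND_ONLY + [NaclRule(100, "out", 1024, 65535, "0.0.0.0/0", "allow")]

# A lower-numbered deny wins over the later allow because the first match is final.
NACL_WITH_DENY = [NaclRule(90, "in", 22, 22, "203.0.113.10/32", "deny")] + NACL_WITH_EPHEMERAL


if __name__ == "__main__":
    print("SG  request:", security_group_allows(SG_RULES, SSH_REQUEST))
    print("SG  reply  :", security_group_allows(SG_RULES, SSH_REPLY))
    print("NACL reply without ephemeral rule:", nacl_allows(NACL_INBOUND_ONLY, SSH_REPLY))
    print("NACL reply with ephemeral rule   :", nacl_allows(NACL_WITH_EPHEMERAL, SSH_REPLY))
    print("NACL request with deny first     :", nacl_allows(NACL_WITH_DENY, SSH_REQUEST))
```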
AWS creates a default VPC in every region so that you can start launching EC2 instances right away. Let's understand how the subnets and route tables are configured in the default VPC and what that means.
Create a VPC and a single public subnet. Launch an EC2 instance in this subnet and connect over SSH.
Add a private subnet to the existing VPC (created earlier) and observe the inbound and outbound connectivity of an instance launched inside the private subnet.
Understand the NAT concept and the AWS-managed NAT Gateway. See how to route outbound internet traffic from instances inside the private subnet through the NAT gateway. Also understand the benefits of the NAT gateway.
Add a NAT gateway to the existing setup (that we created earlier) and route outbound internet traffic from the private subnet via the NAT gateway.
NAT gateways are HA within single AZ. Learn about the architecture for Highly Available NAT Gateway across AZs.
You can also set up NAT on an EC2 instance. For this you should use a NAT AMI, and you also need to disable the Source/Destination check so that the NAT EC2 instance can accept traffic from other EC2 instances (in the private subnet) and forward it to the internet. Also see the benefits and downsides of using EC2-based NAT.
Important points to remember for the exam
In this section, we will cover topics that sit somewhere between VPC basics and advanced features but are important for your exam.
You can extend the VPC CIDR by adding secondary CIDRs. However, there are certain restrictions when you add a secondary CIDR. It's important to know these restrictions for the exam.
Let's revisit the Elastic Network Interface and its features. It's an important topic in the exam.
AWS allows you to bring your own IPv4 and IPv6 public IP address ranges. You can assign these IP addresses to EC2, NLB or NAT gateways.
Amazon VPC uses a virtual DNS server that runs within the VPC at the VPC base address + 2 (e.g. 10.0.0.2 for VPC 10.0.0.0/16). This DNS server is responsible for resolving the DNS queries for your VPC. It integrates natively with the Amazon Route 53 DNS service and also handles public DNS queries by forwarding them to public DNS servers.
In this lecture, let's understand how the DNS server is configured and used when you create a VPC.
Note that we are not yet talking about the Amazon Route 53 service, which has a wider scope beyond the VPC. We will have a dedicated section covering Amazon Route 53.
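As an added example (my code, not course material) tying together the CIDR calculation lecture above and the "VPC base address + 2" resolver rule: it validates a VPC CIDR, carves it into subnets, and lists the five addresses AWS reserves in every subnet. It assumes the documented facts that a VPC CIDR is /16 to /28, that each subnet loses its first four addresses and its last one, and that the resolver is at base + 2.

```python
"""Model Amazon VPC address reservation and the location of the VPC DNS resolver."""
import ipaddress
from typing import Dict, List

# Roles of the first four addresses AWS reserves in every subnet (documented behaviour).
RESERVED_LABELS = ["network address", "VPC router", "DNS resolver", "reserved for future use"]


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Return the network if the prefix length is allowed for a VPC, else raise."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("this example models IPv4 VPC CIDRs only")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    return net


def vpc_dns_resolver(vpc_cidr: str) -> str:
    """The Amazon-provided DNS resolver sits at the VPC base address + 2."""
    net = validate_vpc_cidr(vpc_cidr)
    return str(net.network_address + 2)


def reserved_addresses(subnet_cidr: str) -> Dict[str, str]:
    """Map each of the five AWS-reserved addresses in a subnet to its role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{subnet_cidr}: subnet CIDR must be between /16 and /28")
    reserved = {str(net.network_address + i): RESERVED_LABELS[i] for i in range(4)}
    reserved[str(net.broadcast_address)] = "network broadcast (broadcast is not supported in a VPC)"
    return reserved


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses you can actually assign to ENIs: block size minus the 5 reserved ones."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - 5


def carve_subnets(vpc_cidr: str, new_prefix: int) -> List[str]:
    """Split a VPC CIDR into equal-sized subnets of the given prefix length (e.g. /24)."""
    net = validate_vpc_cidr(vpc_cidr)
    if new_prefix < net.prefixlen or new_prefix > 28:
        raise ValueError("subnet prefix must be no shorter than the VPC prefix and at most /28")
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    vpc = "10.0.0.0/16"   # constructed sample VPC, matching the lecture's example
    print("VPC resolver:", vpc_dns_resolver(vpc))
    for subnet in carve_subnets(vpc, 24)[:2]:
        print(subnet, "usable hosts:", usable_hosts(subnet))
        for addr, role in reserved_addresses(subnet).items():
            print("   ", addr, "->", role)
```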
DHCP option sets hold the DHCP configuration for a VPC. In this lecture, let's understand how you can change the DHCP options set of a VPC and how the change is propagated to EC2 instances inside the VPC. We will also cover the important points about DHCP options sets that you need to remember for your exam.
We want EC2 instances to use the corp.internal domain name. For this we will configure a custom DHCP options set and a Route 53 private hosted zone. This is a hands-on (demo) exercise.
For organizations that operate in hybrid mode, with some workloads running on-premises and some in the cloud, it's important to have seamless DNS resolution across both sides of the network. For this, AWS provides Route 53 Resolver endpoints (inbound and outbound), which let DNS queries from on-premises be sent to an AWS private hosted zone and queries from the AWS VPC be sent to the on-premises DNS server.
Let's recap all the important concepts and features regarding DNS resolution within the VPC. Note that we are not yet talking about the Amazon Route 53 service, which has a wider scope beyond the VPC. We will have a dedicated section covering Amazon Route 53.
Let's understand the basics of network performance. First we will cover the common terms used when talking about network performance, e.g. bandwidth, latency, jitter, throughput, PPS and MTU, and then we will understand how the MTU (Maximum Transmission Unit) affects network performance.
In this lecture, we will setup the ground for lectures coming next where we will see various network performance optimization techniques.
When you need the lowest network latency and highest network bandwidth between EC2 instances, it is recommended to launch them within a cluster placement group. A cluster placement group launches the EC2 instances together, possibly on the same physical hardware, in the same AZ of the same region. This reduces the number of network hops and provides the lowest possible latency between EC2 instances. To have dedicated network bandwidth, it is also recommended to use EBS-optimized EC2 instances, which are allocated dedicated bandwidth for EBS volume access so that the instance's full network bandwidth remains available for communication with other hosts.
One of the most important lectures for your exam. AWS provides various ways to further enhance the network performance of EC2 instances. With enhanced networking you can get up to 25 Gbps bandwidth between EC2 instances. There are different ways to enable enhanced networking, depending on the EC2 instance type, AMI and network driver support.
The Data Plane Development Kit (DPDK) is a set of libraries that lets you bypass the kernel (OS) when sending packets over the network. This improves your packets-per-second performance and helps reduce network latency further.
Elastic Fabric Adapter (EFA) is an ENA with added networking capabilities. It also provides OS-bypass functionality, thereby lowering network latency. EFA is used for High Performance Computing (HPC) workloads.
For the exam, it is essential to know the bandwidth limits that apply when communication happens between various AWS resources inside and outside the VPC. In this lecture we summarize the maximum bandwidth an EC2 instance can get when it communicates with other EC2 instances in the same VPC or across VPC peering, or with an on-premises server over VPN or Direct Connect. We also cover some more scenarios, e.g. the bandwidth for accessing S3.
Just as some EC2 instances receive CPU credits for not using their allocated CPU over a long period, some EC2 instances receive Network I/O credits for not using their full bandwidth. These instances are good candidates for use cases that need high network bandwidth for a small part of the day and low bandwidth otherwise. Do not use these instances for network performance benchmarking: accumulated credits may let them perform above their allocated bandwidth during the test, and when deployed in production they can fall back to baseline performance, causing a sub-optimal and inconsistent experience.
Let's recap what we learned about network performance in AWS and the various techniques to improve it.
This lecture covers the important points with respect to network performance and optimization; it's good to remember these points for your exam.
Section introduction
- VPC Flow logs
- VPC traffic mirroring
- VPC Reachability Analyzer
- Network Access Analyzer
You can capture the traffic flowing in and out of a VPC using VPC Flow Logs. These logs can be sent to CloudWatch, S3 or Kinesis Data Firehose and later analyzed using Athena, CloudWatch Logs Insights or third-party log analysis tools. Flow logs are collected at the ENI level, subnet level or VPC level.
VPC Traffic Mirroring allows you to mirror traffic from a source ENI to a destination ENI or NLB without any performance impact on your source network. Traffic Mirroring can be used to copy network traffic from an elastic network interface of an Amazon EC2 instance. You can then send the traffic to out-of-band security and monitoring appliances for content inspection or threat monitoring. The security and monitoring appliances can be deployed as individual instances, or as a fleet of instances behind a Network Load Balancer with a UDP listener. Traffic Mirroring supports filters and packet truncation, so that you only extract the traffic of interest and monitor it using the tools of your choice.
Next, let's see a couple of VPC features that help you analyze traffic reachability and compliance: the newly launched VPC Reachability Analyzer and VPC Network Access Analyzer.
VPC Reachability Analyzer can be used to troubleshoot network connectivity issues such as not being able to access an EC2 instance, an EC2 instance not being able to access the internet, or traffic not flowing through a VPC peering connection. It provides a hop-by-hop analysis of the traffic path and tells you what is blocking the traffic.
In this lab, let's troubleshoot a network connectivity issue to our EC2 instance. We will misconfigure the route table, NACL and security group and see how Reachability Analyzer detects each problem.
In this lecture, let's understand how Network Access Analyzer helps detect non-compliant network configurations in your AWS account by analyzing all the network components such as route tables, security groups, network ACLs, VPC peering, Transit Gateway etc.
In this lecture, let's see why private connectivity is important and what some of the ways are in which you can establish private connectivity between an AWS VPC and other AWS services/components. We will primarily cover VPC peering in this section. Other options, like VPC endpoints, will be covered in the following section.
Let's understand what VPC peering is and why you should use it when you want VPCs to communicate with each other over the AWS private network, i.e. the AWS backbone. We will also talk about the prerequisites and limitations when you set up a VPC peering connection between VPCs in the same region or across AWS regions.
Let's setup a VPC peering connection between VPCs across AWS regions and then verify that traffic is actually flowing through the peering connection.
Note: Remember to delete all AWS resources that you create during this exercise.
VPC peering does not support transitive routing, and hence you can't reach various networking components through a peered VPC. This lecture presents all the scenarios in which VPC peering won't allow traffic to flow. It's important for your exam to understand where a VPC peering connection won't be sufficient to provide the required connectivity.
VPC endpoints provide private connectivity between a VPC and AWS service endpoints. With endpoints you don't need an internet gateway or NAT gateway provisioned inside the VPC to access AWS services like S3, DynamoDB, SQS, API Gateway and more. VPC endpoints improve the security posture and also provide consistent and robust network connectivity between the VPC and AWS service endpoints.
Let's understand the VPC gateway endpoint, which provides private connectivity to access S3 and DynamoDB from your VPC. To use a VPC gateway endpoint you need to modify the subnet route table and add a route so that traffic to S3 or DynamoDB in the same AWS region flows through the gateway endpoint.
Let's set up a VPC and create a VPC gateway endpoint to access an S3 bucket from an EC2 instance. We will check that the EC2 instance can't access the internet but can still reach the S3 endpoint and download/upload data from the S3 bucket. This connectivity is established using the VPC gateway endpoint.
VPC endpoints provide an additional layer of security in the form of IAM endpoint policies, where you can define which S3 buckets can be accessed from a given endpoint. This limits the blast radius in case of a network intrusion.
You can also restrict access using an S3 bucket policy, where access can be granted to a specific endpoint using its endpoint ID.
Because a VPC gateway endpoint is actually a gateway managed by AWS, it's not possible to access a gateway endpoint from a remote network, e.g. via a VPC peering connection, a Virtual Private Network (VPN) or Direct Connect.
VPC interface endpoint is technically different than VPC gateway endpoint in the sense that it creates an ENI into your Subnet and you access the AWS service endpoint via the ENI. Hence you don't really modify the route table to access the VPC interface endpoint but rather send the traffic to ENI and it will reach the AWS service endpoint for which VPC interface endpoint is created.
In this exercise we will create VPC interface endpoint for SQS service and then put message into the SQS from EC2 instance. The traffic from EC2 to SQS goes over interface endpoint and does not go through internet.
Let's understand some important features of interface endpoints which are good to know for your exam and general best practices for designing right architecture considering high availability and cost.
While a VPC interface endpoint can be used to privately access supported AWS services, it can also be used to access applications hosted in a different VPC. For this, the service provider VPC should host the application behind a Network Load Balancer, and you then create a VPC interface endpoint pointing to that Network Load Balancer. This is called a PrivateLink connection to a customer service. VPC PrivateLink is better than exposing your application over the internet, or than creating a VPC peering connection with the consumer VPC and allowing application access over it. VPC PrivateLink is a much more scalable and secure network architecture for allowing access from thousands of consumer VPCs.
In this lecture we will see the architecture for using VPC interface endpoint (PrivateLink) to grant private network access to consumer VPCs.
Here we host the customer service (a test web server) on EC2 instances in one VPC and attach the EC2 instance behind an NLB. Both the EC2 instance and the NLB are created in private subnets. We then create a VPC endpoint service in the service provider VPC using the NLB, and then create a VPC interface endpoint in the consumer VPC that points to the endpoint service we created earlier. In this fashion we can access the web server service from the consumer VPC privately.
When you create VPC interface endpoint, AWS creates various DNS names for the interface endpoint. There is a regional DNS and zonal DNS. In order to be able to resolve these DNS you must have enableDnsHostnames and enableDnsSupport for your VPC. You can also customize this DNS name by creating Route53 private hosted zone.
As you know, a VPC gateway endpoint cannot be accessed from a remote network such as a peered VPC or a VPN connection. However, because a VPC interface endpoint provisions an ENI in your VPC/subnet, you can route traffic to it from other networking components attached to your VPC. For example, if your VPC is connected to an on-premises network using a site-to-site VPN connection, then you can access the VPC interface endpoint from the on-premises network. Likewise, you can also access a VPC interface endpoint from a peered VPC.
The question is: should we use VPC peering or VPC PrivateLink when we want to access some customer service (hosted in the customer VPC) privately? The answer depends on considerations that are more or less related to security and scaling. With VPC PrivateLink you get a more scalable architecture, and it's also considered more secure, as it opens access to a particular service from the customer VPC rather than full bi-directional traffic between the two VPCs.
Let's recap everything we talked about regarding private connectivity using VPC peering, VPC endpoints and PrivateLink.
For your exam, it's important that you understand the details of VPC peering, peering prerequisites, limitations, invalid peering scenarios, VPC gateway endpoints, VPC interface endpoints, DNS resolution, access from remote networks etc. This lecture captures all those required details.
In this lecture let's understand "Why Transit Gateway?", how it simplifies the network architecture and connections and which all network links you can connect to Transit gateway.
Let's understand how you can connect a Transit Gateway to multiple VPCs and how you can control traffic routing between the Transit Gateway and the spoke VPCs.
In this hands-on lab, we will set up full-mesh connectivity between spoke VPCs using the Transit Gateway default route table.
In this lab let's see how can you setup the Transit gateway attachment specific route table to use VRF (Virtual Routing and Forwarding) functionality. In this way you get a granular level routing control over how traffic flows from one attachment to the other. You can allow or restrict traffic as required.
Transit gateway routing domain allows us to create different network VPC patterns like flat network where all the VPCs can communicate with each other and a segmented network where VPCs can only communicate with on-premises network and inter-VPC communication is blocked. Likewise, more such customized patterns can be created.
Transit Gateway behaves a little differently when it comes to provisioning attachments in Availability Zones. You can only reach the Transit Gateway from subnets in the AZs in which a TGW attachment has been created. If you want subnets in other AZs to connect to the Transit Gateway, you also need to create attachments in those AZs.
Transit gateways try to keep the traffic in the same AZ from which the traffic has originated. This is both good and bad depending on the use case. In this lecture, we will cover the scenarios where AZ affinity is useful and how it can create an issue otherwise. Transit Gateway Appliance mode keeps the traffic with same virtual appliance irrespective of the AZ and that prevents asymmetric routing.
Transit gateway peering allows the Transit gateway across the AWS regions to have the private connectivity. In case of Transit gateway peering connection the routes are not automatically propagated. You have to create the static route in the Transit gateway route tables at both the ends. Also, the traffic across the AWS region is encrypted.
The Transit Gateway Connect attachment allows you to connect third-party virtual appliances. This is useful when you have to extend your existing SD-WAN network to AWS.
There are some differences and benefits when you terminate your site-to-site VPN on a Transit Gateway instead of a Virtual Private Gateway. Using a Transit Gateway with Site-to-Site VPN provides many-to-many network connectivity between multiple VPCs and multiple branch offices. Additionally, you can use VPN features like Accelerated VPN (using Global Accelerator) and Equal-Cost Multi-Path (ECMP) routing, which provides higher aggregate bandwidth over multiple VPN connections. In this lecture, let's go through all these architecture patterns and features.
In this lecture let's understand different ways in which you can connect Transit Gateway over a Direct connect. We are going to cover Transit VIF and supported architectures in more depth in the Direct Connect section, so in this lecture we will just see some of the architectures at high level.
Transit Gateway supports multicast traffic. You can create a multicast domain consisting of subnets inside VPCs, and create multicast groups using EC2 instance ENIs. Transit Gateway supports the IGMPv2 protocol for dynamically joining and leaving a multicast group. In this lecture, we will understand what multicast is and how you can set up multicast within VPCs and across a hybrid network.