AWS ANS-C01 cheat sheet for connectivity, resilience, failover, traps, and final review.
Use this cheat sheet for AWS Certified Advanced Networking - Specialty (ANS-C01) after you know the basics but before you start a timed practice block. The goal is not to memorize a vendor catalog; the goal is to classify the scenario and reject attractive wrong answers quickly.
Use this when the question feels like a route puzzle instead of a service-recognition question.
```mermaid
flowchart LR
  S["Source"] --> D["Destination"]
  D --> R["Route table / TGW / DX / VPN / BGP"]
  R --> P["Security group / NACL / firewall / endpoint policy"]
  P --> N["DNS / Resolver / Route 53"]
  N --> E["Evidence: flow logs, health checks, metrics, packet capture"]
```
Rule: if the answer only changes a network component but never proves the path or return path, keep looking.
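The rule above can be applied mechanically. The following sketch is an added example, not part of the original cheat sheet: it models a path with a simplified route table, a stateful security group, and a stateless NACL, then reports which forward or return hop fails. All names, addresses, and the `tgw-example` target are constructed for illustration, and DNS, endpoint policy, and firewalls are left out of the model.

```python
import ipaddress

def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def route_target(routes, dst_ip):
    """Longest-prefix match over (cidr, target) pairs; None means no route."""
    hits = [(ipaddress.ip_network(c).prefixlen, t) for c, t in routes if _in(dst_ip, c)]
    return max(hits)[1] if hits else None

def nacl_allows(rules, peer_ip, port):
    """Stateless NACL: lowest-numbered matching rule wins, else implicit deny."""
    for _num, cidr, lo, hi, action in sorted(rules):
        if _in(peer_ip, cidr) and lo <= port <= hi:
            return action == "allow"
    return False

def sg_allows(rules, peer_ip, port):
    """Stateful security group: allow rules only; replies need no rule."""
    return any(_in(peer_ip, c) and lo <= port <= hi for c, lo, hi in rules)

def prove_path(src, dst, port, eph_port):
    """Walk the forward and return path; return the names of failing hops."""
    checks = [
        ("forward route", route_target(src["routes"], dst["ip"]) is not None),
        ("source SG egress", sg_allows(src["sg_out"], dst["ip"], port)),
        ("source NACL egress", nacl_allows(src["nacl_out"], dst["ip"], port)),
        ("dest NACL ingress", nacl_allows(dst["nacl_in"], src["ip"], port)),
        ("dest SG ingress", sg_allows(dst["sg_in"], src["ip"], port)),
        ("return route", route_target(dst["routes"], src["ip"]) is not None),
        ("dest NACL egress (ephemeral)", nacl_allows(dst["nacl_out"], src["ip"], eph_port)),
        ("source NACL ingress (ephemeral)", nacl_allows(src["nacl_in"], dst["ip"], eph_port)),
    ]
    return [name for name, ok in checks if not ok]

# Constructed sample: app subnet reaches a database in another VPC via a Transit Gateway.
APP = {"ip": "10.0.1.10",
       "routes": [("10.0.0.0/16", "local"), ("10.1.0.0/16", "tgw-example")],
       "sg_out": [("0.0.0.0/0", 0, 65535)],
       "nacl_out": [(100, "0.0.0.0/0", 0, 65535, "allow")],
       "nacl_in": [(100, "0.0.0.0/0", 1024, 65535, "allow")]}
DB = {"ip": "10.1.2.20",
      "routes": [("10.1.0.0/16", "local")],                      # no route back to the app VPC
      "sg_in": [("10.0.1.0/24", 5432, 5432)],
      "nacl_in": [(100, "10.0.0.0/16", 5432, 5432, "allow")],
      "nacl_out": [(100, "10.0.0.0/16", 5432, 5432, "allow")]}   # ephemeral reply ports missing
FIXED = dict(DB, routes=DB["routes"] + [("10.0.0.0/16", "tgw-example")],
             nacl_out=[(100, "10.0.0.0/16", 1024, 65535, "allow")])
print(prove_path(APP, DB, 5432, 49152), prove_path(APP, FIXED, 5432, 49152))
```

In the broken case every forward hop passes, so a forward-only check would report the path as healthy; both failures sit on the return side.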
Use this when the stem feels like a connectivity or outage question.
```mermaid
flowchart TD
  S["Scenario"] --> P["Prove the path"]
  P --> R["Route table / TGW / DX / VPN"]
  R --> F["Firewall / SG / NACL / endpoint policy"]
  F --> D["DNS / Resolver / name resolution"]
  D --> E["Evidence: logs, metrics, packet capture, health checks"]
```

| Lane | Decision rule | Reject when |
|---|---|---|
| VPC design and routing | Reason about subnets, route tables, NAT, gateways, endpoints, security groups, NACLs, and DNS. | Debugging packets without checking route target, return path, statefulness, and name resolution. |
| Hybrid connectivity | Choose VPN, Direct Connect, Transit Gateway, routing policy, redundancy, and failover patterns. | Choosing a single connection when the scenario requires resilient hybrid connectivity. |
| Multi-account and multi-Region networking | Design shared services, VPC sharing, peering, Transit Gateway, RAM, and segmentation. | Creating full-mesh peering when central routing or segmentation is required. |
| Load balancing and edge | Pick ALB, NLB, GWLB, CloudFront, Route 53, Global Accelerator, WAF, and failover routing. | Using DNS alone when health, latency, or protocol behavior needs a different layer. |
| Network security and observability | Use flow logs, packet mirroring, firewall patterns, inspection, private access, and monitoring. | Opening broad CIDRs instead of proving the required path and control point. |

| Trap | Better instinct |
|---|---|
| Route table tunnel vision | Check DNS, security group, NACL, endpoint policy, return route, and asymmetric path. |
| Peering for everything | Use Transit Gateway or shared services when scale and routing control matter. |
| No redundancy | For hybrid links, evaluate location diversity, BGP, failover, and monitoring. |
| Wrong load balancer layer | Match ALB to HTTP features, NLB to TCP/UDP performance, and GWLB to inspection appliances. |

| If the stem says | Start with |
|---|---|
| least privilege, private access, compliance, or audit | identity scope, data boundary, policy enforcement, logging, and ownership |
| least operational effort | managed service, native integration, simple workflow, and fewer moving parts |
| high availability, recovery, or outage | failure domain, recovery objective, health check, rollback, and validation |
| performance, scale, or cost | bottleneck evidence, traffic pattern, sizing, caching, batching, and quotas |
| troubleshoot, diagnose, or investigate | symptom, recent change, logs, metrics, status, dependency, and smallest safe test |
Networking questions are path questions: source, destination, route, security, DNS, return path, health, and observability.