AWS certified advanced networking specialty practice Test
The AWS Certified Advanced Networking – Specialty Certification is a prestigious credential designed for IT professionals who specialize in complex networking tasks. This exam validates your expertise in designing, deploying, and managing advanced AWS and hybrid network architectures at scale. It is ideal for cloud engineers, network architects, and system administrators aiming to prove their skills in secure and efficient cloud networking.
🎯 Who Should Take This Exam?
This certification is intended for professionals who already possess:
At least five years of hands-on experience in network architecture and implementation
A solid understanding of AWS networking services and hybrid connectivity
Experience with routing protocols, network optimization, and security best practices
Whether you’re a Solutions Architect, Network Engineer, or DevOps Professional, this exam helps validate your ability to support enterprise-level cloud infrastructure.
📚 Covered Topics
This practice exam is designed to comprehensively cover all major domains tested on the real certification, including:
Design and Implementation of Hybrid IT Network Architectures
Advanced Networking in AWS (VPCs, Route 53, Direct Connect, VPNs)
Network Automation using AWS CLI, SDKs, and CloudFormation
Troubleshooting, Monitoring, and Optimization of Network Architectures
Security and Compliance in Cloud Networking
Integration with Third-Party Network Appliances
Disaster Recovery, High Availability, and Fault Tolerance for Network Infrastructure
All questions reflect the latest AWS best practices and exam blueprint updates.
Sample Questions and Answers
Which AWS service enables private connectivity between VPCs and on-premises networks using AWS’s global network?
A) AWS VPN
B) AWS Direct Connect
C) AWS Global Accelerator
D) AWS Transit Gateway
Answer: B) AWS Direct Connect
Explanation: AWS Direct Connect allows you to establish a dedicated network connection between your premises and AWS. This offers more consistent network performance and reduced bandwidth costs compared to VPN over the internet.
What feature of AWS Transit Gateway simplifies VPC-to-VPC routing?
A) VPC Peering
B) Route Tables
C) Centralized Route Propagation
D) NAT Gateway
Answer: C) Centralized Route Propagation
Explanation: AWS Transit Gateway supports centralized route propagation, which allows automatic route distribution between connected VPCs and on-premises networks, simplifying network management.
Which DNS routing policy in Route 53 is best for distributing traffic evenly across multiple endpoints?
A) Weighted
B) Latency
C) Failover
D) Geolocation
Answer: A) Weighted
Explanation: Weighted routing allows you to distribute traffic across multiple resources in proportions that you specify, which is ideal for load balancing.
In AWS, what does Border Gateway Protocol (BGP) primarily do in networking setups?
A) Encrypts traffic
B) Automates DNS resolution
C) Advertises and exchanges routing information
D) Monitors packet loss
Answer: C) Advertises and exchanges routing information
Explanation: BGP is used in AWS Direct Connect and VPN to exchange routing information between AWS and on-premises networks.
Which AWS service is best suited for controlling and auditing access to your VPC subnets?
A) IAM
B) NACL
C) Security Groups
D) AWS Firewall Manager
Answer: B) NACL
Explanation: Network ACLs (NACLs) provide stateless filtering of traffic into and out of subnets in your VPC, useful for controlling access at the subnet level.
You need to connect multiple VPCs in different AWS regions using high bandwidth and minimal latency. What’s the best solution?
A) VPC Peering
B) AWS Direct Connect
C) AWS VPN
D) AWS Transit Gateway with Inter-Region Peering
Answer: D) AWS Transit Gateway with Inter-Region Peering
Explanation: Transit Gateway Inter-Region Peering enables efficient VPC interconnectivity across regions using AWS’s backbone network.
What is the default MTU size for an Ethernet frame on an EC2 instance?
A) 9000 bytes
B) 1500 bytes
C) 1200 bytes
D) 1600 bytes
Answer: B) 1500 bytes
Explanation: The default MTU for EC2 instances is 1500 bytes, unless Jumbo Frames (MTU 9001) are specifically configured for enhanced networking.
Which AWS service supports centralized DNS resolution for multiple VPCs?
A) Route 53 Resolver Inbound Endpoint
B) Amazon CloudFront
C) AWS Shield
D) AWS WAF
Answer: A) Route 53 Resolver Inbound Endpoint
Explanation: Route 53 Resolver Inbound and Outbound Endpoints enable DNS queries between AWS and on-premises or between VPCs.
What is the maximum number of prefixes allowed per BGP session on AWS Direct Connect without requesting a limit increase?
A) 100
B) 200
C) 1,000
D) 50
Answer: C) 1,000
Explanation: AWS allows up to 1,000 prefixes advertised over BGP on Direct Connect unless you request a quota increase.
You have multiple applications in the same VPC that need to access S3 securely. What’s the most efficient way?
A) Internet Gateway
B) NAT Gateway
C) VPC Endpoint (Gateway Type)
D) S3 Transfer Acceleration
Answer: C) VPC Endpoint (Gateway Type)
Explanation: Gateway VPC Endpoints allow private access to S3 without traversing the internet, improving security and reducing costs.
Which option enables scalable and resilient routing for global applications?
A) CloudFront
B) Global Accelerator
C) ELB
D) VPC Peering
Answer: B) Global Accelerator
Explanation: AWS Global Accelerator uses the AWS global network to improve performance and availability by routing traffic to the optimal endpoint.
Which protocol is used by AWS Site-to-Site VPN to establish secure connections?
A) TCP
B) BGP
C) IPsec
D) TLS
Answer: C) IPsec
Explanation: AWS VPN uses IPsec to establish encrypted connections between AWS and on-premises environments.
What AWS component allows centralized control over security group rules across multiple accounts?
A) AWS Shield
B) AWS Firewall Manager
C) AWS Config
D) IAM Policy
Answer: B) AWS Firewall Manager
Explanation: AWS Firewall Manager simplifies management of firewall rules and security policies across multiple accounts using AWS Organizations.
What tool can help detect route hijacking and misconfigurations in your AWS network?
A) Amazon Inspector
B) AWS Config
C) VPC Flow Logs
D) Route Analyzer
Answer: D) Route Analyzer
Explanation: Route Analyzer (available through third-party or partner tools) helps monitor and troubleshoot routing configurations.
In AWS Direct Connect, what is the purpose of a virtual interface (VIF)?
A) Encrypts data in transit
B) Simulates VPC endpoints
C) Provides BGP configuration
D) Connects Direct Connect to AWS resources
Answer: D) Connects Direct Connect to AWS resources
Explanation: Virtual interfaces are configured over Direct Connect connections to route traffic to AWS VPCs or public services.
Which AWS service helps mitigate DDoS attacks at Layer 3/4 and Layer 7?
A) AWS Shield
B) AWS WAF
C) Route 53
D) CloudTrail
Answer: A) AWS Shield
Explanation: AWS Shield (Standard and Advanced) protects against DDoS attacks, providing real-time attack detection and mitigation.
Which VPC feature allows secure and scalable outbound internet access from private subnets?
A) VPC Peering
B) Internet Gateway
C) NAT Gateway
D) VPN Gateway
Answer: C) NAT Gateway
Explanation: NAT Gateways allow instances in private subnets to access the internet without allowing unsolicited inbound traffic.
Which type of BGP route attribute determines the preferred route among multiple paths?
A) MED
B) AS Path
C) Weight
D) Local Preference
Answer: D) Local Preference
Explanation: Local Preference influences path selection within an autonomous system—higher values are preferred.
Which tool would you use to monitor TCP handshake failures in your VPC?
A) CloudTrail
B) GuardDuty
C) VPC Flow Logs
D) AWS Inspector
Answer: C) VPC Flow Logs
Explanation: VPC Flow Logs capture IP traffic data including connection attempts, TCP flags, and rejection reasons.
When should you use AWS PrivateLink instead of VPC Peering?
A) For full bi-directional communication
B) For DNS resolution across VPCs
C) To expose specific services securely to other VPCs
D) To connect VPCs across regions
Answer: C) To expose specific services securely to other VPCs
Explanation: AWS PrivateLink exposes services over private connections without sharing the full VPC, ensuring tight control.
What AWS feature enables inspection and mirroring of network traffic for security purposes?
A) VPC Flow Logs
B) Network Access Analyzer
C) VPC Traffic Mirroring
D) AWS CloudTrail
Answer: C) VPC Traffic Mirroring
Explanation: VPC Traffic Mirroring captures packet-level traffic for deep inspection, debugging, and threat detection.
You want to monitor latency and packet loss in a hybrid setup. What should you use?
A) Amazon CloudWatch
B) AWS CloudTrail
C) AWS Network Performance Monitor
D) AWS Site-to-Site VPN
Answer: C) AWS Network Performance Monitor
Explanation: Network Performance Monitor helps you assess latency and packet loss between on-premises and AWS.
What is the key difference between Gateway Load Balancer and Network Load Balancer?
A) Protocol support
B) Stateful inspection
C) Packet-level load balancing for appliances
D) TLS termination
Answer: C) Packet-level load balancing for appliances
Explanation: Gateway Load Balancer routes traffic at the packet level to third-party appliances for inspection or processing.
Which DNS service feature protects against recursive query hijacking?
A) Resolver Rules
B) DNSSEC
C) Inbound Endpoints
D) Conditional Forwarding
Answer: B) DNSSEC
Explanation: DNS Security Extensions (DNSSEC) protect DNS responses from being tampered with.
What AWS service enables private, secure access to services hosted in another AWS account?
A) NAT Gateway
B) VPC Peering
C) AWS PrivateLink
D) VPN Gateway
Answer: C) AWS PrivateLink
Explanation: PrivateLink allows private connectivity to services across accounts without exposing the entire network.
Which configuration allows BGP failover between two VPN tunnels to AWS?
A) Equal AS Paths
B) Differing Local Preference
C) Asymmetric Routing
D) ECMP
Answer: D) ECMP
Explanation: Equal Cost Multi-Path (ECMP) routing allows traffic to be distributed across multiple tunnels, enabling redundancy.
How does Transit Gateway route priority work?
A) First in, first out
B) Static routes always override propagated
C) More specific prefixes take precedence
D) Shorter AS paths preferred
Answer: C) More specific prefixes take precedence
Explanation: In routing, more specific CIDR blocks always take priority over broader ones in Transit Gateway routing.
What is the maximum number of Transit Gateway attachments per region?
A) 50
B) 100
C) 5000
D) 10,000
Answer: B) 100
Explanation: The default soft limit is 100 attachments per region per Transit Gateway, subject to increase by request.
Which protocol allows AWS Direct Connect to exchange routes dynamically with on-premises routers?
A) RIP
B) OSPF
C) BGP
D) EIGRP
Answer: C) BGP
Explanation: Border Gateway Protocol (BGP) is the standard protocol used in AWS Direct Connect for route exchange.
Which AWS service enables hybrid DNS resolution between on-premises and AWS networks?
A) CloudFront
B) Route 53 Resolver
C) Direct Connect
D) Lambda@Edge
Answer: B) Route 53 Resolver
Explanation: Route 53 Resolver with inbound and outbound endpoints supports DNS queries from AWS to on-premises and vice versa.
What is the main advantage of using AWS Global Accelerator over Amazon Route 53 latency-based routing for global applications?
A) DNS caching improvements
B) IP address persistence with automatic failover
C) Route control at the subnet level
D) Support for hybrid cloud
Answer: B) IP address persistence with automatic failover
Explanation: AWS Global Accelerator provides static IP addresses that act as a fixed entry point to your applications, with intelligent routing and automatic failover for improved availability and performance.
Which of the following does not require a public IP address to access AWS services securely?
A) Internet Gateway
B) NAT Gateway
C) VPC Endpoint
D) ELB (Internet-facing)
Answer: C) VPC Endpoint
Explanation: VPC Endpoints allow private connections to supported AWS services without requiring public IPs or traversing the public internet.
Which protocol is used by AWS Site-to-Site VPN to establish dynamic routing?
A) OSPF
B) RIP
C) BGP
D) IS-IS
Answer: C) BGP
Explanation: AWS Site-to-Site VPN supports BGP for dynamic routing, allowing automatic route updates and failover between VPN tunnels.
Which of the following supports packet-level inspection and appliance chaining in AWS?
A) Network Load Balancer
B) Gateway Load Balancer
C) Application Load Balancer
D) Classic Load Balancer
Answer: B) Gateway Load Balancer
Explanation: Gateway Load Balancer allows for the transparent deployment of third-party virtual appliances for deep packet inspection, firewalling, and intrusion detection.
Which security tool allows organizations to set baseline compliance and automatically remediate network security issues?
A) AWS Firewall Manager
B) AWS Security Hub
C) AWS Shield Advanced
D) AWS Inspector
Answer: A) AWS Firewall Manager
Explanation: AWS Firewall Manager works with AWS Organizations to centrally configure and manage firewall rules across multiple accounts and automatically enforce security policies.
What is the main benefit of using AWS Network Firewall in a VPC?
A) SSL termination
B) Static IP enforcement
C) Stateful traffic inspection and intrusion prevention
D) Automatic load balancing
Answer: C) Stateful traffic inspection and intrusion prevention
Explanation: AWS Network Firewall provides deep packet inspection, intrusion detection/prevention, and granular traffic control at the subnet level.
Which networking component allows encrypted traffic routing between AWS services in different accounts or regions via PrivateLink?
A) VPC Peering
B) NAT Gateway
C) Interface VPC Endpoint
D) Transit Gateway
Answer: C) Interface VPC Endpoint
Explanation: Interface VPC Endpoints provide a secure, private link to AWS services or third-party SaaS products within or across accounts, using elastic network interfaces (ENIs).
When designing multi-region failover for a hybrid architecture using AWS Direct Connect, what should be included for high availability?
A) A single Direct Connect connection
B) Multiple connections in one region
C) Redundant connections in multiple regions with Direct Connect Gateways
D) Route 53 health checks only
Answer: C) Redundant connections in multiple regions with Direct Connect Gateways
Explanation: To ensure high availability in a multi-region hybrid setup, use redundant Direct Connect connections and associate them with Direct Connect Gateways linked to Transit Gateways in each region.
In a multi-account AWS environment, which service allows central configuration and enforcement of security group rules?
A) AWS IAM
B) AWS Organizations
C) AWS Firewall Manager
D) AWS Config
Answer: C) AWS Firewall Manager
Explanation: AWS Firewall Manager allows centralized management of firewall rules (like security groups and WAF rules) across multiple AWS accounts via AWS Organizations.
What does the Transit Gateway route table do in AWS?
A) Assigns public IPs to connected VPCs
B) Manages EC2 traffic
C) Controls how traffic is directed between attachments
D) Stores flow logs for auditing
Answer: C) Controls how traffic is directed between attachments
Explanation: Each Transit Gateway attachment can be associated with one route table, which determines how traffic flows between VPCs, VPNs, and Direct Connect connections.
What protocol does AWS Direct Connect support for dynamic routing?
A) RIP
B) OSPF
C) BGP
D) EIGRP
Answer: C) BGP
Explanation: Direct Connect uses Border Gateway Protocol (BGP) to dynamically exchange routes between on-premises routers and AWS.
What is one limitation of using VPC Peering across regions?
A) No DNS resolution
B) Bandwidth is limited to 1 Gbps
C) No support for transitive routing
D) Requires an Internet Gateway
Answer: C) No support for transitive routing
Explanation: VPC Peering does not support transitive routing. If VPC A peers with B, and B peers with C, A cannot automatically route to C.
What AWS service helps reduce latency by caching web content closer to end-users?
A) AWS App Mesh
B) AWS Global Accelerator
C) Amazon CloudFront
D) Amazon S3 Transfer Acceleration
Answer: C) Amazon CloudFront
Explanation: CloudFront is a CDN that caches web content at edge locations globally to reduce latency and improve performance for users.
Which VPC component is stateful and impacts both inbound and outbound traffic rules?
A) Security Group
B) Network ACL
C) NAT Gateway
D) Internet Gateway
Answer: A) Security Group
Explanation: Security Groups are stateful, meaning if an inbound rule allows traffic, the response is automatically allowed, whereas Network ACLs are stateless.
You want to allow an EC2 instance to connect to the internet but prevent inbound access. What should you use?
A) VPC Peering
B) NAT Gateway
C) VPN Connection
D) Route 53 Resolver
Answer: B) NAT Gateway
Explanation: NAT Gateway allows instances in a private subnet to access the internet while blocking inbound traffic initiated from outside.
Which service enables creating and enforcing custom network policies in container-based workloads in AWS?
A) AWS Fargate
B) Amazon ECS
C) Amazon EKS with Kubernetes Network Policies
D) AWS Cloud Map
Answer: C) Amazon EKS with Kubernetes Network Policies
Explanation: Amazon EKS supports Kubernetes Network Policies to control communication between pods and services at the IP and port level.
Which service integrates with third-party virtual appliances to support deep packet inspection?
A) AWS Shield
B) Gateway Load Balancer
C) NAT Instance
D) Application Load Balancer
Answer: B) Gateway Load Balancer
Explanation: Gateway Load Balancer allows for deploying third-party virtual appliances for advanced security, inspection, and filtering.
What is the recommended high availability setup for AWS Direct Connect?
A) Single connection in one region
B) Multiple VPN tunnels
C) Redundant connections in multiple locations
D) Multiple NAT gateways
Answer: C) Redundant connections in multiple locations
Explanation: AWS recommends redundant Direct Connect connections across different facilities for high availability and resilience.
Which type of Amazon Route 53 routing policy is used for active-passive failover configurations?
A) Latency-based
B) Geolocation
C) Weighted
D) Failover
Answer: D) Failover
Explanation: Failover routing is used to designate a primary and secondary resource, enabling traffic redirection when the primary becomes unhealthy.
Which of the following best describes the use of a Private Hosted Zone in Route 53?
A) Resolve internet domains
B) DNS resolution for on-premises
C) DNS resolution within a VPC
D) Create domain forwarding rules
Answer: C) DNS resolution within a VPC
Explanation: A Private Hosted Zone allows DNS resolution for internal AWS resources within a specific VPC or VPCs.
Which AWS service provides NAT capabilities and scales automatically with traffic?
A) NAT Instance
B) VPC Peering
C) NAT Gateway
D) Internet Gateway
Answer: C) NAT Gateway
Explanation: NAT Gateway provides scalable, managed NAT services for outbound internet access from private subnets.
What feature of Transit Gateway enables inter-region VPC communication?
A) Route Propagation
B) Cross-Region Peering
C) BGP Tunnel
D) Global Accelerator
Answer: B) Cross-Region Peering
Explanation: Transit Gateway Cross-Region Peering enables VPCs in different AWS regions to communicate through Transit Gateways.
What AWS feature helps optimize latency-sensitive traffic between AWS and on-premises using Amazon Direct Connect?
A) Route 53 failover
B) Global Accelerator
C) BGP route preference
D) Traffic Mirroring
Answer: C) BGP route preference
Explanation: By tuning BGP metrics such as AS_PATH and MED, you can optimize routing for low-latency and preferred paths.
Which AWS service allows automatic resolution of DNS queries from on-premises to AWS private hosted zones?
A) AWS Cloud Map
B) Route 53 Resolver Inbound Endpoint
C) VPC Peering
D) Lambda@Edge
Answer: B) Route 53 Resolver Inbound Endpoint
Explanation: Inbound Endpoints let DNS queries from on-premises be forwarded to AWS, allowing private DNS resolution.
What component is required to establish VPC-to-VPC communication when using Transit Gateway?
A) Elastic IP
B) NAT Gateway
C) TGW Attachment
D) Direct Connect Gateway
Answer: C) TGW Attachment
Explanation: VPCs must be attached to the Transit Gateway via TGW Attachments to enable routing between them.
You need to provide internet access to a private subnet. Which two components are essential?
A) Route Table + NAT Gateway
B) Security Group + VPN
C) Network ACL + Transit Gateway
D) Internet Gateway + VPC Peering
Answer: A) Route Table + NAT Gateway
Explanation: A route to the NAT Gateway is required in the private subnet’s route table to enable internet access.
Which service allows policy-based routing of traffic between AWS and on-prem networks?
A) CloudFront
B) Transit Gateway with BGP
C) Route 53
D) Direct Connect Gateway
Answer: B) Transit Gateway with BGP
Explanation: BGP in Transit Gateway allows dynamic route control and policy-based routing between AWS and on-prem.
What AWS service enables traffic redirection at the IP layer?
A) CloudFront
B) Application Load Balancer
C) Global Accelerator
D) NAT Gateway
Answer: C) Global Accelerator
Explanation: Global Accelerator uses Anycast IPs and operates at Layer 3 to redirect user traffic to the optimal AWS endpoint.
How does AWS PrivateLink enhance security?
A) It enables public IP access to services
B) It allows traffic over the public internet
C) It uses interface endpoints to keep traffic within the AWS network
D) It encrypts S3 objects
Answer: C) It uses interface endpoints to keep traffic within the AWS network
Explanation: PrivateLink ensures traffic remains within the AWS network, eliminating exposure to the public internet.
Which tool enables visualization of network reachability within a VPC?
A) VPC Flow Logs
B) Reachability Analyzer
C) CloudTrail
D) Security Hub
Answer: B) Reachability Analyzer
Explanation: Reachability Analyzer simulates network paths and analyzes connectivity between source and destination resources.
