AWS Advanced Networking Specialty - 15 hands-on exercises for certification success
1: Embrace hands-on learning
Hands-on practice is a cornerstone of effective learning. Beyond merely understanding concepts, actively engaging with AWS services solidifies knowledge and ensures its practical application.
When I study for a certification exam, I take free workshops and create short exercises to see some services and settings in action.
I shared 24 exercises that helped me pass the AWS Security Specialty exam a while ago. Since the article’s reception was good, I’ll share 15 exercises for the AWS Advanced Networking Specialty (ANS) exam in this post.
2. Pre-requisites
Before diving into the exercises, you might want to have some pre-requisites in place.
2.1. AWS Organizations
Set up multiple accounts to simulate real-world scenarios inside AWS Organizations.
2.2. Domain name
Register a domain for DNS-based exercises. Any cheap domain name will do.
2.3. Cost Considerations
Be mindful of potential costs associated with provisioning resources.
3. Disclaimer
While these exercises cover significant concepts tested in the exam, they are not enough to pass it. You will need a comprehensive study and practice beyond these exercises.
4. 15 engaging exercises
The scenario descriptions intentionally are of high level. Anybody preparing for the exam should know, for example, how to create a VPC peering connection and configure it in the route table. :)
The list below doesn’t contain any Direct Connect or Site-to-Site VPN exercises although these domains contribute heavily to the exam. Unfortunately, I don’t have any access to on-premise data centres to connect to my cloud environment.
- Create two VPCs, VPC A and VPC B, and peer them together. Create an interface endpoint to KMS in VPC B. Create two instances. One should be in an isolated subnet (i.e., no internet access from the subnet) in VPC A and one in an isolated subnet in VPC B. Can we connect to KMS from the VPC B instance? How about from the instance in VPC A? Why?
- Using the same two VPCs, subnets and instances, can we connect to the internet from the instance in VPC A via VPC B?
- VPC A has a CIDR block of 10.0.0.0/16. VPC B's CIDR block is 10.0.0.0/20 with a secondary CIDR of 10.1.0.0/16. Can we peer VPC A and VPC B?
- Create a PrivateLink connection between VPC A and VPC B, where VPC A is the service consumer and VPC B is the service provider. Use the correct load balancer type.
- Create a Cloud WAN global and core network. Set up two VPCs in us-east-1, eu-central-1 and ap-southeast-2 each. The first VPC in each region is for development, and the second is for the production environment. Configure the set-up to allow traffic between the development VPCs. Production VPCs should also be able to connect to each other, but there should be no traffic allowed between dev and prod VPCs.
- Create three VPCs. Dedicate one of them to be the egress VPC. Configure the internet access from the other two VPCs via the egress VPC. Repeat the exercise with the egress VPC being in a different region.
- Set up two VPCs with overlapping CIDR ranges. How many different ways can you connect them without using an internet gateway?
- Configure a connection between two private instances in two VPCs in different regions using transit gateways. Visualize the architecture in Network Manager.
- Set up a Client VPN connection. Ping a private instance in a VPC from your laptop. Ping a public website through the VPN connection. You can use the AWS Client VPN for Desktop application to manage the connection.
- Create a networking account and share one of the subnets. Configure an internet connection from a private subnet in a different account through the shared subnet using a transit gateway.
- Repeat the previous exercise without sharing the subnet. That is, create an egress VPC in the networking account and connect to the internet from a different account.
- Share a subnet from another account inside an Organization using Resource Access Manager. What are the shared resources? Can you delete these resources from the other account? Can you launch an EC2 instance in the shared subnet from the other account?
- If you have a domain name registered, create split-view DNS in Route 53.
- Launch an EC2 instance that has a custom private hostname.
- Configure DNSSEC in Route 53 for your domain if you have one.
5. Summary
By completing these exercises, you’ll take a significant step towards learning key networking concepts required for the AWS Advanced Networking Specialty certification.
I hope you’ll find them at least as helpful as I did.
Enjoy!
6. Further reading and learning
AWS Certified Advanced Networking - Specialty - Everything official about the exam
Exam Prep Standard Course: AWS Certified Advanced Networking - Specialty (ANS-C01) - Exam readiness course in Skill Builder
Exam Prep Official Practice Question Set: AWS Certified Advanced Networking - Specialty (ANS-C01 - English) - A pretty good official practice exam set
AWS Workshops - Workshops at all levels and domains (go for networking in the search bar)