Intro note

Just because I wrote this article focused on AWS certifications does not mean that I believe they offer enough knowledge on their own. Oftentimes, I question the value of these multiple-choice tests mainly because they test your ability to memorize large amounts of information and analyze a variety of scenarios in a fairly short amount of time (at least that is the case for the professional/specialty ones). Nowadays, with the increased popularity of LLMs, I am not sure if we need to memorize every single specific thing about services that we are unlikely to use but appear on the exam. I personally prefer hands-on certifications like Kubernetes or the RHEL administrator suite since they validate skills that are closer to what you are likely to do during your day-to-day work.

There are numerous entry-level people who believe that a certification alone can land you a job; however, that could not be further from the truth. Experience and projects will always be the foundation of your knowledge and cannot be replaced with some theoretical material that you studied to pass a multiple-choice test. However, certifications are 'nice-to-haves' that validate your interest in a specific domain and also paint the high-level picture, bringing awareness of the plethora of cloud services available. It is also a nice way to keep yourself up-to-date with the ever-changing cloud landscape.

Why this cert?

I have been working with AWS for 2 years now and, like most people new to cloud, I started with the Cloud Practitioner cert, which in my opinion is simply useless (there were some rumours about AWS retiring it, however it has not happened yet 🥹). After that there was a combination of hands-on work, studying and passing all the associate certs and the DevOps Professional one. Looking back, I think that the SysOps associate followed by the DevOps Pro would have sufficed since there is a huge overlap between all the associate certs.

When working in an enterprise setting, you are very likely to encounter various implementations of hybrid networking connectivity. When it came to analyzing routes for complex inter-region connectivity and troubleshooting connectivity issues from cloud to on-prem and vice-versa, I always struggled because I simply lacked the knowledge to navigate the networking maze in a step-by-step, methodical manner. It felt like finding a needle in a haystack.

I will always remember a very senior engineer from my first DevOps role who was the go-to person for any networking troubleshooting queries. SSM agent cannot register via the interface endpoint? Go ask Jonathan. Cannot figure out which route is missing from your TGW route table? Go ask Jonathan. Traffic blocked on the firewall? Go ask Jonathan. Spent ages deciding which route needs propagating where? Go ask Jonathan. And the list went on. He spotted the issue every single time.

I left that role, but the way Jonathan troubleshot networking issues stuck in my mind. His skills made me envious (in a positive way; it motivated me 🤣), so I decided it was time to act. That is why I went for the AWS Advanced Networking certification and consequently wrote this article on passing it and how you can pass it as well.

Prior knowledge and prep time

Before taking this cert, I had 2 years of AWS experience and good foundational knowledge about VPC routing, R53, EC2 networking, load balancers (excluding the Gateway Load Balancer), CloudFront and TGW routing. However, Direct Connect, VIFs, BGP, VLANs, Global Accelerator, Cloud WAN, Local Zones, advanced TGW features (Connect attachments, appliance mode), VPN tunnels, DNSSEC and VGW/DX-GW were all unknown to me. I would say that I had decent knowledge about networking inside the VPC and maybe VPC peering and attachments via TGW, however I lacked all the knowledge required to understand the connectivity from cloud to on-prem (and vice-versa). The AWS official guide recommends having '5 years of hands-on experience architecting and implementing network solutions'. This did not deter me since I saw it as a good opportunity to learn foundational networking concepts and improve my skillset. And, as always, it is better to overshoot rather than undershoot 😉.

The preparation time was 3 months. As usual, I went with Adrian's course since I used his resources in the past and they were top-notch. He has very good theory lessons on BGP, IPsec, DNSSEC and the OSI layers, which proved to be really valuable before taking the actual course. Apart from the theory I did all the hands-on labs to cover the main services (primarily setting up VPN tunnels, VGW, private gateways, hybrid DNS with R53 Resolver endpoints). The main downside of this certification is that you cannot practice DX setups (unless you were lucky enough to set up a DX connection at work). However, I found the theory available in Adrian's courses and in AWS blog posts quite good for covering all DX connection scenarios. What you might find useful is drawing on a piece of paper (or using draw.io if you are part of the modern era) different networking architectures involving DX and trying to understand how all components fit together (a single Direct Connect connection with private/public/transit VIF, multiple connections with private/public/transit VIF, adding a VPN on top of a public/transit VIF, encryption between the DX router and the customer router, etc.).

Apart from theory and hands-on labs, I did the tests from Whizlabs, which were surprisingly better than the Tutorials Dojo tests. I found them more challenging and they better reflected the difficulty level of the exam questions.

Tips for passing the cert

The main services and features I came across in my exam are listed below. Obviously you should consult the exam guide for the full list of services you need to understand.

Load balancers

  • configure listeners and target groups
  • TLS termination on the ALB (it always terminates TLS, being layer 7) and how you keep end-to-end encryption by passing TLS through with an NLB TCP listener instead
  • Gateway Load Balancers and use cases
  • sticky sessions for stateful applications
  • Proxy Protocol v2 (NLB, layer 4) and the X-Forwarded-For request header (ALB, layer 7) for recovering the client's source IP and port
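
Both mechanisms carry the original client address, but they are trusted very differently, and mixing them up is a classic source of IP-based allow-listing and rate-limiting bypasses. Below is an added example (not code from the original post, nor an AWS library) that parses a PROXY protocol v2 header as an NLB prepends it when proxy protocol is enabled, and that extracts the client IP from an ALB-style X-Forwarded-For header by walking from the right so that client-supplied entries cannot spoof the result. The sample header bytes and the trusted-proxy range are constructed for the example.

```python
import ipaddress
import socket
import struct
from typing import List, Optional, Tuple

# Signature and field layout are the ones defined by the PROXY protocol v2 spec (HAProxy).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_CMD_LOCAL = 0x20    # version 2, command LOCAL: no proxied address follows
PP2_CMD_PROXY = 0x21    # version 2, command PROXY: address block follows
PP2_TCP4 = 0x11         # address family INET, transport STREAM
PP2_TCP6 = 0x21         # address family INET6, transport STREAM

ParsedHeader = Tuple[Optional[str], Optional[int], Optional[str], Optional[int], bytes]


def parse_proxy_protocol_v2(data: bytes) -> ParsedHeader:
    """Parse the binary PROXY v2 header an NLB prepends to each new TCP connection.

    Returns (src_ip, src_port, dst_ip, dst_port, remaining_bytes). Raises ValueError
    on anything malformed so the caller drops the connection instead of trusting it.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    if len(data) < 16 + addr_len:
        raise ValueError("truncated PROXY v2 header")
    body, rest = data[16:16 + addr_len], data[16 + addr_len:]
    if ver_cmd == PP2_CMD_LOCAL:
        return None, None, None, None, rest
    if ver_cmd != PP2_CMD_PROXY:
        raise ValueError(f"unsupported version/command 0x{ver_cmd:02x}")
    # Bytes after the addresses but still inside addr_len are TLVs (an NLB uses one to
    # carry the VPC endpoint ID for PrivateLink traffic); they are skipped here.
    if fam_proto == PP2_TCP4:
        if addr_len < 12:
            raise ValueError("short TCP4 address block")
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        return socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport, rest
    if fam_proto == PP2_TCP6:
        if addr_len < 36:
            raise ValueError("short TCP6 address block")
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        return (str(ipaddress.IPv6Address(src)), sport,
                str(ipaddress.IPv6Address(dst)), dport, rest)
    raise ValueError(f"unsupported address family 0x{fam_proto:02x}")


def client_ip_from_xff(xff: str, trusted_proxies: List[str]) -> Optional[str]:
    """Recover the client IP from X-Forwarded-For the way an ALB populates it.

    The ALB appends the address that connected to it, so only the RIGHTMOST entry
    is vouched for; anything to its left was sent by the client and can be forged.
    Walk from the right, skipping hops that belong to trusted proxies sitting in
    front of the ALB (CloudFront, an internal proxy tier, ...).
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the header: fail closed instead of guessing
        if not any(addr in net for net in trusted):
            return str(addr)
    return None


# Constructed sample: PROXY v2 header for a client 203.0.113.7:51234 reaching the
# NLB target at 10.0.1.20:443, followed by the first bytes of the real payload.
SAMPLE_PPV2 = (
    PP2_SIGNATURE
    + bytes([PP2_CMD_PROXY, PP2_TCP4])
    + struct.pack("!H", 12)
    + socket.inet_aton("203.0.113.7") + socket.inet_aton("10.0.1.20")
    + struct.pack("!HH", 51234, 443)
    + b"GET / HTTP/1.1\r\n"
)
# Constructed sample: a LOCAL header (no proxied address), then one payload byte.
SAMPLE_PPV2_LOCAL = PP2_SIGNATURE + bytes([PP2_CMD_LOCAL, 0x00]) + struct.pack("!H", 0) + b"x"

if __name__ == "__main__":
    print(parse_proxy_protocol_v2(SAMPLE_PPV2))
    # The client forged a leading 198.51.100.9; the ALB-appended 203.0.113.7 is what counts,
    # and 10.0.0.5 (a trusted internal proxy) is skipped.
    print(client_ip_from_xff("198.51.100.9, 203.0.113.7, 10.0.0.5", ["10.0.0.0/8"]))
```

Two caveats worth remembering with either mechanism: enable Proxy Protocol on an NLB only when the target is reachable exclusively through that NLB, because anyone who can open a TCP connection straight to the target can prepend a forged header; and never read the leftmost X-Forwarded-For entry, since that is the one under the client's control.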

Transit Gateways

  • sharing TGW with RAM
  • peering TGWs across regions (inter-region peering) for a multi-region network
  • route propagation/association in TGW route tables
  • connecting an appliance using TGW connect attachment
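
The association/propagation distinction is where most of the "which route is missing" questions come from: traffic arriving on an attachment is looked up in the single route table that attachment is associated with, while propagation only decides which CIDRs appear in a table. The following is an added illustration, not the author's code and not an AWS API; it models a TGW with a constructed three-attachment topology and reproduces the classic asymmetric-route failure, where the shared-services VPC can reach prod but prod has no return route to it. The attachment IDs, table names and CIDRs are made up for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Route:
    cidr: ipaddress.IPv4Network
    target: Optional[str]   # attachment id, or None for a blackhole route
    static: bool            # True = static route, False = propagated from an attachment


@dataclass
class RouteTable:
    name: str
    routes: List[Route] = field(default_factory=list)

    def add_static(self, cidr: str, target: Optional[str]) -> None:
        self.routes.append(Route(ipaddress.ip_network(cidr), target, static=True))

    def propagate(self, cidr: str, attachment: str) -> None:
        """What enabling propagation from an attachment does: its CIDRs appear in this table."""
        self.routes.append(Route(ipaddress.ip_network(cidr), attachment, static=False))

    def lookup(self, dst: str) -> Optional[Route]:
        """Most specific prefix wins; for an identical prefix a static route beats a propagated one."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.cidr]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.cidr.prefixlen, r.static))


@dataclass
class TransitGateway:
    tables: Dict[str, RouteTable] = field(default_factory=dict)
    # attachment id -> the ONE table consulted for traffic entering on that attachment
    associations: Dict[str, str] = field(default_factory=dict)

    def forward(self, src_attachment: str, dst: str) -> str:
        """Where the TGW sends a packet that arrived on src_attachment: an attachment id or a failure reason."""
        table_name = self.associations.get(src_attachment)
        if table_name is None:
            return "no-association"   # the attachment exists but is associated with no table
        route = self.tables[table_name].lookup(dst)
        if route is None:
            return "no-route"
        if route.target is None:
            return "blackhole"
        return route.target


def build_example() -> TransitGateway:
    """Constructed topology (hypothetical IDs and CIDRs):

    att-vpc-shared  10.10.0.0/16    associated with table 'shared'
    att-vpc-prod    10.20.0.0/16    associated with table 'prod'
    att-vpn-onprem  192.168.0.0/16  associated with table 'shared'
    """
    tgw = TransitGateway()
    shared, prod = RouteTable("shared"), RouteTable("prod")
    tgw.tables = {"shared": shared, "prod": prod}
    tgw.associations = {
        "att-vpc-shared": "shared",
        "att-vpc-prod": "prod",
        "att-vpn-onprem": "shared",
    }

    # Propagations into 'shared': shared services and on-prem can reach everything.
    shared.propagate("10.10.0.0/16", "att-vpc-shared")
    shared.propagate("10.20.0.0/16", "att-vpc-prod")
    shared.propagate("192.168.0.0/16", "att-vpn-onprem")
    # Static blackhole for a quarantined prod subnet: the /24 is more specific than the
    # propagated /16, so it wins the lookup and the traffic is dropped.
    shared.add_static("10.20.200.0/24", None)

    # 'prod' table: only on-prem was propagated into it. Nobody propagated (or added a
    # static route for) the shared VPC, so prod's return traffic has nowhere to go.
    prod.propagate("192.168.0.0/16", "att-vpn-onprem")
    return tgw


if __name__ == "__main__":
    tgw = build_example()
    print("shared -> prod   :", tgw.forward("att-vpc-shared", "10.20.0.5"))     # att-vpc-prod
    print("prod   -> shared :", tgw.forward("att-vpc-prod", "10.10.0.9"))      # no-route (!)
    print("shared -> quarantined:", tgw.forward("att-vpc-shared", "10.20.200.1"))  # blackhole
```

When troubleshooting for real, the equivalent check is `aws ec2 search-transit-gateway-routes` against the table the *source* attachment is associated with, run once per direction: a route that exists only in the forward direction produces exactly the half-working connectivity (SYNs arrive, replies vanish) that is so hard to spot from inside a VPC.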

Direct Connect

  • private/public/transit VIFs
  • configuring BGP peering and understanding ASN (Autonomous System Numbers)
  • route advertisement and acceptance policies
  • using DXGW with Transit Gateway for extended connectivity
  • using LAG (Link Aggregation Groups) for higher bandwidth and redundancy

Route 53

  • creating and managing hosted zones
  • record types (A, CNAME, MX, etc.) and their uses
  • simple, weighted, latency-based, geolocation and failover routing policies (failover for high availability)
  • setting up health checks for endpoints
  • registering and transferring domains
  • managing DNSSEC (DNS Security Extensions)

CloudFront

  • understanding edge locations and regional edge caches
  • configuring cache policies and behaviors
  • cache invalidation and controlling TTL (Time to Live)
  • using signed URLs and signed cookies for secure content delivery
  • geo-restriction to allow or block content based on the viewer’s location

The list above is not exhaustive but it should give you a baseline overview of what you can expect in the exam.

I’ll be taking a break from AWS certifications for a while to focus on more hands-on projects and explore other cloud platforms, with GCP at the top of my list. I hope you enjoyed this post and found it useful. Until next time, happy learning!