AWS Certified Advanced Networking Study Guide: Specialty (ANS-C01) Exam (Sybex Study Guide)
R**.
AWS Advanced Networking study guide
The book was delivered in perfect condition and brand new. I have yet to dive deep into the book outside of scanning a few chapters but happy with the purchase.
J**Y
2nd edition is a complete re-write and a helpful resource.
Compared to 1st edition (2018), the 2024 2nd edition is a complete re-write and an extremely helpful resource for study. Obviously, no single book could possibly provide a complete reference; there is no substitute for hands-on experience and labs. The 2nd edition is a great overview including additional topics such as Transit Gateway, which is hardly mentioned in the 1st edition since it was brand new.

Note, the actual exam also covers CIDR/subnetting, WorkSpaces, AppMesh, Private NAT Gateway, etc., some additional services.

In case it might be useful for other students, this was my list of suspected errata:

Practice Test Corrections:

(Page 493, Chapter 1, #13, correct answer is "B" rather than "A", the explanation of SigV4 is correct)
(Page 495, Chapter 2, Question #12, Correct answer is "C" rather than "B". Explanation is correct)
(Page 496, Chapter 2, Question #16, Correct answer is "C" rather than "B". Explanation is correct)
(Page 499, Chapter 3, Question #19, Correct answer is "C" rather than "B". Explanation is correct)
(Page 499, Chapter 3, Question #20, Correct answer is "B" rather than "A". Explanation is correct)
(Page 512, Chapter 9, #4, correct answer is "B & C", rather than just "B". The question specifies "select two", both B & C are described as correct in the key)
(Page 318, Chapter 9, #20 "C" = "Create a DX between the VPC in different regions" is not correct. DX can support connectivity between regions using VIF, DX connects on-prem to VPC, creating DX between VPC is not supported.)
(Page 515, Chapter 10, Question #3, Correct answer is C,E rather than C,D. Explanation is correct)
(Page 521, Chapter 12, Question 5, Correct answer should be A,B rather than A,E; explanation is correct)
(Page 523, Chapter 12, Question #16, C = Config is a better answer; a Lambda function can be triggered by a Config rule. Lambda is not used to create event triggers, it can "run code in response to specific events or triggers", as described on page 523)
(Page 524, Chapter 13, #4, A = Flow Logs is also true. The key specifies "Flow Logs will not capture remote data center traffic", which is true of traffic inside the data center; question #4 asks for capture of details related to traffic BETWEEN on-premises and AWS VPN/DX, which would be captured in Flow Logs)
(Page 159, Chapter 14, #12 Answer should be "B" instead of "D". Client VPN uses TLS encryption, does not support IPSec)
(Page 488, Chapter 14, question #15. B and E are both true. The key on page 529 says "IAM is a service that can be used to control access to CAs in AWS...")

General Errata:

(Page 29, Chapter 1, 3rd paragraph, "Container supports load balancing over many ports on the same EC2 instance." replace with "Containers" remove "EC2" or note some containers do not run on EC2)
(Page 29, Chapter 1, 5th paragraph, remove "Auth"?)
(Page 34, Chapter 1, 5th paragraph, "AWS Security Manager", this is not an AWS service. Replace with "AWS Secrets Manager")
(Page 42, Chapter 1, #1, answer "C", the CloudFront has an API to invalidate a cached object, an object does not have an API (C is the best answer, this could be more clear))
(Page 493, Chapter 1, #14. Replace "?" with ".")
(Page 494, Chapter 1, #16, replace "in the stage" with "in cache"?)
(Page 46, Chapter 1, #20, API Gateway could integrate with IAM, use IAM policy, does not return an IAM policy to the requestor?)
(Page 495, Chapter 2, question #9, Replace "CloudFront" with "CloudWatch")
(Page 132, Chapter 4, 3rd paragraph in the "Network Designs" section, "IAM Security Groups", Security Groups are not used with IAM)
(Page 132, Chapter 4, 4th paragraph in the "Network Designs" section, replace "network firewall" with Network Load Balancer (this section is about ELB))
(Page 134, Chapter 3, Figure 4.2 shows an ELB directing traffic between the application tier and data tier in two different AZ? This could work; it might be better to show both tiers in each AZ)
(Page 139, Chapter 4, WAF section update "protect web applications and application security breaches" to "prevent" security breaches)
(Page 139, Chapter 4, Route 53 section, "Create an alias record in the Route 53 hosted zone that points to your load balancer." should be part of the paragraph above?)
(Page 194, Chapter 6, "...basic overview of the lower OSI networking layers of physical and data link are covered" replace with "...basic overview of the lower OSI networking layers, physical and data link, are covered"?)
(Page 220, 221, etc. Chapter 6, Note: Virtual Private Gateway abbreviated "VGW" rather than "VPG", even though VPG might have been a better choice. In one place the official docs mention "VPG" as "See virtual private gateway (VGW)." Reference: https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html#XYZ)
(Page 506, Chapter 6, #15, "PGP-advertised outgoing traffic tells the remote network..." replace "traffic" with a description of routes or advertisements?)
(Page 291, Chapter 9, 5th paragraph. Subnet mask for /24 network should be 255.255.255.0, rather than 25.255.255.0)
(Page 296, Chapter 9, 3rd paragraph, last sentence "Then there is the public virtual interface that is used to connect to private IP address space..." should be "private VIF")
(Page 306, Chapter 9, 6th paragraph. "implement a Direct Connect between regions" it is true that you can use "a single AWS Direct Connect connection to build multi-Region services" Reference: https://docs.aws.amazon.com/directconnect/latest/UserGuide/remote_regions.html But, this is achieved using DX with a public VIF.)
(Page 335, Chapter 10, 7th paragraph, replace "The Amazon Inspector" with "Amazon Inspector" to match service name)
(Page 364, Chapter 11, first new paragraph, "Network Insights service" is not a service, network insights are used in Reachability Analyzer)
(Page 393, Chapter 12, second paragraph; Page 394, 6th paragraph; page 405 first new paragraph; Route 53 can block malicious domains = False; this is not a feature of Route 53, it is a feature of DNS firewall)
(Page 396, 405, 436, Chapter 12, Security groups filter traffic at the instance level = true for RDS; for EC2 SG are attached at the ENI level, which is important to know for multi-homed instances)
(Page 402, Chapter 12, last paragraph; replace "Insights" with "CloudWatch Insights")
(Page 405, Chapter 12, 4th paragraph: security groups allow you to "block traffic from known malicious sources" - SG cannot block, they can only allow; NACL can both ALLOW and DENY)
(Page 522, Chapter 12, #9, replace "naive" with "native")
(Page 415, Chapter 12, this question would benefit from specifying "using an AWS service" since Splunk can also create graphical dashboards)
(Page 414, Chapter 12, #17 Service is "AWS Artifact", rather than "Artifacts")
(Page 436, Chapter 13, Figure 13.7 "VPC Security Group" shows an Internet Gateway and Traffic Mirroring, there are no security groups depicted)
(Page 459, Chapter 14, 3rd paragraph, "and only authorized entries" update to specify "and ensures that only authorized entries", or replace with "and requires that...")
(Page 465, Chapter 14, 7th paragraph "AWS also offers public sector customer exclusive regions that include specialized security services such as FedRAMP." - FedRAMP can be adopted by public sector customers but is not a service offered by AWS, FedRAMP may be required for GovCloud customers; the details of how this works are probably not in-scope for the ANS-C01 exam)
(Page 478, Chapter 14, 3rd paragraph "...enable PrivateLink to encrypt traffic between the VPC attachments and the TGW." - PrivateLink does not encrypt traffic)
(Page 478, Chapter 14, 4th paragraph "You can enable AWS WAF service to protect your TGW from web-based attacks." - TGW can integrate with Network Firewall, using WAF to protect TGW from web-based attacks is not an option)
(Page 478, Chapter 14 last paragraph "...and use IPSec or PrivateLink to encrypt traffic between VPCs and VPN connections." - Reference PrivateLink FAQ: https://aws.amazon.com/privatelink/faqs/ "PrivateLink does not provide any encryption by default for data in transit.")