AWS ANS-C01: is the Advanced Networking specialty still worth it in 2026?
Who actually takes ANS-C01, what it tests beyond SAA and SAP, and the salary delta you can expect over SAP-C02 alone.
ANS-C01 is the AWS Advanced Networking specialty exam. $300 USD, 65 questions, 170 minutes, scaled passing score of 750/1000. It's one of the harder AWS exams in the catalog and one of the least taken β partly because it's narrow, partly because most cloud engineers can fake networking depth long enough to pass SAP-C02 without ever sitting ANS.
The question I get asked once a quarter: is it still worth bothering with in 2026, now that the cert lineup includes new things like AIP-C01 and the AWS Certified AI Practitioner? Honest answer: it depends entirely on whether your job touches BGP, Transit Gateway, or hybrid connectivity. If it does, ANS-C01 is the cleanest signal you can put on a rΓ©sumΓ©. If it doesn't, save the $300.
Who actually takes this exam
In ten years of working around AWS, I've met maybe two dozen ANS-C01 holders in the wild. They cluster into four camps:
- Network engineers crossing into cloud. Cisco / Juniper / Arista backgrounds, CCNP or CCIE in their past, now responsible for connecting on-prem to AWS via Direct Connect. ANS-C01 is the cleanest credential to prove they didn't just learn a few VPC concepts.
- Cloud architects at regulated enterprises. Banks, telcos, healthcare. Anywhere with a hub-and-spoke Transit Gateway topology, IPsec VPN, multi-account network segmentation, and an opinionated security team that wants documented expertise on the network architect.
- AWS Partner Network consultancies. Network competency is a partner-tier requirement. Having ANS-C01 holders on staff is directly billable, and consultancies often reimburse the exam plus a bonus.
- AWS employees in solutions architecture or TAM roles who have to support customer networking conversations and want the internal cred.
Notice who isn't on that list: SaaS startup engineers, devops people, ML platform folks. If you're at a Series-B SaaS company running a few VPCs and an ALB, ANS-C01 is overkill. SAA-C03 plus a Terraform repo is enough signal.
What it tests beyond SAA / SAP
SAA-C03 tests whether you know what a VPC is and can pick the right subnet topology for a multi-AZ web app. SAP-C02 goes a layer deeper β Transit Gateway vs. peering, hub-and-spoke design, hybrid DNS, edge services like CloudFront and Global Accelerator. ANS-C01 sits a layer below SAP and asks you to actually understand the protocols.
The current ANS-C01 exam guide breaks down into five domains:
| Domain | Weight |
|---|---|
| Network Design | 30% |
| Network Implementation | 26% |
| Network Management and Operation | 20% |
| Network Security, Compliance, and Governance | 14% |
| (Hybrid + edge folded into the above) | β |
What you'll actually be tested on, with no fluff:
- BGP, in detail. Path attributes, AS-path prepending, communities, MED, local preference. Direct Connect uses BGP for both private and public VIFs and the exam expects you to reason about path selection.
- Direct Connect in all its variants. Dedicated vs. hosted connections, LAG, public vs. private vs. transit VIFs, Direct Connect Gateway, MACsec encryption on dedicated 10/100 Gbps connections.
- Transit Gateway at architect level. Route tables, attachments, propagation vs. static routes, inter-region peering, multicast support (yes, that exists), TGW Connect attachments to SD-WAN appliances.
- VPN, including Site-to-Site IPsec, accelerated VPN, Client VPN, and the math of running redundant tunnels.
- DNS: Route 53 Resolver inbound/outbound endpoints, hybrid DNS to on-prem AD, Route 53 routing policies including geoproximity and traffic flow.
- Edge and content delivery: CloudFront origin failover, Lambda@Edge vs. CloudFront Functions, Global Accelerator, AWS WAF integration.
- Network security: Network Firewall, security groups vs. NACLs at the wire level, VPC traffic mirroring, Reachability Analyzer, IP Address Manager (IPAM).
The trap question pattern: a scenario with a Direct Connect, a TGW, two VPCs with overlapping CIDRs, and a request to reach a specific on-prem service. SAP-C02 candidates handwave; ANS-C01 expects you to know exactly which route propagation, which NAT trick, and which Resolver rule makes it work.
Salary delta over SAP-C02 alone
This is the part that determines whether the $300 is rational. The honest framing:
- levels.fyi 2025-2026 doesn't break out ANS-C01 specifically, but Senior Network Engineer / Cloud Network Architect roles at AWS, Google, and Microsoft cluster around $210kβ$280k total comp at L5/L6, which is roughly the same as Senior SDE at the same level. ANS-C01 is what gets you into the network-architect track instead of the generic-cloud track.
- U.S. BLS OEWS May 2024, occupation 15-1241 (Computer Network Architects): median $130k, 90th percentile around $190k. Cloud-flavored network architects sit at the upper end of that distribution.
- Glassdoor / Built In for "AWS Network Engineer" or "Cloud Network Architect": $140kβ$185k base in major US metros, with FAANG and finance pushing higher.
Versus a SAP-C02 holder doing general cloud architecture work, the typical delta is $10kβ$25k base for a network-specialist role, and it compounds at staff level because there are fewer people qualified to fill the seat. The cert isn't doing all that work β the niche knowledge is. ANS-C01 is just the cheapest way to prove the niche knowledge to a recruiter.
When to skip
Skip ANS-C01 if any of these are true:
- Your day job is application architecture, devops, or platform engineering and you don't touch hybrid connectivity.
- You haven't already passed SAP-C02. Doing ANS first is a weird order β it's harder, more niche, and the SAP-C02 foundations make ANS prep significantly faster.
- You don't have hands-on Direct Connect or BGP experience and aren't planning to get any. ANS-C01 is the rare exam where pure book knowledge struggles against scenario questions.
- The cert isn't on the qualifications list of the next job you'd take.
When to take it
Take it if you're a network engineer pivoting into cloud and need a credential that doesn't get dismissed as "just SAA". Take it if you're at an AWS Partner and the network competency matters to your tier. Take it if you've already accidentally specialized β you've spent the last two years debugging TGW route propagation and BGP communities, and you want a cert that reflects what you actually do all day.
If you're prepping, the reading list is short and load-bearing: the official ANS-C01 exam guide, the AWS networking whitepapers (especially "Hybrid Connectivity" and "AWS Multi-Region Network Architecture"), and re:Invent 2024-2025 networking deep-dive sessions on YouTube. Skip the Udemy bundles β most haven't been updated for the C01 revision.
When you're ready to drill scenario questions, browse the ANS-C01 question bank on CertLabPro. And if BGP path selection still feels fuzzy, fix that first β every other piece of the exam assumes it.