AWS Certified SysOps Administrator - Associate (SOA-C03) Domain 5

Networking and Content Delivery

Official Exam Guide: Domain 5: Networking and Content Delivery
Skill Builder: AWS Certified SysOps Administrator - Associate (SOA-C03) Exam Prep

Note: Some Skill Builder labs require a subscription.

---

How to Study This Domain Effectively

Study Tips

1. Build VPCs from scratch multiple times - Don’t just read documentation; actually create VPCs with public and private subnets, configure route tables, set up internet gateways and Network Address Translation (NAT) gateways, and implement security groups and Network Access Control Lists (NACLs). The exam tests practical knowledge of how traffic flows through VPC components, and hands-on experience helps you visualize the traffic path when answering troubleshooting questions. Practice common patterns: public subnet with internet gateway for web servers, private subnet with NAT gateway for application servers, database subnet with no internet access.

2. Master the difference between Security Groups and NACLs - This is one of the most tested topics. Security Groups are stateful (return traffic automatically allowed), operate at instance level, support allow rules only, and evaluate all rules. NACLs are stateless (must explicitly allow return traffic), operate at subnet level, support allow and deny rules, and process rules in numbered order. Create scenarios where you configure both for defense-in-depth security, and practice troubleshooting scenarios where one is misconfigured causing connectivity issues.

3. Understand Route 53 routing policies deeply - Each routing policy serves different use cases and exam questions test your ability to select the appropriate policy. Simple (single resource), Weighted (A/B testing, gradual migration), Latency (performance optimization), Failover (active-passive disaster recovery), Geolocation (content localization), Geoproximity (geographic traffic distribution with bias), and Multi-value (simple load balancing with health checks). Practice configuring each type and understand how health checks affect traffic routing for automated failover.

4. Learn VPC Flow Logs analysis systematically - VPC Flow Logs are essential for troubleshooting network connectivity and security issues. Understand the log format (srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, action), how to filter logs for specific traffic patterns, and common troubleshooting scenarios (REJECT means security group/NACL denied traffic, NODATA means no traffic attempted). Practice using CloudWatch Logs Insights to query flow logs and identify blocked traffic, unusual patterns, or bandwidth consumption.

5. Practice cost optimization for network architectures - Networking costs can be significant, and the exam tests knowledge of cost reduction strategies. Understand that data transfer out to the internet is charged, data transfer between Availability Zones (AZs) costs money, NAT Gateway charges per hour plus data processing, and VPC endpoints eliminate NAT Gateway costs for AWS services. Learn when to use VPC endpoints (save on NAT Gateway costs for S3/DynamoDB), PrivateLink (private connectivity to services), and Direct Connect (reduce data transfer costs for large volumes).

Recommended Approach

1. Start with VPC fundamentals and build progressively - Begin with the VPC User Guide, understanding Classless Inter-Domain Routing (CIDR) blocks, subnets (public versus private), route tables (how routes are evaluated), and internet connectivity (Internet Gateway versus NAT Gateway versus Egress-only Internet Gateway for IPv6). Create a simple VPC with one public subnet and one private subnet, then expand to multi-AZ deployments. Understanding traffic flow through VPC components is essential before moving to advanced topics like Transit Gateway, PrivateLink, and VPC peering.

2. Deep dive into VPC security controls - Study security groups thoroughly (default deny, stateful behavior, rule evaluation), then Network ACLs (numbered rules, stateless, explicit deny), and understand when to use each. Practice defense-in-depth security by configuring both security groups (granular instance-level control) and NACLs (subnet-level protection, deny rules). Learn common patterns like database security group allowing only application tier security group, web tier in public subnet with NACL allowing HTTP/HTTPS.

3. Master hybrid connectivity options - Study AWS Direct Connect (dedicated fiber connection, consistent performance, reduced costs), Site-to-Site VPN (encrypted tunnel over internet, quick setup), Client VPN (remote user access), and Transit Gateway (hub for connecting VPCs and on-premises). Understand when to use each option based on requirements (latency, bandwidth, security, cost, setup time). Practice troubleshooting hybrid connectivity issues using VPC Flow Logs, CloudWatch metrics, and Direct Connect/VPN logs.

4. Comprehensive Route 53 and CloudFront study - Learn Route 53 hosted zones (public versus private), record types (A, AAAA, CNAME, ALIAS), routing policies, and health checks. For CloudFront, understand origins (S3, custom HTTP/HTTPS, ALB), cache behaviors (path patterns, TTL settings), invalidations, and signed URLs/cookies for restricted content. Practice configuring CloudFront distributions with custom origins, implementing caching strategies, and troubleshooting cache misses using CloudFront logs and real-time logs.

5. Practice systematic network troubleshooting - Develop a methodical approach to troubleshooting network issues: check security groups (most common issue), verify NACL rules (especially return traffic for stateless), examine route tables (correct route to destination), confirm internet/NAT gateway configuration, analyze VPC Flow Logs (identify REJECT actions), and test connectivity using VPC Reachability Analyzer. Create broken network configurations intentionally and practice diagnosing and fixing them using AWS tools.

---

Task 5.1: Implement and optimize networking features and connectivity

Skills & Corresponding Documentation

Skill 5.1.1: Configure a VPC (for example, subnets, route tables, network ACLs, security groups, NAT gateways, internet gateway, egress-only internet gateway)

Why: VPC configuration is absolutely fundamental to AWS networking and is one of the most heavily tested skills in the SysOps exam. You must understand how to design VPCs with appropriate CIDR blocks (avoiding conflicts with on-premises networks), create public subnets (with internet gateway route) and private subnets (with NAT gateway route), configure route tables (main versus custom, route priority evaluation), implement security groups (stateful, allow rules only, rule evaluation), and configure Network ACLs (stateless, numbered rules, allow and deny). The exam extensively tests traffic flow scenarios requiring you to trace the path from source to destination through security groups, NACLs, route tables, and gateways, and troubleshoot why connectivity fails when components are misconfigured.

AWS Documentation:

• Amazon VPC User Guide
• What Is Amazon VPC?
• How Amazon VPC Works
• VPCs and Subnets
• Subnet CIDR Blocks
• Route Tables
• Internet Gateways
• NAT Gateways
• Egress-Only Internet Gateways
• Control Traffic to Subnets Using Network ACLs
• Control Traffic to Resources Using Security Groups
• Security Group Rules
• Network ACL Rules
• Comparison of Security Groups and Network ACLs
• VPC Endpoints
• Example VPC Configurations

Skill 5.1.2: Configure private networking connectivity

Why: Private connectivity enables secure communication between VPCs, to on-premises networks, and to AWS services without traversing the public internet. The exam tests your knowledge of VPC peering (private connectivity between VPCs, non-transitive), AWS Transit Gateway (hub-and-spoke architecture, transitive routing, connects VPCs and on-premises), AWS PrivateLink (private access to services, powered by VPC endpoints), Direct Connect (dedicated network connection, consistent performance), and Site-to-Site VPN (encrypted IPsec tunnels over internet). Understanding when to use each option based on requirements (latency, bandwidth, security, cost, complexity, transitive routing needs) and how to configure routing for private connectivity is critical for enterprise AWS architectures and disaster recovery scenarios.

AWS Documentation:

• VPC Peering
• What Is VPC Peering?
• VPC Peering Basics
• VPC Peering Limitations
• AWS Transit Gateway
• What Is a Transit Gateway?
• How Transit Gateways Work
• Transit Gateway Route Tables
• AWS PrivateLink
• What Is AWS PrivateLink?
• VPC Endpoint Services (AWS PrivateLink)
• AWS Direct Connect User Guide
• What Is AWS Direct Connect?
• AWS Site-to-Site VPN User Guide
• What Is AWS Site-to-Site VPN?
• VPN Routing Options
• AWS Client VPN

Skill 5.1.3: Audit AWS network protection services (for example, Amazon Route 53 Resolver DNS Firewall, AWS WAF, AWS Shield, AWS Network Firewall) in a single account

Why: Network protection services defend against threats at different layers and the exam tests your understanding of what each service protects and how to audit their configurations. Route 53 Resolver DNS Firewall blocks DNS queries to known malicious domains, AWS WAF (Web Application Firewall) protects web applications from common exploits (SQL injection, cross-site scripting), AWS Shield protects against Distributed Denial of Service (DDoS) attacks (Standard is automatic and free, Advanced provides enhanced protection and DDoS Response Team support), and AWS Network Firewall provides stateful network filtering at the VPC level. Understanding how to review WAF rules, Shield protections, DNS Firewall domain lists, and Network Firewall rule groups to ensure proper protection and compliance is critical for security operations.

AWS Documentation:

• Route 53 Resolver DNS Firewall
• Getting Started with Route 53 Resolver DNS Firewall
• Managing Rule Groups and Rules
• AWS WAF Developer Guide
• What Is AWS WAF?
• AWS WAF Web ACLs
• AWS Managed Rules for AWS WAF
• AWS WAF Logging
• AWS Shield
• AWS Shield Standard
• AWS Shield Advanced
• AWS Network Firewall Developer Guide
• What Is AWS Network Firewall?
• Network Firewall Rule Groups
• Network Firewall Policies

Skill 5.1.4: Optimize the cost of network architectures

Why: Network costs can be substantial in AWS architectures, and the exam tests your knowledge of cost optimization strategies. Understanding data transfer costs is critical: data transfer IN is free, data transfer OUT to internet is charged, data transfer between AZs costs money, data transfer between regions is expensive, and NAT Gateway charges include both hourly costs and data processing fees. VPC endpoints eliminate NAT Gateway costs for accessing S3 and DynamoDB, PrivateLink reduces data transfer costs for service access, Direct Connect offers lower data transfer rates for large volumes, and CloudFront reduces origin requests through caching. The exam tests scenarios requiring you to recommend cost-optimized architectures while maintaining performance and security requirements.

AWS Documentation:

• Amazon VPC Pricing
• Data Transfer Pricing
• NAT Gateway Pricing
• VPC Endpoints - Gateway Endpoints
• Reducing Data Transfer Costs
• AWS Direct Connect Pricing
• CloudFront Pricing
• Optimizing Network Costs
• VPC Sharing
• Cost Optimization Best Practices

---

Task 5.2: Configure domains, DNS services, and content delivery

Skills & Corresponding Documentation

Skill 5.2.1: Configure DNS (for example, Route 53 Resolver)

Why: DNS is critical for name resolution and the exam tests your understanding of how Route 53 Resolver enables DNS resolution between VPCs and on-premises networks. Route 53 Resolver provides DNS resolution for VPCs (queries to public DNS and private hosted zones), inbound endpoints enable on-premises networks to resolve AWS resources via DNS queries, and outbound endpoints enable VPCs to forward DNS queries to on-premises DNS servers using forwarding rules. Understanding conditional forwarding rules (forward specific domains to target resolvers) and system rules (automatic queries for AWS services) helps you implement hybrid DNS architectures for seamless name resolution across hybrid environments.

AWS Documentation:

• Amazon Route 53 Developer Guide
• What Is Amazon Route 53?
• Route 53 Resolver
• Resolving DNS Queries Between VPCs and Your Network
• Route 53 Resolver Endpoints
• Forwarding Inbound DNS Queries to Your VPCs
• Forwarding Outbound DNS Queries to Your Network
• Managing Forwarding Rules
• Working with Private Hosted Zones
• DNS Support in Your VPC

Skill 5.2.2: Implement Route 53 routing policies, configurations, and query logging

Why: Route 53 routing policies control how DNS queries are answered and are heavily tested through scenarios requiring you to select the appropriate policy for specific requirements. Simple routing (single resource), Weighted routing (distribute traffic by percentage for A/B testing or gradual migrations), Latency-based routing (route to lowest latency endpoint), Failover routing (active-passive disaster recovery with health checks), Geolocation routing (route based on user location for content localization), Geoproximity routing (route based on geographic distance with bias adjustment), and Multi-value answer routing (simple load balancing across multiple resources). Query logging captures all DNS queries for troubleshooting and security analysis, helping you identify unusual DNS patterns or validate routing behavior.

AWS Documentation:

• Working with Hosted Zones
• Working with Records
• Choosing a Routing Policy
• Simple Routing
• Weighted Routing
• Latency-Based Routing
• Failover Routing
• Geolocation Routing
• Geoproximity Routing
• Multivalue Answer Routing
• Creating Health Checks
• How Health Checks Work
• Query Logging
• Monitoring Route 53 with Amazon CloudWatch

Skill 5.2.3: Configure content and service distribution (for example, Amazon CloudFront, AWS Global Accelerator)

Why: Content delivery networks and global acceleration services improve application performance for distributed users and are tested through configuration and optimization scenarios. CloudFront is a CDN that caches content at edge locations worldwide, supports multiple origin types (S3, custom HTTP/HTTPS, ALB, API Gateway), uses cache behaviors to control caching for different URL patterns, and implements Time To Live (TTL) settings to balance freshness with cache hit ratio. AWS Global Accelerator improves availability and performance using the AWS global network with static anycast IP addresses that route to optimal endpoints based on health and proximity. Understanding when to use CloudFront (cacheable HTTP/HTTPS content) versus Global Accelerator (non-HTTP/UDP/TCP applications, static IPs, instant regional failover) helps you optimize application delivery.

AWS Documentation:

• Amazon CloudFront Developer Guide
• What Is Amazon CloudFront?
• How CloudFront Delivers Content
• Creating a Distribution
• Working with Origins
• Cache Behaviors
• Managing How Long Content Stays in Cache
• Invalidating Files
• Using Origin Failover
• CloudFront Access Logs
• AWS Global Accelerator Developer Guide
• What Is AWS Global Accelerator?
• How AWS Global Accelerator Works
• Standard Accelerators in AWS Global Accelerator
• Endpoints for Standard Accelerators

---

Task 5.3: Troubleshoot network connectivity issues

Skills & Corresponding Documentation

Skill 5.3.1: Troubleshoot VPC configurations (for example, subnets, route tables, network ACLs, security groups, transit gateways, NAT gateways)

Why: Network troubleshooting is one of the most tested skills because connectivity issues are common operational problems. The exam presents scenarios with connectivity failures requiring you to systematically diagnose the issue: verify security group rules (most common issue, stateful), check NACL rules (especially return traffic, stateless), examine route tables (correct route exists, most specific route wins), confirm gateway configuration (internet gateway, NAT gateway, transit gateway attachment), and validate subnet associations. Understanding the troubleshooting methodology (test each layer, use VPC Reachability Analyzer, check VPC Flow Logs for REJECT actions) and common misconfigurations (security group missing return rule, NACL blocking ephemeral ports, route table missing default route) is essential for operational efficiency.

AWS Documentation:

• Troubleshoot VPC Connectivity
• VPC Reachability Analyzer
• Getting Started with Reachability Analyzer
• Troubleshoot Security Groups
• Troubleshoot Network ACLs
• Troubleshoot NAT Gateways
• Troubleshoot Internet Gateway
• Troubleshoot VPC Peering
• Troubleshoot Transit Gateway
• Test VPC Network Connectivity

Skill 5.3.2: Collect and interpret networking logs to troubleshoot issues (for example, VPC flow logs, Elastic Load Balancing [ELB] access logs, AWS WAF web ACL logs, CloudFront logs, container logs)

Why: Network logs provide detailed information about traffic patterns, security events, and connectivity issues, and the exam tests your ability to analyze logs for troubleshooting. VPC Flow Logs capture IP traffic going to and from network interfaces (identify rejected traffic, unusual patterns, bandwidth consumption), ELB access logs record all requests (troubleshoot application errors, analyze traffic patterns), WAF logs show inspected requests and rule matches (identify attack patterns, tune rules), and CloudFront logs detail viewer requests (optimize caching, identify popular content). Understanding log format, how to query logs efficiently using CloudWatch Logs Insights or Amazon Athena, and recognizing common patterns in logs (REJECT actions, error codes, cache misses) is critical for operational troubleshooting and security analysis.

AWS Documentation:

• VPC Flow Logs
• Working with Flow Logs
• Flow Log Records
• Query Flow Logs Using Amazon Athena
• Analyzing Flow Logs with CloudWatch Logs Insights
• Access Logs for Application Load Balancers
• Access Logs for Network Load Balancers
• Logging Web ACL Traffic Information
• Analyzing AWS WAF Logs
• CloudFront Standard Logs
• CloudFront Real-Time Logs
• Analyzing CloudFront Logs
• Container Insights for Amazon ECS

Skill 5.3.3: Identify and remediate CloudFront caching issues

Why: CloudFront caching issues cause performance problems and increased origin costs, and the exam tests troubleshooting scenarios. Common issues include low cache hit ratio (objects not cacheable, TTLs too short, query strings causing unique cache keys), stale content (TTL too long, invalidations not working), and origin overload (cache not working, all requests going to origin). Understanding cache behaviors (path patterns, TTL settings, query string handling), cache statistics (cache hit ratio from CloudWatch metrics), when to use invalidations versus versioned file names, and how cache keys affect caching (headers, cookies, query strings) helps you optimize CloudFront performance and reduce costs by maximizing cache efficiency.

AWS Documentation:

• Optimizing Caching and Availability
• Managing How Long Content Stays in Cache
• Invalidating Files
• Increasing the Proportion of Requests Served from CloudFront Edge Caches
• Understanding the Cache Key
• CloudFront Reports in the Console
• Monitoring CloudFront with Amazon CloudWatch
• Troubleshooting CloudFront Error Responses
• Troubleshooting CloudFront Distribution Issues

Skill 5.3.4: Identify and troubleshoot hybrid connectivity issues and private connectivity issues

Why: Hybrid connectivity issues affect business operations when on-premises networks cannot communicate with AWS, and the exam tests troubleshooting methodologies. For Direct Connect, common issues include physical connection problems (check port status), Virtual Interface (VIF) configuration errors (VLAN, Border Gateway Protocol (BGP) peering), and routing problems (BGP advertisements, prefix limits). For Site-to-Site VPN, issues include tunnel status (both tunnels down versus one down), IPsec parameters mismatch (phase 1/2 settings), routing configuration (static versus BGP), and firewall blocking (UDP 500, 4500). Understanding how to use Direct Connect alarms, VPN tunnel metrics, and BGP routing tables to diagnose connectivity failures helps you maintain reliable hybrid architectures.

AWS Documentation:

• Troubleshooting AWS Direct Connect
• Direct Connect Virtual Interfaces
• Direct Connect Alarms
• Troubleshooting AWS Site-to-Site VPN
• VPN Tunnel Status
• Testing the VPN Connection
• Site-to-Site VPN CloudWatch Metrics
• Troubleshooting VPC Peering
• Troubleshooting Transit Gateway
• Troubleshooting PrivateLink
• Network Connectivity Testing

Skill 5.3.5: Configure and analyze Amazon CloudWatch network monitoring services

Why: CloudWatch provides network metrics and alarms essential for proactive monitoring and troubleshooting, and the exam tests your ability to configure meaningful monitoring. Network metrics include VPC Flow Logs metrics (rejected packets, bytes), NAT Gateway metrics (connections, bytes processed, error ports), VPN tunnel metrics (tunnel state, data in/out), Direct Connect metrics (connection state, bits in/out), and load balancer metrics (active connections, request count, target response time). Understanding how to create CloudWatch alarms for network issues (VPN tunnel down, NAT Gateway errors, Direct Connect connection state), analyze metrics trends to identify capacity issues, and correlate metrics with application performance helps you maintain reliable network operations and optimize capacity planning.

AWS Documentation:

• Monitoring Your VPC Using CloudWatch
• Monitoring NAT Gateways Using CloudWatch
• CloudWatch Metrics for Your VPN Connection
• Monitoring AWS Direct Connect with CloudWatch
• CloudWatch Metrics for Application Load Balancers
• CloudWatch Metrics for Network Load Balancers
• Creating CloudWatch Alarms
• Using Amazon CloudWatch Dashboards
• Network Performance Metrics

---

AWS Service FAQs

• Amazon VPC FAQs
• Amazon Route 53 FAQs
• Amazon CloudFront FAQs
• AWS Direct Connect FAQs
• AWS Site-to-Site VPN FAQs
• AWS Transit Gateway FAQs
• AWS PrivateLink FAQs
• AWS Global Accelerator FAQs
• AWS WAF FAQs
• AWS Shield FAQs
• AWS Network Firewall FAQs
• Elastic Load Balancing FAQs

---

AWS Whitepapers

• AWS Networking Best Practices
• Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
• Hybrid Cloud Architecture for Government
• Amazon VPC Connectivity Options
• How AWS Pricing Works
• Performance Efficiency Pillar - AWS Well-Architected Framework
• AWS Best Practices for DDoS Resiliency

---

Final Thoughts

Domain 5 combines foundational networking knowledge with AWS-specific implementation and troubleshooting skills essential for every SysOps administrator. VPC configuration and troubleshooting skills are absolutely critical - practice building VPCs from scratch, implementing security controls at multiple layers, and systematically diagnosing connectivity issues using VPC Flow Logs and Reachability Analyzer. Route 53 routing policies and CloudFront caching optimization are heavily tested, so ensure you understand when to use each routing policy and how to maximize cache efficiency. The ability to troubleshoot hybrid connectivity (Direct Connect, VPN) and optimize network costs (VPC endpoints, data transfer patterns) distinguishes experienced SysOps administrators. Master the networking troubleshooting methodology, learn to interpret network logs efficiently, and practice with real scenarios to build the systematic problem-solving skills that the exam and real-world operations demand.