By using AWS re:Post, you agree to the AWS re:Post Terms of Use

How to allow the Lambda functions to access the Neptune DB cluster in a different VPC?

0

A company is running a serverless application that consists of several AWS Lambda functions and Amazon DynamoDB tables. The company has created new functionality that requires the Lambda functions to access an Amazon Neptune DB cluster The Neptune DB cluster is located in three subnets in a VPC.

Which of the possible solutions will allow the Lambda functions to access the Neptune DB cluster and DynamoDB tables? (Select TWO )

A. Create three public subnets in the Neptune VPC and route traffic through an interne: gateway Host the Lambda functions m the three new public subnets

B. Create three private subnets in the Neptune VPC and route internet traffic through a NAT gateway Host the Lambda functions In the three new private subnets.

C. Host the Lambda functions outside the VPC. Update the Neptune security group to allow access from the IP ranges of the Lambda functions.

D. Host the Lambda functions outside the VPC. Create a VPC endpoint for the Neptune database, and have the Lambda functions access Neptune over the VPC endpoint

E. Create three private subnets in the Neptune VPC. Host the Lambda functions m the three new isolated subnets. Create a VPC endpoint for DynamoDB. and route DynamoDB traffic to the VPC endpoint.

The correct answer is A and C. My doubt is why B is not chosen instead of A.

  • C is actually an incorrect answer. Neptune (at the time of this writing) does not allow for public access outside of a VPC unless there is a proxy in place like a load balancer. Is this from an exam?

4 Answers
0

Is it because of NAT Gateway cost considerations?
I expected this to be because A and C would cost less than B, although it is certainly possible with B.
However, it is difficult to accurately consider this because there is no assumption from the problem statement to choose the one with the lowest cost.

profile picture
EXPERT
answered a year ago
0

If you need a Lambda function to access resources in a VPC, you can either expose those resources publicly , which is usually not recommended, or attach the function to the VPC.

Exposing the resource publicly, may indicate to answer C, however, for this to work it is not enough to change security groups, you actually need to locate the Neptune cluster in public subnets and assign public IPs to the cluster. Based on this, it is not possible, so option C is not a correct answer.

So this means that you must attach the function to the VPC. You can attach the function to a Public subnet (option A), but that actually will not let the functions communicate the internet, as they do not have a public IP address in this case. This eliminates answer A as well.

You must attach the function to private subnets and then you need to give it a way to communicate with DDB. There are only two options for that: Either use a NAT gateway (option B), or use a DynamoDB VPC end point (option E).

So the correct answers are B and E.

profile pictureAWS
EXPERT
answered a year ago
0

Hi, I concur that B and E should be correct, as hosting lambdas on public subnet is not really a good security practice, together with hosting data sources on public ones.

Typically these questions may depend on how things are asked, but the question does not really put any specific constraint.

profile picture
EXPERT
answered a year ago
0

B and E in my opinion as both require the Lambda to be hosted in private subnets.

answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions