Configuring Neptune for HTTP requests using aws-sdk with an IAM account


I want to set up Neptune as my App DB (as a Property Graph using openCypher queries). My App is an Angular/Ionic App to be run on mobile devices. I learned that once I define an IAM account with the AmazonNeptuneFullAccess policy, I then have an Access Key and Secret Key to use with the aws-sdk in my Angular app. What I'm not sure of is what configuration is needed on the Neptune instance/DB to happily allow such HTTP requests coming in from the App. Do I need to define something in the default VPC security group? VPC endpoints? Something else? Thank you! Mor

1 Answer

There are a couple of different ways to architect this.

First approach - Exposing Neptune outside of a VPC

By default, Neptune can only be accessed within a VPC. We do not presently attach public IP addresses to the Neptune cluster. If you want to access Neptune directly from an application hosted outside of a VPC, then you would need to use some sort of proxy, such as a load balancer. More details on deploying this architecture can be found here:

Second approach - Build an API Layer

Another approach would be to build an API layer on top of Neptune using a combination of API Gateway and AWS Lambda functions. With this approach, your application would only need to make API requests, and the Lambda functions (which can run within the same VPC as Neptune) can execute the related graph queries and return the responses to your application via the API response. This architecture has the benefit of using features such as API throttling and caching, which may be more advantageous as the usage of your application increases over time. It also allows you to incorporate other data services and extend your API layer without a lot of refactoring on the application side. You can use this workshop ( to learn more about this architecture.

Regarding IAM

In either case, you would likely want to create or use an integration between the user auth you're designing for your app and the ability to federate those credentials with related IAM credentials. An easy service to use for this purpose is Amazon Cognito. The only difference regarding the two approaches above is that the IAM role that gets federated for the First Approach would have the policies for accessing Neptune directly, whereas for the Second Approach the role would contain the policies needed for accessing the APIs on API Gateway. Access to Neptune in that case would be done through the Lambda functions, so the Lambda functions would need an IAM role with attached policies for accessing Neptune.

You may also want to take a look at AWS Amplify, as this contains pre-built components (for Angular, React, and other frameworks) for performing authentication and integrating with Cognito:

AWS
answered a year ago
  • Taylor, thank you for the clear answer. Out of the two, the second definitely sounds better for me. However, I'm sure I learned that access through an IAM account with Programmatic access as the access type might also be an option. In the documentation, it is also described how to store and use the Access Key and Secret Key with the aws-sdk package. I see you have not at all mentioned this as an option. Did I miss anything?

  • Updated the response to include information about IAM.
