Lambda function in Amazon Neptune


Hi all. I've set up a Lambda function in the same VPC as a Neptune cluster, but I am unable to connect the two:

import boto3

# Management (control-plane) call: boto3 sends this to the regional
# rds.<region>.amazonaws.com endpoint, not to the cluster endpoint in the VPC.
neptune_client = boto3.client('neptune')
response = neptune_client.describe_db_clusters(DBClusterIdentifier=NEPTUNE_CLUSTER_ARN)

getting error:

[ERROR] ConnectTimeoutError: Connect timeout on endpoint URL: "https://rds.eu-central-1.amazonaws.com/"

I've double-checked Security Groups and Lambda IAM Role and everything looks correct. Any thoughts on what's going on? Thanks

asked 5 months ago · 205 views
1 Answer

Accepted Answer

Neptune has two different interfaces: a control plane and a data plane. The control plane is accessible via public endpoints, so you'll need access to the Internet from your Lambda function to access these endpoints.

The data plane requires direct access to the Neptune instances within your Neptune cluster. These can only be accessed from within the VPC where Neptune is hosted.

What you're attempting to access is the DescribeDBClusters API, which is a control plane API. Your Lambda function will either need Internet access for this, or you'll need an RDS VPC endpoint to allow access to these APIs: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/vpc-interface-endpoints.html. (Note that RDS is referenced here as Neptune shares a control plane with the RDS service.)

answered 5 months ago by AWS
reviewed 5 months ago by EXPERT
  • I don't understand why the same code executed in a Jupyter Notebook (deployed in the same VPC and subnet) works, but in the Lambda function it returns that error. I understand that if the Lambda function doesn't have internet access, the Jupyter Notebook shouldn't either. Am I wrong?

  • If you're using a Neptune Notebook instance (which is based on a SageMaker Notebook instance), the Internet egress is separate from VPC access. The underlying instance is hosted in a SageMaker service-team-owned VPC and Internet (by default) egresses through the service team VPC. Access to the user VPC goes through an ENI attached to the notebook instance and there's a separate network route configured at the OS level to direct traffic destined for the VPC CIDR through that ENI.
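Putting the accepted answer into practice: the following is an added example (not code from the thread, from the asker, or from AWS) showing how a practitioner would provision the RDS interface endpoint the answer recommends, lock it down to the Lambda, and verify from inside the VPC that the control-plane host now resolves privately. It takes eu-central-1 from the error message in the question; every VPC, subnet, security group and IAM role identifier in it is a placeholder to be replaced with your own.

```python
"""Give an in-VPC Lambda a private path to the Neptune/RDS control plane.

Added example, not code from the thread above. Assumes the region is
eu-central-1 and that every VPC, subnet, security-group and role identifier
passed in is a placeholder; provisioning needs ec2:CreateVpcEndpoint and
ec2:AuthorizeSecurityGroupIngress on the caller's credentials.
"""
import ipaddress
import json
import socket

REGION = "eu-central-1"
# Neptune's management API is served by the RDS control plane (the
# rds.<region>.amazonaws.com host in the error), so the interface endpoint
# uses the RDS service name; there is no separate "neptune" endpoint service.
RDS_SERVICE_NAME = f"com.amazonaws.{REGION}.rds"
# Neptune's management actions use the rds: IAM action prefix.
ALLOWED_ACTIONS = ["rds:DescribeDBClusters", "rds:DescribeDBInstances"]


def endpoint_policy(lambda_role_arn: str) -> dict:
    """Endpoint policy that only lets the Lambda's role make read-only
    describe calls through this endpoint (least privilege at the network
    edge, on top of whatever the role's own IAM policy allows)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": lambda_role_arn},
            "Action": ALLOWED_ACTIONS,
            "Resource": "*",
        }],
    }


def endpoint_ingress_rule(lambda_sg_id: str) -> list:
    """Ingress for the endpoint's security group: HTTPS from the Lambda's
    security group only, not from the whole VPC CIDR."""
    return [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "UserIdGroupPairs": [{"GroupId": lambda_sg_id}],
    }]


def vpc_endpoint_request(vpc_id, subnet_ids, endpoint_sg_id, lambda_role_arn) -> dict:
    """Keyword arguments for ec2.create_vpc_endpoint. PrivateDnsEnabled makes
    rds.eu-central-1.amazonaws.com resolve to the endpoint's ENIs inside the
    VPC, so the boto3 call in the question works without a code change."""
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": RDS_SERVICE_NAME,
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": [endpoint_sg_id],
        "PrivateDnsEnabled": True,
        "PolicyDocument": json.dumps(endpoint_policy(lambda_role_arn)),
    }


def addresses_are_private(addresses) -> bool:
    """True only if every resolved address is a non-public one. From inside
    the VPC the control-plane host must resolve this way once private DNS is
    on; public addresses mean traffic will still try to leave the VPC and
    time out in a Lambda that has no NAT route."""
    return bool(addresses) and all(
        ipaddress.ip_address(a).is_private for a in addresses)


def control_plane_resolves_privately(host=f"rds.{REGION}.amazonaws.com") -> bool:
    """Run this from inside the Lambda (or any host in the VPC)."""
    ips = {info[4][0] for info in socket.getaddrinfo(host, 443)}
    return addresses_are_private(ips)


def provision(vpc_id, subnet_ids, endpoint_sg_id, lambda_sg_id, lambda_role_arn):
    """Create the endpoint and open 443 to the Lambda. boto3 is imported
    here so the pure builders above run without AWS credentials. Note that
    authorize_security_group_ingress raises if the rule already exists."""
    import boto3
    ec2 = boto3.client("ec2", region_name=REGION)
    ec2.authorize_security_group_ingress(
        GroupId=endpoint_sg_id, IpPermissions=endpoint_ingress_rule(lambda_sg_id))
    resp = ec2.create_vpc_endpoint(
        **vpc_endpoint_request(vpc_id, subnet_ids, endpoint_sg_id, lambda_role_arn))
    return resp["VpcEndpoint"]["VpcEndpointId"]


def fail_fast_client(service="neptune"):
    """Client for use inside the Lambda: botocore's defaults (60 s connect
    timeout plus retries) can outlast the function's own timeout and hide
    the real cause; short timeouts surface the network problem quickly."""
    import boto3
    from botocore.config import Config
    return boto3.client(service, region_name=REGION, config=Config(
        connect_timeout=5, read_timeout=10, retries={"max_attempts": 2}))


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own before running provision().
    print(json.dumps(vpc_endpoint_request(
        "vpc-0123456789abcdef0", ["subnet-0aaa", "subnet-0bbb"],
        "sg-0endpoint", "arn:aws:iam::123456789012:role/neptune-lambda"), indent=2))
```

Once the endpoint exists with private DNS enabled, the asker's original boto3 call needs no change: the public name resolves to the endpoint's private addresses from inside the VPC, and `control_plane_resolves_privately()` run from the Lambda is the quick confirmation. The endpoint policy is a second gate alongside the role's IAM policy, so a compromised function in that VPC still cannot reach write actions such as ModifyDBCluster through the endpoint even if its role were over-permissioned. The data plane (Gremlin/SPARQL on the cluster endpoint, port 8182 by default) is unaffected by any of this; it was already reachable because the Lambda sits in the same VPC.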
