AWS Certified Solutions Architect – Professional (SAP-C02) — Question 372

A company is running a serverless application that consists of several AWS Lambda functions and Amazon DynamoDB tables. The company has created new functionality that requires the Lambda functions to access an Amazon Neptune DB cluster. The Neptune DB cluster is located in three subnets in a VPC.

Which of the possible solutions will allow the Lambda functions to access the Neptune DB cluster and DynamoDB tables? (Choose two.)

Answer options

• A. Create three public subnets in the Neptune VPC, and route traffic through an internet gateway. Host the Lambda functions in the three new public subnets.
• B. Create three private subnets in the Neptune VPC, and route internet traffic through a NAT gateway. Host the Lambda functions in the three new private subnets.
• C. Host the Lambda functions outside the VPUpdate the Neptune security group to allow access from the IP ranges of the Lambda functions.
• D. Host the Lambda functions outside the VPC. Create a VPC endpoint for the Neptune database, and have the Lambda functions access Neptune over the VPC endpoint.
• E. Create three private subnets in the Neptune VPC. Host the Lambda functions in the three new isolated subnets. Create a VPC endpoint for DynamoDB, and route DynamoDB traffic to the VPC endpoint.

Correct answer: B, E

Explanation

To access the Amazon Neptune DB cluster, the Lambda functions must be configured to run within the same VPC because Neptune does not support public endpoints. Once inside the VPC, the Lambda functions need a route to access DynamoDB; this can be achieved either by routing traffic through a NAT Gateway to the public DynamoDB service (Option B) or by keeping the subnets isolated and utilizing a DynamoDB VPC Gateway Endpoint (Option E). Running Lambda functions outside the VPC or in public subnets directly will not establish the required connectivity.