AWS Certified Solutions Architect – Professional — Question 828

A company is running a serverless application that consists of several AWS Lambda functions and Amazon DynamoDB tables. The company has created new functionality that requires the Lambda functions to access an Amazon Neptune DB cluster. The Neptune DB cluster is located in three subnets in a VPC.
Which of the possible solutions will allow the Lambda functions to access the Neptune DB cluster and DynamoDB tables? (Choose two.)

Answer options

• A. Create three public subnets in the Neptune VPC, and route traffic through an internet gateway. Host the Lambda functions in the three new public subnets.
• B. Create three private subnets in the Neptune VPC, and route internet traffic through a NAT gateway. Host the Lambda functions in the three new private subnets.
• C. Host the Lambda functions outside the VPC. Update the Neptune security group to allow access from the IP ranges of the Lambda functions.
• D. Host the Lambda functions outside the VPC. Create a VPC endpoint for the Neptune database, and have the Lambda functions access Neptune over the VPC endpoint.
• E. Create three private subnets in the Neptune VPC. Host the Lambda functions in the three new isolated subnets. Create a VPC endpoint for DynamoDB, and route DynamoDB traffic to the VPC endpoint.

Correct answer: B, E

Explanation

To allow Lambda functions to access a Neptune DB cluster inside a VPC, they must be configured to run within private subnets of that same VPC. Once inside the VPC, the Lambda functions need a way to reach DynamoDB, which is a public AWS service; this can be achieved either by routing traffic through a NAT Gateway (Option B) or by using a DynamoDB VPC gateway endpoint (Option E). Lambda functions cannot be assigned public IPs directly in a public subnet, and their dynamic public IP ranges cannot be securely whitelisted in a security group from outside the VPC.