Question #929
A company operates a serverless application using AWS Lambda functions and Amazon DynamoDB. They introduced new features requiring Lambda to access an Amazon Neptune cluster located in three subnets within a VPC.
Which solutions enable the Lambda functions to access both the Neptune cluster and DynamoDB? (Choose two.)
Deploy the Lambda functions outside the VPC. Configure the Neptune security group to allow inbound traffic from the Lambda functions' IP ranges.
Deploy the Lambda functions outside the VPC. Establish a VPC endpoint for Neptune and configure Lambda to access Neptune through this endpoint.
Create three private subnets in the Neptune VPC. Deploy the Lambda functions in these subnets. Set up a VPC endpoint for DynamoDB and route DynamoDB traffic through it.
Create three public subnets in the Neptune VPC with an internet gateway. Deploy the Lambda functions in these public subnets.
Create three private subnets in the Neptune VPC with a NAT gateway for internet access. Deploy the Lambda functions in these private subnets.
Explanation
Answers B and E are correct because:
- B: Lambda in private subnets with a NAT gateway can reach Neptune (same VPC) and reach DynamoDB's public endpoint over the internet through the NAT gateway. This provides VPC connectivity for Neptune and internet access for DynamoDB.
- E: Lambda in private subnets with a VPC endpoint for DynamoDB allows private access to DynamoDB without traversing the internet, while Neptune remains reachable within the VPC.
Other options are incorrect because:
- C: Relies on the IP ranges of Lambda functions running outside a VPC, which are not fixed and therefore unreliable as a basis for security group rules.
- D: Neptune requires security group rules that allow the VPC CIDR or the VPC endpoint, which may not be configured.
- A: Public subnets are unnecessary for VPC access and expose the Lambda functions to the internet.
Key Points:
1. Lambda in a VPC can access Neptune directly.
2. DynamoDB access requires internet (via NAT) or a VPC endpoint.
3. VPC endpoints (Gateway/Interface) enable private connectivity to AWS services.
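As an added illustration of key points 2 and 3 (not part of the original question or any AWS tooling), the following Python evaluates a Lambda function's VpcConfig against route tables and VPC endpoints in the shape returned by the EC2 DescribeRouteTables and DescribeVpcEndpoints APIs, reporting whether each subnet reaches DynamoDB privately through a gateway endpoint, publicly through a NAT gateway, or not at all. All ids, the region and the sample data are constructed; no live API calls are made.

```python
REGION = "us-east-1"          # assumed region for the constructed sample
NEPTUNE_VPC_ID = "vpc-0abc"   # constructed id of the VPC that holds the Neptune cluster

# Constructed sample in the shape of EC2 DescribeRouteTables / DescribeVpcEndpoints output.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-endpoint", "Associations": [{"SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationPrefixListId": "pl-ddb", "GatewayId": "vpce-ddb"}]},
    {"RouteTableId": "rtb-nat", "Associations": [{"SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],  # implicit for other subnets
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-ddb", "VpcEndpointType": "Gateway", "ServiceName": f"com.amazonaws.{REGION}.dynamodb"},
]

def route_table_for(subnet_id, route_tables):
    """Explicitly associated route table, else the VPC's main table, else None."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main

def dynamodb_path(subnet_id, route_tables, vpc_endpoints, region):
    """'gateway-endpoint' (private path), 'nat-gateway' (public endpoint via NAT) or None."""
    rtb = route_table_for(subnet_id, route_tables)
    if rtb is None:
        return None
    ddb_vpces = {e["VpcEndpointId"] for e in vpc_endpoints
                 if e["VpcEndpointType"] == "Gateway" and e["ServiceName"] == f"com.amazonaws.{region}.dynamodb"}
    routes = rtb.get("Routes", [])
    if any(r.get("GatewayId") in ddb_vpces for r in routes):
        return "gateway-endpoint"   # prefix-list route to the endpoint; no internet involved
    if any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("NatGatewayId") for r in routes):
        return "nat-gateway"
    return None                     # isolated subnet: no route to DynamoDB at all

def check_lambda_vpc_config(vpc_config, neptune_vpc_id, route_tables, vpc_endpoints, region):
    """Evaluate a Lambda VpcConfig as returned by GetFunctionConfiguration. Neptune is reachable at
    the network level only from inside its VPC; the cluster's security group rules are not checked."""
    subnets = vpc_config.get("SubnetIds", [])
    return {
        "neptune_reachable": bool(subnets) and vpc_config.get("VpcId") == neptune_vpc_id,
        "dynamodb_paths": {s: dynamodb_path(s, route_tables, vpc_endpoints, region) for s in subnets},
    }
```

A subnet that reports None for DynamoDB is the misconfiguration the key points warn about: the function is in the VPC for Neptune but has neither a NAT route nor a gateway endpoint, so DynamoDB calls cannot complete.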
Answer
The correct answer is: BE