Custom domain for Neptune cluster endpoints

Question

I've created a Route 53 private hosted zone and added a CNAME record (**dbcluster.neptune.local**) for Neptune endpoints. However, when accessing the CNAME record from a Lambda function, I'm encountering the error "SSL_VALIDATION_FAILED".

The objective is to have a blue/green Neptune upgrade. For this, we create a new Neptune cluster with the latest version, test and promote it. So we update the default CNAME record to point to the new cluster endpoint.

What is the AWS best practice for replacing Neptune endpoints with a custom domain (with support of ssl validation)?

Taylor-AWS · Answer

The best method to use in this sort of scenario is to parameterize the endpoints within your application.  Perhaps use them as configuration parameters within a parameter store or configuration database.

Depending on the client library you're using, you could also use a load balancer or proxy and terminate the SSL connections at the proxy (allowing the load balancer or proxy to build backend connections to Neptune that would be validated connections).

Neptune does not support importing custom SSL certs, so there's no way to validate connections that use a hostname other than the endpoints provided by the Neptune cluster (cluster endpoint, reader endpoint, or instance endpoints).

Custom domain for Neptune cluster endpoints

回答を追加する

関連するコンテンツ