How to allow the Lambda functions to access the Neptune DB cluster in a different VPC?

Is it because of NAT Gateway cost considerations?
I expected this to be because A and C would cost less than B, although it is certainly possible with B.
However, it is difficult to accurately consider this because there is no assumption from the problem statement to choose the one with the lowest cost.

If you need a Lambda function to access resources in a VPC, you can either expose those resources publicly , which is usually not recommended, or attach the function to the VPC.

Exposing the resource publicly, may indicate to answer C, however, for this to work it is not enough to change security groups, you actually need to locate the Neptune cluster in public subnets and assign public IPs to the cluster. Based on this, it is not possible, so option C is not a correct answer.

So this means that you must attach the function to the VPC. You can attach the function to a Public subnet (option A), but that actually will not let the functions communicate the internet, as they do not have a public IP address in this case. This eliminates answer A as well.

You must attach the function to private subnets and then you need to give it a way to communicate with DDB. There are only two options for that: Either use a NAT gateway (option B), or use a DynamoDB VPC end point (option E).

So the correct answers are B and E.

Hi, I concur that B and E should be correct, as hosting lambdas on public subnet is not really a good security practice, together with hosting data sources on public ones.

Typically these questions may depend on how things are asked, but the question does not really put any specific constraint.

B and E in my opinion as both require the Lambda to be hosted in private subnets.