- Newest
- Most votes
- Most comments
There are a couple of different ways to architect this.
First approach - Exposing Neptune outside of a VPC
By default, Neptune can only be accessed within a VPC. We do not presently attach public IP addresses to the Neptune cluster. If you want to access Neptune directly from an application hosted outside of a VPC, then you would need to use some sort of proxy, such as a load balancer. More details on deploying this architecture can be found here: https://github.com/aws-samples/aws-dbs-refarch-graph/tree/master/src/connecting-using-a-load-balancer
Second approach - Build an API Layer
Another approach would be to build an API layer on top of Neptune using a combination of API Gateway and AWS Lambda functions. With this approach, your application would only need to make API requests and the Lambda functions (which can run within the same VPC with Neptune) can execute the related graph queries and return the responses to your application via the API response. This architecture has the benefit of using features such as API throttling and caching, which may be more advantageous as the usage of your application increases over time. It also allows you to incorporate other data services and extend your API-layer without a lot of refactoring on the application side. You can use this workshop (https://catalog.us-east-1.prod.workshops.aws/workshops/2ae99bf2-10df-444f-a21f-8ad0537a9bdd/en-US) to learn more about this architecture.
Regarding IAM
In either case, you would likely want to create or use an integration between the user auth you're designing for your app and the ability to federate those credentials with related IAM credentials. An easy service to use for this purpose is Amazon Cognito. The only difference regarding the two approaches above is that the IAM role that gets federated for the First Approach would have the policies for access Neptune directly. Whereas for the Second Approach, the role would contain the policies needed for accessing the APIs for API Gateway. Access to Neptune in that case would be done through the Lambda functions, so the Lambda functions would need an IAM role with attached policies for access Neptune.
You may also want to take a look at AWS Amplify, as this contains pre-built components (for Angular, React, and other frameworks) for performing authentication and integrating with Cognito: https://docs.amplify.aws/lib/auth/getting-started/q/platform/js/#option-1-use-pre-built-ui-components
Relevant content
- asked 2 years ago
- asked 5 months ago
AWS OFFICIALUpdated 3 months ago- AWS OFFICIALUpdated 4 years ago
- AWS OFFICIALUpdated 4 years ago
- AWS OFFICIALUpdated 2 years ago
Taylor, thank you for the clear answer. Out of the two, the second definitely sounds better for me. However, I'm sure I learned that access through an IAM account with a Programmatic access as the access type might also be an option. In the documentation, it is also described how to store and use of the Access Key and Secret Key with the aws-sdk package. I see you have not at all mentioned this as an option. Did I miss anything?
Updated the response to include information about IAM.