Which of the possible solutions will allow the Lambda functions to access the Neptune DB cluster and DynamoDB tables?
(Choose two.)
A. Create three public subnets in the Neptune VPC, and route traffic through an internet gateway. Host the Lambda functions in the three new public subnets.
B. Create three private subnets in the Neptune VPC, and route internet traffic through a NAT gateway. Host the Lambda functions in the three new private subnets.
C. Host the Lambda functions outside the VPC. Update the Neptune security group to allow access from the IP ranges of the Lambda functions.
D. Host the Lambda functions outside the VPC. Create a VPC endpoint for the Neptune database, and have the Lambda functions access Neptune over the VPC endpoint.
E. Create three private subnets in the Neptune VPC. Host the Lambda functions in the three new isolated subnets. Create a VPC endpoint for DynamoDB, and route DynamoDB traffic to the VPC endpoint.
Explanations:
A. Creating public subnets and routing traffic through an internet gateway would expose the Neptune DB cluster to the public internet, which is not recommended for security reasons. Lambda functions should ideally be placed in private subnets to access the Neptune database securely.
B. Creating private subnets in the Neptune VPC allows the Lambda functions to access the Neptune DB cluster securely. A NAT gateway can be used to allow outbound internet access for the Lambda functions if needed. This setup provides the necessary security and access controls.
C. Hosting the Lambda functions outside the VPC would prevent them from accessing the Neptune DB cluster directly, as the cluster is located within a VPC. Additionally, allowing access from the IP ranges of the Lambda functions poses security risks.
D. Hosting the Lambda functions outside the VPC does not allow them to access the Neptune DB cluster, even with a VPC endpoint. VPC endpoints are for accessing AWS services privately without traversing the public internet, but they do not provide access to resources such as Neptune that sit inside the VPC when the functions are outside it.
E. Creating private subnets for the Lambda functions ensures they can access the Neptune DB cluster securely. Using a VPC endpoint for DynamoDB allows Lambda functions in the private subnets to access DynamoDB without going through the internet, enhancing security and performance.
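The isolated-subnet design from option E, written out as an added Terraform example (not part of the original question). It assumes the VPC, the Neptune cluster's security group and a Lambda execution role already exist as aws_vpc.neptune, aws_security_group.neptune and aws_iam_role.lambda; all other names, the CIDR layout and the function settings are made up for illustration.

```hcl
# Added example, not from the original question; assumed existing: aws_vpc.neptune, aws_security_group.neptune, aws_iam_role.lambda.
data "aws_region" "current" {}
# Three isolated subnets; the route table has no 0.0.0.0/0 route (no IGW, no NAT).
resource "aws_subnet" "lambda_private" {
  count      = 3
  vpc_id     = aws_vpc.neptune.id
  cidr_block = cidrsubnet(aws_vpc.neptune.cidr_block, 8, 10 + count.index)
}
resource "aws_route_table" "lambda_private" {
  vpc_id = aws_vpc.neptune.id
}
resource "aws_route_table_association" "lambda_private" {
  count          = 3
  subnet_id      = aws_subnet.lambda_private[count.index].id
  route_table_id = aws_route_table.lambda_private.id
}
# Gateway endpoint: AWS adds a DynamoDB prefix-list route to this route table, so calls stay on the AWS network.
resource "aws_vpc_endpoint" "dynamodb" {
  vpc_id            = aws_vpc.neptune.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.lambda_private.id]
}
# Functions get their own security group; Neptune's group admits only that group on the cluster port (8182 is Neptune's default), not an IP range.
resource "aws_security_group" "lambda" {
  vpc_id = aws_vpc.neptune.id
}
resource "aws_vpc_security_group_egress_rule" "lambda_all" {
  security_group_id = aws_security_group.lambda.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}
resource "aws_vpc_security_group_ingress_rule" "neptune_from_lambda" {
  security_group_id            = aws_security_group.neptune.id
  ip_protocol                  = "tcp"
  from_port                    = 8182
  to_port                      = 8182
  referenced_security_group_id = aws_security_group.lambda.id
}
resource "aws_lambda_function" "graph_api" {
  function_name = "graph-api"
  role          = aws_iam_role.lambda.arn # needs ENI rights (AWSLambdaVPCAccessExecutionRole)
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "function.zip"
  vpc_config {
    subnet_ids         = aws_subnet.lambda_private[*].id
    security_group_ids = [aws_security_group.lambda.id]
  }
}
```

A quick check after apply: the subnets' route table should show only the local route plus the DynamoDB prefix-list entry, and the Neptune security group should list the Lambda group, not a CIDR, as the source on port 8182.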