Amazon Neptune
User Guide (API Version 2017-11-29)

Setting Up Amazon Neptune

Preview Release: Amazon Neptune Preview is available only to whitelisted customers. To request access to Neptune, see the information on the Amazon Neptune Preview page.

Before you create a Neptune DB instance, you must have an Amazon Virtual Private Cloud (VPC). If you want to access your Neptune DB instance from outside the VPC, you must also have a security group for the VPC with rules that allow you to connect to the Neptune DB instance.

You also need an IAM user with AmazonRDSFullAccess permissions. This is required to use the Neptune Beta console and create a Neptune cluster. For information about adding these permissions, see AWS Managed (Predefined) Policies.

Neptune VPC Requirements

If you created your AWS account after 2013-12-04, then you have a default VPC in each AWS Region. If you aren't sure whether you have a default VPC, see the Detecting Whether You Have a Default VPC section in the Amazon VPC User Guide.

For more information about the default VPC, see Default VPC and Default Subnets in the Amazon VPC User Guide.

If you have a default VPC, you can create a VPC security group to allow an Amazon EC2 instance to connect to the Neptune DB instance from within the VPC. Access from the internet is allowed only to the EC2 instance. The EC2 instance is allowed access to the graph database.


Figure: Default VPC and multiple security groups.

There are many possible ways to configure a VPC or multiple VPCs. For information about creating your own VPCs, see the Amazon VPC User Guide.

An Amazon Neptune DB cluster can only be created in an Amazon VPC that has at least two subnets in at least two Availability Zones. By distributing your cluster instances across at least two Availability Zones, you help ensure that there are instances available in your DB cluster in the unlikely event of an Availability Zone failure. The cluster volume for your Neptune DB cluster always spans three Availability Zones to provide durable storage with less possibility of data loss.

If you're using the Amazon Neptune console to create your Neptune DB cluster, you can have Neptune automatically create a VPC for you. Alternatively, you can use an existing VPC or create a new VPC for your Neptune DB cluster. Your VPC must have at least two subnets in order for you to use it with an Amazon Neptune DB cluster.

Note

An Amazon EC2 instance that is not in a VPC can communicate with a Neptune DB cluster by using ClassicLink.

If you don't have a default VPC, and you have not created a VPC, you can have Neptune automatically create a VPC for you when you create a Neptune DB cluster using the console. Neptune can also create a VPC security group and a DB subnet group for you.

Otherwise, you must do the following:

  • Create a VPC with at least two subnets in at least two Availability Zones.

  • Specify a VPC security group that authorizes connections to your Neptune DB cluster. You can do this in the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  • Specify a Neptune DB subnet group with at least two subnets with each subnet in a different Availability Zone. You can create a DB subnet group in the Neptune console at https://yukon.aws.amazon.com/neptune?region=us-east-1.

    You must create a Neptune DB subnet group using the console; RDS DB subnet groups do not work with Neptune.

    Note

    Amazon Neptune is not supported in every Availability Zone. If you receive the console error DB Subnet Group doesn't meet availability zone coverage requirement, try adding subnets in additional Availability Zones to the DB subnet group.

The following section walks you through setting up a security group for your default VPC, as shown in the preceding diagram.

Creating a Security Group to Provide Access to the Neptune DB Instance in the VPC

Your Neptune DB instance is launched in a VPC. Security groups provide access to the Neptune DB instance in the VPC. They act as a firewall for the associated Neptune DB instance, controlling both inbound and outbound traffic at the instance level. Neptune DB instances are created by default with a firewall and a default security group that prevents access to the Neptune DB instance. You must add rules to a security group that enable you to connect to your DB instance.

The security group you need to create is a VPC security group. Neptune DB instances in a VPC require that you add rules to a VPC security group to allow access to the instance.

The following procedure shows you how to add a custom TCP rule that specifies the port range and IP addresses that the EC2 instance uses to access the database. You can use the VPC security group assigned to the EC2 instance rather than the IP address.

To create a VPC security group for Neptune

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the upper-right corner of the console, choose the AWS Region in which you want to create the VPC security group and the Neptune DB instance. In the list of Amazon VPC resources for that Region, it should show that you have at least one VPC and several subnets. If it does not, you don't have a default VPC in that Region.

  3. In the navigation pane, choose Security Groups.

  4. Choose Create Security Group.

  5. In the Create Security Group window, type the Name tag, Group name, and Description of your security group. Choose the VPC that you want to create your Neptune DB instance in. Choose Yes, Create.

  6. The VPC security group that you created should still be selected. The details pane at the bottom of the console window displays the details for the security group, and tabs for working with inbound and outbound rules. Choose the Inbound Rules tab.

  7. On the Inbound Rules tab, choose Edit. In the Type list, choose Custom TCP Rule.

  8. In the Port Range text box, type 8182, the default port value for a Neptune DB instance. Then, in the Source text box, type the IP address range (CIDR value) from which you will access the instance, or choose a security group name.

  9. If you need to add more IP addresses or different port ranges, choose Add another rule.

  10. When you have finished, choose Save.

    You will use the VPC security group you just created as the security group for your DB instance when you create it.

    Finally, a quick note about VPC subnets: If you use a default VPC, a default subnet group spanning all of the VPC's subnets is already created for you. When you use the Launch a Neptune DB instance wizard to create a DB instance, you can choose the default VPC and use default for the DB Subnet Group.

    After you complete the setup requirements, you can use your settings and the security group you created to launch a Neptune DB instance.
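To review the inbound rules created in steps 7 and 8, the following added example (not part of the original guide) audits a security group record in the `IpPermissions` shape returned by the EC2 `DescribeSecurityGroups` API and reports every source that can reach port 8182. The sample group, its IDs, and the `/24` breadth threshold are constructed assumptions.

```python
import ipaddress

NEPTUNE_PORT = 8182  # default Neptune port from step 8
MIN_PREFIX = 24      # assumption: IPv4 sources wider than /24 count as broad

def covers_port(perm, port=NEPTUNE_PORT):
    """True if an IpPermissions entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule: every protocol and port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_neptune_ingress(group):
    """Return (severity, source, reason) for each source reaching port 8182."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(("HIGH", cidr, "open to any address"))
            elif net.version == 4 and net.prefixlen < MIN_PREFIX:
                findings.append(("MEDIUM", cidr, "broad IPv4 range"))
            else:
                findings.append(("INFO", cidr, "CIDR source"))
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(("OK", pair["GroupId"], "security group source"))
    return findings

# Constructed sample: one rule as the procedure intends (EC2 security group
# as the source), two over-broad rules, and one unrelated SSH rule.
SAMPLE_GROUP = {
    "GroupId": "sg-0example0neptune",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8182, "ToPort": 8182,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0example0ec2"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for severity, source, reason in audit_neptune_ingress(SAMPLE_GROUP):
        print(f"{severity:6} {source:18} {reason}")
```

Port-range and all-traffic rules are included because they expose 8182 even though the port never appears in the rule itself.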