Amazon Neptune
User Guide (API Version 2017-11-29)

Connecting to Neptune Using SSL

Amazon Neptune supports HTTPS for any connection to an instance or cluster endpoint. Plain HTTP connections are still accepted by clusters in the regions that are not marked as SSL Only in the table below.

Region                     SSL Enabled   SSL Only
US East (N. Virginia)      Yes           No
US East (Ohio)             Yes           No
US West (Oregon)           Yes           No
EU (Ireland)               Yes           No
EU (London)                Yes           No
EU (Frankfurt)             Yes           No
Asia Pacific (Singapore)   Yes           Yes

Neptune automatically provides SSL certificates for your Neptune DB instances. You don't need to request any certificates; they are provided when you create a new instance.

Neptune assigns a single wildcard SSL certificate to the instances in your account for each AWS Region. The certificate provides entries for the cluster endpoints, cluster read-only endpoints, and instance endpoints.

Certificate Details

The following entries are included in the provided certificate:

  • Cluster endpoint — *

  • Read-only endpoint — *

  • Instance endpoints — *

Only the entries listed here are supported.

Proxy Connections

The certificates support only the hostnames that are listed in the previous section.

If you are using a load balancer or a proxy server (such as HAProxy), you must use SSL termination and have your own SSL certificate on the proxy server.

SSL passthrough doesn't work because the hostnames on the provided SSL certificates don't match the proxy server's hostname, so the client's hostname verification fails.

Root CA Certificates

The certificates for Neptune instances are normally validated using the local trust store of the operating system or SDK (such as the Java SDK).

If you need to provide a root certificate manually, you can download the Amazon Root CA certificate in PEM format from the Amazon Services Trust Policy Repository.
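The following example illustrates both the Proxy Connections point (why a proxy hostname never matches the wildcard certificate entries) and the Root CA point (building a client context that verifies the server certificate against either the system trust store or a manually supplied root CA file). It is an added example and not code from the Neptune documentation or AWS SDKs. The SAN entries in NEPTUNE_CERT_SANS are constructed placeholders that mimic the wildcard shape of the entries listed above; the real values come from your own Neptune certificate, and the cluster identifier, region, proxy hostname and port are assumptions.

```python
import socket
import ssl
from typing import Iterable, Optional

# Constructed placeholder SAN entries in the wildcard shape the Neptune certificate uses.
# "EXAMPLE" stands in for your cluster identifier; "us-east-1" is an assumed region.
NEPTUNE_CERT_SANS = [
    "*.cluster-EXAMPLE.us-east-1.neptune.amazonaws.com",     # cluster endpoint
    "*.cluster-ro-EXAMPLE.us-east-1.neptune.amazonaws.com",  # read-only endpoint
    "*.EXAMPLE.us-east-1.neptune.amazonaws.com",             # instance endpoints
]


def hostname_matches_san(hostname: str, san: str) -> bool:
    """RFC 6125-style check: a leading '*' label covers exactly one DNS label.

    Matching is case-insensitive and a trailing dot is ignored. A wildcard never
    spans more than one label and never matches a name with a different label count.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if len(host_labels) != len(san_labels):
        return False
    if san_labels[0] == "*":
        # Leftmost label may be anything non-empty; the rest must match exactly.
        return host_labels[0] != "" and host_labels[1:] == san_labels[1:]
    return host_labels == san_labels


def cert_covers(hostname: str, sans: Iterable[str] = NEPTUNE_CERT_SANS) -> bool:
    """True if any SAN entry on the certificate matches the hostname the client dialled."""
    return any(hostname_matches_san(hostname, san) for san in sans)


def make_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a verifying TLS client context.

    With cafile=None the operating system trust store is used, which is the normal
    case for Neptune. Pass the path of a manually downloaded Amazon root CA PEM file
    to pin validation to that root instead. Hostname checking stays enabled, which is
    exactly the check that makes SSL passthrough through a proxy fail.
    """
    context = ssl.create_default_context(cafile=cafile)
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return context


def open_tls_connection(hostname: str, port: int = 8182,
                        cafile: Optional[str] = None, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a verified TLS socket to a Neptune endpoint (requires network access).

    The handshake validates the chain against the trust store and checks that the
    certificate's SAN entries cover `hostname`; a mismatch raises ssl.CertificateError.
    """
    context = make_client_context(cafile)
    raw = socket.create_connection((hostname, port), timeout=timeout)
    return context.wrap_socket(raw, server_hostname=hostname)


if __name__ == "__main__":
    for name in (
        "mydb.cluster-EXAMPLE.us-east-1.neptune.amazonaws.com",   # cluster endpoint
        "mydb-instance-1.EXAMPLE.us-east-1.neptune.amazonaws.com",  # instance endpoint
        "neptune-proxy.internal.example.com",                      # assumed proxy hostname
    ):
        print(f"{name}: covered by Neptune certificate = {cert_covers(name)}")
```

The third name above is what a client would dial when pointing at a proxy in passthrough mode; because no wildcard entry can cover it, hostname verification fails, which is why the proxy must terminate TLS with its own certificate and open a separate verified connection to the Neptune endpoint.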

More Information

For more information about connecting to Neptune endpoints with SSL, see Accessing the Neptune Graph with Gremlin and Accessing the Neptune Graph with SPARQL.