Amazon Neptune
User Guide (API Version 2017-11-29)

Encryption in Transit: Connecting to Neptune Using SSL/HTTPS

Amazon Neptune supports Secure Sockets Layer (SSL) over HTTPS for any connection to an instance or cluster endpoint. Plain HTTP connections are still allowed to clusters in the Regions that are not marked as SSL Only in the following table.

To protect your data, we recommend that you always connect to Neptune endpoints through SSL, using HTTPS instead of HTTP.

Region                     SSL Enabled   SSL Only
US East (N. Virginia)      Yes           No
US East (Ohio)             Yes           No
US West (Oregon)           Yes           No
EU (Ireland)               Yes           No
EU (London)                Yes           No
EU (Frankfurt)             Yes           No
Asia Pacific (Singapore)   Yes           Yes
Asia Pacific (Sydney)      Yes           Yes
Asia Pacific (Tokyo)       Yes           Yes
Asia Pacific (Mumbai)      Yes           Yes
Asia Pacific (Seoul)       Yes           Yes
EU (Stockholm)             Yes           Yes

Neptune automatically provides SSL certificates for your Neptune DB instances. You don't need to request any certificates. The certificates are provided when you create a new instance.

Neptune assigns a single wildcard SSL certificate to the instances in your account for each AWS Region. The certificate provides entries for the cluster endpoints, cluster read-only endpoints, and instance endpoints.

Certificate Details

The following entries are included in the provided certificate:

  • Cluster endpoint — *.cluster-a1b2c3d4wxyz.region.neptune.amazonaws.com

  • Read-only endpoint — *.cluster-ro-a1b2c3d4wxyz.region.neptune.amazonaws.com

  • Instance endpoints — *.a1b2c3d4wxyz.region.neptune.amazonaws.com

Only the entries listed here are supported.

Proxy Connections

The certificates support only the hostnames that are listed in the previous section.

If you are using a load balancer or a proxy server (such as HAProxy), you must use SSL termination and have your own SSL certificate on the proxy server.

SSL passthrough doesn't work because the provided SSL certificates don't match the proxy server hostname.

Root CA Certificates

The certificates for Neptune instances are normally validated using the local trust store of the operating system or SDK (such as the Java SDK).

If you need to provide a root certificate manually, you can download the Amazon Root CA certificate in PEM format from the Amazon Trust Services Policy Repository.
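The following added example (not AWS's own code) makes the Certificate Details, Proxy Connections and Root CA sections concrete: it builds the three wildcard entries Neptune's certificate carries, checks whether a given hostname is covered by them using single-label wildcard matching, and shows why a proxy hostname fails that check, which is the reason SSL passthrough does not work. The cluster ID a1b2c3d4wxyz is the page's placeholder; the Region us-east-1 and the CA file path are constructed example values.

```python
import ssl

# Wildcard entries the page lists for the Neptune-provided certificate.
NEPTUNE_SAN_TEMPLATES = (
    "*.cluster-{id}.{region}.neptune.amazonaws.com",     # cluster endpoint
    "*.cluster-ro-{id}.{region}.neptune.amazonaws.com",  # read-only endpoint
    "*.{id}.{region}.neptune.amazonaws.com",             # instance endpoints
)


def neptune_cert_sans(cluster_id, region):
    """Return the hostnames the certificate supports for one cluster/Region."""
    return [t.format(id=cluster_id, region=region) for t in NEPTUNE_SAN_TEMPLATES]


def _wildcard_match(pattern, hostname):
    """RFC 6125-style match: '*' covers exactly one leftmost DNS label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covered_by_neptune_cert(hostname, cluster_id, region):
    """True if a TLS client would accept the Neptune certificate for hostname."""
    return any(_wildcard_match(p, hostname) for p in neptune_cert_sans(cluster_id, region))


def make_verifying_context(cafile=None):
    """TLS context that requires a valid chain and a matching hostname.

    cafile is optional: pass a PEM file (e.g. the Amazon Root CA downloaded
    from the Amazon Trust Services repository) only when the OS trust store
    cannot be used. The path below is a hypothetical example.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    cid, region = "a1b2c3d4wxyz", "us-east-1"  # constructed example values
    for host in (f"mydb.cluster-{cid}.{region}.neptune.amazonaws.com",
                 "neptune-proxy.example.com"):  # a proxy/load balancer name
        print(host, "->", covered_by_neptune_cert(host, cid, region))
```

A client that connects to a proxy hostname with passthrough sees the Neptune certificate, whose entries never match that name, so hostname verification fails; terminating TLS at the proxy with the proxy's own certificate is the supported setup.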

More Information

For more information about connecting to Neptune endpoints with SSL, see Set up the Gremlin Console to Connect to a Neptune DB Instance and Using the HTTP REST Endpoint to Connect to a Neptune DB Instance.