Encryption in Transit: Connecting to Neptune Using SSL/HTTPS - Amazon Neptune

Amazon Neptune generally only allows Secure Sockets Layer (SSL) connections, made over HTTPS, to an instance or cluster endpoint. Neptune has disabled some older, outdated TLS cipher suites so that your HTTPS connections are truly secure. This will not affect you unless you are using older client libraries.

Even in regions where HTTP connections are still allowed (the regions marked No in the SSL Only column of the table below), any DB cluster that uses a new DB cluster parameter group is required to use SSL by default. To protect your data, we recommend that you always connect to Neptune endpoints through SSL, using HTTPS instead of HTTP.

However, in regions where HTTP connections are allowed, you can still enable them by setting the neptune_enforce_ssl parameter to 0 in the DB cluster parameter group. For information about how to edit the DB cluster parameter group for your database, see Editing a Parameter Group. Note that you cannot edit the default DB cluster parameter group. If you are using the default group, you must create a new DB cluster parameter group before you can set the neptune_enforce_ssl parameter to 0.

Region                      SSL Enabled   SSL Only
US East (N. Virginia)       Yes           No
US East (Ohio)              Yes           No
US West (N. California)     Yes           Yes
US West (Oregon)            Yes           No
Canada (Central)            Yes           Yes
Europe (Stockholm)          Yes           Yes
Europe (Ireland)            Yes           No
Europe (London)             Yes           No
Europe (Paris)              Yes           Yes
Europe (Frankfurt)          Yes           No
Middle East (Bahrain)       Yes           Yes
Asia Pacific (Tokyo)        Yes           Yes
Asia Pacific (Seoul)        Yes           Yes
Asia Pacific (Singapore)    Yes           Yes
Asia Pacific (Sydney)       Yes           Yes
Asia Pacific (Mumbai)       Yes           Yes
China (Ningxia)             Yes           Yes
AWS GovCloud (US-West)      Yes           Yes
AWS GovCloud (US-East)      Yes           Yes

Neptune automatically provides SSL certificates for your Neptune DB instances. You don't need to request any certificates. The certificates are provided when you create a new instance.

Neptune assigns a single wildcard SSL certificate to the instances in your account for each AWS Region. The certificate provides entries for the cluster endpoints, cluster read-only endpoints, and instance endpoints.

Certificate Details

The following entries are included in the provided certificate:

  • Cluster endpoint — *.cluster-a1b2c3d4wxyz.region.neptune.amazonaws.com

  • Read-only endpoint — *.cluster-ro-a1b2c3d4wxyz.region.neptune.amazonaws.com

  • Instance endpoints — *.a1b2c3d4wxyz.region.neptune.amazonaws.com

Only the entries listed here are supported.

Proxy Connections

The certificates support only the hostnames that are listed in the previous section.

If you are using a load balancer or a proxy server (such as HAProxy), you must use SSL termination and have your own SSL certificate on the proxy server.

SSL passthrough doesn't work because the provided SSL certificates don't match the proxy server hostname.

Root CA Certificates

The certificates for Neptune instances are normally validated using the local trust store of the operating system or SDK (such as the Java SDK).

If you need to provide a root certificate manually, you can download the Amazon Root CA certificate in PEM format from the Amazon Trust Services Policy Repository.
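The following is an added example (not AWS code) that ties together the Certificate Details, Proxy Connections and Root CA sections above: it checks whether a hostname is covered by one of the three wildcard entries in the regional Neptune certificate (so a proxy hostname is shown not to be), and builds a client SSL context that verifies the chain against the OS trust store or an explicitly supplied Amazon Root CA PEM file. The cluster id "a1b2c3d4wxyz", the region "us-east-1", the hostnames and the CA file path are placeholders.

```python
"""Hostname coverage check and verifying TLS context for Neptune endpoints.
Added example, not AWS code; cluster id, region and CA path are assumptions."""
import ssl
from typing import Dict, Optional


def neptune_cert_patterns(cluster_id: str, region: str) -> Dict[str, str]:
    """The three wildcard entries the page lists for the regional certificate."""
    suffix = f"{cluster_id}.{region}.neptune.amazonaws.com"
    return {
        "cluster": f"*.cluster-{suffix}",
        "read-only": f"*.cluster-ro-{suffix}",
        "instance": f"*.{suffix}",
    }


def wildcard_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: a leading '*' matches exactly one DNS label,
    so 'a.b.cluster-...' is NOT covered by '*.cluster-...'."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] != "*":
        return p_labels == h_labels
    return p_labels[1:] == h_labels[1:]


def covering_entry(hostname: str, cluster_id: str, region: str) -> Optional[str]:
    """Return which certificate entry covers hostname, or None (e.g. a proxy
    hostname), in which case SSL passthrough would fail hostname verification."""
    for name, pattern in neptune_cert_patterns(cluster_id, region).items():
        if wildcard_match(pattern, hostname):
            return name
    return None


def make_verifying_context(ca_pem_path: Optional[str] = None) -> ssl.SSLContext:
    """Client context that requires a valid chain and a matching hostname.
    With no ca_pem_path the OS trust store is used; otherwise the Amazon Root CA
    PEM downloaded from the Amazon Trust Services repository is added to it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # drop legacy protocol versions
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_pem_path:
        ctx.load_verify_locations(cafile=ca_pem_path)  # placeholder path supplied by caller
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
```

Pass the context returned by make_verifying_context() to your HTTPS client (for example as the ssl_context of an http.client.HTTPSConnection) so that the wildcard entries are checked against the endpoint hostname on every connection.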

More Information

For more information about connecting to Neptune endpoints with SSL, see Set up the Gremlin console to connect to a Neptune DB instance and Using the HTTP REST endpoint to connect to a Neptune DB instance.