

# AWS PrivateLink for Neptune Analytics

 With AWS PrivateLink for Neptune Analytics, you can provision interface Amazon VPC endpoints (interface endpoints) in your virtual private cloud (Amazon VPC). These endpoints are directly accessible from applications that are on premises over VPN and AWS Direct Connect, or in a different AWS region over [Amazon VPC peering](https://docs.aws.amazon.com//vpc/latest/peering/what-is-vpc-peering.html). Using AWS PrivateLink and interface endpoints, you can simplify private network connectivity from your applications to Neptune Analytics. 

 Applications in your VPC do not need public IP addresses to communicate with Neptune Analytics interface VPC endpoints for Neptune Analytics operations. Interface endpoints are represented by one or more elastic network interfaces (ENIs) that are assigned private IP addresses from subnets in your Amazon VPC. Requests to Neptune Analytics over interface endpoints stay on the Amazon network. You can also access interface endpoints in your Amazon VPC from on-premises applications through AWS Direct Connect or AWS Virtual Private Network (Site-to-Site VPN). For more information about how to connect your Amazon VPC with your on-premises network, see the [AWS Direct Connect user guide](https://docs.aws.amazon.com//directconnect/latest/UserGuide/Welcome.html) and the [AWS Site-to-Site VPN user guide](https://docs.aws.amazon.com//vpn/latest/s2svpn/VPC_VPN.html). 

For general information about interface endpoints, see [Interface Amazon VPC endpoints (AWS PrivateLink)](https://docs.aws.amazon.com//vpc/latest/privatelink/vpce-interface.html) in the AWS PrivateLink guide.

## Creating an Amazon VPC endpoint


To create an Amazon VPC interface endpoint, see [Create an Amazon VPC endpoint](https://docs.aws.amazon.com//vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the AWS PrivateLink Guide.

**Topics**
+ [Creating an Amazon VPC endpoint](#gettingStarted-connecting-private-link-create)
+ [Types of interface endpoint services for Neptune Analytics](gettingStarted-connecting-private-link-types.md)
+ [Considerations when using AWS PrivateLink for Neptune Analytics](gettingStarted-connecting-private-link-considerations.md)
+ [Accessing Neptune Analytics interface endpoints](gettingStarted-connecting-private-link-access.md)
+ [Accessing Neptune Analytics graph from Neptune Analytics interface endpoints](gettingStarted-connecting-private-link-access-interface.md)
+ [Creating an Amazon VPC endpoint policy for Neptune Analytics data plane](gettingStarted-connecting-private-link-create-policy.md)

# Types of interface endpoint services for Neptune Analytics


Neptune Analytics supports two services through interface VPC endpoints on AWS PrivateLink: `neptune-graph`, for control plane API operations such as `CreateGraph` and `DeleteGraph`, and `neptune-graph-data`, for data plane API operations such as `GetQuery`, `ListQueries`, and `ExecuteQuery`. For more information about Neptune Analytics API operations, see [Neptune Analytics APIs](https://docs.aws.amazon.com//neptune-analytics/latest/apiref/Welcome.html).

# Considerations when using AWS PrivateLink for Neptune Analytics


Amazon VPC considerations apply to AWS PrivateLink for Neptune Analytics. For more information, see [Interface endpoint considerations](https://docs.aws.amazon.com//vpc/latest/privatelink/vpce-interface.html#vpce-interface-limitations) and [AWS PrivateLink quotas](https://docs.aws.amazon.com//vpc/latest/privatelink/vpc-limits-endpoints.html) in the AWS PrivateLink guide. Additionally, the following restrictions apply:

1.  The AWS PrivateLink for Neptune Analytics control plane service (`neptune-graph`) does not support [VPC endpoint policies](https://docs.aws.amazon.com//vpc/latest/privatelink/vpc-endpoints-access.html). The data plane service (`neptune-graph-data`) does support VPC endpoint policies.

1.  AWS PrivateLink for Neptune Analytics supports [Federal Information Processing Standard (FIPS)](https://aws.amazon.com/compliance/fips/) endpoints in US East (N. Virginia), US East (Ohio), and US West (Oregon) for control plane API operations under the service name `neptune-graph-fips`. FIPS endpoints are not supported in any AWS Region for data plane API operations over AWS PrivateLink.

1.  Transport Layer Security (TLS) 1.1 is **not** supported. 

1.  Private and Hybrid Domain Name System (DNS) services are **not** supported. 

# Accessing Neptune Analytics interface endpoints


 When you create an interface endpoint for Neptune Analytics, AWS PrivateLink generates two types of endpoint-specific, Neptune Analytics DNS names: Regional and zonal. 
+  A Regional DNS name includes a unique Amazon VPC endpoint ID, a service identifier, the AWS Region, and `vpce.amazonaws.com` in its name. For example, for Amazon VPC endpoint ID `vpce-1a2b3c4d`, the DNS name generated might be similar to `vpce-1a2b3c4d-5e6f.neptune-graph.us-east-1.vpce.amazonaws.com`. 
+  A zonal DNS name also includes the Availability Zone, for example `vpce-1a2b3c4d-5e6f-us-east-1a.neptune-graph.us-east-1.vpce.amazonaws.com`. You might use this option if your architecture isolates Availability Zones, for example for fault containment or to reduce Regional data transfer costs.

# Accessing Neptune Analytics graph from Neptune Analytics interface endpoints


 You can use the AWS CLI or AWS SDKs to access Neptune Analytics graph API operations through Neptune Analytics interface endpoints. 

## AWS CLI examples


 To access Neptune Analytics API operations through Neptune Analytics interface endpoints in AWS CLI commands, use the `--region` parameter. 

 **Example: Create a VPC endpoint** 

```
# --service-name: the neptune-graph service name for control plane APIs,
# or the neptune-graph-data service name for data plane APIs
aws ec2 create-vpc-endpoint \
    --region us-east-1 \
    --service-name service-name \
    --vpc-id client-vpc-id \
    --subnet-ids client-subnet-id \
    --vpc-endpoint-type Interface \
    --security-group-ids client-sg-id
```

 **Example: Modify a VPC endpoint** 

The Neptune Analytics VPC endpoint service uses a private hosted zone to route requests to your Neptune Analytics graph. Ensure that private DNS is enabled on your VPC interface endpoint.

```
aws ec2 modify-vpc-endpoint \
    --region us-east-1 \
    --vpc-endpoint-id client-vpc-endpoint-id \
    --private-dns-enabled
```

**Note**  
Ensure that private DNS stays enabled on your VPC interface endpoint; otherwise, requests might fail to route to your Neptune Analytics graph.

 **Example: List graphs using the region parameter** 

```
aws neptune-graph list-graphs --region us-east-1
```

 **Example: Execute a query using the region parameter** 

```
aws neptune-graph execute-query \
    --graph-identifier g-0123456789 \
    --region us-east-1 \
    --query-string "MATCH (n) RETURN n LIMIT 1" \
    --language open_cypher \
    out.txt
```
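The note above (private DNS must stay enabled) and the Regional and zonal DNS-name shapes described under "Accessing Neptune Analytics interface endpoints" both lend themselves to an audit. The following Python script is an added example and not part of the AWS documentation: it walks parsed `aws ec2 describe-vpc-endpoints` output (a constructed sample is embedded), classifies each Neptune Analytics endpoint's DNS entries, and flags endpoints with private DNS disabled or a data-plane endpoint policy that allows every action. The full service-name form `com.amazonaws.<region>.<service>` and the DNS regex are assumptions generalised from this page's examples.

```python
import json
import re

# DNS-name shapes from this page's two examples; generalising them is an assumption.
DNS_RE = re.compile(
    r"^vpce-[0-9a-f]+-[0-9a-f]+(?:-(?P<az>[a-z]{2}-[a-z]+-\d[a-z]))?"
    r"\.(?P<service>neptune-graph(?:-data|-fips)?)\.(?P<region>[a-z]{2}-[a-z]+-\d)"
    r"\.vpce\.amazonaws\.com$"
)
NEPTUNE_SERVICES = {"neptune-graph", "neptune-graph-data", "neptune-graph-fips"}

def classify_dns_name(name):
    """("regional"|"zonal", region) for a Neptune Analytics endpoint name, else None."""
    m = DNS_RE.match(name)
    if not m:
        return None
    az, region = m.group("az"), m.group("region")
    if az and not az.startswith(region):  # a zonal name must use an AZ of its own Region
        raise ValueError(f"AZ {az} is not in Region {region}: {name}")
    return ("zonal" if az else "regional"), region

def audit_endpoints(describe_output):
    """(endpoint-id, finding) pairs from parsed `aws ec2 describe-vpc-endpoints` output."""
    findings = []
    for ep in describe_output["VpcEndpoints"]:
        service = ep["ServiceName"].rsplit(".", 1)[-1]  # assumed com.amazonaws.<region>.<service>
        if service not in NEPTUNE_SERVICES or ep["VpcEndpointType"] != "Interface":
            continue
        eid = ep["VpcEndpointId"]
        if not ep.get("PrivateDnsEnabled"):  # the Note above: routing errors otherwise
            findings.append((eid, "private DNS disabled"))
        for entry in ep.get("DnsEntries", []):
            if classify_dns_name(entry["DnsName"]) is None:
                findings.append((eid, f"unexpected DNS entry {entry['DnsName']}"))
        if service == "neptune-graph-data":  # only the data plane honours a policy
            stmts = json.loads(ep["PolicyDocument"])["Statement"]
            acts = {a for s in stmts for a in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"])}
            if "*" in acts:
                findings.append((eid, "endpoint policy allows every action"))
    return findings

# Constructed sample `describe-vpc-endpoints` output, not data from a real account.
SAMPLE = {"VpcEndpoints": [
    {"VpcEndpointId": "vpce-1a2b3c4d", "VpcEndpointType": "Interface", "PrivateDnsEnabled": True,
     "ServiceName": "com.amazonaws.us-east-1.neptune-graph", "PolicyDocument": '{"Statement":[{"Action":"*"}]}',
     "DnsEntries": [{"DnsName": "vpce-1a2b3c4d-5e6f.neptune-graph.us-east-1.vpce.amazonaws.com"},
                    {"DnsName": "vpce-1a2b3c4d-5e6f-us-east-1a.neptune-graph.us-east-1.vpce.amazonaws.com"}]},
    {"VpcEndpointId": "vpce-0a0b0c0d", "VpcEndpointType": "Interface", "PrivateDnsEnabled": False,
     "ServiceName": "com.amazonaws.us-east-1.neptune-graph-data", "PolicyDocument": '{"Statement":[{"Action":"*"}]}',
     "DnsEntries": []}]}
```

Feed it the output of `aws ec2 describe-vpc-endpoints` parsed with `json.load` in place of `SAMPLE`; the second sample endpoint produces both findings.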

## AWS SDK examples


 To access Neptune Analytics API operations through Neptune Analytics interface endpoints when using the AWS SDKs, update your SDKs to the latest version. Then, configure your clients to use the AWS region for accessing a Neptune Analytics API operation through Neptune Analytics interface endpoints. 

 **SDK for Python (Boto3)** 

 In this example, you will use an endpoint URL to access a Neptune Analytics graph. 

```
import boto3

# Build a client that targets the Region of the interface endpoint; with private
# DNS enabled on the endpoint, the service's Regional hostname resolves to the
# endpoint's private IP addresses, so requests stay on the Amazon network.
session = boto3.Session()
neptune_graph_client = session.client(
    service_name='neptune-graph',
    region_name='us-east-1'
)
```

 **SDK for Java 2.x** 

 In this example, you will use an endpoint URL to access a Neptune Analytics graph. 

```
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.neptunegraph.NeptuneGraphClient;

// Client built with a Region configuration; requests reach the graph through
// the interface endpoint when private DNS is enabled on it
final NeptuneGraphClient neptuneGraphClient = NeptuneGraphClient.builder()
        .region(Region.US_EAST_1)
        .credentialsProvider(DefaultCredentialsProvider.create())
        .build();
```

# Creating an Amazon VPC endpoint policy for Neptune Analytics data plane


**Note**  
 AWS PrivateLink for Neptune Analytics does not support VPC endpoint policies for the control plane service `neptune-graph`. VPC endpoint policies are only supported for the Neptune Analytics data plane service `neptune-graph-data`. 

 You can attach an endpoint policy to your Amazon VPC endpoint that controls access to a Neptune Analytics graph. The policy specifies the following information: 
+  The AWS Identity and Access Management (IAM) principal that can perform actions. 
+  The actions that can be performed. 
+  The resources on which actions can be performed. 

 **Restricting access to a specific Neptune Analytics graph from an Amazon VPC endpoint.** 

You can create an endpoint policy that restricts access to only specific Neptune Analytics graphs. This type of policy is useful if you have other AWS services in your Amazon VPC that use graphs. The following policy allows only the `GetGraphSummary` action, on a single graph, from the VPC endpoint.

```
{
  "Version": "2012-10-17",
  "Id": "Policy1216114807515",
  "Statement": [
    {
      "Sid": "Access-to-specific-graph-only",
      "Principal": "*",
      "Action": [
        "neptune-graph:GetGraphSummary"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:neptune-graph:us-east-1:111122223333:graph/resource-id"
      ]
    }
  ]
}
```

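As an added example (not part of the AWS documentation), the following Python evaluator applies simplified IAM semantics (implicit deny, explicit Deny wins, wildcard Action and Resource matching) to the endpoint policy above and to a constructed variant that opens every graph in the account except one, so you can check what an endpoint policy admits before attaching it. Conditions, NotAction/NotResource and cross-account principal normalisation are assumed out of scope.

```python
import fnmatch

# The data-plane endpoint policy shown on this page.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Access-to-specific-graph-only", "Principal": "*", "Effect": "Allow",
    "Action": ["neptune-graph:GetGraphSummary"],
    "Resource": ["arn:aws:neptune-graph:us-east-1:111122223333:graph/resource-id"]}]}

# Constructed variant: every graph in the account is reachable except one, because
# the explicit Deny on that graph's ARN beats the wildcard Allow.
DENY_ONE_GRAPH = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "neptune-graph:*",
     "Resource": "arn:aws:neptune-graph:us-east-1:111122223333:graph/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "*",
     "Resource": "arn:aws:neptune-graph:us-east-1:111122223333:graph/resource-id"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(patterns, value, fold_case):
    """IAM-style wildcard match ('*' and '?' only); actions are case-insensitive, ARNs are not."""
    norm = str.lower if fold_case else str
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in patterns)

def endpoint_policy_allows(policy, action, resource, principal="*"):
    """Simplified IAM evaluation: implicit deny unless some statement allows, and an
    explicit Deny overrides every Allow. Conditions, NotAction/NotResource and
    cross-account principal normalisation are deliberately out of scope."""
    allowed = False
    for st in policy["Statement"]:
        princ = st.get("Principal", "*")
        princ = _as_list(princ.get("AWS", []) if isinstance(princ, dict) else princ)
        if "*" not in princ and principal not in princ:
            continue
        if not _match(_as_list(st.get("Action", [])), action, fold_case=True):
            continue
        if not _match(_as_list(st.get("Resource", [])), resource, fold_case=False):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    graph = "arn:aws:neptune-graph:us-east-1:111122223333:graph/resource-id"
    print(endpoint_policy_allows(PAGE_POLICY, "neptune-graph:GetGraphSummary", graph))  # True
    print(endpoint_policy_allows(DENY_ONE_GRAPH, "neptune-graph:GetGraphSummary", graph))  # False
```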