aws · dennis-ruhe-npo · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025
diff --git a/packages/@aws-cdk/aws-neptune-alpha/README.md b/packages/@aws-cdk/aws-neptune-alpha/README.md
@@ -149,6 +149,31 @@ new neptune.DatabaseInstance(this, 'Instance', {
 });
 ```
 
+## Publicly accessible
+
+You can make instances publicly accessible by setting the `publiclyAccessible` property to `true` on the cluster.
+Note that iam authentication is required for this to be enabled:
+
+```ts
+new neptune.DatabaseCluster(this, 'Cluster', {
+    vpc,
+    instanceType: neptune.InstanceType.R5_LARGE,
+    publiclyAccessible: true,
+    iamAuthentication: true,
+});
+```
+
+Alternatively, you can also make individual instances publicly accessible, by setting the respective property on 
+the instance:
+
+```ts fixture=with-cluster
+new neptune.DatabaseInstance(this, 'Instance', {
+    cluster,
+    instanceType: neptune.InstanceType.R5_LARGE,
+    publiclyAccessible: true,
+});
+```
+
 ## Port
 
 By default, Neptune uses port `8182`. You can override the default port by specifying the `port` property:

diff --git a/packages/@aws-cdk/aws-neptune-alpha/lib/cluster.ts b/packages/@aws-cdk/aws-neptune-alpha/lib/cluster.ts
@@ -400,6 +400,18 @@ export interface DatabaseClusterProps {
    * @default 8182
    */
   readonly port?: number;
+
+  /**
+   * If set to true, the database instances in this cluster will be publicly accessible.
+   *
+   * Note that iamAuthentication must be enabled.
+   *
+   * @see DatabaseInstanceProps.publiclyAccessible
+   * @see https://docs.aws.amazon.com/neptune/latest/userguide/neptune-public-endpoints.html
+   *
+   * @default - false
+   */
+  readonly publiclyAccessible?: boolean;
 }
 
 /**
@@ -746,6 +758,7 @@ export class DatabaseCluster extends DatabaseClusterBase implements IDatabaseClu
         dbInstanceClass: props.instanceType._instanceType,
         dbParameterGroupName: props.parameterGroup?.parameterGroupName,
         autoMinorVersionUpgrade: props.autoMinorVersionUpgrade === true,
+        publiclyAccessible: props.publiclyAccessible === true,
       });
 
       // We must have a dependency on the NAT gateway provider here to create

diff --git a/packages/@aws-cdk/aws-neptune-alpha/lib/instance.ts b/packages/@aws-cdk/aws-neptune-alpha/lib/instance.ts
@@ -412,6 +412,15 @@ export interface DatabaseInstanceProps {
    * @default undefined
    */
   readonly autoMinorVersionUpgrade?: boolean;
+
+  /**
+   * Indicates whether the DB instance is publicly accessible.
+   *
+   * Note that iamAuthentication must be enabled on the cluster.
+   *
+   * @default - false
+   */
+  readonly publiclyAccessible?: boolean;
 }
 
 /**
@@ -513,6 +522,7 @@ export class DatabaseInstance extends DatabaseInstanceBase implements IDatabaseI
       availabilityZone: props.availabilityZone,
       dbInstanceIdentifier: props.dbInstanceName,
       dbParameterGroupName: props.parameterGroup?.parameterGroupName,
+      publiclyAccessible: props.publiclyAccessible,
     });
 
     this.cluster = props.cluster;

diff --git a/packages/@aws-cdk/aws-neptune-alpha/test/cluster.test.ts b/packages/@aws-cdk/aws-neptune-alpha/test/cluster.test.ts
@@ -675,6 +675,41 @@ describe('DatabaseCluster', () => {
     });
   });
 
+  test('publiclyAccessible is enabled when configured', () => {
+    // GIVEN
+    const stack = testStack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+
+    // WHEN
+    new DatabaseCluster(stack, 'Cluster', {
+      vpc,
+      instanceType: InstanceType.R5_LARGE,
+      publiclyAccessible: true,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::Neptune::DBInstance', {
+      PubliclyAccessible: true,
+    });
+  });
+
+  test('publiclyAccessible is not enabled when not configured', () => {
+    // GIVEN
+    const stack = testStack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+
+    // WHEN
+    new DatabaseCluster(stack, 'Cluster', {
+      vpc,
+      instanceType: InstanceType.R5_LARGE,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::Neptune::DBInstance', {
+      PubliclyAccessible: false,
+    });
+  });
+
   test('cloudwatchLogsExports is enabled when configured', () => {
     // GIVEN
     const stack = testStack();

diff --git a/packages/@aws-cdk/aws-neptune-alpha/test/instance.test.ts b/packages/@aws-cdk/aws-neptune-alpha/test/instance.test.ts
@@ -125,6 +125,23 @@ describe('DatabaseInstance', () => {
     });
   });
 
+  test.each([true, false])('instance with publiclyAccessible', (publiclyAccessible) => {
+    // GIVEN
+    const stack = testStack();
+
+    // WHEN
+    new DatabaseInstance(stack, 'Instance', {
+      cluster: stack.cluster,
+      instanceType: InstanceType.R5_LARGE,
+      publiclyAccessible,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::Neptune::DBInstance', {
+      PubliclyAccessible: publiclyAccessible,
+    });
+  });
+
   test('instance type from CfnParameter', () => {
     // GIVEN
     const stack = testStack();

diff --git a/packages/@aws-cdk/aws-neptune-alpha/test/integ.instance-publicly-accessible.ts b/packages/@aws-cdk/aws-neptune-alpha/test/integ.instance-publicly-accessible.ts
@@ -0,0 +1,54 @@
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+import { DatabaseCluster, DatabaseInstance, InstanceType } from '../lib';
+import { ClusterParameterGroup, ParameterGroupFamily } from '../lib/parameter-group';
+
+/*
+ * Test creating a cluster without specifying engine version.
+ * This defaults to engine version >= 1.4.0.0 and associated parameter group with family neptune1.4
+ *
+ * Stack verification steps:
+ * * aws docdb describe-db-clusters --db-cluster-identifier <deployed db cluster identifier>
+ */
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'PubliclyAccessibleInstanceStack');
+
+const vpc = new ec2.Vpc(stack, 'VPC', { maxAzs: 2, natGateways: 1 });
+
+const clusterParameterGroup = new ClusterParameterGroup(stack, 'Params', {
+  description: 'A nice parameter group',
+  family: ParameterGroupFamily.NEPTUNE_1_4,
+  parameters: {
+    neptune_enable_audit_log: '1',
+    neptune_query_timeout: '100000',
+  },
+});
+
+const cluster = new DatabaseCluster(stack, 'Database', {
+  vpc,
+  instanceType: InstanceType.R5_LARGE,
+  clusterParameterGroup,
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  iamAuthentication: true,
+});
+
+new DatabaseInstance(stack, 'EnabledInstance', {
+  cluster,
+  instanceType: InstanceType.R5_LARGE,
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  publiclyAccessible: true,
+});
+
+new DatabaseInstance(stack, 'DisabledInstance', {
+  cluster,
+  instanceType: InstanceType.R5_LARGE,
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
+  publiclyAccessible: false,
+});
+
+new integ.IntegTest(app, 'PubliclyAccessibleInstanceInteg', {
+  testCases: [stack],
+});