Tags: amazon-web-services, amazon-ec2, amazon-rds, aws-vpc, amazon-neptune

Can resources in different CIDR blocks of the same VPC reach one another (AWS)?


Resources like databases (RDS) must be in the same VPC as the EC2 instances to be reachable.

Can EC2 instance reach RDS instance in the same VPC if they are in different CIDR blocks?
i.e. VPC has 2 CIDR blocks, a and b. Instance in block a, database in block b.

What about EC2 instance to Neptune?


Solution

  • Yes, this is doable by attaching the right security groups to your resources. As long as you set up a valid configuration via security groups, it doesn't matter whether your source and destination are in the same subnet or not. For example, take the following setup:

    instance-1 in subnet-1 (CIDR: 10.0.0.0/16) in vpcA

    instance-2 in subnet-2 (CIDR: 10.1.0.0/16) in vpcA (same VPC)

    Create the following security groups:

    1. security-group-client (no specific rules)

    2. security-group-target (with Inbound rule that allows incoming requests from security-group-client at the required port)

    Now attach security-group-client to your client instance (say instance-1) and security-group-target to your target (instance-2)

    The fact that your instances are in different CIDR blocks (or subnets) does not matter. By default, they don't have access, but you can always set something up.

    You should be able to apply the same logic with something like Amazon Neptune. You provision an instance in a DB Subnet Group, which is merely a set of subnets. Each Subnet has a CIDR associated with it. Your database instance gets provisioned in one of your subnets. (You can force-select a subnet/AZ during creation, but that is not relevant to this discussion).

    Once you have your DB, create 2 security groups as mentioned above, one for the client and one for the db. The security group for the db should allow inbound connections from the other one. You can then attach the security group to your db cluster by issuing a modify-db-cluster request (or via the Console, or just create the security groups upfront and associate them with the db during the create workflow itself).

    Hope this helps.
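The procedure the answer describes, as an added AWS CLI script (not part of the original question or answer): create a client and a target security group, allow the target's port from the client group by group ID rather than by CIDR, add the client group to the EC2 instance without dropping its existing groups, attach the target group to the cluster, and list the VPC's "local" routes, which is what makes the two CIDR blocks reachable from each other. The environment variables VPC_ID, CLIENT_INSTANCE_ID, DB_CLUSTER_ID and DB_PORT, the group-name prefix and the RUN_SETUP opt-in are assumptions of this example; it needs the AWS CLI with credentials when run for real.

```shell
#!/bin/sh
# Added example, not the answer's own code. Assumes VPC_ID, CLIENT_INSTANCE_ID,
# DB_CLUSTER_ID and DB_PORT are exported by the caller and that the "aws" CLI
# has credentials. Group names ("<prefix>-client"/"<prefix>-target") are arbitrary.
set -eu

# Create an empty client SG and a target SG, then allow TCP on $port into the
# target from anything that carries the client SG. Prints "<client_sg> <target_sg>".
create_client_target_sgs() {
  vpc_id=$1; port=$2; prefix=${3:-db}
  client_sg=$(aws ec2 create-security-group --vpc-id "$vpc_id" \
      --group-name "${prefix}-client" --description "Clients allowed to reach ${prefix}" \
      --query GroupId --output text)
  target_sg=$(aws ec2 create-security-group --vpc-id "$vpc_id" \
      --group-name "${prefix}-target" --description "${prefix} endpoints" \
      --query GroupId --output text)
  # The source is a security-group ID, not a CIDR, so the rule follows the client
  # SG across subnets, AZs and secondary VPC CIDR blocks. SGs are stateful: the
  # reply traffic needs no extra rule on either side.
  aws ec2 authorize-security-group-ingress --group-id "$target_sg" \
      --ip-permissions "IpProtocol=tcp,FromPort=${port},ToPort=${port},UserIdGroupPairs=[{GroupId=${client_sg}}]" \
      >/dev/null
  echo "$client_sg $target_sg"
}

# modify-instance-attribute --groups REPLACES the instance's whole SG list, so
# read the current groups first and append the client SG to them.
attach_client_sg() {
  instance_id=$1; client_sg=$2
  existing=$(aws ec2 describe-instances --instance-ids "$instance_id" \
      --query 'Reservations[0].Instances[0].SecurityGroups[].GroupId' --output text)
  # $existing is deliberately unquoted: it is a whitespace-separated list of IDs.
  aws ec2 modify-instance-attribute --instance-id "$instance_id" --groups $existing "$client_sg"
}

# Attach the target SG to a cluster; $service is "rds" (Aurora) or "neptune".
# A standalone RDS instance is not a cluster: use
# "aws rds modify-db-instance --db-instance-identifier ... --vpc-security-group-ids ..." instead.
attach_target_sg_to_cluster() {
  service=$1; cluster_id=$2; target_sg=$3
  aws "$service" modify-db-cluster --db-cluster-identifier "$cluster_id" \
      --vpc-security-group-ids "$target_sg" --apply-immediately >/dev/null
}

# The "different CIDR blocks" part of the question: every CIDR associated with
# the VPC shows up as a "local" route in each route table, so subnets in block
# a and block b route to each other with no extra configuration.
local_routes() {
  vpc_id=$1
  aws ec2 describe-route-tables --filters "Name=vpc-id,Values=${vpc_id}" \
      --query 'RouteTables[].Routes[?GatewayId==`local`].DestinationCidrBlock' --output text
}

# Run the whole procedure only when explicitly asked (RUN_SETUP=1 ./setup.sh).
if [ -n "${RUN_SETUP:-}" ]; then
  set -- $(create_client_target_sgs "$VPC_ID" "$DB_PORT" neptune)
  CLIENT_SG=$1; TARGET_SG=$2
  attach_client_sg "$CLIENT_INSTANCE_ID" "$CLIENT_SG"
  attach_target_sg_to_cluster neptune "$DB_CLUSTER_ID" "$TARGET_SG"
  echo "local routes in $VPC_ID:"
  local_routes "$VPC_ID"
fi
```

Security groups are the only thing the answer configures, and for the default network ACLs that is enough. If the subnets in block a and block b carry custom network ACLs, remember those are stateless and evaluated per subnet, so both the request port and the ephemeral reply ports must be allowed there as well, or the connection will fail even with correct security groups.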