Security

Encryption

All data stored in Neo4j Aura is encrypted in transit between the nodes that make up your database (intra-cluster encryption) and encrypted at rest using the underlying cloud provider's storage encryption.

VPC isolation

Applies to: AuraDB Enterprise and AuraDS Enterprise

AuraDB Enterprise and AuraDS Enterprise deployments run inside a Virtual Private Cloud (VPC), isolated from other tenants.

The VPC enables you to operate within an isolated section of the service, where your processing, networking, and storage are further protected.

Please note that the Aura console runs in a separate VPC.

Private endpoints

Applies to: AuraDB Enterprise

AuraDB Enterprise supports private endpoints on AWS using AWS PrivateLink.

Once activated, you can create an endpoint in your VPC that connects to Aura.

Figure 1. VPC connectivity with AWS PrivateLink

Applications running Neo4j workloads inside your VPC are routed directly to your isolated environment in Aura without traversing the public internet. You can then disable public traffic, so that the only path to the database is the private one from your VPC.

  • When activated, PrivateLink applies to all databases in the region.

  • If you disable public traffic, you must use a dedicated VPN to connect to your database via Browser or Bloom.

  • Connections using private endpoints are one-way. Aura VPCs can’t initiate connections back to your VPCs.

To enable private endpoints using AWS PrivateLink, please raise a support ticket, and we’ll be in touch.

You will need an AWS account with permissions to create, modify, describe and delete endpoints. Please see the AWS Documentation for more information.
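Once public traffic is disabled, the connection URI should resolve, from inside your VPC, only to addresses in your VPC's private ranges and the Bolt port should be reachable only from there. The following preflight script is an added example (not Neo4j tooling); the URI `neo4j+s://dbid.databases.neo4j.io` and the addresses it classifies are placeholders constructed for illustration.

```python
"""Preflight check for an Aura connection behind a private endpoint.

Parses a Neo4j/Bolt connection URI, resolves the host and reports whether
every resolved address lies in RFC 1918 / IPv6 ULA space, which is what you
expect after public traffic has been disabled for the region.
"""
import ipaddress
import socket
from urllib.parse import urlparse

BOLT_DEFAULT_PORT = 7687  # port the Neo4j drivers use when the URI has none

# Address space a VPC endpoint's interface addresses are drawn from.
VPC_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def parse_connection_uri(uri: str) -> tuple[str, int]:
    """Return (host, port) for neo4j://, neo4j+s://, bolt:// or bolt+s:// URIs."""
    parsed = urlparse(uri)
    if parsed.scheme.split("+")[0] not in ("neo4j", "bolt"):
        raise ValueError(f"unsupported scheme: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("connection URI has no host")
    return parsed.hostname, parsed.port or BOLT_DEFAULT_PORT


def is_vpc_address(addr: str) -> bool:
    """True if addr is in RFC 1918 or ULA space (not loopback, link-local or TEST-NET)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPC_RANGES)


def classify_addresses(addresses: list[str]) -> str:
    """'private' if every address is VPC space, 'public' if none is, else 'mixed'.

    'mixed' is the case to investigate: the name still has a public record
    alongside the endpoint's private one, so a client may bypass the endpoint.
    """
    if not addresses:
        raise ValueError("no addresses to classify")
    flags = {is_vpc_address(a) for a in addresses}
    if flags == {True}:
        return "private"
    if flags == {False}:
        return "public"
    return "mixed"


def resolve(host: str, port: int) -> list[str]:
    """All addresses the local resolver returns for host (needs network access)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Whether the Bolt port accepts a TCP connection from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(uri: str) -> dict:
    """Resolve the URI host and classify what it points at."""
    host, port = parse_connection_uri(uri)
    addresses = resolve(host, port)
    verdict = classify_addresses(addresses)
    return {
        "host": host,
        "port": port,
        "addresses": addresses,
        "verdict": verdict,
        "reachable": tcp_reachable(host, port),
        "ok": verdict == "private",
    }


if __name__ == "__main__":
    # Placeholder URI: substitute your database's Connection URI.
    print(preflight("neo4j+s://dbid.databases.neo4j.io"))
```

Run it twice: from an instance inside the VPC it should report `private` and `reachable: True`; from a host outside the VPC, with public traffic disabled, it should report `reachable: False`. A `neo4j+s://` URI is a routing URI, so the driver will also connect to the addresses the server's routing table returns; if those differ from the connection host, check them the same way.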

Single Sign-On

Applies to: AuraDB Enterprise

AuraDB Enterprise supports Single Sign-On (SSO) for the Browser and Bloom clients when they are opened from a database.

The following OpenID Connect (OIDC) certified Identity Providers (IdPs) are currently supported:

  • Microsoft Azure Active Directory (AAD)

  • Okta

  • Keycloak

  • Google Authentication

Aura uses the OAuth 2.0 Authorization Code Flow with PKCE (RFC 7636), the recommended flow for browser-based public clients, which cannot keep a client secret.

To add SSO for Browser and Bloom to your AuraDB Enterprise databases, please raise a support ticket including the following information:

  1. The Connection URI of the database(s) you want to use SSO.

  2. Whether or not you want Browser, Bloom, or both enabled.

  3. The name of your IdP.

  4. Confirmation that the authorization flow is Authorization Code Flow with PKCE.

If your IdP asks for an application type when you register the client, choose Single-page application: Browser and Bloom run in the user's browser as public clients. For more information on configuring your client, see Neo4j Single Sign-On (SSO) Configuration.
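What "Authorization Code Flow with PKCE" means on the wire is shown below as an added example (not Neo4j's or any IdP's code): the client side that Browser or Bloom performs, and the check the IdP performs at its token endpoint. The endpoint URLs, `client_id` and `redirect_uri` are placeholders.

```python
"""Authorization Code Flow with PKCE (RFC 7636), both sides of the exchange.

The public client never holds a secret; instead it binds the authorization
code to a one-time code_verifier whose SHA-256 hash (the code_challenge) it
sent in the authorization request. A stolen code is useless without the
verifier, which never leaves the client until the token request.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC minimum."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, scope: str, state: str,
                            challenge: str) -> str:
    """Front-channel request the browser is redirected to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                    # CSRF binding, checked on return
        "code_challenge": challenge,
        "code_challenge_method": "S256",   # never "plain"
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def build_token_request(token_endpoint: str, client_id: str, redirect_uri: str,
                        code: str, verifier: str) -> dict:
    """Back-channel POST body; the verifier is revealed only here, over TLS."""
    return {
        "url": token_endpoint,
        "data": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": redirect_uri,
            "client_id": client_id,
            "code_verifier": verifier,
        },
    }


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """The IdP's check at the token endpoint: recompute and compare in constant time."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(presented_verifier),
                                  stored_challenge)


def demo_exchange() -> bool:
    """Runs the whole flow locally with a simulated IdP; returns True on success."""
    authorize = "https://idp.example/authorize"   # placeholder IdP endpoints
    token = "https://idp.example/token"
    client_id, redirect = "neo4j-browser", "https://browser.example/callback"

    # Client: fresh verifier per login, challenge goes in the front-channel URL.
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    url = build_authorization_url(authorize, client_id, redirect,
                                  "openid profile", state, make_code_challenge(verifier))

    # IdP: stores the challenge with the code it issues after the user signs in.
    query = parse_qs(urlparse(url).query)
    assert query["code_challenge_method"] == ["S256"]
    stored = {"challenge": query["code_challenge"][0], "code": b64url(secrets.token_bytes(24))}

    # Client: redeems the code together with the verifier.
    req = build_token_request(token, client_id, redirect, stored["code"], verifier)
    return server_verifies(stored["challenge"], req["data"]["code_verifier"])
```

An attacker who intercepts the authorization code (for example through a leaked redirect) can build the same token request but not the verifier, so `server_verifies` fails; the test vector in RFC 7636 Appendix B can be used to confirm an IdP's S256 implementation matches.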

Supported TLS cipher suites

Client connections are carried over TLS v1.2 or TLS v1.3.

AuraDB accepts only a restricted list of cipher suites during the TLS handshake. The list below follows the recommendations of IANA and of the OpenSSL and GnuTLS libraries: every suite uses an ephemeral key exchange (DHE or ECDHE) for forward secrecy and an AEAD cipher (AES-GCM or ChaCha20-Poly1305).

TLS v1.3:

  • TLS_CHACHA20_POLY1305_SHA256 (RFC8446)

  • TLS_AES_128_GCM_SHA256 (RFC8446)

  • TLS_AES_256_GCM_SHA384 (RFC8446)

TLS v1.2:

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (RFC5288)

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (RFC5289)

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (RFC5289)

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (RFC7905)

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (RFC5288)
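To confirm what a client actually negotiates against this allow list, the following added example (not Neo4j's code) builds a client `SSLContext` that offers only the TLS v1.2 suites above, performs a handshake and checks the result. It maps the IANA names in the list to the OpenSSL names that Python's `ssl` module reports; the host `dbid.databases.neo4j.io` is a placeholder.

```python
"""Negotiated-cipher check against the Aura cipher-suite allow list.

IANA suite names (as listed in the documentation) mapped to the OpenSSL names
that SSLSocket.cipher() returns. Hex values are the IANA suite identifiers.
"""
import socket
import ssl

ALLOWED = {
    # TLS 1.3 (RFC 8446): OpenSSL uses the IANA names unchanged
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",                       # 0x1301
    "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",                       # 0x1302
    "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",           # 0x1303
    # TLS 1.2
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",   # 0xC02F
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",   # 0xC030
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",  # 0xCCA8
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",       # 0x009E
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",       # 0x009F
}
ALLOWED_OPENSSL_NAMES = frozenset(ALLOWED.values())
ALLOWED_PROTOCOLS = frozenset({"TLSv1.2", "TLSv1.3"})


def strict_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and offers only
    allow-listed suites, so a downgrade to anything else fails the handshake."""
    ctx = ssl.create_default_context()          # system CA store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 suites; OpenSSL's TLS 1.3 suites are the
    # three AEAD suites above by default and are not configurable from Python.
    tls12 = [name for name in ALLOWED.values() if not name.startswith("TLS_")]
    ctx.set_ciphers(":".join(tls12))
    return ctx


def check_negotiated(cipher_info: tuple) -> tuple[bool, str]:
    """Judge SSLSocket.cipher() output: (openssl_name, protocol, secret_bits)."""
    name, protocol, bits = cipher_info
    if protocol not in ALLOWED_PROTOCOLS:
        return False, f"protocol {protocol} is not allowed"
    if name not in ALLOWED_OPENSSL_NAMES:
        return False, f"cipher suite {name} is not in the allow list"
    return True, f"{protocol} {name} ({bits}-bit key)"


def probe(host: str, port: int = 7687, timeout: float = 5.0) -> tuple[bool, str]:
    """Handshake with the Bolt endpoint and report the negotiated parameters."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_negotiated(tls.cipher())


if __name__ == "__main__":
    # Placeholder host: substitute the host part of your Connection URI.
    print(probe("dbid.databases.neo4j.io"))
```

Because the context offers nothing outside the list, a server that only supported a CBC or non-ephemeral suite would fail with a handshake error rather than silently negotiating it; `check_negotiated` is the second line of defence for contexts you do not control.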