Security
Encryption
All data stored in Neo4j Aura is encrypted in transit between the nodes that comprise your instance (intra-cluster encryption) and encrypted at rest using the underlying cloud provider’s encryption mechanism.
By default, each cloud provider encrypts all backup buckets (including the objects stored inside) using either Google-managed encryption, AWS SSE-S3 encryption, or Azure Storage encryption.
VPC isolation
Applies to: AuraDB Enterprise, AuraDS Enterprise
AuraDB Enterprise and AuraDS Enterprise run within a Virtual Private Cloud (VPC) isolation for your deployment.
The VPC enables you to operate within an isolated section of the service, where your processing, networking, and storage are further protected.
Please note that the Aura Console runs in a separate VPC.
AWS Private endpoints
Applies to: AuraDB Enterprise
AuraDB Enterprise supports private endpoints on AWS using AWS PrivateLink.
Once activated, you can create an endpoint in your VPC that connects to Aura.

All applications running Neo4j workloads inside the VPC are routed directly to your isolated environment in Aura without traversing the public internet. You can then disable public traffic, ensuring all traffic to the instance remains private to your VPC.
Browser and Bloom access over private endpoints
To connect to your instance via Browser or Bloom, you must use a dedicated VPN. This is because when you disable public access to your instance, this applies to all connections, including those from your computer when using Browser or Bloom.
Without private endpoints, you access Browser and Bloom over the internet:

When you have enabled private endpoints and disabled public internet access, you can no longer connect Browser or Bloom to your instances over the internet:

To continue accessing Browser and Bloom, you can configure a VPN (Virtual Private Network) in your VPC and connect to Browser and Bloom over the VPN.
To access Bloom and Browser over a VPN, you must ensure that:

Enabling private endpoints
To enable private endpoints using AWS PrivateLink, please raise a support ticket, and we’ll be in touch.
You will need an AWS account with permissions to create, modify, describe and delete endpoints. Please see the AWS Documentation for more information.
GCP Private endpoints
Applies to: AuraDB Enterprise, AuraDS Enterprise
Aura Enterprise supports private endpoints on GCP using GCP Private Service Connect.
Once activated, you can create an endpoint in your VPC that connects to Aura.

All applications running Neo4j workloads inside the VPC are routed directly to your isolated environment in Aura without traversing the public internet. You can then disable public traffic, ensuring all traffic to the instance remains private to your VPC.
Browser and Bloom access over private endpoints
To connect to your instance via Browser or Bloom, you must use a dedicated VPN. This is because when you disable public access to your instance, this applies to all connections, including those from your computer when using Browser or Bloom.
Without private endpoints, you access Browser and Bloom over the internet:

When you have enabled private endpoints and disabled public internet access, you can no longer connect Browser or Bloom to your instances over the internet:

To continue accessing Browser and Bloom, you can configure a GCP Cloud VPN (Virtual Private Network) in your VPC and connect to Browser and Bloom over the VPN.
To access Bloom and Browser over a VPN, you must ensure that:

Enabling private endpoints
To enable private endpoints using GCP Private Service Connect, please raise a support ticket, and we’ll be in touch.
Please see the GCP Documentation for required roles and permissions.
Azure Private endpoints
Applies to: AuraDB Enterprise
Aura Enterprise supports private endpoints on Azure using Azure Private Link.
Once activated, you can create an endpoint in your Virtual Network (VNet) that connects to Aura.

All applications running Neo4j workloads inside the VNet are routed directly to your isolated environment in Aura without traversing the public internet. You can then disable public traffic, ensuring all traffic to the instance remains private to your VNet.
Browser and Bloom access over private endpoints
To connect to your instance via Browser or Bloom, you must use a dedicated VPN. This is because when you disable public access to your instance, this applies to all connections, including those from your computer when using Browser or Bloom.
Without private endpoints, you access Browser and Bloom over the internet:

When you have enabled private endpoints and disabled public internet access, you can no longer connect Browser or Bloom to your instances over the internet:

To continue accessing Browser and Bloom, you can configure a VPN (Virtual Private Network) in your VNet and connect to Browser and Bloom over the VPN.
To access Bloom and Browser over a VPN, you must ensure that:

Enabling private endpoints
To enable private endpoints using Azure Private Link, please raise a support ticket.
Please see the Azure Documentation for required roles and permissions.
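The AWS, GCP and Azure sections above all make the same promise: once the private endpoint is in place and public traffic is disabled, application traffic to the instance stays inside your VPC or VNet. A simple operational check for that is to resolve the instance hostname from inside the network and refuse to connect if any returned address is not a private one. The following is an added example, not part of the Aura documentation or the Neo4j driver; it assumes that, with the private endpoint active, the hostname in your connection URI resolves to an address inside your network, and the URI and addresses in it are constructed placeholders.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def host_from_uri(uri):
    """Extract the hostname from a Bolt-style connection URI (e.g. neo4j+s://host)."""
    parsed = urlparse(uri)
    if not parsed.hostname:
        raise ValueError(f"no hostname in connection URI {uri!r}")
    return parsed.hostname


def resolve_addresses(host):
    """Resolve host to every A/AAAA address visible from this network (live DNS lookup)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def addresses_are_private(addresses):
    """True only if there is at least one address and every one of them lies in a
    private range (RFC 1918, RFC 4193 ULA, loopback or link-local as per ipaddress)."""
    if not addresses:
        return False
    return all(ipaddress.ip_address(addr).is_private for addr in addresses)


def check_private_path(uri):
    """Resolve the instance host and report whether all resolved addresses are private.

    Returns (ok, addresses). Callers should open the driver connection only if ok is
    True; a public address in the list means the endpoint or DNS is not set up as expected.
    """
    addresses = resolve_addresses(host_from_uri(uri))
    return addresses_are_private(addresses), addresses


if __name__ == "__main__":
    # Constructed placeholder URI; replace with your instance's connection URI.
    uri = "neo4j+s://placeholder-db-id.example.invalid"
    try:
        ok, addresses = check_private_path(uri)
        print("private path" if ok else "PUBLIC address seen", addresses)
    except socket.gaierror as exc:
        print("DNS resolution failed (expected for the placeholder host):", exc)
```

Run it from a host inside the VPC/VNet after enabling the endpoint and again from outside; the inside run should report only private addresses, and the outside run should fail to resolve or connect once public access is disabled.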
Single Sign-On
Applies to: AuraDB Enterprise, AuraDS Enterprise
Aura Enterprise supports Single Sign-On (SSO) at both the Console level and for accessing Workspace, Bloom and Browser clients directly at the instance level.
Aura requires Authorization Code Flow with PKCE to ensure best practice security.
Console SSO
Console SSO allows users to log in to the Aura Console using their company IdP credentials and grants Public Access privileges to all instances in the tenant.
The following OpenID Connect (OIDC) certified Identity Providers (IdPs) are currently supported for Console-level Authentication:
- Microsoft Azure Active Directory (AAD)
- Okta
To enable Console SSO on your Aura Enterprise tenant(s), please raise a support ticket including the following information:
- The Tenant ID of the tenant(s) you want to use SSO with. See Tenants for more information on how to find your Tenant ID.
- The name of your IdP.
Instance SSO
Instance SSO allows you to directly map groups of users (as defined in your IdP) to DBMS RBAC roles when launching Workspace, Bloom and Browser clients from an Aura instance.
The following OIDC certified IdPs are currently supported for instance-level Authentication:
- Microsoft Azure Active Directory (AAD)
- Okta
- Keycloak
- Google Authentication
To add SSO for Workspace, Bloom, and Browser to your Aura Enterprise instances, please raise a support ticket including the following information:
- The Connection URI of the instance(s) you want to use SSO with.
- Whether you want Workspace, Bloom, Browser, or a combination of them enabled.
- The name of your IdP.
If you have to specify an application type when configuring your client, Neo4j is a Single-page application. For more information on configuring your client, see Neo4j Single Sign-On (SSO) Configuration.
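The SSO section states that Aura requires Authorization Code Flow with PKCE. PKCE (RFC 7636) matters for a single-page application because it holds no client secret: the client sends a hash of a fresh random value with the authorization request and reveals the value itself only at the token endpoint, so an authorization code intercepted in transit cannot be redeemed without it. The following is an added example, not code from the Aura documentation or from any IdP; it implements the S256 transform and the check the authorization server performs, and the client_id, redirect URI and scope in the usage call are constructed placeholders.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: 43..128 characters from the unreserved URI set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(raw):
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes=32):
    """Generate a high-entropy code_verifier. 32 random bytes encode to 43 characters,
    the minimum length the RFC allows."""
    return _b64url(secrets.token_bytes(n_bytes))


def is_valid_verifier(verifier):
    """Server-side syntax check on a presented code_verifier."""
    return bool(_VERIFIER_RE.match(verifier))


def make_code_challenge(verifier):
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier, challenge):
    """Check performed at the token endpoint: the verifier presented with the code
    must hash to the challenge that accompanied the original authorization request."""
    if not is_valid_verifier(verifier):
        return False
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def authorization_request_params(client_id, redirect_uri, scope, verifier):
    """Query parameters a client adds to the authorization request (client keeps the
    verifier private until the token request)."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": secrets.token_urlsafe(16),  # CSRF binding for the redirect
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }


if __name__ == "__main__":
    verifier = make_code_verifier()
    params = authorization_request_params(
        "placeholder-client-id",           # constructed placeholder
        "https://app.example.invalid/cb",  # constructed placeholder
        "openid profile email",
        verifier,
    )
    print(params)
    # The token endpoint later receives the verifier and re-derives the challenge:
    print(verify_code_challenge(verifier, params["code_challenge"]))
```

The test values below are the worked example from RFC 7636 Appendix B, so the transform can be checked against a known-good pair rather than only against itself.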
Supported TLS cipher suites
For additional security, client communications are carried via TLS v1.2 and TLS v1.3.
AuraDB accepts only a restricted list of cipher suites during the TLS handshake, not every suite the client may offer. The following list conforms to the recommendations of IANA and of the OpenSSL and GnuTLS libraries.
TLS v1.3:
- TLS_CHACHA20_POLY1305_SHA256 (RFC8446)
- TLS_AES_128_GCM_SHA256 (RFC8446)
- TLS_AES_256_GCM_SHA384 (RFC8446)
TLS v1.2:
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (RFC5288)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (RFC5289)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (RFC5289)
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (RFC7905)
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (RFC5288)