Security

Encryption

All data stored in Neo4j Aura is encrypted using intra-cluster encryption between the various nodes comprising your database and encrypted at rest using the underlying cloud provider’s encryption mechanism.

By default, Google Cloud and AWS encrypt all backup buckets (including the objects stored inside) with either Google-managed encryption or AWS SSE-S3 encryption.

VPC isolation

AuraDB Enterprise AuraDS Enterprise

AuraDB Enterprise and AuraDS Enterprise run within a Virtual Private Cloud (VPC) isolation for your deployment.

The VPC enables you to operate within an isolated section of the service, where your processing, networking, and storage are further protected.

Please note that the Aura console runs in a separate VPC.

Private endpoints

AuraDB Enterprise

AuraDB Enterprise supports private endpoints on AWS using AWS PrivateLink.

Once activated, you can create an endpoint in your VPC that connects to Aura.

privatelink
Figure 1. VPC connectivity with AWS PrivateLink

All applications running Neo4j workloads inside the VPC are routed directly to your isolated environment in Aura without traversing the public internet. You can then disable public traffic, ensuring all traffic to the database remains private to your VPC.

  • When activated, PrivateLink applies to all databases in the region.

  • If you disable public traffic, you must use a dedicated VPN to connect to your database via Browser or Bloom.

  • Connections using private endpoints are one-way. Aura VPCs can’t initiate connections back to your VPCs.

  • In AWS region us-east-1, we do not support the Availability Zone with ID use1-az3 for private endpoints.

Browser and Bloom access over private endpoints

To connect to your database via Browser or Bloom, you must use a dedicated VPN. This is because when you disable public access to your database, this applies to all connections, including those from your computer when using Browser or Bloom.

Without private endpoints, you access Browser and Bloom over the internet:

privatelink 01 before enabling
Figure 2. Architecture overview before enabling private endpoints

When you have enabled private endpoints and disabled public internet access, you can no longer connect Browser or Bloom to your databases over the internet:

privatelink 02 enabled private traffic only
Figure 3. Architecture overview with private endpoints enabled and public traffic disabled

To continue accessing Browser and Bloom, you can configure a VPN (Virtual Private Network) in your VPC and connect to Browser and Bloom over the VPN.

To access Bloom and Browser over a VPN, you must ensure that:

  • The VPN server uses the VPC’s DNS servers.

  • You use the private URL provided by support when you completed setting up the private endpoint. It will be different from the URL you used before.

privatelink 03 browser bloom over vpn
Figure 4. Accessing Browser and Bloom over a VPN

Enabling private endpoints

To enable private endpoints using AWS PrivateLink, please raise a support ticket, and we’ll be in touch.

You will need an AWS account with permissions to create, modify, describe and delete endpoints. Please see the AWS Documentation for more information.

Single Sign-On

AuraDB Enterprise

AuraDB Enterprise supports Single Sign-On (SSO) for accessing the Bloom and Browser clients.

The following OpenID Connect (OIDC) certified Identity Providers (IdPs) are currently supported:

  • Microsoft Azure Active Directory (AAD)

  • Okta

  • Keycloak

  • Google Authentication

If the IdP you are currently using is not in our list of certified IdPs above, please let us know using the support ticket method mentioned below and we will evaluate the possibility of adding support.

Aura supports Authorization Code Flow with PKCE to ensure best practice security.

To add SSO for Browser and Bloom to your AuraDB Enterprise databases, please raise a support ticket including the following information:

  1. The Connection URI of the database(s) you want to use SSO.

  2. Whether or not you want Browser, Bloom, or both enabled.

  3. The name of your IdP.

  4. Confirmation that the authorization flow is PKCE.

If you have to specify an application type when configuring your client, Neo4j is a Single-page application. For more information on configuring your client, see Neo4j Single Sign-On (SSO) Configuration.

Supported TLS cipher suites

For additional security, client communications are carried via TLS v1.2 and TLS v1.3.

AuraDB has a restricted list of cipher suites accepted during the TLS handshake, and does not accept all of the available cipher suites. The following list conforms to safety recommendations from IANA, the OpenSSL, and GnuTLS library.

TLS v1.3:

  • TLS_CHACHA20_POLY1305_SHA256 (RFC8446)

  • TLS_AES_128_GCM_SHA256 (RFC8446)

  • TLS_AES_256_GCM_SHA384 (RFC8446)

TLS v1.2:

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (RFC5288)

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (RFC5289)

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (RFC5289)

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (RFC7905)

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (RFC5288)