Access a Neo4j cluster
A Neo4j cluster is accessible via Kubernetes Services. Neo4j has a number of different interfaces for different application and operational purposes. For more details, see Neo4j ports.
Supported Kubernetes services
The Neo4j Helm chart publishes four K8s services:
- Default Service — a ClusterIP service for application neo4j/bolt and http(s) connections to the Neo4j database, originating from inside the Kubernetes cluster.
- Admin Service — a “Headless” (DNS only) service that includes all Neo4j ports for admin connections to Neo4j inside Kubernetes. It is only available inside the Kubernetes cluster and access to it should be guarded. The Admin service can be used for Neo4j DBMS administration, performing backups, and collecting metrics.
- Internal Service — a “Headless” (DNS only) internal service that includes all Neo4j ports required for causal clustering.
- Neo4j — a LoadBalancer service for application neo4j/bolt and http(s) connections originating from outside the Kubernetes cluster.
Neo4j Interface | Default Port | Default Service | Admin Service | Internal Service | Neo4j Service |
---|---|---|---|---|---|
Bolt | | Yes | Yes* | Yes | Yes |
Neo4j Browser HTTP | | Yes | Yes* | Yes | Yes |
Neo4j Browser HTTPS | | Yes | Yes* | Yes | Yes |
Neo4j Cypher HTTP API | | Yes | Yes* | Yes | Yes |
Neo4j Cypher HTTPS API | | Yes | Yes* | Yes | Yes |
Neo4j Backup | | No | Yes | Yes | No |
Graphite Monitoring | | No | No but configurable | No but configurable | No |
Prometheus Metrics | | No | No but configurable | No but configurable | No |
Java Management Extensions (JMX) | | No | No but configurable | No but configurable | No |
Cluster discovery management | | No | No | Yes | No |
Cluster transaction | | No | No | Yes | No |
Cluster RAFT | | No | No | Yes | No |
Cluster routing connector | | No | No | Yes | No |
*The Admin service bypasses health checks. This allows it to be used to make connections for administrative purposes when the database is in an unhealthy state. However, you must not use it to connect from applications that require the database to be in a healthy state.
Applications accessing Neo4j from inside Kubernetes
Access Neo4j using DNS
To access Neo4j from an application in the same Kubernetes cluster, use the Neo4j service DNS address <release-name>.<namespace>.svc.<cluster domain>.
The default cluster domain is cluster.local and the default namespace is default.
Generally, the Neo4j service DNS address is <release-name>.default.svc.cluster.local.
For example, if using the release name my-release in the default namespace, the cluster’s DNS address would be my-release.default.svc.cluster.local, and the bolt address for use with Neo4j drivers would be neo4j://my-release.default.svc.cluster.local:7687.
To allow for an application running inside Kubernetes to access the Neo4j cluster, you can also use the Neo4j headless service that is installed via the neo4j/neo4j-cluster-headless-service Helm chart. For more information and a detailed example, see Access the Neo4j cluster using headless service.
Access Neo4j using K8s label selector
Alternatively, the Neo4j service (default) in Kubernetes can be located using Kubernetes service discovery by searching with the label selector: helm.neo4j.com/service=default/admin/internals,helm.neo4j.com/instance=<release-name>.
The following is an example of how to look up the installed services:
# Neo4j service:
kubectl get service -l helm.neo4j.com/service=default,helm.neo4j.com/instance=my-release
# Admin service:
kubectl get service -l helm.neo4j.com/service=admin,helm.neo4j.com/instance=my-release
# internals service:
kubectl get service -l helm.neo4j.com/service=internals,helm.neo4j.com/instance=my-release
Ad-hoc external access using kubectl port-forward
In most cases, it is possible to access the Neo4j service from a developer machine outside the Kubernetes cluster using kubectl port-forward.
To access the Neo4j service for http(s) and neo4j/bolt from a developer machine, use the following command:
kubectl port-forward svc/<release-name> tcp-bolt tcp-http tcp-https
Neo4j is accessible via the Neo4j browser at http://localhost:7474.
Applications accessing Neo4j from outside Kubernetes
To access a Neo4j cluster from an application outside the Kubernetes cluster, you can use a LoadBalancer service. For more information, see Access the Neo4j cluster from outside Kubernetes.
Customizing Kubernetes Resources
The Neo4j Helm chart creates various Kubernetes resources. Some of them can be customized by adding extra configuration to the helm deployment values file.
Customization | values.yaml field | Type |
---|---|---|
Setting a pod securityContext for the Neo4j Pod | | |
Adding annotations to Services | | Annotations object for |
| | Annotations object for headless (DNS) service. |
| | Annotations object for internal service. |
Adding annotations to Load Balancer Service | | Annotations object for |
Accessing Neo4j for DBMS administration and monitoring
The Neo4j Helm chart creates the admin service for the purposes of Neo4j administration. The admin service is a “Headless” service in Kubernetes and does not depend on Neo4j health checks. Therefore, it permits connections to Neo4j even if Neo4j is not healthy. In general, that is not desirable for applications but can be useful for administration and debugging.
Access Neo4j using DNS
To access the admin service inside Kubernetes use the DNS address <release-name>-admin.<namespace>.svc.<cluster domain>.
For example, if using the release name my-release in the default namespace, the cluster’s DNS address would be my-release-admin.default.svc.cluster.local.
The admin service can be used to access a range of Neo4j interfaces:
- Neo4j Bolt for Neo4j administration via Cypher commands.
- Neo4j Backup for taking database backups.
- Graphite for metrics collection.
- Prometheus for metrics collection.
- Java Management Extensions (JMX) for metrics collection and JVM administration.
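Because the admin and internals services carry administrative and clustering ports and the admin service bypasses health checks, it is worth checking that they stay headless and that application connection strings do not point at the admin DNS name. The following is an added example, not part of the Neo4j documentation or the Helm chart; the sample service list, the internals service name and the function names are constructed for illustration.

```python
import json
import sys
from urllib.parse import urlparse

# Constructed sample shaped like
# `kubectl get service -l helm.neo4j.com/instance=my-release -o json`, trimmed
# to the fields used here. The internals service name and the NodePort admin
# service are made up for the demonstration.
def _svc(name, role, svc_type, cluster_ip):
    return {"metadata": {"name": name, "namespace": "default",
                         "labels": {"helm.neo4j.com/service": role,
                                    "helm.neo4j.com/instance": "my-release"}},
            "spec": {"type": svc_type, "clusterIP": cluster_ip}}

SAMPLE = {"items": [
    _svc("my-release", "default", "ClusterIP", "10.0.12.7"),
    _svc("my-release-admin", "admin", "NodePort", "10.0.12.9"),
    _svc("my-release-internals", "internals", "ClusterIP", "None"),
]}

ROLE_LABEL = "helm.neo4j.com/service"
INTERNAL_ONLY = {"admin", "internals"}  # roles the page describes as headless

def audit_services(service_list):
    """Return (name, problem) pairs for admin/internals services that are not headless."""
    findings = []
    for svc in service_list["items"]:
        name, spec = svc["metadata"]["name"], svc["spec"]
        role = svc["metadata"].get("labels", {}).get(ROLE_LABEL)
        if role not in INTERNAL_ONLY:
            continue
        if spec.get("type", "ClusterIP") != "ClusterIP":
            findings.append((name, f"{role} service has type {spec['type']}"))
        elif spec.get("clusterIP") != "None":
            findings.append((name, f"{role} service is not headless"))
    return findings

def uses_admin_service(uri, release, namespace="default", domain="cluster.local"):
    """True if a connection URI targets the admin service DNS name."""
    host = (urlparse(uri).hostname or "").lower().rstrip(".")
    base = f"{release}-admin"
    # Kubernetes DNS also resolves the shortened forms of the same name.
    return host in {base, f"{base}.{namespace}", f"{base}.{namespace}.svc",
                    f"{base}.{namespace}.svc.{domain}"}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, problem in audit_services(data):
        print(f"{name}: {problem}")
```

Piping real `kubectl get service ... -o json` output into the script replaces the constructed sample.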
Access Neo4j using kubectl for troubleshooting
To get an interactive cypher-shell console for troubleshooting, use this command:
kubectl run -it --rm --image neo4j:5.6.0 cypher-shell -- cypher-shell -a bolt://my-release-admin.default.svc.cluster.local
Generally, the neo4j:// protocol is used for connecting to Neo4j.
For troubleshooting, though, the direct bolt:// protocol is used because it allows a connection in some situations where a neo4j:// connection will not succeed.