Accessing Neo4j
A Neo4j running on Kubernetes is accessible via Kubernetes Services. Neo4j has a number of different interfaces for different application and operational purposes. For more details, see Neo4j ports.
Supported Kubernetes services
Neo4j supports the following Kubernetes services:
-
Default Service — a ClusterIP service for application
neo4j
/bolt
andhttp(s)
connections to the Neo4j database, originating from inside the Kubernetes cluster. -
Admin Service — a “Headless” (DNS only) service that includes all Neo4j ports for admin connections to Neo4j inside Kubernetes. It is only available inside the Kubernetes cluster and access to it should be guarded. The Admin service can be used for Neo4j DBMS administration, performing backups, and collecting metrics.
-
Internal Service — a “Headless” (DNS only) internal service that includes all Neo4j ports required for the Neo4j cluster.
-
Neo4j — a LoadBalancer service for application
neo4j
/bolt
andhttp(s)
connections originating from outside the Kubernetes cluster.
The following is a list of the default Kubernetes services per Neo4j interface and deployment type:
Neo4j Interface | Default Port | Default Service | Admin Service | Neo4j Service |
---|---|---|---|---|
Bolt ( |
|
Yes |
Yes* |
Yes |
Neo4j Browser HTTP |
|
Yes |
Yes* |
Yes |
Neo4j Browser HTTPS |
|
Yes |
Yes* |
Yes |
Neo4j Cypher HTTP API |
|
Yes |
Yes* |
Yes |
Neo4j Cypher HTTPS API |
|
Yes |
Yes* |
Yes |
Neo4j Backup |
|
No |
Yes |
No but configurable |
Graphite Monitoring |
|
No |
Yes |
No |
Prometheus Metrics |
|
No |
Yes |
No |
Java Management Extensions (JMX) |
|
No |
No but configurable |
No |
Neo4j Interface | Default Port | Default Service | Admin Service | Internal Service | Neo4j Service |
---|---|---|---|---|---|
Bolt ( |
|
Yes |
Yes* |
Yes |
Yes |
Neo4j Browser HTTP |
|
Yes |
Yes* |
Yes |
Yes |
Neo4j Browser HTTPS |
|
Yes |
Yes* |
Yes |
Yes |
Neo4j Cypher HTTP API |
|
Yes |
Yes* |
Yes |
Yes |
Neo4j Cypher HTTPS API |
|
Yes |
Yes* |
Yes |
Yes |
Neo4j Backup |
|
No |
Yes |
Yes |
No |
Graphite Monitoring |
|
No |
No but configurable |
No but configurable |
No |
Prometheus Metrics |
|
No |
No but configurable |
No but configurable |
No |
Java Management Extensions (JMX) |
|
No |
No but configurable |
No but configurable |
No |
Cluster discovery management |
|
No |
No |
Yes |
No |
Cluster transaction |
|
No |
No |
Yes |
No |
Cluster RAFT |
|
No |
No |
Yes |
No |
Cluster routing connector |
|
No |
No |
Yes |
No |
*The Admin service bypasses health checks. This allows it to be used to make connections for administrative purposes when the database is in an unhealthy state. However, you must not use it to connect from applications that require the database to be in a healthy state.
Applications accessing Neo4j from inside Kubernetes
Access Neo4j using DNS
To access Neo4j from an application in the same Kubernetes cluster use the Neo4j service DNS address <release-name>.<namespace>.svc.<cluster domain>
.
The default cluster domain is cluster.local
and the default namespace is default
.
Generally, the Neo4j service DNS address is <release-name>.default.svc.cluster.local.
For example, if using the release name my-release
in the default
namespace, the cluster’s DNS address would be my-release.default.svc.cluster.local
, and the bolt
address for use with Neo4j drivers would be neo4j://my-release.default.svc.cluster.local:7687.
To allow for an application running inside Kubernetes to access a Neo4j cluster, you can also use the Neo4j headless service that is installed via the neo4j/neo4j-cluster-headless-service Helm chart. For more information and a detailed example, see Access the Neo4j cluster using headless service. |
Access Neo4j using K8s label selector
Alternatively, the Neo4j service (default) in Kubernetes can be located using Kubernetes service discovery by searching with the label selector:
helm.neo4j.com/service=default/admin/internals,helm.neo4j.com/instance=<release-name>
For example:
# install neo4j
helm install "my-release" …
# lookup installed service
kubectl get service -l helm.neo4j.com/service=default,helm.neo4j.com/instance=my-release
helm.neo4j.com/service=neo4j,helm.neo4j.com/instance=<release-name>
The following is an example of how to look up the installed services:
# Neo4j service:
kubectl get service -l helm.neo4j.com/service=default,helm.neo4j.com/instance=my-release
# Admin service:
kubectl get service -l helm.neo4j.com/service=admin,helm.neo4j.com/instance=my-release
# internals service:
kubectl get service -l helm.neo4j.com/service=internals,helm.neo4j.com/instance=my-release
Applications accessing Neo4j from outside Kubernetes
To access Neo4j from an application outside the Kubernetes cluster, you can use a LoadBalancer service or an Ingress controller.
Access Neo4j using a LoadBalancer
Neo4j Helm chart provides a LoadBalancer
service for accessing Neo4j from outside the Kubernetes cluster.
The LoadBalancer
service is created by default when installing the Neo4j Helm chart.
The LoadBalancer
service is configured to expose the Neo4j ports 7687
, 7474
, 7473
, and 6362
(backup) by default.
The external IP(s) of the LoadBalancer
can be found using kubectl
:
-
The service name is based on the value of the
neo4j.name
—<my-neo4j-name>-lb-neo4j
:kubectl get service `<my-neo4j-name>-lb-neo4j` -ocustom-columns=ip:.status.loadBalancer.ingress[].ip
-
Using a label selector:
kubectl get service -l helm.neo4j.com/service=neo4j,helm.neo4j.com/name=<release-name> -ocustom-columns=ip:.status.loadBalancer.ingress[].ip
If the Kubernetes LoadBalancer
implementation that you are using supports setting a static IP, the IP address of the LoadBalancer
can be configured in the Neo4j Helm release by setting externalService.loadBalancerIP
.
If a static IP address is not explicitly set, then Kubernetes does not guarantee that a dynamically assigned IP address will not change.
When exposing a Neo4j database on the Internet, it is recommended to use a static IP and configure SSL on the exposed services. For more information, see Configure SSL.
If you have static IPs, you can associate DNS with them and obtain trusted certificates.
The ports that are exposed on the external service can be configured in the Helm release by changing the services.neo4j
object.
The default values are:
services:
neo4j:
annotations: { }
loadBalancerIP: NULL
ports:
http:
enabled: true
# uncomment to publish http on port 80 (neo4j default is 7474)
# port: 80
# targetPort: 7474
# name: http
https:
enabled: true
# uncomment to publish http on port 443 (neo4j default is 7473)
# port: 443
# targetPort: 7473
# name: https
bolt:
enabled: true
# Uncomment to explicitly specify the port to publish Neo4j Bolt (7687 is the default)
# port: 7687
# targetPort: 7687
# name: tcp-bolt
backup:
enabled: false
# Uncomment to explicitly specify the port to publish Neo4j Backup (6362 is the default)
# port: 6362
# targetPort: 6362
# name: tcp-backup
Disabling/enabling a port on the services.neo4j
object removes it from the load balancer but does not affect whether it is disabled/enabled in Neo4j.
Backup is not secure unless SSL-with-client-auth is enforced in the Neo4j configuration. |
For a detailed example, see Access the Neo4j cluster from outside Kubernetes.
Customizing Kubernetes Resources
The Neo4j Helm chart creates various Kubernetes resources. Some of them can be customized by adding extra configuration to the helm deployment values file.
The following is a list of the supported K8s resources customizations:
Customization | values.yaml field | Type |
---|---|---|
Setting a pod securityContext for the Neo4j Pod |
|
|
Adding annotations to Services |
|
Annotations object for |
|
Annotations object for headless (DNS) service. |
|
|
Annotations object for |
Customization | values.yaml field | Type |
---|---|---|
Setting a pod securityContext for the Neo4j Pod |
|
|
Adding annotations to Services |
|
Annotations object for |
|
Annotations object for headless (DNS) service. |
|
|
Annotations object for internal service. |
|
Adding annotations to Load Balancer Service |
|
Annotations object for |
Accessing Neo4j for DBMS administration and monitoring
The Neo4j Helm chart creates the admin service for the purposes of Neo4j administration. The admin service is a “Headless” service in Kubernetes and does not depend on Neo4j health checks. Therefore, it permits connections to Neo4j even if Neo4j is not healthy. In general, that is not desirable for applications but can be useful for administration and debugging.
Access Neo4j using DNS
To access the admin service inside Kubernetes use the DNS address <release-name>-admin.<namespace>.svc.<cluster domain>.
For example, if using the release name my-release
in the default
namespace, the cluster’s DNS address would be my-release-admin.default.svc.cluster.local
.
The admin service can be used to access a range of Neo4j interfaces:
-
Neo4j Bolt for Neo4j administration via Cypher commands.
-
Neo4j Backup for taking database backups.
-
Graphite for metrics collection.
-
Prometheus for metrics collection.
-
Java Management Extensions (JMX) for metrics collection and JVM administration.
Access Neo4j using kubectl
for troubleshooting
To get an interactive cypher-shell
console for troubleshooting, use this command:
kubectl run -it --rm --image neo4j:5.26.1 cypher-shell -- cypher-shell -a bolt://my-release-admin.default.svc.cluster.local
Generally, the neo4j://
protocol is used for connecting to Neo4j.
For troubleshooting, though, the direct bolt://
protocol is used because it allows a connection in some situations where a neo4j://
connection will not succeed.