Secure connections

VPC isolation

AuraDB Enterprise AuraDS Enterprise

AuraDB Enterprise and AuraDS Enterprise run in a dedicated cloud Account (AWS), Subscription (Azure) or Project (GCP) to achieve complete isolation for your deployment.

Additional VPC boundaries enable you to operate within an isolated section of the service, where your processing, networking, and storage are further protected.

Note that the Aura Console runs in its own VPC, separate from the rest of Aura.

Network access

An Aura instance can be publicly available, completely private, or both. Configuring this requires authorization to the part of the infrastructure that runs and handles these instances, and to the networking used to establish secure connections between the database and your application’s VPC. This includes the ability to create a connection over the cloud provider’s private link and private endpoint.

If your Aura instances are public, traffic to them is allowed to traverse the public internet, and any client that can reach them over the internet can connect with a valid username and password.

For your instance to be completely private, turn public traffic off, use the cloud provider’s private network, and create a private endpoint inside your VPC, which gives you a private connection to Aura. The only way to connect to your database is then from inside your own network (your VPC in your AWS/Azure/GCP account), using an internal IP address you choose and DNS records you create.

To select network access settings, go to Aura Console > Security > Network Access.

Private endpoints

Private endpoints are network interfaces inside your own VPC, which can only be accessed within your private network. The cloud provider connects them over their network to Neo4j Aura. By design they are not exposed to the public internet, ensuring that critical services are accessible only through private, secure networks.

AWS private endpoints

AuraDB Enterprise AuraDS Enterprise

AuraDB Enterprise and AuraDS Enterprise support private endpoints on AWS using AWS PrivateLink.

Once activated, you can create an endpoint in your VPC that connects to Aura.

Figure 1. VPC connectivity with AWS PrivateLink

All applications running Neo4j workloads inside the VPC are routed directly to your isolated environment in Aura without traversing the public internet. You can then disable public traffic, ensuring all traffic to the instance remains private to your VPC.

  • PrivateLink applies to all instances in the region.

  • When activated, a Private Connection label, shield icon, and dedicated Private URI will appear on any instance tile using PrivateLink in the Aura Console.

  • If you disable public traffic, you must use a dedicated VPN to connect to your instance via Browser or Bloom.

  • Connections using private endpoints are one-way. Aura VPCs can’t initiate connections back to your VPCs.

  • In AWS region us-east-1, we do not support the Availability Zone with ID use1-az3 for private endpoints.

Browser and Bloom access over private endpoints

To connect to your instance via Browser or Bloom, you must use a dedicated VPN. Disabling public access to your instance applies to all connections, including those from your own computer when you use Browser or Bloom.

Without private endpoints, you access Browser and Bloom over the internet:

Figure 2. Architecture overview before enabling private endpoints

When you have enabled private endpoints and disabled public internet access, you can no longer connect Browser or Bloom to your instances over the internet:

Figure 3. Architecture overview with private endpoints enabled and public traffic disabled

To continue accessing Browser and Bloom, you can configure a VPN (Virtual Private Network) in your VPC and connect to Browser and Bloom over the VPN.

To access Bloom and Browser over a VPN, you must ensure that:

  • The VPN server uses the VPC’s DNS servers, so that the Private URI resolves to the private endpoint’s internal IP address.

  • You use the Private URI shown on the instance tile and in the instance details. It will be different from the Connection URI you used before.

Figure 4. Accessing Browser and Bloom over a VPN

Enabling private endpoints

To enable private endpoints using AWS PrivateLink:

  1. Select Network Access from the sidebar menu of the Console.

  2. Select New network access configuration and follow the setup instructions.

You will need an AWS account with permissions to create, modify, describe and delete VPC endpoints. See the AWS Documentation for more information.

GCP private endpoints

AuraDB Enterprise AuraDS Enterprise

AuraDB Enterprise and AuraDS Enterprise support private endpoints on GCP using GCP Private Service Connect.

Once activated, you can create an endpoint in your VPC that connects to Aura.

Figure 5. VPC connectivity with GCP Private Service Connect

All applications running Neo4j workloads inside the VPC are routed directly to your isolated environment in Aura without traversing the public internet. You can then disable public traffic, ensuring all traffic to the instance remains private to your VPC.

  • Private Service Connect applies to all instances in the region.

  • When activated, a Private Connection label, shield icon, and dedicated Private URI will appear on any instance tile using Private Service Connect in the Aura Console.

  • If you disable public traffic, you must use a dedicated VPN to connect to your instance via Browser or Bloom.

  • Connections using private endpoints are one-way. Aura VPCs can’t initiate connections back to your VPCs.

Browser and Bloom access over private endpoints

To connect to your instance via Browser or Bloom, you must use a dedicated VPN. Disabling public access to your instance applies to all connections, including those from your own computer when you use Browser or Bloom.

Without private endpoints, you access Browser and Bloom over the internet:

Figure 6. Architecture overview before enabling private endpoints

When you have enabled private endpoints and disabled public internet access, you can no longer connect Browser or Bloom to your instances over the internet:

Figure 7. Architecture overview with private endpoints enabled and public traffic disabled

To continue accessing Browser and Bloom, you can configure a GCP Cloud VPN (Virtual Private Network) in your VPC and connect to Browser and Bloom over the VPN.

To access Bloom and Browser over a VPN, you must ensure that:

  • You have set up GCP Cloud DNS, or an equivalent DNS service, inside the VPC, so that the Private URI resolves to the private endpoint’s internal IP address.

  • You use the Private URI shown on the instance tile and in the instance details. It will be different from the Connection URI you used before.

Figure 8. Accessing Browser and Bloom over a VPN

Enabling private endpoints

To enable private endpoints using GCP Private Service Connect:

  1. Select Network Access from the sidebar menu of the Console.

  2. Select New network access configuration and follow the setup instructions.

See the GCP Documentation for the required roles and permissions.

Azure private endpoints

AuraDB Enterprise AuraDS Enterprise

AuraDB Enterprise and AuraDS Enterprise support private endpoints on Azure using Azure Private Link.

Once activated, you can create an endpoint in your Virtual Network (VNet) that connects to Aura.

Figure 9. VNet connectivity with Azure Private Link

All applications running Neo4j workloads inside the VNet are routed directly to your isolated environment in Aura without traversing the public internet. You can then disable public traffic, ensuring all traffic to the instance remains private to your VNet.

  • Private Link applies to all instances in the region.

  • When activated, a Private Connection label, shield icon, and dedicated Private URI will appear on any instance tile using Private Link in the Aura Console.

  • If you disable public traffic, you must use a dedicated VPN to connect to your instance via Browser or Bloom.

  • Connections using private endpoints are one-way. Aura VNets can’t initiate connections back to your VNets.

Browser and Bloom access over private endpoints

To connect to your instance via Browser or Bloom, you must use a dedicated VPN. Disabling public access to your instance applies to all connections, including those from your own computer when you use Browser or Bloom.

Without private endpoints, you access Browser and Bloom over the internet:

Figure 10. Architecture overview before enabling private endpoints

When you have enabled private endpoints and disabled public internet access, you can no longer connect Browser or Bloom to your instances over the internet:

Figure 11. Architecture overview with private endpoints enabled and public traffic disabled

To continue accessing Browser and Bloom, you can configure a VPN (Virtual Private Network) in your VNet and connect to Browser and Bloom over the VPN.

To access Bloom and Browser over a VPN, you must ensure that:

  • You have set up Azure Private DNS, or an equivalent DNS service, inside the VNet, so that the Private URI resolves to the private endpoint’s internal IP address.

  • You use the Private URI shown on the instance tile and in the instance details. It will be different from the Connection URI you used before.

Figure 12. Accessing Browser and Bloom over a VPN

Enabling private endpoints

To enable private endpoints using Azure Private Link:

  1. Select Network Access from the sidebar menu of the Console.

  2. Select New network access configuration and follow the setup instructions.

See the Azure Documentation for the required roles and permissions.
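After completing any of the three procedures above (AWS PrivateLink, GCP Private Service Connect or Azure Private Link) and disabling public traffic, it is worth confirming from a host on the VPN that the instance is really reachable only through the private endpoint. The following script is an added example, not Neo4j code: the hostnames are hypothetical placeholders for the Private URI host and the original Connection URI host shown on the instance tile, and the resolver and connector are injectable so the same logic can run against the real network or against constructed data.

```python
"""Verify that an Aura instance is reachable only through its private endpoint.

Added example, not Neo4j code. Hostnames are hypothetical placeholders for the
Private URI and the original Connection URI shown on the instance tile. The
resolver and connector are injectable so the same logic runs against the real
network (from a host on the VPN, using the VPC's DNS) or against constructed data.
"""
import ipaddress
import socket
from typing import Callable, Iterable

BOLT_PORT = 7687  # port used by Neo4j drivers, Browser and Bloom

# Address space a VPC/VNet private endpoint is expected to live in.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    ipaddress.ip_network("fc00::/7"),        # RFC 4193 (IPv6 unique local)
]

Resolver = Callable[[str], Iterable[str]]
Connector = Callable[[str, int], bool]


def resolve(host: str) -> list[str]:
    """Resolve host with the system resolver; on the VPN this should be the VPC's DNS."""
    try:
        infos = socket.getaddrinfo(host, BOLT_PORT, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or unresolvable
        return False


def is_private_address(address: str) -> bool:
    """True when the address falls inside one of PRIVATE_RANGES."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_RANGES)


def check_private_only(private_host: str, public_host: str,
                       resolver: Resolver = resolve,
                       connector: Connector = tcp_reachable) -> dict:
    """Return per-check results plus an overall 'ok' flag.

    The instance passes when the Private URI resolves only to private addresses
    and accepts Bolt, while the public URI either does not resolve or refuses
    Bolt, which is the expected state once public traffic is disabled.
    """
    private_addrs = list(resolver(private_host))
    public_addrs = list(resolver(public_host))
    results = {
        "private_uri_resolves_to_private_ip":
            bool(private_addrs) and all(is_private_address(a) for a in private_addrs),
        "private_uri_accepts_bolt":
            bool(private_addrs) and connector(private_host, BOLT_PORT),
        "public_uri_refuses_bolt":
            not public_addrs or not connector(public_host, BOLT_PORT),
    }
    results["ok"] = all(results.values())
    return results


if __name__ == "__main__":
    # Placeholders: replace with the Private URI host and Connection URI host from the Console.
    report = check_private_only("db-private.example.invalid", "db-public.example.invalid")
    for name, passed in report.items():
        print(f"{'PASS' if passed else 'FAIL'} {name}")
```

A failing `public_uri_refuses_bolt` means the old Connection URI still accepts connections from the internet, so public traffic has not actually been turned off; a failing `private_uri_resolves_to_private_ip` usually means the VPN client is not using the VPC’s DNS servers. Note that the private path does not replace TLS: the Private URI still carries the encrypted connection described in the cipher suite section.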

Supported TLS cipher suites

Client communications are carried over TLS v1.2 or TLS v1.3.

AuraDB accepts a restricted list of cipher suites during the TLS handshake and rejects all others. The list conforms to the recommendations of IANA and of the OpenSSL and GnuTLS libraries.

TLS v1.3:

  • TLS_CHACHA20_POLY1305_SHA256 (RFC8446)

  • TLS_AES_128_GCM_SHA256 (RFC8446)

  • TLS_AES_256_GCM_SHA384 (RFC8446)

TLS v1.2:

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (RFC5288)

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (RFC5289)

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (RFC5289)

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (RFC7905)

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (RFC5288)
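A client can enforce the same policy on its own side, so that a connection which is downgraded or intercepted and lands on a weaker protocol or suite fails instead of being silently accepted. The following is an added example, not Neo4j code and not the Neo4j driver’s own TLS configuration: it pins a Python `ssl` client context to TLS 1.2+ and to the suites listed above, and audits what a finished handshake actually negotiated. The mapping from the IANA names on the page to the OpenSSL names that Python reports is supplied here.

```python
"""Client-side enforcement of the TLS policy listed above.

Added example, not Neo4j code and not the Neo4j driver's own TLS setup. It pins
a client context to TLS 1.2+ and to the listed cipher suites, and audits what a
finished handshake negotiated, so a downgraded or intercepted connection that
lands on a weaker protocol or suite is rejected rather than silently accepted.
"""
import ssl

# TLS 1.3 suites: OpenSSL (and therefore Python's ssl) reports these by IANA name.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# TLS 1.2 suites: IANA name from the list -> the OpenSSL name Python reports.
TLS12_SUITES = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
}

ALLOWED_BY_VERSION = {
    "TLSv1.3": TLS13_SUITES,
    "TLSv1.2": set(TLS12_SUITES.values()),
}


def build_client_context() -> ssl.SSLContext:
    """A client context that can only negotiate within the published policy."""
    ctx = ssl.create_default_context()  # CA verification and hostname check stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below. OpenSSL's default TLS 1.3 list is
    # the three AEAD suites above; Python's ssl module exposes no setter for it.
    ctx.set_ciphers(":".join(TLS12_SUITES.values()))
    return ctx


def offered_suites(ctx: ssl.SSLContext) -> dict:
    """Suites the context would offer, grouped by the protocol that defines them."""
    offered: dict = {}
    for cipher in ctx.get_ciphers():
        offered.setdefault(cipher["protocol"], set()).add(cipher["name"])
    return offered


def context_within_policy(ctx: ssl.SSLContext) -> bool:
    """True if the context cannot offer a TLS 1.2 suite or protocol version outside the policy."""
    tls12_offered = offered_suites(ctx).get("TLSv1.2", set())
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and tls12_offered <= ALLOWED_BY_VERSION["TLSv1.2"])


def check_negotiated(version: str, cipher: str) -> bool:
    """True only if the (protocol version, cipher suite) pair is inside the policy."""
    return cipher in ALLOWED_BY_VERSION.get(version, set())


def audit_connection(sock: ssl.SSLSocket) -> bool:
    """Audit a finished handshake: protocol from version(), suite name from cipher()."""
    cipher_name, _protocol, _bits = sock.cipher()
    return check_negotiated(sock.version(), cipher_name)


if __name__ == "__main__":
    context = build_client_context()
    print("within policy:", context_within_policy(context))
    for version, names in sorted(offered_suites(context).items()):
        print(version, sorted(names))
```

To use it against a live instance, wrap the Bolt socket with `build_client_context().wrap_socket(raw_socket, server_hostname=host)` and call `audit_connection` on the result before handing the connection to anything else; `check_negotiated` rejects CBC and SHA-1 suites such as `ECDHE-RSA-AES128-SHA`, anything negotiated below TLS 1.2, and a TLS 1.3 suite name claimed on a TLS 1.2 connection, which is not a combination a genuine handshake can produce.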