diff --git a/modules/ROOT/images/network_access.png b/modules/ROOT/images/network_access.png new file mode 100644 index 000000000..327243c62 Binary files /dev/null and b/modules/ROOT/images/network_access.png differ diff --git a/modules/ROOT/pages/platform/security/secure-connections.adoc b/modules/ROOT/pages/platform/security/secure-connections.adoc index a87624c1f..1094a8d0e 100644 --- a/modules/ROOT/pages/platform/security/secure-connections.adoc +++ b/modules/ROOT/pages/platform/security/secure-connections.adoc 
@@ -7,24 +7,45 @@ label:AuraDB-Virtual-Dedicated-Cloud[] label:AuraDS-Enterprise[] -AuraDB Virtual Dedicated Cloud and AuraDS Enterprise run in a dedicated cloud Account (AWS), Subscription (Azure) or Project (GCP) to achieve complete isolation for your deployment. +AuraDB Virtual Dedicated Cloud and AuraDS Enterprise run in a dedicated AWS cloud account, Azure subscription or GCP project to achieve complete isolation for your deployment. +Additional Virtual Private Cloud (VPC) boundaries enable you to operate within an isolated section of the service, where your processing, networking, and storage are further protected. +The Aura console resides in a separate VPC, isolated from the rest of the Aura services. -Additional VPC boundaries enable you to operate within an isolated section of the service, where your processing, networking, and storage are further protected. +== Network access -The Aura Console runs in a separate VPC, separate from the rest of Aura. +An Aura instance can be publicly available, completely private, or configured to allow both public and private access. +To configure network access, you need to be authorized to access the part of [your system's?] infrastructure that runs and handles these instances as well as the networking used to establish secure connections between the database and the application's VPC. This includes the ability to connect over the cloud provider's private link and private endpoint. -== Network access +To configure settings for network access to your instance go to *Aura console* > *Security* > *Network access* > *New network access configuration* -An Aura instance can be publicly available, completely private, or both. -To configure this, you need to be authorized to access the part of the infrastructure that runs and handles these instances as well as the networking used to establish secure connections between the database and the application's VPC. 
-This includes the ability to connect over the cloud provider's private link and private endpoint. +From there, you can either set up a new network access configuration, or edit current configuration settings. -If your Aura instances are public, traffic to them is allowed to traverse the public internet and they are accessible with the correct username and password. +The Aura console provides a step-by-step configuration guide to: -For your instance to be completely private, turn public traffic off, use the cloud provider's network, and create a private endpoint inside your VPC, which gives you a private connection to Aura. -The only way to connect to your database is from inside your network (your VPC in your AWS/Azure/GCP account) using an internal IP address you choose and DNS records you create. +. Choose your Aura instance details +. Create an endpoint +. Accept endpoint connection requests and enable private DNS in the cloud provider's console +. Disable public traffic (optional) +If you disable public traffic it is highly recommended to link:https://support.neo4j.com/s/article/13174783967507-How-To-Test-Connectivity-Through-The-Private-Endpoint[Test Connectivity Through The Private Endpoint] + +==== Disabling public traffic + +You can return to Step 4 at any time to disable public traffic, even if you’ve already completed the network access configuration and initially allowed public traffic. +To do this, click through the steps in the network access configuration guide until you reach Step 4, where there is the option to disable public traffic. + +Note: Disabling public traffic does not take effect immediately. You can monitor the status change in the console to confirm when the process is complete. + +To continue accessing Browser and Bloom, you can configure a VPN in your VPC and connect to these services over the VPN. 
+There’s more information available in the KB https://support.neo4j.com/s/article/13174783967507-How-To-Test-Connectivity-Through-The-Private-Endpoint[How to test connectivity through the private endpoint]. + +=== Public traffic + +If private traffic is enabled, your Aura instances are public and traffic to them is allowed to traverse the public internet and they are accessible with the correct username and password. + +=== Private traffic -To select network access settings go to *Aura Console* > *Security* > *Network Access*. +To make your instance completely private, disable public traffic, use the cloud provider's network and create a private endpoint inside your VPC, which gives you a private connection to Aura. +The only way to connect to your database is from inside your network (your VPC in your AWS/Azure/GCP account) using an internal IP address you choose and DNS records you create. == Private endpoints @@ -65,7 +86,7 @@ Aura VPCs can't initiate connections back to your VPCs. ==== Browser and Bloom access over private endpoints To connect to your instance via Browser or Bloom, you must use a dedicated VPN. -This is because when you disable public access to your instance, this applies to all connections, including those from your computer when using Browser or Bloom. +This is because when you xref:[disable public access] to your instance, this applies to all connections, including those from your computer when using Browser or Bloom. Without private endpoints, you access Browser and Bloom over the internet: 
@@ -124,7 +145,7 @@ Aura VPCs can't initiate connections back to your VPCs. ==== Browser and Bloom access over private endpoints To connect to your instance via Browser or Bloom, you must use a dedicated VPN. -This is because when you disable public access to your instance, this applies to all connections, including those from your computer when using Browser or Bloom. +This is because when you xref[disable public access] to your instance, this applies to all connections, including those from your computer when using Browser or Bloom. Without private endpoints, you access Browser and Bloom over the internet: @@ -182,7 +203,7 @@ Aura VNets can't initiate connections back to your VNets. ==== Browser and Bloom access over private endpoints To connect to your instance via Browser or Bloom, you must use a dedicated VPN. -This is because when you disable public access to your instance, this applies to all connections, including those from your computer when using Browser or Bloom. +This is because when you xref[disable public access] to your instance, this applies to all connections, including those from your computer when using Browser or Bloom. Without private endpoints, you access Browser and Bloom over the internet: 
@@ -260,6 +281,40 @@ The private ingress then directs the connection to the Aura instance with dbid: |role: read |=== +== Test connectivity through the private endpoint + +Utilize the `nslookup` command to confirm whether the Fully Qualified Domain Names (FQDNs) of your Aura instances are directed to the IP address of the PrivateLink endpoint (usually represented by an internal IP address, such as 10.0.0.0). + +[source,bash] +---- +nslookup .production-orch-.neo4j.io +---- + +. Use curl from a VM instance or a container located in the related VPC network. + +[source,bash] +---- +curl https://.production-orch-.neo4j.io +---- + +. Use nc commands on one of your VM instances or container located in the related GCP Project VPC network, and make sure you get a successful response for all commands + +[source,bash] +---- +nc -vz .production-orch-.neo4j.io 443 +nc -vz .production-orch-.neo4j.io 7687 +nc -vz .production-orch-.neo4j.io 7474 +---- + +. On Windows, you can get https://nmap.org/download.html[Netcat] or use PowerShell + +[source,bash] +---- +Test-NetConnection .production-orch-.neo4j.io -Port 7687 +Test-NetConnection .production-orch-.neo4j.io -Port 7474 +Test-NetConnection .production-orch-.neo4j.io -Port 443 +---- + == Supported TLS cipher suites For additional security, client communications are carried via TLS v1.2 and TLS v1.3.
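Review bot: `modules/ROOT/images/network_access.png` is added as a new binary, but none of the visible hunks in `secure-connections.adoc` contain an `image::network_access.png[]` reference; either add the reference where the new `== Network access` section describes the console path, or drop the image from this change so the repository does not carry an unused asset.

Review bot: the `=== Public traffic` paragraph inverts its condition: `If private traffic is enabled, your Aura instances are public and traffic to them is allowed to traverse the public internet` should read `If public traffic is enabled, ...`, otherwise it states the opposite of the `=== Private traffic` section that follows. In the same hunk, `[your system's?]` in `you need to be authorized to access the part of [your system's?] infrastructure` is an unresolved editing question that will render verbatim; settle the wording before merge. The heading `==== Disabling public traffic` skips a level (it sits directly under `== Network access`, above the `===` headings), and `Note: Disabling public traffic does not take effect immediately.` should use the `NOTE:` admonition this file already relies on rather than a plain-text prefix. The KB article `13174783967507-How-To-Test-Connectivity-Through-The-Private-Endpoint` is linked twice in consecutive paragraphs with different link text; keep one. Finally, the path `*Aura console* > *Security* > *Network access* > *New network access configuration*` is immediately followed by `you can either set up a new network access configuration, or edit current configuration settings`; the last menu item only creates a new configuration, so the path should stop at *Network access* if editing is meant to be reachable from it.

Review bot: `xref:[disable public access]` has an empty target, so the cross-reference cannot resolve, and the matching edits at `@@ -124,7 +145,7 @@` and `@@ -182,7 +203,7 @@` write `xref[disable public access]` without the colon, which is not xref syntax and will be emitted as literal text. Give the `Disabling public traffic` heading an explicit anchor, point all three provider sections at it with identical `xref:` syntax, and preview the rendered page for each.

Review bot: every command in the new `== Test connectivity through the private endpoint` section targets `.production-orch-.neo4j.io`, with nothing before `production-orch-` and nothing between the trailing hyphen and `neo4j.io`; the instance and orchestrator placeholders have been lost, so the commands cannot be copied and run. Restore the placeholders and say where the reader finds the values. Also in this hunk: the `Test-NetConnection` block is PowerShell but is tagged `[source,bash]`; the `.` list items are separated from their source blocks by blank lines with no `+` continuation, so AsciiDoc will render three separate lists each numbered 1, while the opening `nslookup` paragraph is not a list item at all; the `curl` step states no expected result, unlike the `nc` step's `make sure you get a successful response for all commands`; `10.0.0.0` is a network address rather than a host address, so `such as 10.0.0.0` is a misleading example of an endpoint IP; the `nc` step says `related GCP Project VPC network` and the `nslookup` step says `PrivateLink endpoint` (AWS terminology) although the section sits outside the per-provider sections; and `https://nmap.org/download.html` provides Ncat, not Netcat.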