diff --git a/modules/ROOT/images/network_access.png b/modules/ROOT/images/network_access.png new file mode 100644 index 000000000..327243c62 Binary files /dev/null and b/modules/ROOT/images/network_access.png differ diff --git a/modules/ROOT/pages/platform/security/secure-connections.adoc b/modules/ROOT/pages/platform/security/secure-connections.adoc index a87624c1f..8a2257efd 100644 --- a/modules/ROOT/pages/platform/security/secure-connections.adoc +++ b/modules/ROOT/pages/platform/security/secure-connections.adoc 
@@ -7,24 +7,40 @@ label:AuraDB-Virtual-Dedicated-Cloud[] label:AuraDS-Enterprise[] -AuraDB Virtual Dedicated Cloud and AuraDS Enterprise run in a dedicated cloud Account (AWS), Subscription (Azure) or Project (GCP) to achieve complete isolation for your deployment. +AuraDB Virtual Dedicated Cloud and AuraDS Enterprise run in a dedicated AWS cloud account, Azure subscription, or GCP project to achieve complete isolation for your deployment. +Additional Virtual Private Cloud (VPC) boundaries enable you to operate within an isolated section of the service, where your processing, networking, and storage are further protected. +The Aura console resides in a separate VPC, isolated from the rest of the Aura services. -Additional VPC boundaries enable you to operate within an isolated section of the service, where your processing, networking, and storage are further protected. +== Network access -The Aura Console runs in a separate VPC, separate from the rest of Aura. +An Aura instance can be publicly available, completely private, or allow both public and private access. -== Network access +If private traffic is enabled, your Aura instances are public and traffic to them is allowed to traverse the public internet and they are accessible with the correct username and password. -An Aura instance can be publicly available, completely private, or both. -To configure this, you need to be authorized to access the part of the infrastructure that runs and handles these instances as well as the networking used to establish secure connections between the database and the application's VPC. +To make your instance completely private, you need to disable public traffic, use the cloud provider's network, and create a private endpoint inside your VPC, which gives you a private connection to Aura. +The only way to connect to your database is from inside your network (your VPC in your AWS/Azure/GCP account) using an internal IP address you choose and DNS records you create. 
+ +To configure network access, you need to be authorized to access the part of the infrastructure that runs and handles these instances as well as the networking used to establish secure connections between the database and the application's VPC. This includes the ability to connect over the cloud provider's private link and private endpoint. -If your Aura instances are public, traffic to them is allowed to traverse the public internet and they are accessible with the correct username and password. +To configure settings for network access to your instance, go to *Aura console* > *Security* > *Network access* > *New network access configuration*. -For your instance to be completely private, turn public traffic off, use the cloud provider's network, and create a private endpoint inside your VPC, which gives you a private connection to Aura. -The only way to connect to your database is from inside your network (your VPC in your AWS/Azure/GCP account) using an internal IP address you choose and DNS records you create. +From there, you can either set up a new network access configuration, or edit current configuration settings. -To select network access settings go to *Aura Console* > *Security* > *Network Access*. +The Aura console provides a step-by-step configuration guide to: + +. Choose your Aura instance details +. Create an endpoint +. Accept endpoint connection requests and enable private DNS in the cloud provider's console +. *Disable public traffic (optional)* +If you disable public traffic it is highly recommended to test connectivity through the private endpoint before disabling public traffic. + +You can return to Step 4 at any time to disable public traffic, even if you’ve already completed the network access configuration and initially allowed public traffic. +To do this, click through the steps in the network access configuration guide until you reach Step 4, where there is the option to disable public traffic. 
+Disabling public traffic does not take effect immediately. +You can monitor the status change in the console to confirm when the process is complete. + +To continue accessing Browser and Bloom, you can configure a VPN in your VPC and connect to these services over the VPN. == Private endpoints @@ -260,6 +276,44 @@ The private ingress then directs the connection to the Aura instance with dbid: |role: read |=== +== Test connectivity through the private endpoint + +Use the `nslookup` command to confirm whether the Fully Qualified Domain Names (FQDNs) of your Aura instances are directed to the IP address of the PrivateLink endpoint (usually represented by an internal IP address, such as 10.0.0.0). + +[source,bash] +---- +nslookup .production-orch-.neo4j.io +---- + +Use cURL from a VM instance or a container located in the related VPC network. + +[source,bash] +---- +curl https://.production-orch-.neo4j.io +---- + +Use nc commands on one of your VM instances or container located in the related GCP Project VPC network, and make sure you get a successful response for all commands + +[source,bash] +---- +nc -vz .production-orch-.neo4j.io 443 +nc -vz .production-orch-.neo4j.io 7687 +nc -vz .production-orch-.neo4j.io 7474 +# if you are using AuraDS +nc -vz .production-orch-.neo4j.io 8491 +---- + +On Windows, you can get https://nmap.org/download.html[Netcat] or use PowerShell + +[source,bash] +---- +Test-NetConnection .production-orch-.neo4j.io -Port 7687 +Test-NetConnection .production-orch-.neo4j.io -Port 7474 +Test-NetConnection .production-orch-.neo4j.io -Port 443 +# if you are using AuraDS +Test-NetConnection .production-orch-.neo4j.io -Port 8491 +---- + == Supported TLS cipher suites For additional security, client communications are carried via TLS v1.2 and TLS v1.3.
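Review bot: In the first hunk (`@@ -7,24 +7,40 @@`) the sentence "+If private traffic is enabled, your Aura instances are public and traffic to them is allowed to traverse the public internet" inverts the condition: the original line it replaces said "If your Aura instances are public", and the rest of the paragraph describes public access, so this should read "If public traffic is enabled". In the same hunk the continuation under step 4, "If you disable public traffic it is highly recommended to test connectivity through the private endpoint before disabling public traffic", is circular; suggest "Before disabling public traffic, test connectivity through the private endpoint (see Test connectivity through the private endpoint)", which also ties the step to the new section added later in this patch.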
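Review bot: In the second hunk (`@@ -260,6 +276,44 @@`) every hostname in the new "Test connectivity through the private endpoint" section reads `.production-orch-.neo4j.io`, with nothing before the first dot or after `orch-`, so a reader cannot tell which identifiers to substitute; the placeholder segments need to be restored (and the lead sentence should say where those values are found, for example in the instance details step above). Two smaller points in the same hunk: the final block runs `Test-NetConnection` but is tagged `[source,bash]`, which should be `[source,powershell]`; and the nc paragraph says "related GCP Project VPC network" while the rest of the page is provider-agnostic, so "your VPC in your AWS/Azure/GCP account" (the wording the first hunk uses) would be consistent. The example address "such as 10.0.0.0" is a network address rather than a host address; "an address in your VPC's private range, such as 10.x.x.x" avoids that confusion.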