When connecting to your instance over private link after turning public access off, you may see behaviour where you can resolve the instance URI but cannot contact the database with queries.
One cause of this behaviour is a Network Load Balancer sitting between your application and the Neo4j Aura instance. It occurs when using the Neo4j Protocol, which is the recommended protocol.
You can verify whether your symptom matches the one covered in this article by connecting via the Bolt Protocol instead. If the Bolt Protocol works but the Neo4j Protocol does not, this article should help resolve your problem. If the Bolt Protocol does not work either, search our knowledge base for articles related to the error you are seeing.
This behaviour occurs because the Neo4j Protocol is aware of the cluster topology and sends requests to particular cores of the instance, depending on whether they are reads or writes. The driver first contacts the instance; the instance then returns its topology, including the core names / URIs, to the driver. This setup may work before you disable public access, because the public URI is still resolvable at that point.
The cluster topology includes the core names along with whether the nodes are leaders or followers, which then allows the driver to route queries accordingly; writes will go to a leader, and reads typically to a follower.
Adding a Network Load Balancer in the middle adds complexity, because the URIs containing the core names also need to be accounted for. Typically an A record is added to your DNS that resolves the Neo4j instance URI to your Network Load Balancer, and the Network Load Balancer is then configured to forward this traffic to the Private Endpoint, as below:
As before, the cluster topology is returned to the driver. However, when it tries to access a core URI, it cannot resolve it, because there is no DNS record for the core name. This results in the behaviour where it appears you can contact the instance but are unable to execute queries.
You will need to add another DNS record for the core names using a wildcard in the format below. You may prefer to use a wildcard for the dbid as well, to save creating a record for each database; this is down to personal preference and internal policy:
*.dbid.databases.neo4j.io
You will also need to configure the Network Load Balancer to forward this traffic in the same way as for the Neo4j Aura instance URI.
Once this DNS record has been created, you should be able to resolve the core name, as in the diagram below:
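The following is an added example, not part of this article or of Neo4j's own tooling. It simulates the name lookups the routing driver performs against the core names in a returned routing table, before and after the wildcard record is added, so you can see exactly which core names fail to resolve. The dbid, core hostnames, load balancer address and zone records are constructed placeholders.

```python
# Constructed routing table in the shape the Neo4j routing procedure returns:
# each server entry lists its addresses and its role (WRITE / READ / ROUTE).
ROUTING_TABLE = {
    "ttl": 300,
    "servers": [
        {"addresses": ["core-0001.dbid.databases.neo4j.io:7687"], "role": "WRITE"},
        {"addresses": ["core-0002.dbid.databases.neo4j.io:7687",
                       "core-0003.dbid.databases.neo4j.io:7687"], "role": "READ"},
        {"addresses": ["core-0001.dbid.databases.neo4j.io:7687",
                       "core-0002.dbid.databases.neo4j.io:7687",
                       "core-0003.dbid.databases.neo4j.io:7687"], "role": "ROUTE"},
    ],
}

# Constructed private DNS zone: only the instance URI points at the NLB.
ZONE_BEFORE = {"dbid.databases.neo4j.io": "10.0.1.10"}
# The same zone with the wildcard record from the article added.
ZONE_AFTER = {**ZONE_BEFORE, "*.dbid.databases.neo4j.io": "10.0.1.10"}


def resolve(name, zone):
    """Return the address recorded for `name`, or None.

    Simplified wildcard matching: an exact record wins; otherwise the nearest
    '*.<ancestor>' record covers any name beneath that ancestor that has no
    exact record of its own.
    """
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None


def check_routing_table(table, zone, expected_nlb):
    """Return (host, role) pairs the driver could not reach through the NLB:
    core names that do not resolve, or resolve somewhere other than the NLB."""
    failures = []
    for server in table["servers"]:
        for addr in server["addresses"]:
            host = addr.rsplit(":", 1)[0]  # strip the Bolt port
            if resolve(host, zone) != expected_nlb:
                failures.append((host, server["role"]))
    return failures
```

With ZONE_BEFORE every core name in the routing table fails even though the instance URI itself resolves, which is the symptom described above; with ZONE_AFTER the failure list is empty.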
This article is meant as general guidance only. Always consult your internal networking team and follow internal policies and best practices before implementing a solution.