Neo4j – Securing Access on Azure

After installing Neo4j on Azure, you will notice that your Neo4j instance is publicly accessible without any security. Unfortunately, Neo4j does not come with built-in user authentication; to access the Neo4j server securely, you have to write a security plugin. This seems like too much trouble for me; all I want is for my Web Role to be able to connect to it safely.

After exploring some different approaches, I decided to go with Azure internal endpoints. Internal endpoints are designed for inter-role communication within a single deployment and are never exposed through the Azure load balancer. You can expose Neo4j through an internal endpoint by changing the endpoint type from Input to Internal in the role's settings:
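The same change expressed in the role's ServiceDefinition.csdef, shown as an added example that is not a file from the original post. The worker role name Neo4jWorkerRole comes from the post; the service name, the endpoint name Neo4jEndpoint (the value the post's ConfigSettings.Neo4jEndpoint constant would hold), the port 7474 and the web role's own endpoint are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original post. Service name, endpoint name, port and
     the web role's endpoint are assumptions; only the role name Neo4jWorkerRole is from the post. -->
<ServiceDefinition name="Neo4jOnAzure"
                   xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WorkerRole name="Neo4jWorkerRole" vmsize="Small">
    <Endpoints>
      <!-- BEFORE (insecure): an InputEndpoint is published on the cloud service's public VIP
           through the Azure load balancer, so anyone on the Internet can reach Neo4j's
           unauthenticated REST API. Remove this declaration. -->
      <!--
      <InputEndpoint name="Neo4jEndpoint" protocol="tcp" port="7474" localPort="7474" />
      -->

      <!-- AFTER: an InternalEndpoint is not published by the load balancer; only instances of
           roles in this same deployment can connect to it. The port attribute is optional:
           if it is omitted the fabric assigns one, which is why callers must read both the
           address and the port from RoleEnvironment at runtime instead of hard-coding them. -->
      <InternalEndpoint name="Neo4jEndpoint" protocol="tcp" port="7474" />
    </Endpoints>
  </WorkerRole>

  <!-- The web role keeps its own public HTTP endpoint but declares nothing for Neo4j;
       it discovers the worker role's internal endpoint through RoleEnvironment. -->
  <WebRole name="WebRole1" vmsize="Small">
    <Sites>
      <Site name="Web">
        <Bindings>
          <Binding name="HttpBinding" endpointName="HttpIn" />
        </Bindings>
      </Site>
    </Sites>
    <Endpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" />
    </Endpoints>
  </WebRole>
</ServiceDefinition>
```

After deploying, confirm the change took effect by checking that the cloud service's public VIP no longer answers on port 7474 from outside Azure while the web role can still reach the endpoint resolved from RoleEnvironment.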

One drawback is that nothing outside your Azure Web/Worker Roles will be able to connect. For example, to use the Web Admin you first have to Remote Desktop into one of the Web/Worker Role instances and then use the IE browser there. Note also what an internal endpoint does and does not give you: it restricts who can reach the port, not who can use it. Neo4j is still unauthenticated and the traffic is plain HTTP, so every role instance in the same deployment, and anyone who can Remote Desktop into one, has full access to the database. In addition, Azure internal endpoints have dynamic IP addresses, so you cannot hard-code the connection string in your other Web/Worker Roles; the code needs to retrieve the Neo4j Worker Role's internal IP address and port number at runtime. Here is an example of what you have to do in your other Web/Worker Roles:

// Resolve the Neo4j worker role's internal endpoint at runtime: Azure assigns its IP address (and, if not fixed in the service definition, its port), so neither can be hard-coded.
var endpoint = RoleEnvironment.Roles["Neo4jWorkerRole"].Instances[0].InstanceEndpoints[ConfigSettings.Neo4jEndpoint].IPEndpoint;
// Neo4j's REST API root is /db/data; Neo4jClient's GraphClient must Connect() before it can issue queries.
var client = new GraphClient(new Uri(string.Format("http://{0}:{1}/db/data", endpoint.Address, endpoint.Port)));
client.Connect();

I am able to have my Web Role communicate happily with the Neo4j Worker Role using this approach. I hope this article is helpful if you have a similar scenario.

Other Ideas:

  1. Neo4j supports security plugins, which can be integrated with other types of authentication or security systems. This obviously requires more work, since you have to write the Java plugin yourself. Here is more information: http://docs.neo4j.org/chunked/stable/security-server.html
  2. Playing with firewall rules may be a possible solution. We should be able to expose Neo4j on both a public and an internal endpoint, and then apply firewall rules to restrict which IP addresses can reach the public port. I haven't tried this approach yet, and will provide an update later.

Thanks, feel free to contact me if you have any questions or comments,
Raymond Tsang
t: @tsanglwr
e: raymond.tsang@ideanotion.net

By Raymond Tsang

Posted in Azure, Technical
