Trying to open the browser of a db hosted on azure vm

Hello everyone, I wanted to host my graph db on Azure, so I followed the steps (https://neo4j.com/developer/neo4j-cloud-azure-image/?_ga=2.174562272.371806894.1563778810-1110845290.1559046406) and I read all the documentation, but I still can't open the browser when typing https://{ipaddress}:7473/ into my browser, and Neo4j Desktop gives me a "ServiceUnavailable" error when I try to connect remotely using bolt. But when I check the db status on the Azure VM by typing: systemctl status neo4j, it tells me that the db is active.

Please have a look here first:

If these do not address your issue, please follow up with a screenshot and maybe a few more details of what you're seeing.

I saw this post and I tried to follow the steps, yet it did not end up solving my problem. I am still getting "access denied"; when I checked the logs, I didn't get anything that helped. Keep in mind that I am not that good at Ubuntu.

It is saying that the remote browser is ready to use, but when I enter the URL in Chrome it's not working (Site can't be reached / {ip address} took too long to respond).

Need more information to help here. Access denied is a completely different error than service unavailable you reported before.

  • Are you accessing on 7474 or 7473? (HTTP or HTTPS)
  • Have you triple checked that your firewall egress rules permit this? You should investigate this first and post your firewall config, this would be a very likely source of the problem.

The logs you're showing are on the server side. A client-side screenshot might help, also try using cypher-shell locally and see what that gives you.

I don't think the issue is from my firewall; besides, Chrome is allowed to go through and so is Neo4j Desktop, and I'm using 7474 (http).

this is what neo4j desktop is returning

although it's working fine on the VM:

SECOND POST
I can only enter two photos in one reply so here's the rest:

and when I check out the status it is active and running on the VM:

My issue is that I need to get it to work normally on my browser, because I have a project that is running on localhost and I need to get it up on the cloud to proceed.

Please triple check your firewall settings.

While Chrome can get through to the browser application clearly on port 7474, you also require TCP connections to port 7687 in order for browser to make a bolt connection to the database, and that seems to be the part that isn't happening.

Using cypher-shell on the VM is not a way to verify this, because that's inside of the cloud firewall. If you get the same connection errors from cypher-shell on your local machine (not the cloud VM) then the problem is almost certainly that network traffic isn't getting through on port 7687 / tcp / bolt.

1 Like

Can you please walk me through the process of trying it on cypher-shell?
I checked my firewall settings and allowed TCP connections to port 7687, and it still did not work.

You need to check the Azure firewall settings, and not your own laptop.

Conceptually what's going on here is you're running an instance on Azure, and I think your problem is that network traffic isn't getting into the Azure instance. This explanation makes sense because it works on the VM but not from your machine. What's the difference? The network path between the two. By default, clouds typically block access to all ports except the ones you explicitly allow, so I'm asking you to demonstrate that you've configured Azure to allow traffic in on TCP 7687 to that IP address. If you haven't, then the problem you're seeing would be expected.

To try cypher-shell locally, simply install the neo4j tooling on your local machine using Neo4j's standard install instructions.

To do the azure firewalling bits, I recommend using the Azure docs to configure network ingresses.
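The check the replies above ask for (is TCP 7687 reachable from the local machine, not from inside the VM), as an added example that is not part of the original thread. It goes one step beyond a plain port check by sending the Bolt handshake, so an open port that answers in some other protocol is told apart from a working Bolt endpoint; the function names are hypothetical and reading a timeout as "filtered" is an assumption that matches the cloud-firewall explanation given above.

```python
import socket
import sys

# Ports from the thread: Browser over HTTP/HTTPS, and Bolt for the database.
NEO4J_PORTS = {7474: "HTTP", 7473: "HTTPS", 7687: "Bolt"}

# Bolt handshake: magic preamble 60 60 B0 17, then four 4-byte version
# proposals (5.0, 4.4, 4.0, 3.0), each laid out as 00 00 <minor> <major>.
BOLT_HELLO = bytes.fromhex("6060b017" "00000005" "00000404" "00000004" "00000003")

def tcp_state(host, port, timeout=5.0):
    """Classify a TCP connect attempt as seen from the machine running this."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return "open"
    except socket.timeout:
        return "filtered"      # silence: packets dropped, typical of a cloud firewall
    except ConnectionRefusedError:
        return "closed"        # host answered, but nothing listens on this port
    except OSError:
        return "unreachable"   # routing or name-resolution failure

def bolt_version(host, port=7687, timeout=5.0):
    """Return (major, minor) agreed by a Bolt server, or None if the peer is not Bolt."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(BOLT_HELLO)
            reply = sock.makefile("rb").read(4)   # server answers with one version
    except OSError:
        return None
    if len(reply) != 4 or reply[:2] != b"\x00\x00" or reply[3] == 0:
        return None            # no answer, no common version, or another protocol
    return reply[3], reply[2]

def diagnose(host, timeout=5.0):
    """Check every Neo4j port and confirm Bolt really answers on 7687."""
    report = {name: tcp_state(host, port, timeout) for port, name in NEO4J_PORTS.items()}
    if report["Bolt"] == "open":
        report["Bolt version"] = bolt_version(host, 7687, timeout)
    return report

if __name__ == "__main__":
    # Usage: python probe.py <public IP of the VM>, run from the client side.
    for check, result in diagnose(sys.argv[1]).items():
        print(f"{check}: {result}")
```

If HTTP shows "open" while Bolt shows "filtered", the inbound rule for TCP 7687 on the Azure side is the first thing to check, and that rule is better limited to the client's source address than opened to every address.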

Thanks, David - this seems to be the missing documentation (?). :-)

Correct me if I am wrong, please:

Given a firewall allows outgoing TCP traffic on port 7474 (http) or port 7473 (https), then a browser on the inside will be able to send a request through the firewall out to a remote host on IP:7474 or IP:7473 or hostname:7474 or hostname:7473 (the Neo4j browser application), and receive a response from the remote host through the same port in the firewall.

Given the firewall also allows outgoing TCP traffic on port 7687, then a browser on the inside will be able to send another request through the firewall out to a remote host on IP:7687 or hostname:7687 to make Bolt connection to the database, and receive a response from the remote host through the same port in the firewall.

Is this correct?

If not, I have additional questions:

  1. Is Neo4j expecting to be allowed to send responses to any random port number? This will probably not be allowed by the firewall, and would require additional firewall rules. If so, in what port range?
  2. Is Neo4j expecting to be allowed to send responses to fixed port numbers? This will probably not be allowed by the firewall, and would require additional firewall rules. If so, in what port range?

Cheers,
Haakon

Neo4j cloud images, when launched in the default provided configurations, are allowed network egress to any IP, any port -- unless you configure it otherwise.

No - Neo4j can send from inside of Azure to any port external. But clients can only send into Neo4j on Azure on ports 7474, 7473, and 7687.

Sorry, my bad, David. My port and traffic questions were not limited to cloud images. I have my own Neo4j server, which I normally can reach at home or on my phone, but at work this is not allowed. My network manager at work confirms the 7xxx ports are closed. I can surf normally to all regular web sites on port 80 or 443. However, it did not help to change the ports on my Neo4j server to port 80 or 473, so I am not sure what to tell him to do. Does he only have to allow connections going out on 7474 and 7687, and then allow the responses back through the same ports? He is willing to help out.

1 Like

Ah -- sure, you can configure Neo4j to listen on whichever ports you want. If you want HTTPS on 443, no problem.

Thank you, I know. What I do not know is the following: since my remote Neo4j server listened on regular ports 80 and 443 (sorry, 473 was a typo) and yet the firewall at work does not allow communication, why might that be? Perhaps it is because bolt is its own protocol, and there is a protocol restriction in our firewall as well?

Contact your local network administrator, there are too many variables to consider here, and I don't know what the answer is. Some companies have things like deep packet inspection on their networks that are smart enough to ban traffic that isn't of the right protocol even if it's on the right port. If you follow the config guidance for Neo4j you've probably done as much as you can on the Neo4j side, and you may need local network guidance.

Thank you, David - have a nice weekend! :smiley:

1 Like