1
votes

I've installed a neo4j database on a Google Cloud Compute instance and am wanting to connect to the database from my laptop.

[1] I have neo4j running on Google Cloud

● neo4j.service - Neo4j Graph Database
   Loaded: loaded (/lib/systemd/system/neo4j.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2017-09-30 09:33:39 UTC; 1h 3min ago
 Main PID: 2099 (java)
    Tasks: 41
   Memory: 504.5M
      CPU: 18.652s
   CGroup: /system.slice/neo4j.service
           └─2099 /usr/bin/java -cp /var/lib/neo4j/plugins:/etc/neo4j:/usr/share/neo4j/lib/*:/var/lib/neo4j/plugins/* -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -XX:+AlwaysPreTouch -XX:+UnlockExperimentalVMOptions -XX:+TrustFinalNonStaticFields -XX:+DisableExplicitGC -Djdk.tls.ephemeralDHKeySize=2048 -Dunsupported.dbms.udc.source=debian -Dfile.encoding=UTF-8 org.neo4j.server.CommunityEntryPoint --home-dir=/var/lib/neo4j --config-dir=/etc/neo4j
Sep 30 09:33:40 neo4j-graphdb-server neo4j[2099]:   certificates: /var/lib/neo4j/certificates
Sep 30 09:33:40 neo4j-graphdb-server neo4j[2099]:   run:          /var/run/neo4j
Sep 30 09:33:40 neo4j-graphdb-server neo4j[2099]: Starting Neo4j.
Sep 30 09:33:42 neo4j-graphdb-server neo4j[2099]: 2017-09-30 09:33:42.948+0000 INFO  ======== Neo4j 3.2.5 ========
Sep 30 09:33:42 neo4j-graphdb-server neo4j[2099]: 2017-09-30 09:33:42.988+0000 INFO  Starting...
Sep 30 09:33:44 neo4j-graphdb-server neo4j[2099]: 2017-09-30 09:33:44.308+0000 INFO  Bolt enabled on 127.0.0.1:7687.
Sep 30 09:33:47 neo4j-graphdb-server neo4j[2099]: 2017-09-30 09:33:47.043+0000 INFO  Started.
Sep 30 09:33:48 neo4j-graphdb-server neo4j[2099]: 2017-09-30 09:33:48.160+0000 INFO  Remote interface available at http://localhost:7474/
Sep 30 09:39:17 neo4j-graphdb-server neo4j[2099]: 2017-09-30 09:39:17.918+0000 WARN  badMessage: 400 No URI for HttpChannelOverHttp@27d4a9b{r=0,c=false,a=IDLE,uri=-}
Sep 30 09:46:18 neo4j-graphdb-server neo4j[2099]: 2017-09-30 09:46:18.374+0000 WARN  badMessage: 400 for HttpChannelOverHttp@6cbed0ca{r=0,c=false,a=IDLE,uri=-}

[2] I've created a firewall rule on Google Cloud to allow external access to the DB server

The network tag of "google-db-server" has been added to the Google Cloud Compute server.

My expectation is that the rule below will allow any external machine to connect to port 7474 on the Google Cloud Compute instance

user@machine:~/home$ gcloud compute firewall-rules create custom-allow-neo4j --action ALLOW --rules tcp:7474 --description "Enable access to the neo4j database" --direction IN --target-tags google-db-server

user@machine:~/home$ gcloud compute firewall-rules list --format json
[
  {
    "allowed": [
      {
        "IPProtocol": "tcp",
        "ports": [
          "7474"
        ]
      }
    ],
    "creationTimestamp": "2017-09-30T00:25:51.220-07:00",
    "description": "Enable access to the neo4j database",
    "direction": "INGRESS",
    "id": "5767618134171383824",
    "kind": "compute#firewall",
    "name": "custom-allow-neo4j",
    "network": "https://www.googleapis.com/compute/v1/projects/graphdb-experiment/global/networks/default",
    "priority": 1000,
    "selfLink": "https://www.googleapis.com/compute/v1/projects/graphdb-experiment/global/firewalls/custom-allow-neo4j",
    "sourceRanges": [
      "0.0.0.0/0"
    ],
    "targetTags": [
      "google-db-server"
    ]
  },

[3] Running nmap from the Google Cloud server instance shows that port 7474 is available locally, and I can telnet to that port locally

google_user@google-db-server:~$ nmap -p 22,80,443,7474 localhost
Starting Nmap 7.01 ( https://nmap.org ) at 2017-09-30 10:46 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000081s latency).
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7474/tcp open   unknown
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

google-user@google-db-server:~$ telnet localhost 7474
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

[4] However, I am unable to connect from my laptop, and nmap shows port 7474 as unavailable

user@machine:~/home$ nmap -p 22,80,443,7474 35.201.26.52

Starting Nmap 7.01 ( https://nmap.org ) at 2017-09-30 20:50 AEST
Nmap scan report for 52.26.201.35.bc.googleusercontent.com (35.201.26.52)
Host is up (0.28s latency).
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  closed https
7474/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds

So despite the firewall rule being created to allow any IP address to connect to the Google Cloud Compute instance on tcp:7474, I'm still unable to access this port from my laptop.

Am I missing some additional steps?

1 Answer

2
votes

It looks like neo4j is only listening on the loopback interface. This means it only accepts connections from the same machine. You can verify this by running sudo netstat -lntp. If you see 127.0.0.1:7474, it's only listening on loopback. It should be 0.0.0.0:7474.

You can fix this in the neo4j config by setting dbms.connector.bolt.listen_address to 0.0.0.0:7474. Your Linux distribution may also have a different place to set this configuration.
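
The check described in this answer, combined with the firewall rule from the question, as an added example that is not part of the original post: it parses `netstat -lntp` output together with the `gcloud compute firewall-rules list --format json` output and reports why a port is or is not reachable from outside. The netstat sample is constructed, and the function names are illustrative.

```python
import ipaddress
import json

# Constructed `sudo netstat -lntp` output for a host in the state the question describes.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1180/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1302/apache2
tcp6       0      0 ::ffff:127.0.0.1:7474   :::*                    LISTEN      2099/java
"""

# Firewall rule from the question, trimmed to the fields used here.
RULES = json.loads("""[{"name": "custom-allow-neo4j", "direction": "INGRESS",
  "allowed": [{"IPProtocol": "tcp", "ports": ["7474"]}],
  "sourceRanges": ["0.0.0.0/0"], "targetTags": ["google-db-server"]}]""")

def listeners(netstat_text):
    """Map port -> set of bind scopes ('loopback', 'any', 'specific')."""
    found = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp") or cols[5] != "LISTEN":
            continue
        host, port = cols[3].rsplit(":", 1)
        addr = ipaddress.ip_address(host)
        # Java often binds IPv4 addresses as IPv4-mapped IPv6 (::ffff:a.b.c.d).
        addr = getattr(addr, "ipv4_mapped", None) or addr
        scope = "loopback" if addr.is_loopback else "any" if addr.is_unspecified else "specific"
        found.setdefault(int(port), set()).add(scope)
    return found

def port_in(spec, port):
    lo, _, hi = spec.partition("-")  # '7474' or a range such as '7000-7999'
    return int(lo) <= port <= int(hi or lo)

def diagnose(rules, netstat_text, port):
    """Explain why `port` is or is not reachable from outside the instance."""
    allowed_from = [src for r in rules if r.get("direction") == "INGRESS"
                    for a in r.get("allowed", []) if a["IPProtocol"] == "tcp"
                    and any(port_in(p, port) for p in a.get("ports", ["0-65535"]))
                    for src in r.get("sourceRanges", [])]
    scopes = listeners(netstat_text).get(port, set())
    if not allowed_from:
        return "blocked: no ingress rule allows this port"
    if not scopes:
        return "closed: firewall allows it but nothing is listening"
    if scopes == {"loopback"}:
        return "closed: firewall allows it but the service is bound to loopback only"
    if "0.0.0.0/0" in allowed_from:
        return "exposed to the internet"
    return "reachable from " + ", ".join(allowed_from)
```

Once the listener is rebound to 0.0.0.0, the rule's `sourceRanges` of 0.0.0.0/0 is the only control on who can reach port 7474; passing `--source-ranges` to `gcloud compute firewall-rules create` narrows it to known client addresses.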