Neo4j GCP Deployment: WebSocket connection failure and Failed to establish connection

Goal: Automate creating Neo4j graph database on GCP, and then connect to it using a python driver (locally and hosted on Cloud Run). I have tried to use:

  1. The "https://neo4j.com/docs/operations-manual/current/cloud-deployments/neo4j-gcp/automation-gcp/" documentation, but it lacks the ability to set configurations easily (it uses a remote cypher shell command, and I have to use a CALL function to change each configuration.)
  2. The Docker Image using GCP's deployment from container images: https://cloud.google.com/compute/docs/containers/deploying-containers#gcloud. This is a preferred method since all configurations can be set using ENV variables.

I have had success with starting a neo4j database using a docker image. In order to test the bolt connection, I go to https://browser.neo4j.io/ and put in the external IP address of the VM, and try to connect. However, I get the error:

WebSocket connection failure.
Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver.
Please use your browsers development console to determine the root cause of the failure.
Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems.
If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use.
WebSocket readyState is: 3

When I use the python driver to connect to the VM, I get the error:

Failed to establish connection to ResolvedIPv4Address(('35.225.230.248', 7687)) (reason [Errno 61] Connection refused))

These are the environmental variables I've set:

NEO4J_dbms_default__listen__address=0.0.0.0

NEO4J_dbms_connector_bolt_listen__address=0.0.0.0:7687

NEO4J_dbms_connector_bolt_address=0.0.0.0:7687

NEO4J_dbms_connector_bolt_tls__level=OPTIONAL

I have configured GCP's firewall to allow the BOLT port.


I've referenced all of the articles out there that have addressed this problem, to no avail:

https://community.neo4j.com/t5/neo4j-graph-platform/explanation-of-error-quot-websocket-connection-failure-due-to/m-p/36473

https://medium.com/neo4j/getting-certificates-for-neo4j-with-letsencrypt-a8d05c415bbd

https://stackoverflow.com/questions/70424753/serviceunavailable-websocket-connection-failure-after-server-connect-for-neo4j

I did launch a docker the same way - you can't use https://browser.neo4j.io/ on an instance without SSL setup. This is a restriction in the Web Browser standard, not Neo4j.
Setting TLS optional is not sufficient - you will need to do the whole get a cert, etc.
So get rid of the env NEO4J_dbms_connector_bolt_tls__level=OPTIONAL

gcloud compute instances create-with-container drneodocker --container-image neo4j:4.4.9

Created [https://www.googleapis.com/compute/v1/projects/neo4j-se-team-201905/zones/us-east1-d/instances/drneodocker].

NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS

drneodocker us-east1-d n1-standard-1 10.142.0.10 35.229.62.xxx RUNNING

Neo4j came right up, and I was able to hit the external address directly
http://35.229.62.xxx:7474/browser/

you can, tho I don't know why you would, when you can hit the http port directly - you can use http://browser.graphapp.io which is not SSL - your web browser may try very hard to flip that to https.
or login directly with python on port 7687
HTH
David

The only thing I can imagine is that the bolt port is not properly forwarded within your GCP infrastructure from docker to the ingress of your instance?

Hi David, thank you for your response. I was able to replicate your steps and create a Neo4j instance that is connectable via browser and bolt. However, I would like to add a default password upon creation, instead of logging into the browser to change it. I was trying to add the argument to your gcloud command, --container-env=[NEO4J_AUTH=neo4j/PASSWORD] (https://cloud.google.com/sdk/gcloud/reference/compute/instances/create-with-container#--container-env), but it doesn't work (https://neo4j.com/docs/operations-manual/current/docker/ref-settings/). Do you know how to configure the password from the container image environment variables?

Command: gcloud compute instances create-with-container drneodocker --container-image neo4j:4.4.9 --container-env=[NEO4J_AUTH=neo4j/PASSWORD]

I used this
gcloud compute instances create-with-container rosenblumdocker1 --container-image neo4j:4.4.9 --container-env=NEO4J_AUTH=neo4j/Mypassword

I used a new container name. Once the password is set in the system db (with a permanent disk attached) you can't change it with this method.
I noticed that you are not using a persistent disk, if you reboot the container, all your data will be LOST

Hi David,

I'm facing an issue where Neo4j works perfectly in my local development environment, but after deployment to a remote server, it fails to connect.

  1. Local Setup (Works Fine)
  • Protocol: bolt://host:7687
  • Also tried: neo4j+s://host
  • Using React frontend with Neo4j JavaScript driver
  • Neo4j connects correctly in local using WebSocket fallback (ws:// or wss://)

  2. Deployed Setup (Not Working)
  • Frontend deployed over HTTPS in GCP Cloud Run
  • Neo4j backend exposed on port 7687 and also created self-signed certificate
  • Trying to connect using:
    • ws://neo4j-host:7687 → Blocked (Mixed Content)
    • wss://neo4j-host:7687 via neo4j+s:// → Fails to establish WebSocket connection

  3. What I Tried:
  • Set REACT_APP_NEO4J_URI=neo4j+ssc://ip:7687
  • Enabled bolt connector in neo4j.conf
  • Enabled SSL policies for Bolt and added certificate
  • Used trust: "TRUST_ALL_CERTIFICATES" in driver config
  • Verified server firewall is open for port 7687

Despite trying multiple configurations, the frontend still cannot establish a WebSocket (wss://) connection after deployment.

Any advice on the next steps?

Thanks,
Mohamed Jahid Ameer

This is most likely an SSL problem.
You are mixing a real cert (cloud run) with a self signed certificate on neo4j. I have never had any luck mixing those with javascript driver.
You could start an Aura Free account which will have full, real certs and try connecting to that with your react app.
Or port 7687 is blocked.
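
The failure modes raised in this thread (connection refused, a blocked port, plaintext-only Bolt, TLS with a certificate the client does not trust) can be told apart from outside the browser. The following is an added example, not code from any post above: it sends the Bolt handshake over plain TCP and, if that is rejected, over TLS with standard CA and hostname verification. The function names and status strings are invented for this example, and the version proposals assume a Neo4j 4.4 server.

```python
import socket
import ssl

# Bolt handshake: 4-byte magic preamble, then four 4-byte version proposals,
# each encoded as 00 00 <minor> <major>. Offers 4.4, 4.3, 4.0 and 3.0
# (assumption: sufficient for the neo4j:4.4.9 image used in this thread).
BOLT_MAGIC = bytes.fromhex("6060b017")
PROPOSALS = bytes.fromhex("00000404 00000304 00000004 00000003")


def bolt_handshake(sock):
    """Return the (major, minor) version the server selects, or None."""
    sock.sendall(BOLT_MAGIC + PROPOSALS)
    reply = b""
    while len(reply) < 4:
        chunk = sock.recv(4 - len(reply))
        if not chunk:
            return None  # peer closed without answering
        reply += chunk
    if reply[:2] != b"\x00\x00" or reply == b"\x00" * 4:
        return None  # not a Bolt reply, or no version in common
    return reply[3], reply[2]


def probe_bolt(host, port=7687, timeout=3.0, cafile=None):
    """Classify a Bolt endpoint as (status, detail) without credentials."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # Host is reachable but nothing accepts on this port.
        return ("refused", None)
    except OSError as exc:
        # Timeouts and unreachable routes usually mean a firewall drop.
        return ("unreachable", str(exc))
    with raw:
        try:
            version = bolt_handshake(raw)
        except OSError:
            version = None
    if version:
        return ("plaintext", version)  # server accepts unencrypted Bolt
    # Retry over TLS with normal CA and hostname verification, which is what
    # a browser applies to wss://; cafile can point at a private CA bundle.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("tls-trusted", bolt_handshake(tls))
    except ssl.SSLCertVerificationError as exc:
        return ("tls-untrusted", exc.verify_message)
    except OSError as exc:
        return ("not-bolt", str(exc))
```

A `refused` result corresponds to the `[Errno 61] Connection refused` error in the original question and points at the port mapping or listen address rather than at certificates. `tls-untrusted` is the result a verifying client gets from a self-signed certificate, and `tls-trusted` is the state a CA-issued certificate should produce.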

We tried using a Let’s Encrypt certificate and it is working as expected. Thanks @david_rosenblum