Neo4j GCP Deployment: WebSocket connection failure and Failed to establish connection

Neo4j Graph Platform
1

Goal: Automate creating Neo4j graph database on GCP, and then connect to it using a python driver (locally and hosted on Cloud Run). I have tried to use:

  1. The "https://neo4j.com/docs/operations-manual/current/cloud-deployments/neo4j-gcp/automation-gcp/" documentation, but it lacks the ability to set configurations easily (it uses a remote cypher shell command, and I have to use a CALL function to change each configuration.)
  2. The Docker Image using GCP's deployment from container images: https://cloud.google.com/compute/docs/containers/deploying-containers#gcloud. This is a preferred method since all configurations can be set using ENV variables.

I have had success with starting a neo4j database using a docker image. In order to test the bolt connection, I go to https://browser.neo4j.io/ and put in the external IP address of the VM, and try to connect. However, I get the error:

WebSocket connection failure.
Due to security constraints in your web browser, the reason for the failure is not available to this Neo4j Driver.
Please use your browsers development console to determine the root cause of the failure.
Common reasons include the database being unavailable, using the wrong connection URL or temporary network problems.
If you have enabled encryption, ensure your browser is configured to trust the certificate Neo4j is configured to use.
WebSocket readyState is: 3

When I use the python driver to connect to the VM, I get the error:

Failed to establish connection to ResolvedIPv4Address(('35.225.230.248', 7687)) (reason [Errno 61] Connection refused))

These are the environmental variables I've set:

NEO4J_dbms_default__listen__address=0.0.0.0

NEO4J_dbms_connector_bolt_listen__address=0.0.0.0:7687

NEO4J_dbms_connector_bolt_address=0.0.0.0:7687

NEO4J_dbms_connector_bolt_tls__level=OPTIONAL

I have configured GCP's firewall to allow the BOLT port.

phillip_shao_ng_0-1659768580948.png

I've reference all of the articles out there that have addressed this problem to no avail:

https://community.neo4j.com/t5/neo4j-graph-platform/explanation-of-error-quot-websocket-connection-failure-due-to/m-p/36473

https://medium.com/neo4j/getting-certificates-for-neo4j-with-letsencrypt-a8d05c415bbd

https://stackoverflow.com/questions/70424753/serviceunavailable-websocket-connection-failure-after-server-connect-for-neo4j

2

I did launch a docker the same way - you can't use https://browser.neo4j.io/ on an instance without SSL setup. This is a restriction in the Web Browser standard, not Neo4j.
Setting TLS optional is not sufficient - you will need to do the whole get a cert, etc.
SO get rid of the env NEO4J_dbms_connector_bolt_tls__level=OPTIONAL

gcloud compute instances create-with-container drneodocker --container-image neo4j:4.4.9

Created [https://www.googleapis.com/compute/v1/projects/neo4j-se-team-201905/zones/us-east1-d/instances/drneodocker].

NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS

drneodocker us-east1-d n1-standard-1 10.142.0.10 35.229.62.xxx RUNNING

Neo4j came right up, and I was able to hit the external address directly
http://35.229.62.xxx:7474/browser/

you can, tho I don't know why you would, when you can hit the http port directly - you can use http://browser.graphapp.io which is not SSL - your web browser may try very hard to flip that to https.
or login directly with python on port 7687
HTH
David

3

The only thing I can imagine is that the bolt port is not properly forwarded within your GCP infrastructure to the from docker to the ingress of your instance?

4

Hi David, thank you for your response. I was able to replicate your steps and create a Neo4j instance that connectable via browser and bolt. However, I would like to add a default password upon creation, instead of logging into the browser to change it. I was trying to add the argument to your gcloud command, --container-env=[NEO4J_AUTH=neo4j/PASSWORD] (https://cloud.google.com/sdk/gcloud/reference/compute/instances/create-with-container#--container-env), but it doesn't work (https://neo4j.com/docs/operations-manual/current/docker/ref-settings/). Do you know how to configure the password from the container image environment variables?

Command: gcloud compute instances create-with-container drneodocker --container-image neo4j:4.4.9 --container-env=[NEO4J_AUTH=neo4j/PASSWORD]

5

I used this
gcloud compute instances create-with-container rosenblumdocker1 --container-image neo4j:4.4.9 --container-env=NEO4J_AUTH=neo4j/Mypassword

I used a new container name. Once the password is set in the system db (with a permanent the disk attached) you can't change it with this method.
I noticed that you are not using a persistent disk, if you reboot the container, all your data will be LOST