Enabling remote backup on GCE

tharshy

@david.allen, I would like to know: if I want remote backup to be enabled on my Google Cloud Launcher VM, should I only be editing the neo4j.template file with the following?

By default the backup service will only listen on localhost. To enable remote backups you will have to bind to an external network interface (e.g. 0.0.0.0 for all interfaces).

dbms.backup.address=$dbms_backup_address --> instead replace with 0.0.0.0:6362

thank you

1 ACCEPTED SOLUTION

david_allen (Neo4j)

Yes, you've got it right, you can just use:

dbms.backup.address=0.0.0.0:6362

However! There are several other important things to keep in mind. What that setting actually does is just open a port on localhost. By default in GCP, the backup address is not exposed to the internet. This would be a very bad idea for security, as you don't want anyone on the internet being able to take a backup of your database. As a result, that port is only available on localhost. If you try from your work laptop to do a backup, it will fail with connection timeout errors, as GCP's firewall blocks inbound traffic on this port.

The 0.0.0.0 part means the machine will listen on all interfaces, but practically speaking since yours will only have one, this means it will listen on the internet interface, probably a 10.*.*.* address inside of google.

To take a backup, you must SSH into the machine and run the backup locally, then copy the backup off machine somewhere else, like google storage.
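The procedure in the accepted answer (SSH to the VM, back up against the local backup port, copy the result to Google Cloud Storage) as an added shell script; it is not code from the thread or from Neo4j. It assumes a Neo4j 3.x `neo4j-admin backup` on PATH, `gsutil` authenticated via the VM's service account, a database named `graph.db`, and a placeholder bucket `gs://example-neo4j-backups`. The `backup_target` function also encodes the point that a `0.0.0.0` bind is reachable on loopback, while a bind to one specific 10.x address is only reachable at that address, even from the VM itself.

```shell
#!/bin/sh
# Added example (not from the thread or Neo4j): local backup on the GCE VM,
# then upload to GCS. Assumed, not from the page: neo4j-admin and gsutil on
# PATH, a service account allowed to write to GCS_BUCKET, database graph.db.
set -eu

NEO4J_CONF="${NEO4J_CONF:-/etc/neo4j/neo4j.conf}"
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/neo4j}"
DB_NAME="${DB_NAME:-graph.db}"
GCS_BUCKET="${GCS_BUCKET:-gs://example-neo4j-backups}"   # placeholder bucket name

# Print the effective dbms.backup.address from a neo4j.conf (last uncommented
# assignment wins); prints nothing when the line is absent or commented out.
configured_backup_address() {
  sed -n 's/^[[:space:]]*dbms\.backup\.address[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# "yes" when the backup service is enabled (dbms.backup.enabled unset or true).
backup_enabled() {
  v=$(sed -n 's/^[[:space:]]*dbms\.backup\.enabled[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
  case "${v:-true}" in
    true|TRUE|True) echo yes ;;
    *) echo no ;;
  esac
}

# Decide which host:port the local backup client must talk to. A 0.0.0.0 bind
# (or the localhost default) is reachable on loopback; a bind to one specific
# interface address is reachable only at that address.
backup_target() {
  addr=$(configured_backup_address "$1")
  addr="${addr:-127.0.0.1:6362}"
  case "$addr" in
    *:*) host="${addr%:*}"; port="${addr##*:}" ;;
    *)   host="$addr";      port=6362 ;;
  esac
  if [ "$host" = "0.0.0.0" ] || [ -z "$host" ]; then host=127.0.0.1; fi
  echo "$host:$port"
}

# Take the backup, tar it with a checksum, upload both, print the object URL.
run_backup() {
  conf="$1"
  if [ "$(backup_enabled "$conf")" != yes ]; then
    echo "backup service is disabled in $conf" >&2
    return 1
  fi
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  dir="$BACKUP_ROOT/$stamp"
  mkdir -p "$dir"
  neo4j-admin backup --from="$(backup_target "$conf")" --backup-dir="$dir" --name="$DB_NAME"
  tar -C "$dir" -czf "$dir.tar.gz" "$DB_NAME"
  sha256sum "$dir.tar.gz" > "$dir.tar.gz.sha256"
  gsutil cp "$dir.tar.gz" "$dir.tar.gz.sha256" "$GCS_BUCKET/"
  echo "$GCS_BUCKET/$stamp.tar.gz"
}

# Only perform the backup when explicitly asked, so the helpers can be sourced.
if [ "${NEO4J_BACKUP_RUN:-0}" = 1 ]; then
  run_backup "$NEO4J_CONF"
fi
```

Run it on the VM as `NEO4J_BACKUP_RUN=1 GCS_BUCKET=gs://your-bucket sh backup.sh`. Keeping the checksum next to the archive lets a restore job verify the object before unpacking it.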


Yes, I think your last idea makes sense: run the backup locally and transfer it to outside storage using scp. However, in this case I may have to do it manually, I guess, as my automation scripts are running on another VM.

If your automation scripts are running on another VM, they need to be in the same virtual network -- then you can use the 10.*.*.* address and it should work. If this does not work, you can always adjust your firewall rules to permit access to that port from the specific other machine that will take the backup.

Do not expose your backup port to the entire internet.
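The firewall adjustment described above, as an added shell example that is not from the thread or from Neo4j: it allows tcp/6362 on the Neo4j VM only from one internal backup host and refuses any wider source range, and it audits existing rules for the mistake the answer warns about. Assumed, not from the page: VPC network `default`, the Neo4j VM carrying the network tag `neo4j`, an authenticated `gcloud`, and the `--filter="allowed.ports:6362"` expression in the comment, which should be checked against `gcloud topic filters` before relying on it.

```shell
#!/bin/sh
# Added example (not from the thread or Neo4j): scope the backup port to a
# single internal host on GCE. Assumed: network "default", target tag "neo4j".
set -eu

NETWORK="${NETWORK:-default}"
RULE_NAME="${RULE_NAME:-neo4j-backup-from-automation}"
TARGET_TAG="${TARGET_TAG:-neo4j}"

# Return 0 only for an RFC 1918 /32, i.e. exactly one internal host.
# 0.0.0.0/0, public addresses and wide internal ranges are all rejected.
is_single_internal_host() {
  case "$1" in
    10.*/32) ;;
    172.1[6-9].*/32|172.2[0-9].*/32|172.3[01].*/32) ;;
    192.168.*/32) ;;
    *) return 1 ;;
  esac
  return 0
}

# Print (or with APPLY=1 run) the gcloud command that lets the backup host in.
allow_backup_from() {
  src="$1"
  if ! is_single_internal_host "$src"; then
    echo "refusing source range $src: the backup port must only be reachable from one internal host" >&2
    return 1
  fi
  set -- gcloud compute firewall-rules create "$RULE_NAME" \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW \
    --rules=tcp:6362 --source-ranges="$src" --target-tags="$TARGET_TAG"
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Audit: read "<name><TAB><range1>,<range2>,..." lines and echo the names of
# rules whose sources are not a single internal host. Feed it with (filter
# expression assumed, verify locally):
#   gcloud compute firewall-rules list --filter="allowed.ports:6362" \
#       --format="value(name,sourceRanges.list())" | flag_wide_sources
flag_wide_sources() {
  tab=$(printf '\t')
  while IFS="$tab" read -r name ranges; do
    [ -n "$name" ] || continue
    old_ifs="$IFS"; IFS=,
    for r in $ranges; do
      if ! is_single_internal_host "$r"; then echo "$name"; break; fi
    done
    IFS="$old_ifs"
  done
}

# Usage: sh backup-firewall.sh 10.128.0.5/32   (prints the command; APPLY=1 runs it)
if [ "$#" -gt 0 ]; then
  allow_backup_from "$1"
fi
```

Because the rule is keyed on a target tag and a /32 source, a new VM in the same VPC still gets a connection timeout on 6362 until its address is explicitly added, which is the behaviour you want for a port that hands out a full copy of the database.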

thank you and this makes sense.

tharshy

Thank you for the info. However, if I have a script running on another server inside Google to automatically back up my DB, then I may need to consider enabling remote backup, or should I give the internal IP, i.e. 10.0.0.1:6362?

@david.allen
I've referred to your blog on creating backups and storing them in Google Cloud Storage.
I've customized the container to use S3 and IBM COS, and this container is running on the same kube cluster as Neo4j.
We've used the neo4j helm chart to deploy the cluster, and the conf settings are commented out by default.

#dbms.backup.address=0.0.0.0:6362
#dbms.backup.enabled=true

  • I'm guessing these should be uncommented to enable backups?

  • And when we use the cluster-internal DNS to take the backup, should the backup port (6362) be exposed inside the cluster using the service?

  • If yes, is there an easy way to do this? I currently do not see any settings in the values.yaml file of the helm chart through which the above can be done.

Let me know if a new post is better for this
Thank you.

The blog that covers backup/restore on kubernetes is intended to work with this helm chart: https://github.com/neo-technology/neo4j-google-k8s-marketplace and not the public helm repo chart, which can get a bit out of date as of when this comment was written.

Indeed, backup must be enabled in the config file. Refer to the Neo4j Operations Manual for instructions on how to configure this.

Backup should not be enabled on any port external to the cluster, for security reasons.
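One way to keep the backup port cluster-internal while still letting an in-cluster backup job reach it, as an added example that is not from the thread, the blog or the Neo4j helm chart: a ClusterIP Service on tcp/6362 plus a NetworkPolicy that admits 6362 only from the backup job's pods. Assumed, not from the page: the Neo4j core pods carry the label `app=neo4j` (check your chart's pod labels and override `LABEL_KEY`/`LABEL_VAL`), the backup pods carry `app=neo4j-backup`, the CNI enforces NetworkPolicy, the deployment is a 3.x causal cluster using the default intra-cluster ports 5000/6000/7000, and `dbms.backup.address=0.0.0.0:6362` is already uncommented inside the pods. The policy has to list the client and cluster ports too, because once a NetworkPolicy selects the Neo4j pods every ingress not listed is denied.

```shell
#!/bin/sh
# Added example (not from the thread or the Neo4j helm chart): expose tcp/6362
# in-cluster only and limit its callers with a NetworkPolicy.
# Assumed pod labels: app=neo4j (cores), app=neo4j-backup (backup job).
set -eu

# Print the manifests for namespace $1 and Neo4j pod label $2=$3.
render_backup_manifests() {
  ns="$1"; key="$2"; val="$3"
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: neo4j-backup
  namespace: $ns
spec:
  type: ClusterIP        # never NodePort/LoadBalancer: 6362 stays inside the cluster
  selector:
    $key: $val
  ports:
    - name: backup
      port: 6362
      targetPort: 6362
      protocol: TCP      # the online backup port speaks TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: neo4j-ingress
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      $key: $val
  policyTypes:
    - Ingress
  ingress:
    # backup port: only from the backup job's pods
    - from:
        - podSelector:
            matchLabels:
              app: neo4j-backup
      ports:
        - protocol: TCP
          port: 6362
    # HTTP and Bolt stay reachable from the namespace (narrow to your clients)
    - from:
        - podSelector: {}
      ports:
        - protocol: TCP
          port: 7474
        - protocol: TCP
          port: 7687
    # causal-cluster traffic between the Neo4j pods themselves
    # (assumed 3.x defaults: discovery 5000, transaction 6000, raft 7000)
    - from:
        - podSelector:
            matchLabels:
              $key: $val
      ports:
        - protocol: TCP
          port: 5000
        - protocol: TCP
          port: 6000
        - protocol: TCP
          port: 7000
EOF
}

# Coarse guard: return 1 if any Service in the manifest on stdin would be
# published outside the cluster (NodePort or LoadBalancer).
manifest_keeps_backup_internal() {
  if grep -Eq 'type:[[:space:]]*(NodePort|LoadBalancer)'; then return 1; fi
  return 0
}

# APPLY=1 NAMESPACE=neo4j sh backup-k8s.sh
if [ "${APPLY:-0}" = 1 ]; then
  m=$(render_backup_manifests "${NAMESPACE:-neo4j}" "${LABEL_KEY:-app}" "${LABEL_VAL:-neo4j}")
  printf '%s\n' "$m" | manifest_keeps_backup_internal
  printf '%s\n' "$m" | kubectl apply -f -
fi
```

The backup job then points `neo4j-admin backup --from=neo4j-backup.<namespace>.svc.cluster.local:6362` at the Service; nothing outside the cluster, and no pod other than the backup job, can open that port.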

alexchantavy

@david.allen or anyone else, sorry to necro this thread but I have a small follow-up question: what protocol does the online backup port expect, UDP or TCP? I couldn't find this in the docs.

I have it set to TCP but I suspect my firewall is blocking the port. I'll start another thread to drill down more deeply once I know for sure one way or the other. Thanks!

Follow-up: I feel silly. It's TCP.

This bit of advice was helpful:

By default in GCP, the backup address is not exposed to the internet. This would be a very bad idea for security, as you don't want anyone on the internet being able to take a backup of your database. As a result, that port is only available on localhost. If you try from your work laptop to do a backup, it will fail with connection timeout errors, as GCP's firewall blocks inbound traffic on this port.

The 0.0.0.0 part means the machine will listen on all interfaces, but practically speaking since yours will only have one, this means it will listen on the internet interface, probably a 10.*.*.* address inside of google.

I set my listen address explicitly to 10.x.y.z:6362 instead of 0.0.0.0:6362 and I was able to run backups from a remote machine. I'm running in AWS and not GCE, but maybe there's some other default security group rule going on that forces me to use an explicit listen address?

Edit: This is so weird. I set my backup address back to 0.0.0.0:6362 and everything works. Oh well. Hopefully this helps someone coming from a Google search in future.