Wouter

Reputation: 4016

How do I configure Neo4j HA backup through NAT

We have a production setup where our highly available Neo4j instances run in a private network. Within this network there is also a firewall machine with a public IP address, which uses NAT to redirect certain ports back to the Neo4j cluster machines.

What I am trying to accomplish is to run neo4j-backup from outside of that network, using some firewall rules.

Our ports are the standard ports for ha.cluster_server (5001), ha.server (6001) and online_backup_server (6362) and we have established that when running telnet it goes to the first server in the cluster.

However when I try to backup I get a timeout:

./neo4j-backup -from ha://<public ip> -to /data/prod-neo
Could not find backup server in cluster neo4j.ha at <public ip>, operation timed out

I have installed neo4j enterprise on a machine within the private network and there it runs fine:

./neo4j-backup -from ha://192.168.0.1 -to /tmp
Performing incremental backup from 'backup://192.168.0.1:6362'
[0 Transactions applied]
Done

My guess is that from the outside machine it will try to connect to 192.168.0.1 instead of the public ip address, but I have no idea how I can verify that, let alone fix it so that neo4j-backup uses the public ip for doing the actual backup. Ideas anyone?

Upvotes: 0

Views: 150

Answers (1)

Stefan Armbruster

Reputation: 39915

Map port 6362 from your NAT box to one of the cluster instances. On the outside machine doing the backup run:

./neo4j-backup -from single://<public_ip>:6362 -to /tmp

Using a "ha://" URL in "-from" requires the machine has full network access since multiple ports are involved. Going for "single://" should only require this one port.

Upvotes: 1
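
The port mapping described in the answer, as an added example that is not part of the original answer. It assumes the NAT box is a Linux firewall using iptables, a WAN interface named eth0, and a backup client at the constructed address 203.0.113.10; it prints rules that forward port 6362 for that one client only, so the backup port is not opened to every outside host.

```shell
#!/bin/sh
# Print iptables rules that forward the Neo4j online backup port from the
# NAT box to one cluster instance, for a single backup client only.
# Assumptions (not from the original post): Linux/iptables firewall,
# the WAN interface name, and the backup client's address.

BACKUP_PORT=6362   # online_backup_server port named in the question

is_ipv4() {
    # Accept only dotted-quad addresses with every octet in 0..255,
    # so a CIDR range such as 0.0.0.0/0 cannot slip in as the "client".
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

backup_dnat_rules() {
    wan_if=$1; client_ip=$2; cluster_ip=$3
    is_ipv4 "$client_ip" && is_ipv4 "$cluster_ip" || {
        echo "invalid IPv4 address" >&2; return 1; }
    # Rewrite the destination only for packets from the backup client.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp -s $client_ip --dport $BACKUP_PORT -j DNAT --to-destination $cluster_ip:$BACKUP_PORT"
    # Allow the rewritten connection through the FORWARD chain.
    echo "iptables -A FORWARD -i $wan_if -p tcp -s $client_ip -d $cluster_ip --dport $BACKUP_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    # Allow the cluster instance's replies back out to the client.
    echo "iptables -A FORWARD -o $wan_if -p tcp -s $cluster_ip --sport $BACKUP_PORT -d $client_ip -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Constructed sample values; 192.168.0.1 is the cluster address from the question.
backup_dnat_rules eth0 203.0.113.10 192.168.0.1
```

Review the printed rules before applying them on the firewall; the cluster instance must route its replies back through the NAT box for the connection to complete.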
