
I mean this question as a discussion. I'm looking for some rationale to pick the approach to use to authenticate access and encrypt traffic to and from our Elasticsearch cluster on AWS.

I've come across 3 methods:

  1. NGINX on every node - to manage SSL and provide auth
  2. Shield + SSL encryption set up on every node according to Elastic.co recommendations.
  3. Auth on every node (Shield or third-party) + SSL encryption using an Elastic Load Balancer (ELB). So, all client requests to the ES cluster go through the ELB.

The third method is interesting coz it means there's one node to set up SSL encryption and the certificate on. Methods 1 and 2 require separate setup on every new node.

However, from my experience, it is hard to connect the Java Client API (which works off custom TCP) to the ES Instance through an ELB.

What is the precedent here? Also, what considerations could I be missing?

On the basis of Google search results, Method 3 seems to be rarest. Method 1 seems to be somewhat popular.

Andrei Stefan
Navneet
  • Method 1 is popular because Shield wasn't available when Elasticsearch was created. So, people were looking for alternatives to secure their cluster and Nginx was one of the options. – Andrei Stefan Oct 22 '15 at 00:29
  • @AndreiStefan Do you think Method 2 is a better/more stable option as compared to Method 1 now that Elastic maintains and upgrades Shield? – Navneet Oct 22 '15 at 01:48
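
Method 1 from the question (NGINX on each node terminating TLS and enforcing HTTP basic auth in front of the local Elasticsearch HTTP port), shown as an added example that is not part of the original post or comments. The hostname, certificate paths and htpasswd path are placeholders, and it assumes the node's Elasticsearch HTTP listener on 9200 is reachable only from the node itself.

```nginx
# Added example (constructed): per-node reverse proxy for Method 1.
# Placeholders: es-node.example.internal, certificate paths, htpasswd path.
# Assumption: Elasticsearch HTTP (9200) is bound to loopback on this node, so
# the proxy cannot be bypassed by connecting to 9200 directly.

upstream es_http {
    server 127.0.0.1:9200;
    keepalive 16;                      # reuse connections to the local node
}

server {
    listen 443 ssl;
    server_name es-node.example.internal;

    ssl_certificate     /etc/nginx/tls/es-node.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/es-node.key;   # placeholder path
    ssl_protocols       TLSv1.2;

    # Authentication happens here, before anything reaches Elasticsearch.
    auth_basic           "Elasticsearch";
    auth_basic_user_file /etc/nginx/es.htpasswd;      # placeholder path

    location / {
        proxy_pass         http://es_http;
        proxy_http_version 1.1;          # required for upstream keepalive
        proxy_set_header   Connection "";
        proxy_set_header   Host $host;
    }
}

# This file defines no plain-HTTP listener, so basic-auth credentials are
# only ever accepted over TLS by this server block.
#
# This proxies the HTTP/REST API only. The Java client's TCP transport
# (port 9300 by default) does not pass through an HTTP proxy and is neither
# authenticated nor encrypted by this configuration.
```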

0 Answers