
We have an Elasticsearch Service deployment at elastic.co. During the creation of the deployment, "AWS" was chosen as the cloud platform. We are given an endpoint URL that resolves to a public IP address. Also, we have an AWS account that has multiple EC2 instances running. When we access Elasticsearch Service from EC2 instances, the traffic goes through the internet.

Is it possible to make Elasticsearch Service visible to EC2 instances, as if both are in the same network?

Sajeeva Lakmal
  • What do you mean by "traffic goes through the internet"? Can you explain this in detail and tell us how you are checking it? –  Apr 05 '20 at 16:28

1 Answer

2

If you want to use a secure connection, you have to use a special subscription called Elasticsearch Service Private. It is mentioned in the FAQs [1]:

We support secure peering using AWS Private Link. To run Elasticsearch Service in a dedicated VPC with a secure connection from your environment, use the Elasticsearch Service Private subscription. For more information, see Set up Elasticsearch Service Private.

There is a guide which outlines all the steps you need to take. [2] I do not know the pricing details though. In the guide, they state that you need to contact their team in order to get more information. After you get in touch with them and order the Elasticsearch Service Private subscription, they set up a VPC inside their account for you. Next, they create a VPC PrivateLink Endpoint Service and whitelist your account. Finally, they give you the Elasticsearch Service Private Endpoint Service name which you can use to create an Interface VPC Endpoint (powered by PrivateLink). [3]
You should create an interface endpoint in each of the subnets used by your EC2 instances. After creating the interface endpoints, you are able to access the Elasticsearch endpoint via a DNS name which is added to the AWS DNS servers automatically by PrivateLink. You just have to make sure that your EC2 instances are using the VPC's DNS servers. It should be the default configuration if you did not change the VPC's default DHCP option set.

References

[1] https://www.elastic.co/guide/en/cloud/current/ec-faq.html (see question: "Do you support VPC peering to Elasticsearch Service?")
[2] https://www.elastic.co/guide/en/cloud/current/ec-getting-started-private.html
[3] https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html

Martin Löper
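
One way to check, from an EC2 instance, that the endpoint DNS name resolves to interface-endpoint addresses inside your VPC subnets rather than to a public IP. This is an added example, not part of the original answer; the subnet CIDRs and addresses in it are constructed sample values, and the script name is hypothetical.

```python
import ipaddress
import socket
import sys

# Constructed sample subnets (assumption, not taken from the original post).
SAMPLE_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]


def resolve(hostname, port=443):
    """Return the sorted set of IP addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify(addresses, subnet_cidrs):
    """Map each address to the VPC subnet containing it, or mark it as outside."""
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    inside, outside = {}, []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        match = next((s for s in subnets if ip.version == s.version and ip in s), None)
        if match is None:
            outside.append(addr)
        else:
            inside[addr] = str(match)
    return {
        "inside": inside,
        "outside": outside,
        # Private only if something resolved and nothing points outside the VPC.
        "private_path": bool(addresses) and not outside,
    }


if __name__ == "__main__":
    # Usage: python check_endpoint.py HOSTNAME SUBNET_CIDR [SUBNET_CIDR ...]
    if len(sys.argv) < 3:
        sys.exit("usage: check_endpoint.py HOSTNAME SUBNET_CIDR [SUBNET_CIDR ...]")
    result = classify(resolve(sys.argv[1]), sys.argv[2:])
    for addr, subnet in result["inside"].items():
        print(f"{addr} is inside {subnet}")
    for addr in result["outside"]:
        print(f"{addr} is outside the listed subnets")
    sys.exit(0 if result["private_path"] else 1)
```

A non-zero exit status means at least one resolved address lies outside the listed subnets, so the instance is either not using the VPC's DNS servers or is resolving the public endpoint name.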