Create a public endpoint to AWS ElasticSearch domain which is inside a VPC

Question

I need to access a AWS ElasticSearch (AES) domain, which is inside a VPC, from the internet, so that I can do read/write testing from a local machine. Ultimately, the code will run on an EC2 instance inside the VPC, but for now I need direct access. It would be ideal if the same code would run both outside and inside the VPC (as we do with DynamoDB), but we may not be that lucky.

Thus, I want to create a public endpoint to access the AES domain that is inside the VPC. Since I have the AES internal endpoint name and the ENI connected to it, I thought I could just connect an Elastic IP address to the ENI, but that's not allowed -- I assume its because the internal IP address may change.

Alternatively, it would make sense that I could map a route in the route table from the IGW (Internet Gateway) to the internal address. But that would again be connected to the internal IP address, and thats bad.

I expect I could use Route53 to map an external facing domain name in to it. But that seems like overkill.

Is there way to map an address from the internet in to the AES domain name?

Answer 1

Is there way to map an address from the internet in to the AES domain name?

Sadly, there is no direct way. You have to setup a VPN connection between your home and your VPC, or some other type of proxy server. However, for testing and development purposes, usually this is done using SSH tunnel is more then sufficient. Setting up the SSH tunnel is explain in Testing VPC Domains of AWS Docs.

There are also numerous other manuals and tutorials on how to do it, e.g.:

• How can I use an SSH tunnel to access Kibana from outside of a VPC with Amazon Cognito authentication?
• I want to use an SSH tunnel through AWS Systems Manager to access my private VPC resources. How can I do this?
• Elasticsearch api secure using SSH tunneling