AWS Private VPC link with Elastic cloud

Soumarshi Biswas
Nggawe Nirman Tech Blog
3 min read · Sep 11, 2020

When securing your data on Elastic Cloud is paramount for your application, please do consider Elasticsearch Service Private.

Deploying your indices this way keeps your data off the public network, which matters especially when your indices hold user-related information (PII). It also gives your hosted API a faster and more secure path to your Elasticsearch cluster on Elastic Cloud, because the traffic never leaves the AWS network.

To get started with Elasticsearch Service Private:

  1. You will need to sign up with Elastic Cloud and use their 14-day trial version.
  2. Choose the same region of your Elasticsearch Service Private environment as your application’s AWS region.
  3. During the sign-up process, the Amazon account IDs of your enterprise will be added to the allow-list for your dedicated environment to ensure that only the VPC Endpoints created with those accounts will be permitted to access your deployments.
  4. When the environment is ready, they will send you the VPC Endpoint Service name for your Elasticsearch Service Private environment.

Creating a VPC endpoint

  1. Login to your AWS user console using your account details.
  2. From the AWS console, select the region and add a VPC endpoint to initiate a connection request. For this to be approved, it must be done with an AWS account ID that has been added to the allow-list.
  3. Choose “Find service by name”. In the us-east-1 region, for example, the service name would be com.amazonaws.vpce.us-east-1.vpce-svc-0e42e1e06ed010238, or use the one that Elastic Cloud sent you. Enter the name, then click Verify.
  4. Select your desired VPC.
  5. Select one or more availability zones.
  6. Assign the security groups that should have access to the endpoint. Once completed, you will get an interface VPC Endpoint ID, which you will need later.
  7. Click Create endpoint.

You should now see that the new endpoint status is “Available.” Save the DNS records as you will need them in the next step to configure a DNS record that resolves to those DNS names.

Configuring DNS

  1. In the AWS user console, create a new Route 53 Hosted Zone.
  2. Use vpce.ENV_ID.elastic-cloud.com. as the domain name (substituting your environment's ID for ENV_ID), select Private Hosted Zone for Amazon VPC as the type, and associate it with the relevant VPC.
  3. Click on Create Record Set.
  4. Use * as the record name and choose CNAME - Canonical name as the type. In the value field, enter the first DNS name from the list you saved in the previous section.
  5. Click Create.
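The two console procedures above (creating the interface VPC endpoint, then the private hosted zone with its wildcard CNAME) can also be done with the AWS CLI. The script below is an added example and is not part of the original post or of Elastic's documentation. The VPC, subnet, security group and ENV_ID values are placeholders, and the service name is the us-east-1 example quoted above; replace all of them with your own. The `route53_change_batch` and `is_vpce_dns_name` helpers are pure shell, so they can be checked without AWS access; the `apply` function, which runs the real `aws` commands, only executes when the script is invoked with the argument `apply`.

```shell
#!/bin/sh
# Added example, not from the original post: the VPC endpoint and Route 53
# steps as AWS CLI calls. Every ID below is a placeholder.
set -eu

REGION="${REGION:-us-east-1}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"                 # placeholder
SUBNET_IDS="${SUBNET_IDS:-subnet-aaaaaaaa subnet-bbbbbbbb}" # one per AZ, placeholders
SG_ID="${SG_ID:-sg-0123456789abcdef0}"                    # SG allowed to reach the endpoint, placeholder
ENV_ID="${ENV_ID:-ENV_ID}"                                # environment ID from Elastic, placeholder
# Example service name from the post; use the one Elastic sent you.
SERVICE_NAME="${SERVICE_NAME:-com.amazonaws.vpce.us-east-1.vpce-svc-0e42e1e06ed010238}"

# Build the Route 53 change batch for a wildcard CNAME (*.<zone>) that
# points at the endpoint's DNS name. Pure shell, usable without AWS.
route53_change_batch() {
  cname_target="$1"
  zone_name="$2"
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"*.%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}' \
    "$zone_name" "$cname_target"
}

# Sanity check before writing DNS: the CNAME target must be one of the
# interface endpoint's own names (*.vpce.amazonaws.com). Pointing the
# wildcard at a public hostname would silently route traffic back over
# the internet, defeating the private link.
is_vpce_dns_name() {
  case "$1" in
    *.vpce.amazonaws.com) return 0 ;;
    *) return 1 ;;
  esac
}

apply() {
  # Step 1: request the interface endpoint against Elastic's endpoint service.
  ENDPOINT_ID=$(aws ec2 create-vpc-endpoint --region "$REGION" \
    --vpc-endpoint-type Interface --vpc-id "$VPC_ID" \
    --service-name "$SERVICE_NAME" --subnet-ids $SUBNET_IDS \
    --security-group-ids "$SG_ID" \
    --query 'VpcEndpoint.VpcEndpointId' --output text)
  echo "VPC endpoint: $ENDPOINT_ID (add this ID to the Elastic Cloud traffic filter)"

  # Step 2: wait for the endpoint to become Available (Elastic must accept it).
  until [ "$(aws ec2 describe-vpc-endpoints --region "$REGION" \
      --vpc-endpoint-ids "$ENDPOINT_ID" \
      --query 'VpcEndpoints[0].State' --output text)" = "available" ]; do
    sleep 10
  done

  # Step 3: take the first DNS name, as the console instructions say.
  DNS_NAME=$(aws ec2 describe-vpc-endpoints --region "$REGION" \
    --vpc-endpoint-ids "$ENDPOINT_ID" \
    --query 'VpcEndpoints[0].DnsEntries[0].DnsName' --output text)
  is_vpce_dns_name "$DNS_NAME" || { echo "unexpected DNS name: $DNS_NAME" >&2; exit 1; }

  # Step 4: private hosted zone for vpce.ENV_ID.elastic-cloud.com, bound to the VPC.
  ZONE_NAME="vpce.${ENV_ID}.elastic-cloud.com"
  ZONE_ID=$(aws route53 create-hosted-zone --name "$ZONE_NAME" \
    --caller-reference "elastic-private-$(date +%s)" \
    --vpc "VPCRegion=${REGION},VPCId=${VPC_ID}" \
    --hosted-zone-config PrivateZone=true \
    --query 'HostedZone.Id' --output text)

  # Step 5: wildcard CNAME to the endpoint DNS name.
  aws route53 change-resource-record-sets --hosted-zone-id "$ZONE_ID" \
    --change-batch "$(route53_change_batch "$DNS_NAME" "$ZONE_NAME")"
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Run it as `sh privatelink.sh apply` with the placeholder variables exported. The `is_vpce_dns_name` guard is the one check worth keeping even if you do the steps by hand: the wildcard record is what makes every deployment hostname resolve privately, so its target must be the endpoint's own DNS name and nothing else.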

Create PrivateLink endpoint on Elastic Cloud

  1. In the Elastic Cloud console, navigate to Account > Traffic filters and click on Create filter.
  2. Select PrivateLink.
  3. Add a specific name for your link, add some meaningful description to it.
  4. Add the VPC endpoint ID that you generated above.
  5. Click Create Filter.
  6. You can select Include by default so that this endpoint is added automatically to every new deployment you create.

Add the traffic filter to your deployment

Once you have created the above filter, you can associate the filter with one or more deployments either when creating the deployment or by editing an existing deployment.
