Access Elastic Cluster Over VPN

Tiroshan Madushanka
Published in zero-to
3 min read, Jul 21, 2023

Introduction

Elasticsearch is a popular search and analytics engine widely used in various applications. When deploying an Elasticsearch cluster, it’s essential to ensure proper access control measures are in place to protect sensitive data. In this blog post, we will guide you through the process of setting up a network filter to limit access to a specific Elastic Cluster. By following these steps, you can enhance the security of your Elasticsearch deployment.

Step 1: Create a Subnet in VNET

Check the region of your Elastic cluster.

To begin, create a subnet within the Virtual Network (VNET) where your Elastic Cluster is deployed. This subnet will serve as the network boundary for accessing the cluster.

Step 2: Create a Private Endpoint

Next, set up a private endpoint using Azure Private Link Service Alias. This private endpoint establishes a secure connection between your VNET and the Elastic Cluster, ensuring that network traffic remains within the Azure network.

Use the alias that matches your region, as listed in the Elastic documentation on Azure Private Link traffic filters, during the private endpoint creation process.

Select Azure Private Link Service Alias for Eastus

Step 3: Create a Private DNS Zone

Create a private DNS zone to enable seamless access to the private endpoint. Use the following format: privatelink.<region>.azure.elastic-cloud.com. For example, privatelink.eastus.azure.elastic-cloud.com.

Add an A record in the private DNS zone, specifying the private IP address associated with the created private endpoint.

Link the private DNS zone to your VNet.

Step 4: Create a Network Filter in Elastic Cluster

Now it’s time to configure the network filter within the Elastic Cluster. Update the necessary fields using the details of the private endpoint you set up:

  • Whitelist the private IP address of the private endpoint.
  • Set appropriate rules and conditions to control inbound and outbound network traffic.

Create a filter in the Elastic cluster.

Update the resource name and resource ID with the values from the private endpoint's resource JSON.

Step 5: Enable the Network Filter

Once the network filter is configured, enable it for the specific Elastic Cluster. This step activates the access control measures defined in the filter.

Select the created filter from the drop-down.

Note: Accessing the Cluster

Keep in mind that once the private link is enabled, the public cluster will no longer be accessible directly. To access the cluster, use the following URL format: https://<cluster_id>.<dns_zone_name>:9243.
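A check to run from a host inside the VNet once the steps above are complete, as an added example that is not part of the original post: it builds the zone name and URL in the formats given in Step 3 and the note above, then confirms the hostname resolves only to the private endpoint's IP. The function names, the cluster ID `abc123` and all IP addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

def private_zone(region):
    # Zone name format from Step 3.
    return f"privatelink.{region}.azure.elastic-cloud.com"

def cluster_url(cluster_id, region):
    # URL format from the access note: https://<cluster_id>.<dns_zone_name>:9243
    return f"https://{cluster_id}.{private_zone(region)}:9243"

def resolve(host):
    # Default resolver: every address the system resolver returns for the host.
    infos = socket.getaddrinfo(host, 9243, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def check_private_link(cluster_id, region, endpoint_ip, resolver=resolve):
    """Return (ok, findings) for the private-link hostname of one cluster."""
    host = f"{cluster_id}.{private_zone(region)}"
    expected = ipaddress.ip_address(endpoint_ip)
    try:
        answers = resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, [f"{host}: lookup failed ({exc}); is the zone linked to the VNet?"]
    findings = []
    for answer in answers:
        ip = ipaddress.ip_address(answer)
        if not ip.is_private:
            findings.append(f"{host} -> {ip}: public address, not the private endpoint")
        elif ip != expected:
            findings.append(f"{host} -> {ip}: private, but not the endpoint IP {expected}")
    if not answers:
        findings.append(f"{host}: no addresses returned")
    return not findings, findings

if __name__ == "__main__":
    # Constructed values: cluster ID, region and IPs are placeholders, and the
    # resolvers are stubs so the demo runs offline. Omit `resolver=` to query real DNS.
    cases = {"A record correct": ["10.1.2.4"], "stale A record": ["10.1.2.9"],
             "public answer": ["20.0.0.10"]}
    print(cluster_url("abc123", "eastus"))
    for label, answers in cases.items():
        ok, findings = check_private_link("abc123", "eastus", "10.1.2.4",
                                          resolver=lambda host, a=answers: a)
        print(label, "OK" if ok else "FAIL", findings)
```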

