Access Elastic Cluster Over VPN
Introduction
Elasticsearch is a popular search and analytics engine widely used in various applications. When deploying an Elasticsearch cluster, it’s essential to ensure proper access control measures are in place to protect sensitive data. In this blog post, we will guide you through the process of setting up a network filter to limit access to a specific Elastic Cluster. By following these steps, you can enhance the security of your Elasticsearch deployment.
Step 1: Create a Subnet in VNET
To begin, create a subnet within the Virtual Network (VNET) where your Elastic Cluster is deployed. This subnet will serve as the network boundary for accessing the cluster.
Step 2: Create a Private Endpoint
Next, set up a private endpoint using the Azure Private Link Service alias. This private endpoint establishes a secure connection between your VNET and the Elastic Cluster, ensuring that network traffic remains within the Azure network.
Use the correct alias for your region during the private endpoint creation process.
Step 3: Create a Private DNS Zone
Create a private DNS zone to enable seamless access to the private endpoint. Use the following format: privatelink.<region>.azure.elastic-cloud.com. For example, privatelink.eastus.azure.elastic-cloud.com.
Add an A record in the private DNS zone, specifying the private IP address associated with the created private endpoint.
Link the private DNS zone to your VNET.
Step 4: Create a Network Filter in Elastic Cluster
Now it’s time to configure the network filter within the Elastic Cluster. Fill in the required fields using the details of the private endpoint you created:
- Whitelist the private IP address of the private endpoint.
- Set appropriate rules and conditions to control inbound and outbound network traffic.
Step 5: Enable the Network Filter
Once the network filter is configured, enable it for the specific Elastic Cluster. This step activates the access control measures defined in the filter.
Note: Accessing the Cluster
Keep in mind that once the private link is enabled, the public cluster will no longer be accessible directly. To access the cluster, use the following URL format: https://<cluster_id>.<dns_zone_name>:9243.
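A check to run from a machine inside the VNET once the filter is enabled, as an added example that is not part of the original post: it builds the zone name and URL in the formats given above and confirms that the cluster hostname resolves only to the private endpoint's IP. The cluster ID, the IP addresses and the function names are assumptions made for illustration.

```python
import ipaddress
import socket

PORT = 9243  # port from the URL format in the note above


def private_zone(region):
    """Zone name from Step 3: privatelink.<region>.azure.elastic-cloud.com"""
    return f"privatelink.{region}.azure.elastic-cloud.com"


def cluster_url(cluster_id, region):
    """URL in the format https://<cluster_id>.<dns_zone_name>:9243"""
    return f"https://{cluster_id}.{private_zone(region)}:{PORT}"


def system_resolver(host):
    """Resolve with the OS resolver, i.e. what a VM inside the VNET sees."""
    infos = socket.getaddrinfo(host, PORT, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_resolution(cluster_id, region, endpoint_ip, resolver=system_resolver):
    """Return (ok, reason) for the cluster's private hostname."""
    host = f"{cluster_id}.{private_zone(region)}"
    try:
        addrs = resolver(host)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, f"{host}: no answer ({exc}); zone missing or not linked to the VNET"
    leaked = [a for a in addrs if ipaddress.ip_address(a).is_global]
    if leaked:
        return False, f"{host}: resolves to public address(es) {leaked}"
    if addrs != [endpoint_ip]:
        return False, f"{host}: resolves to {addrs}, expected only {endpoint_ip}"
    return True, f"{host}: resolves to the private endpoint {endpoint_ip}"


if __name__ == "__main__":
    # Constructed sample values: cluster id, region and address are placeholders,
    # and the resolver is faked so the example runs offline.
    def fake_resolver(host):
        return ["10.0.1.5"]

    print(cluster_url("my-cluster-id", "eastus"))
    print(check_resolution("my-cluster-id", "eastus", "10.0.1.5", fake_resolver))
```

Drop the `resolver` argument to use the machine's real DNS; a public answer or a failed lookup usually means the A record is missing or the zone is not linked to the VNET.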