This topic provides answers to commonly asked questions about access to an Alibaba Cloud Elasticsearch cluster from a classic network.

How do I access an Elasticsearch cluster deployed in a VPC from a classic network?

For network security, your Alibaba Cloud Elasticsearch cluster is deployed in your Virtual Private Cloud (VPC). If your business system is deployed in a classic network, you can use the ClassicLink feature supported by VPC to access the VPC.

What is ClassicLink?

A ClassicLink is a network connection provided by a VPC. It allows you to access the VPC from a classic network.

What are the limits of ClassicLink?

  • Up to 1,000 ECS instances of the classic network can be connected to the same VPC.

  • An ECS instance of the classic network can be connected to only one VPC, and the VPC must be under the same account and belong to the same region.

    For a cross-account connection, such as connecting an ECS instance under account A to a VPC under account B, you can transfer the ECS instance from account A to account B.

  • To enable the ClassicLink function of a VPC, the following conditions must be met. The limitations depend on the VPC CIDR block:

    VPC CIDR block 172.16.0.0/12
    • There is no custom route entry destined for 10.0.0.0/8 in the VPC.

    VPC CIDR block 10.0.0.0/8
    • There is no custom route entry destined for 10.0.0.0/8 in the VPC.

    • Make sure that the CIDR block of the VSwitch to communicate with the ECS instance in the classic network is within 10.111.0.0/16.

    VPC CIDR block 192.168.0.0/16
    • There is no custom route entry destined for 10.0.0.0/8 in the VPC.

    • Add a route entry, of which the destination CIDR block is 192.168.0.0/16 and the next hop is the private NIC, to the ECS instance of the classic network. Download the Route script.
      Note: Before running the script, read the readme file in the script carefully.
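
The CIDR conditions listed above can be checked before ClassicLink is enabled. The following Python sketch is an added example, not Alibaba Cloud code; the function name and inputs are hypothetical, and it assumes that a VPC whose CIDR block is a subnet of one of the three listed blocks follows the conditions for that block.

```python
import ipaddress

# Limits taken from the ClassicLink conditions listed above.
CLASSIC_RANGE = ipaddress.ip_network("10.0.0.0/8")
VSWITCH_RANGE = ipaddress.ip_network("10.111.0.0/16")
VPC_192 = ipaddress.ip_network("192.168.0.0/16")
SUPPORTED = [ipaddress.ip_network("172.16.0.0/12"), CLASSIC_RANGE, VPC_192]


def classiclink_precheck(vpc_cidr, custom_route_dests, vswitch_cidr):
    """Return (blockers, actions) for enabling ClassicLink on a VPC.

    blockers: conditions that violate the listed limits.
    actions:  follow-up steps needed on the classic-network ECS instance.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    vswitch = ipaddress.ip_network(vswitch_cidr)
    blockers, actions = [], []

    # Assumption: a subnet of a listed block follows that block's conditions.
    block = next((b for b in SUPPORTED if vpc.subnet_of(b)), None)
    if block is None:
        return [f"VPC CIDR {vpc} is not inside a listed CIDR block"], actions

    # Applies to every block: no custom route entry destined for 10.0.0.0/8
    # (matched as an exact destination, as the condition is worded).
    for dest in custom_route_dests:
        if ipaddress.ip_network(dest) == CLASSIC_RANGE:
            blockers.append(f"remove custom route entry destined for {dest}")

    # 10.0.0.0/8 VPCs: the VSwitch must sit inside 10.111.0.0/16.
    if block == CLASSIC_RANGE and not vswitch.subnet_of(VSWITCH_RANGE):
        blockers.append(f"VSwitch {vswitch} must be within {VSWITCH_RANGE}")

    # 192.168.0.0/16 VPCs: the classic ECS instance needs an extra route.
    if block == VPC_192:
        actions.append("add route 192.168.0.0/16 via the private NIC "
                       "on the classic-network ECS instance")
    return blockers, actions


if __name__ == "__main__":
    # Constructed sample inputs, not real resources.
    samples = [
        ("172.16.0.0/12", ["10.0.0.0/8"], "172.16.1.0/24"),
        ("10.0.0.0/8", [], "10.20.0.0/24"),
        ("192.168.0.0/16", [], "192.168.1.0/24"),
    ]
    for args in samples:
        print(args, "->", classiclink_precheck(*args))
```
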

How do I enable ClassicLink?

  1. Log on to the VPC console.
  2. Select the region where your VPC resides.
  3. On the VPCs page, find the target VPC and click Manage in the Actions column.

    We recommend that you select a VPC that uses the Classless Inter-Domain Routing (CIDR) block 172.16.0.0/12.

  4. In the upper-right corner of the VPC Details page, click Enable ClassicLink.
  5. In the Enable ClassicLink message, click OK.

    After ClassicLink is enabled, the value of the ClassicLink parameter changes to Enabled.

How do I create a ClassicLink?

Before you create a ClassicLink, make sure that you have completed the following operations:
  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select the region where your ECS instance resides.
  4. Find the target ECS instance. Then, click More in the Actions column and choose Network and Security Group > Set classic link.
  5. In the dialog box that appears, select the target VPC, click OK, and then click Go to the instance security group list and add ClassicLink rules.
  6. Click Add ClassicLink Rule. In the dialog box that appears, specify the required parameters and click OK.
    Parameter: Description
    • Classic Security Group: The name of the security group for the classic network.
    • Select VPC Security Group: Select a security group for the VPC.
    • Mode: Select one of the following authorization modes:
      • Classic <=> VPC: This mode allows ECS instances in a classic network and cloud resources in a VPC to access each other. We recommend that you select this mode.
      • Classic => VPC: This mode allows ECS instances in a classic network to access cloud resources in a VPC.
      • VPC => Classic: This mode allows cloud resources in a VPC to access ECS instances in a classic network.
    • Protocol: Select a communication protocol, such as customized TCP.
    • Port Range: Specify the ports used for communication. The ports must be in the format of xx/xx. For example, to specify port 80, enter 80/80.
    • Priority: Specify the priority of the rule. A small value indicates a high priority. For example, if you set this parameter to 1, the rule has the highest priority.
    • Description: Enter the description of the security group.

How do I test the connectivity between the classic network and VPC?

  1. Go to the ECS console and click the Column Filters button in the upper-right corner of the Instances page. In the dialog box that appears, select Connection Status and click OK to view the connection status of the ECS instance.
  2. Log on to the ECS instance from which the ClassicLink is established and run the curl command to access your Elasticsearch cluster in the VPC.
    Note: If the system displays "curl command not found", run the yum install curl command to install cURL on the ECS instance.

    curl -u <username>:<password> http://<host>:<port>

    Variable: Description
    • <username>: The account that is used to access your Elasticsearch cluster. We recommend that you do not use the elastic account.
      Notice:
      • If you use the elastic account to access your Elasticsearch cluster and then reset the password of the account, it may require some time for the new password to take effect. During this period, you cannot use the elastic account to access your Elasticsearch cluster. Therefore, we recommend that you do not use the elastic account to access your Elasticsearch cluster.
      • If the version of your Elasticsearch cluster contains "with_X-Pack", you must specify both the username and password to access the cluster.
    • <password>: The password that is used to access your Elasticsearch cluster. The password is the one specified when you create the cluster or initialize Kibana.
    • <host>: The internal endpoint of your Elasticsearch cluster. You can obtain the internal endpoint from the Basic Information page of the cluster.
    • <port>: The port of your Elasticsearch cluster. In most cases, 9200 is used. You can obtain the port number from the Basic Information page of the cluster.

    Example command:
    curl -u elastic:es_password http://es-cn-vxxxxxxxxxxxx****.elasticsearch.aliyuncs.com:9200
    If the connection is established, the result shown in the following figure is returned.
    [Figure: Successful response]