Alibaba Cloud Elasticsearch uses Virtual Private Cloud (VPC), access control policies, and built-in security features to secure Alibaba Cloud Elasticsearch clusters.

Access Alibaba Cloud Elasticsearch over a VPC

You can use the internal endpoint of an Alibaba Cloud Elasticsearch cluster to access the cluster over a VPC. If you require a secure environment where your applications access Alibaba Cloud Elasticsearch, you can purchase an Alibaba Cloud Elastic Compute Service (ECS) instance in the same zone, region, and VPC as your Alibaba Cloud Elasticsearch cluster. Deploy your applications on the ECS instance and then use the internal endpoint of your Alibaba Cloud Elasticsearch cluster for access.

Note: A VPC is a private network in the cloud and is isolated from the Internet. It provides secure access for your applications.

Access control

  • Whitelist-based access control

    If you are using the internal endpoint of an Alibaba Cloud Elasticsearch cluster to access the cluster, you can configure a whitelist for the cluster to control access. Only clients whose IP addresses are in the whitelist can access the cluster. For more information, see VPC whitelist.

    If you are using the public endpoint of an Alibaba Cloud Elasticsearch cluster to access the cluster, you can configure a whitelist for the cluster to control access. Only clients whose IP addresses are in the whitelist can access the cluster. For more information, see Public network whitelist.

  • RAM-based access control

    The Elasticsearch console supports Resource Access Management (RAM) users. You can use RAM users to isolate resources. A RAM user can only view and manage its own Alibaba Cloud Elasticsearch clusters. For more information, see Policy check rules.

  • X-Pack role-based access control

    Alibaba Cloud Elasticsearch provides X-Pack, which is a commercial extension of Elasticsearch. X-Pack is an easy-to-install bundle that provides security, alerting, monitoring, graph, and reporting capabilities. X-Pack is integrated into Kibana to provide more capabilities, such as authorization and authentication, role-based access control, real-time monitoring, visual reporting, and machine learning. Role-based access control in X-Pack can be specific to indexes. For more information, visit Security APIs in the open-source Elasticsearch documentation.

System security

  • You can access an Alibaba Cloud Elasticsearch cluster over a VPC. A VPC provides a secure access environment.
  • You cannot log on to any node servers that are contained in an Alibaba Cloud Elasticsearch cluster.
  • No IP addresses are allowed to access the public endpoint of an Alibaba Cloud Elasticsearch cluster by default. If you want to allow access requests, you must configure a whitelist. For more information, see Public network whitelist.
  • You can configure whitelists to limit access to both the public and internal endpoints of an Alibaba Cloud Elasticsearch cluster.
  • Alibaba Cloud Elasticsearch opens only ports 9200 and 9300 to allow access to its public and internal endpoints.
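
The whitelist controls described above admit only clients whose IP addresses match an entry, so an overly broad entry weakens the isolation that the VPC and the default-deny public endpoint provide. The following Python check is an added example, not Alibaba Cloud code: it audits a whitelist before it is applied and tests whether a given client would be admitted. It assumes entries are comma-separated IPv4 addresses or CIDR blocks; the prefix thresholds, the function names, and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Assumed review policy (not Alibaba Cloud limits): entries with a prefix
# shorter than these values are reported as overly broad for that endpoint.
MIN_PREFIX = {"public": 24, "internal": 16}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_whitelist(raw):
    """Parse comma-separated IPv4 addresses or CIDR blocks (assumed format)."""
    items = (part.strip() for part in raw.split(","))
    return [ipaddress.ip_network(item, strict=False) for item in items if item]

def audit_whitelist(raw, endpoint):
    """Return (entry, finding) pairs for entries that deserve a second look."""
    findings = []
    for net in parse_whitelist(raw):
        private = any(net.overlaps(r) for r in RFC1918)
        if net.prefixlen == 0:
            findings.append((str(net), "allows every address"))
        elif net.prefixlen < MIN_PREFIX[endpoint]:
            findings.append((str(net), "broader than /%d" % MIN_PREFIX[endpoint]))
        elif endpoint == "public" and private:
            findings.append((str(net), "RFC 1918 range on public endpoint"))
        elif endpoint == "internal" and not private:
            findings.append((str(net), "non-RFC 1918 range on internal endpoint"))
    return findings

def is_allowed(client_ip, raw):
    """True if client_ip matches an entry; an empty whitelist admits no one."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_whitelist(raw))

# Constructed sample whitelists for the two endpoint types.
PUBLIC_SAMPLE = "203.0.113.10, 198.51.100.0/22, 0.0.0.0/0, 10.1.2.0/24"
INTERNAL_SAMPLE = "192.168.0.0/16, 172.16.5.0/24, 192.0.2.0/24"

if __name__ == "__main__":
    for name, raw in (("public", PUBLIC_SAMPLE), ("internal", INTERNAL_SAMPLE)):
        for entry, finding in audit_whitelist(raw, name):
            print("%-8s %-18s %s" % (name, entry, finding))
```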