You can configure private connections to enable communication between virtual private clouds (VPCs) and prevent security risks that are caused by access over the Internet. This topic describes how to configure a private connection for an Alibaba Cloud Elasticsearch cluster.
Background information
In October 2020, the network architecture of Alibaba Cloud Elasticsearch was adjusted. After this adjustment, some features of Elasticsearch are limited (see the feature table below). You can use the PrivateLink service to establish private connections between the exclusive VPC for Elasticsearch and your VPC to resolve some of these communication issues.
- Endpoint service
Endpoint services within a VPC can be accessed by other VPCs over private connections. You must create endpoints for these VPCs to establish private connections. Endpoint services are created and managed by service providers.
- Endpoint
You can associate an endpoint with an endpoint service to establish private connections. These connections allow a VPC to access external services. For Elasticsearch, endpoints are automatically created and managed by the service account of Elasticsearch.
Feature | Description |
---|---|
Watcher | X-Pack Watcher can monitor system information based on query criteria and report alerts. |
Security features | X-Pack supports a variety of cluster-level security features, such as single sign-on, Lightweight Directory Access Protocol (LDAP) authentication, and user authentication. |
External dictionary access of custom plug-ins | Custom plug-ins can dynamically access external dictionaries. |
Prerequisites
- An Alibaba Cloud Elasticsearch cluster is created. For more information, see Create an Alibaba Cloud Elasticsearch cluster.
- Elastic Compute Service (ECS) instances are created in your VPC, and the required applications are deployed on the ECS instances. For more information, see Create an instance by using the wizard.
Note
- The ECS instances are used as backend servers to receive requests that are forwarded by a Server Load Balancer (SLB) instance. The ECS instances can be deployed in zones that are different from the SLB instance but must be deployed in the same VPC and region as the SLB instance.
- If a PrivateLink endpoint service is created in your VPC, SLB service resources are configured for the endpoint service, and the health check states of backend servers are Normal, you can directly configure a private connection for your Elasticsearch cluster and obtain the domain name of the related endpoint. For more information, see Step 4: Configure a private connection for the Elasticsearch cluster and View the domain name of an endpoint.
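The point of the private connection is that traffic never traverses the Internet. As an added check (not part of this document or of Alibaba Cloud's tooling), the Python script below resolves an endpoint domain name, confirms that it resolves only to VPC-private addresses, and tests TCP reachability of the cluster port from an ECS instance in your VPC. The endpoint domain name and port 9200 are assumptions; substitute the values shown in your console.

```python
import ipaddress
import socket

ES_PORT = 9200  # assumed Elasticsearch HTTP port; adjust if your cluster differs


def private_addresses(addresses):
    """Split resolved IPs into private (VPC-internal) and non-private ones.

    Returns (private, public). A PrivateLink endpoint should resolve only to
    private addresses; any public address means the name in use is not the
    private endpoint and traffic could leave the VPC.
    """
    private, public = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (private if ip.is_private else public).append(addr)
    return private, public


def resolve(hostname):
    """Resolve hostname to a sorted, de-duplicated list of IP address strings."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tcp_reachable(addr, port=ES_PORT, timeout=3.0):
    """Return True if a TCP connection to addr:port succeeds within timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoint(hostname):
    """Report which resolved addresses are private and whether each is reachable."""
    private, public = private_addresses(resolve(hostname))
    reachable = {addr: tcp_reachable(addr) for addr in private}
    return {"private": private, "public": public, "reachable": reachable}


if __name__ == "__main__":
    # Placeholder hostname: replace with the endpoint domain name from the console.
    print(check_endpoint("ENDPOINT-DOMAIN-NAME-PLACEHOLDER"))
```

Run it from an ECS instance inside the VPC that holds the endpoint; a non-empty `public` list or an unreachable private address indicates a misconfigured connection.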
Limits
Private connections can be configured only in the following regions and zones:
Region | Zone |
---|---|
China (Hangzhou) | Zone F, Zone G, Zone H, Zone I, Zone J, and Zone K |
China (Shanghai) | Zone B, Zone E, Zone F, Zone G, and Zone L |
China (Qingdao) | Zone B and Zone C |
China (Beijing) | Zone C, Zone D, Zone E, Zone F, Zone G, Zone H, Zone I, and Zone K |
China (Zhangjiakou) | Zone A, Zone B, and Zone C |
China (Shenzhen) | Zone D, Zone E, and Zone F |
China (Hong Kong) | Zone B, Zone C, and Zone D |
Japan (Tokyo) | Zone A and Zone B |
Singapore (Singapore) | Zone A, Zone B, and Zone C |
Australia (Sydney) | Zone B |
Malaysia (Kuala Lumpur) | Zone A and Zone B |
Indonesia (Jakarta) | Zone A and Zone B |
Germany (Frankfurt) | Zone A and Zone B |
UK (London) | Zone A and Zone B |
US (Silicon Valley) | Zone A and Zone B |
US (Virginia) | Zone A and Zone B |
India (Mumbai) | Zone A and Zone B |
Precautions
You can configure private connections only for clusters that are deployed in the new network architecture. Clusters created in October 2020 or later are deployed in the new network architecture. Clusters created before October 2020 are deployed in the original network architecture (including Alibaba Gov Cloud and Alibaba Finance Cloud).
Procedure
Step 1: Create a CLB instance that supports PrivateLink
Step 2: Configure the CLB instance
Step 3: Create an endpoint service
Step 4: Configure a private connection for the Elasticsearch cluster
View the domain name of an endpoint
You can use the domain names of endpoints to access the endpoint services with which the endpoints are associated. To view the domain name of an endpoint, perform the following steps: