Alibaba Cloud Elasticsearch clusters are deployed in logically isolated virtual private clouds (VPCs) and protected by layered security controls: network isolation, access policies, identity verification, encryption, monitoring, and disaster recovery. This topic describes the built-in security features and how they compare to what you manage in a self-managed cluster.
How security works
Security in Alibaba Cloud Elasticsearch operates across three layers, each intercepting threats at a different stage:
Network layer — VPC isolation and IP whitelists prevent unauthorized traffic from reaching the cluster endpoint.
Access policy layer — Resource Access Management (RAM) policies and port restrictions determine which authenticated identities can perform which operations.
Fine-grained control layer — Role-based access control (RBAC) provided by X-Pack enforces field- and index-level permissions after a request passes the first two layers.
This layered model lets you see exactly which controls Alibaba Cloud manages and which ones you configure yourself.
Open source software is often the first target of attacks; the MongoDB ransomware attacks are one example. Elasticsearch has also become a target. Attackers may compromise self-managed Elasticsearch clusters that lack professional security protection, delete important data, or interfere with business systems.
Security features
Alibaba Cloud Elasticsearch has provided a fully managed service since November 2017. The following table compares what each security category includes by default against the steps required for a self-managed cluster.
Access control
VPC access
Access Alibaba Cloud Elasticsearch over a VPC using the cluster's internal endpoint. A VPC is a private network isolated from the Internet. To connect your applications to the cluster securely, create an Elastic Compute Service (ECS) instance in the same zone, region, and VPC as the cluster, then connect from that ECS instance to the internal endpoint.
Whitelist-based access control
Both the internal and public endpoints support IP whitelists. Only clients with IP addresses on the whitelist can connect. Configure whitelists for either endpoint in the Alibaba Cloud Elasticsearch console. For details, see Configure a public or private IP address whitelist for an Elasticsearch cluster.
Authentication and authorization
RAM-based access control
The Alibaba Cloud Elasticsearch console supports RAM users. Each RAM user can view and manage only the clusters for which they have been granted permissions, keeping resources isolated across teams and roles. For details on how RAM evaluates permissions, see Policy evaluation process.
Role-based access control via X-Pack
X-Pack is a commercial plug-in bundled with Alibaba Cloud Elasticsearch. Integrated into Kibana, it adds security, alerting, monitoring, graphing, and reporting capabilities, along with RBAC, real-time monitoring, visual reporting, and machine learning. RBAC permissions can be scoped to specific indexes. For configuration details, see Use the RBAC mechanism provided by Elasticsearch X-Pack to implement access control and the Security APIs reference.
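The index- and field-level scoping described above can be reviewed offline. The following is an added example, not code from the Alibaba Cloud documentation: a least-privilege audit over role definitions shaped like the response of the Security API's `GET /_security/role`. The role names, index names, and the choice of which privileges count as broad are assumptions made for illustration.

```python
import json

# Constructed sample, shaped like the response of GET /_security/role.
# Role and index names are hypothetical.
SAMPLE_ROLES = json.loads("""
{
  "logs_reader": {"cluster": [], "indices": [{"names": ["app-logs-*"], "privileges": ["read"],
      "field_security": {"grant": ["@timestamp", "level", "message"]}}]},
  "team_admin": {"cluster": ["all"], "indices": [{"names": ["*"], "privileges": ["all"]}]},
  "orders_writer": {"cluster": ["monitor"],
      "indices": [{"names": ["orders"], "privileges": ["read", "write"]}]}
}
""")

# Assumption: index privileges this audit treats as worth a manual review.
BROAD_PRIVS = {"all", "manage"}


def audit_role(name, role):
    """Return a list of least-privilege findings for one role definition."""
    findings = []
    if "all" in role.get("cluster", []):
        findings.append(f"{name}: cluster privilege 'all'")
    for entry in role.get("indices", []):
        names = entry.get("names", [])
        privs = set(entry.get("privileges", []))
        if "*" in names:
            findings.append(f"{name}: index pattern '*' matches every index")
        if BROAD_PRIVS & privs:
            findings.append(f"{name}: broad privileges {sorted(BROAD_PRIVS & privs)} on {names}")
        # No field_security block means every field of matching documents is readable.
        grant = entry.get("field_security", {}).get("grant", ["*"])
        if "read" in privs and "*" in grant:
            findings.append(f"{name}: read on {names} has no field-level restriction")
    return findings


def audit_roles(roles):
    """Audit every role; return {role_name: [findings]} for roles with findings."""
    report = {name: audit_role(name, role) for name, role in roles.items()}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for found in audit_roles(SAMPLE_ROLES).values():
        print("\n".join(found))
```

A missing field-level restriction is reported as a review item rather than a defect, since many roles legitimately read whole documents.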