The network architecture of Alibaba Cloud Elasticsearch was adjusted in October 2020. Elasticsearch clusters that are created before October 2020 are deployed in the original network architecture. Elasticsearch clusters that are created in October 2020 or later are deployed in the new network architecture.
Adjustment and time
Adjustment
Alibaba Cloud Elasticsearch clusters deployed in the new network architecture reside in the virtual private cloud (VPC) within the service account of Alibaba Cloud Elasticsearch. These clusters cannot access resources in other network environments.
Alibaba Cloud Elasticsearch clusters deployed in the original network architecture reside in VPCs that are created by users. These clusters can access resources in other network environments.
Time
The network architecture of Alibaba Cloud Elasticsearch was adjusted in October 2020.
Elasticsearch clusters that are created before October 2020 are deployed in the original network architecture, except clusters created in the China (Zhangjiakou) region and regions outside China.
Elasticsearch clusters that are created in October 2020 or later are deployed in the new network architecture, except clusters created in the China (Zhangjiakou) region and regions outside China.
It is uncertain when the network architecture was adjusted in the China (Zhangjiakou) region and regions outside China.
You can contact Alibaba Cloud technical support to check the network connectivity of an Elasticsearch cluster created in such a region.
Impact
You cannot perform cross-cluster operations, such as reindex, searches, or replication, between a cluster deployed in the original network architecture and a cluster deployed in the new network architecture.
New network architecture
Private connections can be configured for Elasticsearch clusters. You can use the PrivateLink service to establish private connections between the VPC within the Elasticsearch service account and your VPC to resolve some communication issues. For more information, see Configure a private connection for an Elasticsearch cluster.
In the new network architecture, features such as X-Pack Watcher, reindex, Lightweight Directory Access Protocol (LDAP) authentication, and Active Directory (AD) user authentication are limited. To resolve this issue, you can use the PrivateLink service to establish private connections between VPCs. For more information, see the following topics:
X-Pack Watcher cannot access the Internet directly. It must reach the Internet through the internal endpoint of your Elasticsearch cluster. To enable Internet access, perform the following operations:
Configure a private connection for the Elasticsearch cluster. For more information, see Configure a private connection for an Elasticsearch cluster.
Associate an elastic IP address (EIP) with an Elastic Compute Service (ECS) instance, or configure a Source Network Address Translation (SNAT) entry for the instance. For more information, see Associate or disassociate an EIP or Create and manage SNAT entries.
Original network architecture
Private connections cannot be configured for Elasticsearch clusters.
Only single-zone Elasticsearch clusters support LDAP authentication and AD user authentication.