You can configure private connections to enable communication between virtual private clouds (VPCs) and prevent security risks that are caused by access over the Internet. This topic describes how to configure a private connection for an Alibaba Cloud Elasticsearch cluster.
Background information
In October 2020, the network architecture of Alibaba Cloud Elasticsearch was adjusted. After this adjustment, some features of Elasticsearch clusters deployed in the new network architecture are limited. You can use the PrivateLink service to establish private connections between the VPC within the Elasticsearch service account and your VPC to resolve some communication issues.
The following table describes the Elasticsearch features that can be implemented by using PrivateLink.
Feature | Description | References |
Watcher | X-Pack Watcher can monitor system information based on query criteria and report alerts. | |
Security features | X-Pack supports a variety of cluster-level security features, such as single sign-on, Lightweight Directory Access Protocol (LDAP) authentication, and user authentication. | |
External dictionary access of custom plug-ins | Custom plug-ins can dynamically access external dictionaries. | |
reindex API | The reindex API can be used to migrate data between clusters. | |
Elasticsearch data migration | Data in a self-managed Elasticsearch cluster can be migrated to an Alibaba Cloud Elasticsearch cluster. |
If your cluster is deployed in the new network architecture and you want to use the X-Pack Watcher, reindex, LDAP authentication, or AD user authentication feature, you must configure a private connection for your cluster. To ensure the availability of the features, you must strictly follow the instructions in this topic.
You can configure private connections only for clusters that are deployed in the new network architecture. Clusters created in October 2020 or later are deployed in the new network architecture. Clusters created before October 2020 are deployed in the original network architecture, including clusters in Alibaba Gov Cloud and Alibaba Finance Cloud.
Prerequisites
An Alibaba Cloud Elasticsearch cluster is created. For more information, see Create an Alibaba Cloud Elasticsearch cluster.
NoteThe Elasticsearch cluster must be created in October 2020 or later.
Elastic Compute Service (ECS) instances are created in your VPC, and the required applications are deployed on the ECS instances. For more information, see Create an instance by using the wizard.
NoteThe ECS instances are used as backend servers to receive requests that are forwarded by a Server Load Balancer (SLB) instance. You can deploy the ECS instances in zones that are listed in Limits
but must deploy them in the same VPC and region as the SLB instance.
Limits
Only some regions support PrivateLink. The following table lists the regions and zones that support both Elasticsearch and PrivateLink. For more information, see Regions and zones that support PrivateLink.
Region | Zone |
China (Hangzhou) | Zone F, Zone G, Zone H, Zone I, Zone J, and Zone K |
China (Shanghai) | Zone B, Zone E, Zone F, Zone G, and Zone L |
China (Qingdao) | Zone B and Zone C |
China (Beijing) | Zone C, Zone D, Zone E, Zone F, Zone G, Zone H, Zone I, and Zone K |
China (Zhangjiakou) | Zone A, Zone B, and Zone C |
China (Shenzhen) | Zone D, Zone E, and Zone F |
China (Hong Kong) | Zone B, Zone C, and Zone D |
Japan (Tokyo) | Zone A and Zone B |
Singapore | Zone A, Zone B, and Zone C |
Australia (Sydney) | Zone B |
Malaysia (Kuala Lumpur) | Zone A and Zone B |
Indonesia (Jakarta) | Zone A and Zone B |
Germany (Frankfurt) | Zone A and Zone B |
UK (London) | Zone A and Zone B |
US (Silicon Valley) | Zone A and Zone B |
US (Virginia) | Zone A and Zone B |
India (Mumbai) | Zone A and Zone B |
Terms
To use PrivateLink to establish private connections, you must create endpoint services and endpoints.
Term | Description |
endpoint service | Endpoint services within a VPC can be accessed by other VPCs over private connections. You must create endpoints for these VPCs to establish private connections. Note Endpoint services are created and managed by service providers. For more information, see Step 1: Create and configure an SLB instance and Step 2: Create an endpoint service. |
endpoint | You can associate an endpoint with an endpoint service to establish private connections. These connections allow a VPC to access external services. Note For Elasticsearch, endpoints are automatically created and managed by the service account of Elasticsearch. For more information, see Step 3: Configure a private connection for the Elasticsearch cluster. |
Procedure
Step 1: Create and configure an SLB instance
- Log on to the CLB console.
Create an SLB instance that supports PrivateLink.
On the Instances page, click Create CLB.
On the SLB buy page, configure the parameters, click Buy Now, and then complete the payment. You must set SLB instance to Intranet.
For more information, see Create and manage a CLB instance.
Configure the CLB instance.
On the Instances page, find the CLB instance and click Configure Listener in the Actions column.
On the Configure Server Load Balancer page, configure the parameters based on your business requirements and perform a health check and a configuration review.
For more information, see Configure a CLB instance and Listener overview.
Step 2: Create an endpoint service
In the top navigation bar, select the region in which you want to create an endpoint service.
The endpoint service must reside in the same region as the SLB instance.
Click Create Endpoint Service.
On the Create Endpoint Service page, select the SLB instance created in Step 1 as the service resource, configure other parameters based on your business requirements, and click OK.
For more information, see Create an endpoint service.
Step 3: Configure a private connection for the Elasticsearch cluster
- Log on to the Alibaba Cloud Elasticsearch console.
- In the left-side navigation pane, click Elasticsearch Clusters.
- Navigate to the desired cluster.
- In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
- On the Elasticsearch Clusters page, find the cluster and click its ID.
In the left-side navigation pane of the page that appears, choose .
In the Network Settings section, click Edit on the right side of Configure Private Connection.
In the Configure Private Connection panel, click Add Private Connection. In the Create Private Connection dialog box, select the endpoint service created in Step 2, select a zone, select the check box, and then click OK.
Then, the endpoint service attempts to connect to the associated endpoint. If the value of Endpoint Connection Status for the private connection is Connected, the endpoint service is connected to the associated endpoint.
NoteIf the value of Endpoint Connection Status for the private connection is Disconnected, click Allow Connection in the Actions column.
(Optional) View the domain name of the endpoint.
You can use the domain name of the endpoint for other configurations, such as Watcher, SSO, and LDAP authentication.
In the Configure Private Connection panel, click the ID of the endpoint in the Endpoint ID column.
On the Endpoint Connections tab of the page that appears, click the
icon next to the ID of the endpoint. Then, you can view the domain name of the endpoint.