doc-exports/docs/css/umn/css_01_0082.html
Wuwan, Qi 050b395397 CSS UMN 23.2.1 20230926
Reviewed-by: Kacur, Michal <michal.kacur@t-systems.com>
Co-authored-by: Wuwan, Qi <wuwanqi1@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-committed-by: Wuwan, Qi <wuwanqi1@noreply.gitea.eco.tsi-dev.otc-service.com>
2024-01-10 14:23:15 +00:00


<a name="css_01_0082"></a><a name="css_01_0082"></a>
<h1 class="topictitle1">Accessing a Cluster Using a VPC Endpoint</h1>
<div id="body1574047656857"><p id="css_01_0082__en-us_topic_0000001223434404_p8060118">If the VPC endpoint service is enabled, you can use a private domain name or node IP address generated by the endpoint to access the cluster. When the VPC endpoint service is enabled, a VPC endpoint will be created by default. You can select <strong id="css_01_0082__b1882102817111">Private Domain Name Creation</strong> as required. VPC endpoint creation requires specific permissions. For details, see "VPCEP Permissions".</p>
<p id="css_01_0082__en-us_topic_0000001223434404_p172271451344">VPC Endpoint uses a shared load balancer for intranet access. If your workloads require quick access, you are advised to connect a dedicated load balancer to the cluster. For details, see <a href="css_01_0181.html">Connecting to a Dedicated Load Balancer</a>.</p>
<div class="caution" id="css_01_0082__en-us_topic_0000001223434404_note91924414116"><span class="cautiontitle"><img src="public_sys-resources/caution_3.0-en-us.png"> </span><div class="cautionbody"><p id="css_01_0082__en-us_topic_0000001223434404_p131922418116">Public IP address access and the VPC endpoint service share one load balancer. If you have configured a public access whitelist, that whitelist also restricts the public and private IP addresses that reach the cluster through VPCEP, because public access and the VPC endpoint service share the same load balancer. In this case, add the IP address range <strong id="css_01_0082__b18782184310187">198.19.128.0/17</strong> to the public access whitelist to allow traffic through VPCEP.</p>
</div></div>
<div class="section" id="css_01_0082__en-us_topic_0000001223434404_section115745793915"><h4 class="sectiontitle">Enabling the VPC Endpoint Service</h4><ol id="css_01_0082__en-us_topic_0000001223434404_ol77309120406"><li id="css_01_0082__en-us_topic_0000001223434404_li1142971461017">Log in to the <span id="css_01_0082__en-us_topic_0000001223434404_text7429314121020">CSS</span> management console.</li><li id="css_01_0082__en-us_topic_0000001223434404_li26962321017">Click <strong id="css_01_0082__b1853971110547">Create Cluster</strong> in the upper right corner.</li><li id="css_01_0082__en-us_topic_0000001223434404_li19621829513">On the <strong id="css_01_0082__b192581638133917">Create Cluster</strong> page, set <strong id="css_01_0082__b11258193833914">Advanced Settings</strong> to <strong id="css_01_0082__b1125853873915">Custom</strong>. Enable the VPC endpoint service.<ul id="css_01_0082__en-us_topic_0000001223434404_ul1376659192617"><li id="css_01_0082__en-us_topic_0000001223434404_li97412595266"><strong id="css_01_0082__b1725875612216">Private Domain Name Creation</strong>: If you enable this function, the system automatically creates a private domain name for you, which you can use to access the cluster.</li><li id="css_01_0082__en-us_topic_0000001223434404_li67635972618"><strong id="css_01_0082__b135116147817">VPC Endpoint Service Whitelist</strong>: You can add an authorized account ID to the VPC endpoint service whitelist. Then you can access the cluster using the domain name or the node IP address.</li><li id="css_01_0082__en-us_topic_0000001223434404_li3393155917228">You can click <strong id="css_01_0082__b32858551745">Add</strong> to add multiple accounts.</li><li id="css_01_0082__en-us_topic_0000001223434404_li640115594223">Click <strong id="css_01_0082__b15687931159">Delete</strong> in the <strong id="css_01_0082__b7599115955">Operation</strong> column to delete the accounts that are not allowed to access the cluster.</li></ul>
<div class="note" id="css_01_0082__en-us_topic_0000001223434404_note47795914269"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="css_01_0082__en-us_topic_0000001223434404_ul127765992615"><li id="css_01_0082__en-us_topic_0000001223434404_li2076259172619">If the authorized account ID is set to <strong id="css_01_0082__b42893549528">*</strong>, all users are allowed to access the cluster.</li><li id="css_01_0082__en-us_topic_0000001223434404_li107614595262">You can view authorized account IDs on the <strong id="css_01_0082__b82340124535">My Credentials</strong> page.</li></ul>
</div></div>
</li></ol>
</div>
<div class="section" id="css_01_0082__en-us_topic_0000001223434404_section12521512195113"><h4 class="sectiontitle">Managing VPC Endpoint Service</h4><p id="css_01_0082__en-us_topic_0000001223434404_p8328122613523">You can enable the VPC endpoint service when creating a cluster, or enable it after cluster creation by performing the following steps.</p>
<ol id="css_01_0082__en-us_topic_0000001223434404_ol146347435519"><li id="css_01_0082__en-us_topic_0000001223434404_li7625635121410">Log in to the <span id="css_01_0082__en-us_topic_0000001223434404_text1762514356145">CSS</span> management console.</li><li id="css_01_0082__en-us_topic_0000001223434404_li106254357143">Choose <strong id="css_01_0082__b33362618474">Clusters</strong> in the navigation pane. On the <span class="wintitle" id="css_01_0082__wintitle20562115115114"><b>Clusters</b></span> page, click the name of the target cluster.</li><li id="css_01_0082__en-us_topic_0000001223434404_li1068041913586">Click the <strong id="css_01_0082__b14205337339">VPC Endpoint Service</strong> tab, and turn on the button next to <strong id="css_01_0082__b315831114818">VPC Endpoint Service</strong>.<p id="css_01_0082__en-us_topic_0000001223434404_p186900304331">In the displayed dialog box, you can determine whether to enable the private domain name. Click <strong id="css_01_0082__b173201424161616">Yes</strong> to enable the VPC endpoint service.</p>
<div class="note" id="css_01_0082__en-us_topic_0000001223434404_note365442833217"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="css_01_0082__en-us_topic_0000001223434404_ul10498537163212"><li id="css_01_0082__en-us_topic_0000001223434404_li74981437183213">If the VPC endpoint service is enabled, you can use a private domain name or node IP address generated by the VPC endpoint to access the cluster. For details, see <a href="#css_01_0082__en-us_topic_0000001223434404_section19864153679">Accessing the Cluster Using the Private Domain Name or Node IP Address</a>.</li><li id="css_01_0082__en-us_topic_0000001223434404_li4254839163219">If you disable the VPC endpoint service, none of the users can access the cluster using the private domain name.</li></ul>
</div></div>
</li><li id="css_01_0082__en-us_topic_0000001223434404_li1855619442016">(Optional) Click <strong id="css_01_0082__b13880115618177">Modify</strong> next to <strong id="css_01_0082__b10886356191714">VPC Endpoint Service Whitelist</strong> to update the existing whitelist.</li><li id="css_01_0082__en-us_topic_0000001223434404_li29456512311">Manage VPC endpoints.<p id="css_01_0082__en-us_topic_0000001223434404_p16226155244018"><a name="css_01_0082__en-us_topic_0000001223434404_li29456512311"></a><a name="en-us_topic_0000001223434404_li29456512311"></a>The <strong id="css_01_0082__b166436305186">VPC Endpoint Service</strong> page displays all VPC endpoints connected to the current VPC endpoint service.</p>
<div class="fignone" id="css_01_0082__en-us_topic_0000001223434404_fig117081245144212"><span class="figcap"><b>Figure 1 </b>Managing VPC endpoints</span><br><span><img id="css_01_0082__en-us_topic_0000001223434404_image13709154534210" src="en-us_image_0000001714802297.png"></span></div>
<p id="css_01_0082__en-us_topic_0000001223434404_p16779182523413">Click <strong id="css_01_0082__b199356599295">Accept</strong> or <strong id="css_01_0082__b93039283020">Reject</strong> in the <strong id="css_01_0082__b2011934143013">Operation</strong> column to change the node status. If you reject the connection with a VPC endpoint, you cannot access the cluster through the private domain name generated by that VPC endpoint.</p>
</li></ol>
</div>
<div class="section" id="css_01_0082__en-us_topic_0000001223434404_section19864153679"><a name="css_01_0082__en-us_topic_0000001223434404_section19864153679"></a><a name="en-us_topic_0000001223434404_section19864153679"></a><h4 class="sectiontitle">Accessing the Cluster Using the Private Domain Name or Node IP Address</h4><ol id="css_01_0082__en-us_topic_0000001223434404_ol852205619137"><li id="css_01_0082__en-us_topic_0000001223434404_li1580072410203">Obtain the private domain name or node IP address.<p id="css_01_0082__en-us_topic_0000001223434404_p521042354410"><a name="css_01_0082__en-us_topic_0000001223434404_li1580072410203"></a><a name="en-us_topic_0000001223434404_li1580072410203"></a>Log in to the CSS console, click the target cluster name and go to the <strong id="css_01_0082__b410112560255">Cluster Information</strong> page. Click the <strong id="css_01_0082__b01011456122514">VPC Endpoint Service</strong> tab and view the private domain name.</p>
</li><li id="css_01_0082__en-us_topic_0000001223434404_li17704228184111">Access the cluster by running a cURL command against the cluster API, or by calling the API from a program. For details about Elasticsearch operations and APIs, see the <a href="https://www.elastic.co/guide/en/elasticsearch/guide/current/index.html" target="_blank" rel="noopener noreferrer">Elasticsearch Reference</a>.<p id="css_01_0082__en-us_topic_0000001223434404_p141791311175517">The ECS must meet the following requirements:</p>
<ul id="css_01_0082__en-us_topic_0000001223434404_ul1228819655613"><li id="css_01_0082__en-us_topic_0000001223434404_en-us_topic_0076509577_li5679111965818">Sufficient disk space is allocated for the ECS.</li><li id="css_01_0082__en-us_topic_0000001223434404_en-us_topic_0076509577_li177641430191913">The ECS and the cluster must be in the same VPC. After enabling the VPC endpoint service, you can access the cluster from the ECS even when the cluster is not in the same VPC as the ECS.</li><li id="css_01_0082__en-us_topic_0000001223434404_en-us_topic_0076509577_li17361956113515">The security group of the ECS must be the same as that of the cluster.<p id="css_01_0082__en-us_topic_0000001223434404_en-us_topic_0076509577_p1961118514013"><a name="css_01_0082__en-us_topic_0000001223434404_en-us_topic_0076509577_li17361956113515"></a><a name="en-us_topic_0000001223434404_en-us_topic_0076509577_li17361956113515"></a>If this requirement is not met, modify the ECS security group or configure the inbound and outbound rules of the ECS security group to allow the ECS security group to be accessed by all security groups of the cluster. For details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0030878383.html" target="_blank" rel="noopener noreferrer">Configuring Security Group Rules</a>.</p>
</li><li id="css_01_0082__en-us_topic_0000001223434404_en-us_topic_0076509577_li18615245439">Configure security group rule settings of the target CSS cluster. Set <strong id="css_01_0082__b227371317517">Protocol</strong> to <strong id="css_01_0082__b32861161257">TCP</strong> and <strong id="css_01_0082__b18174121916516">Port Range</strong> to <strong id="css_01_0082__b72700238517">9200</strong> or a port range including port <strong id="css_01_0082__b149632712513">9200</strong> for both the outbound and inbound directions.</li></ul>
<ul id="css_01_0082__en-us_topic_0000001223434404_ul1488359135519"><li id="css_01_0082__en-us_topic_0000001223434404_li20883590552">If the cluster you access does not have the security mode enabled, run the following command:<pre class="screen" id="css_01_0082__en-us_topic_0000001223434404_screen128831696556">curl 'http://vpcep-7439f7f6-2c66-47d4-b5f3-790db4204b8d.region01.xxxx.com:9200/_cat/indices'</pre>
</li><li id="css_01_0082__en-us_topic_0000001223434404_li0883995557">If the cluster you access has the security mode enabled, access the cluster using HTTPS and add <strong id="css_01_0082__b189099379377">-u</strong> followed by the username and password to the cURL command.<pre class="screen" id="css_01_0082__en-us_topic_0000001223434404_screen28839945519">curl -u username:password -k 'https://vpcep-7439f7f6-2c66-47d4-b5f3-790db4204b8d.region01.xxxx.com:9200/_cat/indices'</pre>
</li></ul>
</li></ol>
</div>
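<p>The following Python script is an added example and is not part of the CSS documentation or of any CSS tooling. It ties together the two points above: the caution that a public access whitelist also filters traffic arriving through VPCEP (so the <strong>198.19.128.0/17</strong> range from the page must be on the list), and the security-mode access step, here done with HTTP basic authentication over HTTPS while keeping certificate verification on instead of passing <strong>-k</strong>. The whitelist entries, client address, host name, user name and password are constructed placeholders; only <strong>198.19.128.0/17</strong> and port <strong>9200</strong> come from the page.</p>

```python
"""Added example (not part of the CSS documentation).

1. Simulates the public access whitelist check that, per the page, also
   applies to VPCEP traffic because both share one load balancer.
2. Builds the HTTPS request to the private domain name of a security-mode
   cluster with basic auth, verifying the server certificate (no curl -k).
"""
import base64
import ipaddress
import os
import ssl
import urllib.request

# Source range of VPCEP traffic as seen by the cluster (value from the page).
VPCEP_SOURCE_RANGE = "198.19.128.0/17"


def whitelist_allows(whitelist, client_ip):
    """Return True if client_ip matches any IP or CIDR entry in whitelist."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in whitelist)


def whitelist_with_vpcep(whitelist):
    """Return a copy of whitelist that also admits VPCEP traffic."""
    entries = list(whitelist)
    if VPCEP_SOURCE_RANGE not in entries:
        entries.append(VPCEP_SOURCE_RANGE)
    return entries


def build_request(host, user, password, path="/_cat/indices", port=9200):
    """Build a GET request with HTTP basic auth for a security-mode cluster.

    Equivalent to `curl -u user:password https://host:9200/_cat/indices`.
    """
    url = f"https://{host}:{port}{path}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Basic {token}")
    return req


def query_cluster(req, cafile=None, timeout=10):
    """Send the request; certificate verification stays on (no -k).

    Pass cafile if the cluster certificate is issued by a private CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed whitelist: an operator allowed only one office range.
    public_whitelist = ["203.0.113.0/24"]
    vpcep_client = "198.19.200.10"  # constructed address inside the VPCEP range
    print("VPCEP client allowed before fix:", whitelist_allows(public_whitelist, vpcep_client))
    print("VPCEP client allowed after fix: ",
          whitelist_allows(whitelist_with_vpcep(public_whitelist), vpcep_client))

    # Placeholder host and credentials; override via environment variables.
    host = os.environ.get("CSS_VPCEP_HOST", "vpcep-example.region01.example.com")
    user = os.environ.get("CSS_USER", "admin")
    password = os.environ.get("CSS_PASSWORD", "changeme")
    req = build_request(host, user, password)
    print("Request URL:", req.full_url)
    # query_cluster(req) contacts the cluster; run it only from an ECS that
    # meets the prerequisites listed above (same VPC or VPCEP, port 9200 open).
```

<p>Run it from an ECS that meets the requirements above with <strong>CSS_VPCEP_HOST</strong>, <strong>CSS_USER</strong> and <strong>CSS_PASSWORD</strong> set, then uncomment the <strong>query_cluster</strong> call. If the cluster certificate is signed by a private CA, pass its bundle as <strong>cafile</strong> rather than disabling verification.</p>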
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="css_01_0210.html">Accessing an Elasticsearch Cluster</a></div>
</div>
</div>