Accessing a Cluster Using a VPC Endpoint

If the VPC endpoint service is enabled, you can use a private domain name or node IP address generated by the endpoint to access the cluster. When the VPC endpoint service is enabled, a VPC endpoint will be created by default. You can select Private Domain Name Creation as required. VPC endpoint creation requires specific permissions. For details, see "VPCEP Permissions".

VPC Endpoint uses a shared load balancer for intranet access. If your workloads require quick access, you are advised to connect a dedicated load balancer to the cluster. For details, see Connecting to a Dedicated Load Balancer.

The public IP address access and VPC endpoint service share a load balancer. If you have configured a public access whitelist, public and private IP addresses that access the cluster through VPCEP are restricted because the public IP address access shares the load balancer with the VPC endpoint service. In this case, you need to add IP address 198.19.128.0/17 to the public access whitelist to allow traffic through VPCEP.

Enabling the VPC Endpoint Service

  1. Log in to the CSS management console.
  2. Click Create Cluster in the upper right corner.
  3. On the Create Cluster page, set Advanced Settings to Custom. Enable the VPC endpoint service.
    • Private Domain Name Creation: If you enable this function, the system automatically creates a private domain name for you, which you can use to access the cluster.
    • VPC Endpoint Service Whitelist: You can add an authorized account ID to the VPC endpoint service whitelist. Then you can access the cluster using the domain name or the node IP address.
    • You can click Add to add multiple accounts.
    • Click Delete in the Operation column to delete the accounts that are not allowed to access the cluster.
    • If the authorized account ID is set to *, all users are allowed to access the cluster.
    • You can view authorized account IDs on the My Credentials page.

Managing VPC Endpoint Service

You can enable the VPC endpoint service while creating a cluster, and also enable it by performing the following steps after cluster creation.

  1. Log in to the CSS management console.
  2. Choose Clusters in the navigation pane. On the Clusters page, click the name of the target cluster.
  3. Click the VPC Endpoint Service tab, and turn on the button next to VPC Endpoint Service.

    In the displayed dialog box, you can determine whether to enable the private domain name. Click Yes to enable the VPC endpoint service.

  4. (Optional) Click Modify next to VPC Endpoint Service Whitelist to update the existing whitelist.
  5. Manage VPC endpoints.

    The VPC Endpoint Service page displays all VPC endpoints connected to the current VPC endpoint service.

    Figure 1 Managing VPC endpoints

    Click Accept or Reject in the Operation column to change the node status. If you reject the connection with a VPC endpoint, you cannot access the cluster through the private domain name generated by that VPC endpoint.

Accessing the Cluster Using the Private Domain Name or Node IP Address

  1. Obtain the private domain name or node IP address.

    Log in to the CSS console, click the target cluster name and go to the Cluster Information page. Click the VPC Endpoint Service tab and view the private domain name.

  2. Run the cURL command to execute the API or call the API by using a program before accessing the cluster. For details about Elasticsearch operations and APIs, see the Elasticsearch Reference.

    The ECS must meet the following requirements:

    • Sufficient disk space is allocated for the ECS.
    • The ECS and the cluster must be in the same VPC. After enabling the VPC endpoint service, you can access the cluster from the ECS even when the cluster is not in the same VPC as the ECS.
    • The security group of the ECS must be the same as that of the cluster.

      If this requirement is not met, modify the ECS security group or configure the inbound and outbound rules of the ECS security group to allow the ECS security group to be accessed by all security groups of the cluster. For details, see Configuring Security Group Rules.

    • Configure security group rule settings of the target CSS cluster. Set Protocol to TCP and Port Range to 9200 or a port range including port 9200 for both the outbound and inbound directions.
    • If the cluster you access does not have the security mode enabled, run the following command:
      curl 'http://vpcep-7439f7f6-2c66-47d4-b5f3-790db4204b8d.region01.xxxx.com:9200/_cat/indices'
    • If the cluster you access has the security mode enabled, access the cluster using HTTPS and add the username, password and -u to the cURL command.
      curl -u username:password -k 'https://vpcep-7439f7f6-2c66-47d4-b5f3-790db4204b8d.region01.xxxx.com:9200/_cat/indices'
Parent topic: Accessing an Elasticsearch Cluster