Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com> Co-authored-by: Zheng, Xiu <zhengxiu@huawei.com> Co-committed-by: Zheng, Xiu <zhengxiu@huawei.com>
<a name="css_01_0082"></a><a name="css_01_0082"></a>
<h1 class="topictitle1">VPC Endpoint Service</h1>
<div id="body0000001282658986"><p id="css_01_0082__p8060118">The VPC endpoint service allows you to access the cluster through a private domain name. When the VPC endpoint service is enabled, the system creates a VPC endpoint for you by default. To create a VPC endpoint, you must have the required permissions. For details, see .</p>
<div class="caution" id="css_01_0082__note91924414116"><span class="cautiontitle"><img src="public_sys-resources/caution_3.0-en-us.png"> </span><div class="cautionbody"><p id="css_01_0082__p131922418116">Public IP address access and the VPC endpoint service share a load balancer. As a result, if you have configured a public access whitelist, it also restricts the public and private IP addresses that access the cluster through VPCEP. In this case, add the IP address range <strong id="css_01_0082__b18782184310187">198.19.128.0/17</strong> to the public access whitelist to allow traffic through VPCEP.</p>
</div></div>
<div class="section" id="css_01_0082__section115745793915"><h4 class="sectiontitle">Enabling the VPC Endpoint Service</h4><ol id="css_01_0082__ol77309120406"><li id="css_01_0082__li1142971461017">Log in to the <span id="css_01_0082__text7429314121020">CSS</span> management console.</li><li id="css_01_0082__li19621829513">On the <strong id="css_01_0082__b192581638133917">Create Cluster</strong> page, set <strong id="css_01_0082__b11258193833914">Advanced Settings</strong> to <strong id="css_01_0082__b1125853873915">Custom</strong>. Enable the VPC endpoint service.<div class="p" id="css_01_0082__p1137224919313"><ul id="css_01_0082__ul1376659192617"><li id="css_01_0082__li97412595266"><strong id="css_01_0082__b1725875612216">Private Domain Name Creation</strong>: If you enable this function, the system automatically creates a private domain name for you, which you can use to access the cluster.</li><li id="css_01_0082__li67635972618"><strong id="css_01_0082__b8285569516">VPC Endpoint Service Whitelist</strong>: You can add an authorized account ID to the VPC endpoint service whitelist. Then you can access the cluster using the domain name or the node IP address.<p id="css_01_0082__p1676659142611">Click <span><img id="css_01_0082__image881313257920" src="en-us_image_0000001554697237.png"></span> to add multiple accounts. You can also click <strong id="css_01_0082__b155432384615">Delete</strong> in the <strong id="css_01_0082__b355562384612">Operation</strong> column to delete accounts.</p>
</li></ul>
<div class="note" id="css_01_0082__note47795914269"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="css_01_0082__ul127765992615"><li id="css_01_0082__li2076259172619">If the authorization account ID is set to <strong id="css_01_0082__b42893549528">*</strong>, all users are allowed to access the cluster.</li><li id="css_01_0082__li107614595262">You can view authorized account IDs on the <strong id="css_01_0082__b82340124535">My Credentials</strong> page.</li><li id="css_01_0082__li177785972613">After the VPC endpoint service is enabled for a cluster, you will be billed per use. For more information, see .</li></ul>
</div></div>
</div>
</li></ol>
</div>
<div class="section" id="css_01_0082__section12521512195113"><h4 class="sectiontitle">Managing VPC Endpoint Service</h4><p id="css_01_0082__p8328122613523">You can enable the VPC endpoint service while creating a cluster, or enable it after cluster creation by performing the following steps.</p>
<ol id="css_01_0082__ol146347435519"><li id="css_01_0082__li7625635121410">Log in to the <span id="css_01_0082__text1762514356145">CSS</span> management console.</li><li id="css_01_0082__li106254357143">On the <span class="wintitle" id="css_01_0082__wintitle20562115115114"><b>Clusters</b></span> page, click the name of the target cluster.</li><li id="css_01_0082__li1068041913586">Click the <strong id="css_01_0082__b14205337339">VPC Endpoint Service</strong> tab, and turn on the button next to <strong id="css_01_0082__b315831114818">VPC Endpoint Service</strong>.<p id="css_01_0082__p114151437125520"><span><img id="css_01_0082__image84151437185519" src="en-us_image_0000001504137408.png"></span> indicates disabling the VPC endpoint service and <span><img id="css_01_0082__image8410195516444" src="en-us_image_0000001503817624.png"></span> indicates enabling the VPC endpoint service.</p>
<p id="css_01_0082__p186900304331">In the displayed dialog box, choose whether to enable the private domain name. After a private domain name is created, you can access the cluster using the private domain name.</p>
<div class="note" id="css_01_0082__note365442833217"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="css_01_0082__ul10498537163212"><li id="css_01_0082__li74981437183213">After you enable the VPC endpoint service, you can use the private domain name or node IP address generated by the endpoint to access the cluster. For details, see <a href="#css_01_0082__section19864153679">Accessing the Cluster Using the Private Domain Name or Node IP Address</a>.</li><li id="css_01_0082__li4254839163219">If you disable the VPC endpoint service, none of the users can access the cluster using the private domain name.</li></ul>
</div></div>
</li><li id="css_01_0082__li141821623173718">Click <strong id="css_01_0082__b78761391413">Yes</strong> to enable the VPC endpoint service.</li><li id="css_01_0082__li1855619442016">(Optional) Click <strong id="css_01_0082__b8373181617499">Update</strong> next to <strong id="css_01_0082__b1480316424490">VPC Endpoint Service Whitelist</strong> to update the existing whitelist.</li><li id="css_01_0082__li29456512311">Manage connections of the VPC endpoint.<p id="css_01_0082__p1099313151385"><a name="css_01_0082__li29456512311"></a><a name="li29456512311"></a>The <strong id="css_01_0082__b1351124855420">VPC Endpoint Service</strong> page displays all VPC endpoints connected to the current VPC endpoint service. You can accept or reject the connection with these endpoints. If you reject the connection with a VPC endpoint, you cannot access the cluster through the private domain name generated by the VPC endpoint.</p>
</li></ol>
</div>
<div class="section" id="css_01_0082__section19864153679"><a name="css_01_0082__section19864153679"></a><a name="section19864153679"></a><h4 class="sectiontitle">Accessing the Cluster Using the Private Domain Name or Node IP Address</h4><ol id="css_01_0082__ol852205619137"><li id="css_01_0082__li1580072410203">Obtain the private domain name or node IP address.<ul id="css_01_0082__ul14168124516406"><li id="css_01_0082__li1416804514012">Current user<p id="css_01_0082__p521042354410"><a name="css_01_0082__li1416804514012"></a><a name="li1416804514012"></a>Log in to the CSS console, click the target cluster name and go to the <strong id="css_01_0082__b88093871415">Basic Information</strong> page. Click the <strong id="css_01_0082__b1159716352330">VPC Endpoint Service</strong> tab and view the private domain name.</p>
</li><li id="css_01_0082__li102361147114011">Other users<p id="css_01_0082__p1416153418392"><a name="css_01_0082__li102361147114011"></a><a name="li102361147114011"></a>If you have applied for the VPC endpoint service, log in to the and click the target ID to go to the <strong id="css_01_0082__b9394201173917">Summary</strong> page and view the private domain name. </p>
</li></ul>
</li><li id="css_01_0082__li17704228184111">To access the cluster, run a cURL command to call the API, or call the API from a program. For details about Elasticsearch operations and APIs, see the <a href="https://www.elastic.co/guide/en/elasticsearch/guide/current/index.html" target="_blank" rel="noopener noreferrer">Elasticsearch Reference</a>.<p id="css_01_0082__p141791311175517">The ECS must meet the following requirements:</p>
<ul id="css_01_0082__ul1228819655613"><li id="css_01_0082__en-us_topic_0076509577_li5679111965818">Sufficient disk space is allocated for the ECS.</li><li id="css_01_0082__en-us_topic_0076509577_li177641430191913">The ECS and the cluster must be in the same VPC. After enabling the VPC endpoint service, you can access the cluster from the ECS even when the cluster is not in the same VPC as the ECS.</li><li id="css_01_0082__en-us_topic_0076509577_li17361956113515">The security group of the ECS must be the same as that of the cluster.<p id="css_01_0082__en-us_topic_0076509577_p1961118514013"><a name="css_01_0082__en-us_topic_0076509577_li17361956113515"></a><a name="en-us_topic_0076509577_li17361956113515"></a>If this requirement is not met, modify the ECS security group or configure the inbound and outbound rules of the ECS security group to allow the ECS security group to be accessed by all security groups of the cluster. For details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/ecs/en-us_topic_0030878383.html" target="_blank" rel="noopener noreferrer">Configuring Security Group Rules</a>.</p>
</li><li id="css_01_0082__en-us_topic_0076509577_li18615245439">Configure security group rule settings of the target CSS cluster. Set <strong id="css_01_0082__b227371317517">Protocol</strong> to <strong id="css_01_0082__b32861161257">TCP</strong> and <strong id="css_01_0082__b18174121916516">Port Range</strong> to <strong id="css_01_0082__b72700238517">9200</strong> or a port range including port <strong id="css_01_0082__b149632712513">9200</strong> for both the outbound and inbound directions.</li></ul>
<ul id="css_01_0082__ul1488359135519"><li id="css_01_0082__li20883590552">If the cluster does not have the security mode enabled, run the following command:<pre class="screen" id="css_01_0082__screen128831696556">curl 'http://vpcep-7439f7f6-2c66-47d4-b5f3-790db4204b8d.region01.xxxx.com:9200/_cat/indices'</pre>
</li><li id="css_01_0082__li0883995557">If the cluster you access has the security mode enabled, access the cluster using HTTPS and add the username, password and <strong id="css_01_0082__b189099379377">-u</strong> to the cURL command.<pre class="screen" id="css_01_0082__screen28839945519"></pre>
</li></ul>
</li></ol>
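The two access modes above as a reusable helper, added here as an example (not part of the original documentation): it builds the request for the private domain name on port 9200 and, for security-mode clusters, hands the credentials to cURL through a config stream on stdin instead of <code>-u</code> arguments, so the password does not appear in the process list or shell history. The function names and the <code>CSS_USER</code>, <code>CSS_PASS</code> and <code>CSS_CACERT</code> variables are assumptions of this sketch.

```shell
# Added example: function and variable names are assumptions, not CSS tooling.

# css_url HOST MODE [PATH]: print the request URL for the endpoint.
# MODE is "secure" (security mode enabled, HTTPS) or "plain" (HTTP).
css_url() (
  host=$1 mode=$2 path=${3:-/_cat/indices}
  # Accept only a bare DNS name or IP address: no scheme, port, path or userinfo.
  case $host in
    ''|*[!A-Za-z0-9.-]*) echo "invalid host: $host" >&2; exit 2 ;;
  esac
  case $path in
    /*) ;;
    *) echo "path must start with /" >&2; exit 2 ;;
  esac
  case $mode in
    secure) printf 'https://%s:9200%s\n' "$host" "$path" ;;
    plain)  printf 'http://%s:9200%s\n' "$host" "$path" ;;
    *) echo "mode must be secure or plain" >&2; exit 2 ;;
  esac
)

# Escape backslashes and double quotes for a quoted curl config value.
css_quote() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# css_curl_config HOST MODE [PATH]: print options for `curl --config -`.
# Credentials are emitted only for HTTPS and never become curl arguments.
css_curl_config() (
  url=$(css_url "$1" "$2" "${3:-/_cat/indices}") || exit 2
  if [ "$2" = secure ] && { [ -z "${CSS_USER:-}" ] || [ -z "${CSS_PASS:-}" ]; }; then
    echo "CSS_USER and CSS_PASS must be set for a security-mode cluster" >&2
    exit 3
  fi
  printf 'url = "%s"\nfail\nsilent\nshow-error\n' "$url"
  [ "$2" = secure ] || exit 0
  printf 'proto = "=https"\n'   # allow HTTPS only for this transfer
  printf 'user = "%s:%s"\n' "$(css_quote "$CSS_USER")" "$(css_quote "$CSS_PASS")"
  # Optional CA bundle used to verify the cluster certificate.
  if [ -n "${CSS_CACERT:-}" ]; then
    printf 'cacert = "%s"\n' "$(css_quote "$CSS_CACERT")"
  fi
)

# Usage, from an ECS that can reach the endpoint:
#   css_curl_config <private-domain-name> secure | curl --config -
```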
</div>
</div>