deploy-manage/security/private-connectivity-aws.md
27 additions & 3 deletions
@@ -35,7 +35,7 @@ Before you begin, review the following considerations:
35
35
36
36
### Private connections and regions
37
37
38
-
Private connectivity with AWS PrivateLink is supported only in AWS regions. Elastic does not yet support cross-region AWS PrivateLink connections. Your PrivateLink endpoint needs to be in the same region as your target deployments. Additional details can be found in the [AWS VPCE Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-limitations).
38
+
Private connectivity with AWS PrivateLink is supported only in AWS regions.
39
39
40
40
AWS interface virtual private connection (VPC) endpoints are configured for one or more availability zones (AZ). In some regions, our VPC endpoint service is not present in all the possible AZs that a region offers. You can only choose AZs that are common on both sides. As the names of AZs (for example `us-east-1a`) differ between AWS accounts, the following list of AWS regions shows the ID (e.g. `use1-az4`) of each available AZ for the service.
The mapping will be different for your region. Our production VPC Service for `us-east-1` is located in `use1-az2`, `use1-az4`, `use1-az6`. We need to create the VPC Endpoint for the preceding mapping in at least one of `us-east-1e`, `us-east-1a`, `us-east-1b`.
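Review bot: the replacement at line 38 drops the same-region requirement and the link to the AWS interface-endpoint limitations without pointing readers anywhere else, so the remaining sentence "Private connectivity with AWS PrivateLink is supported only in AWS regions." reads as a tautology. Suggest keeping the region guidance and adding the cross-reference to the section this commit introduces, e.g. "Your PrivateLink endpoint is normally in the same region as your target deployment; for other setups, refer to [Setting up a cross-region PrivateLink connection](#ec-aws-inter-region-private-link)." The AWS VPCE limitations link that was removed is probably still worth keeping alongside it.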
137
137
138
+
:::{note}
139
+
This limitation does not apply to [cross-region PrivateLink connections](#ec-aws-inter-region-private-link). If you're creating a cross-region connection, then you don't need to check that your VPC is present in all availability zones.
140
+
:::
138
141
139
142
### Create your VPC endpoint and DNS entries in AWS [ec-aws-vpc-dns]
140
143
141
144
1. Create a VPC endpoint in your VPC using the service name for your region.
142
145
143
-
Refer to the [AWS documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint) for details on creating a VPC interface endpoint to an endpoint service.
146
+
Refer to the [AWS documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint) for additional details on creating a VPC interface endpoint to an endpoint service.
144
147
145
-
Use [the service name for your region](#ec-private-link-service-names-aliases).
148
+
Select **PrivateLink Ready partner services** as the endpoint type. Use [the service name for your region](#ec-private-link-service-names-aliases) as the **Service name**.
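Review bot: the note added at line 139 says you don't need to check that "your VPC is present in all availability zones", but the limitation it refers to (line 40) is that Elastic's VPC endpoint service is not present in every AZ of a region, not anything about the customer's VPC. Suggest rewording to "you don't need to match your endpoint's availability zones to those of the endpoint service". The new instruction at line 148 to select **PrivateLink Ready partner services** as the endpoint type is a good addition; it is also the same field the cross-region procedure later changes, so a short pointer to that section here would help.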
@@ -151,6 +154,10 @@ The mapping will be different for your region. Our production VPC Service for `u
151
154
152
155
The security group for the endpoint should, at minimum, allow for inbound connectivity from your instances' CIDR range on ports 443 and 9243. Security groups for the instances should allow for outbound connectivity to the endpoint on ports 443 and 9243.
153
156
157
+
:::{tip}
158
+
You can also create a cross-region endpoint. Refer to [Setting up an cross-region Private Link connection](#ec-aws-inter-region-private-link).
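Review bot: "an cross-region" at line 158 should be "a cross-region", and the link text should match the target heading ("Setting up a cross-region PrivateLink connection"). The hunk header promises four added lines but only `:::{tip}` and the sentence are visible here; confirm the closing `:::` for the tip block is present, otherwise the admonition will swallow whatever follows it.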
## Setting up a cross-region PrivateLink connection [ec-aws-inter-region-private-link]
349
+
350
+
AWS supports cross-region PrivateLink as described on the [AWS blog](https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-cross-region-connectivity-for-aws-privatelink/).
351
+
352
+
This means your deployment on {{ecloud}} can be in a different region than the PrivateLink endpoints or the clients that consume the deployment endpoints.
353
+
354
+
In this example, `region 1` contains your VPC endpoint and `region 2` is the region where your deployment is hosted.
355
+
356
+
1. Begin to create your VPC endpoint in `region 1`, as described in [Create your VPC endpoint and DNS entries in AWS](#ec-aws-vpc-dns). In the service settings, do the following:
357
+
358
+
* In the **Service name** field, enter the [VPC service name](#ec-private-link-service-names-aliases) for `region 2`.
359
+
* Select **Enable Cross Region endpoint** and select `region 2` from the **Select a region** drop-down list.
360
+
361
+
1. [Create a private connection policy](#create-private-connection-policy) in the region where your deployment is hosted (`region 2`), and [associate it](#associate-private-connection-policy) with your deployment.
362
+
363
+
2. [Test the connection](#ec-access-the-deployment-over-private-link) from a VM or client in `region 1` to your Private Link endpoint, and it should be able to connect to your {{es}} cluster hosted in `region 2`.
364
+
341
365
## Manage private connection policies
342
366
343
367
After you create your private connection policy, you can edit it, remove it from your deployment, or delete it.
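Review bot: the numbered steps at lines 356, 361 and 363 are numbered 1, 1, 2; Markdown will renumber them sequentially, but the source should read 1, 2, 3 (or all `1.`, as the list at line 144 does) so that the rendered order is not an accident of the parser. Line 363 uses "Private Link endpoint" while the rest of the section uses "PrivateLink"; make it consistent. Line 363 also mixes an instruction with its expected result ("and it should be able to connect"); suggest splitting it: "Test the connection ... to your PrivateLink endpoint. The client should reach your {{es}} cluster hosted in `region 2`."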