You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When you configure a remote cluster, the local cluster needs a way to connect to the nodes of the remote cluster. {{es}} supports two connection modes to handle different network architectures:
16
12
17
-
-**Sniff mode**: The local cluster discovers the remote cluster’s gateway nodes and connects to them directly.
18
-
-**Proxy mode**: The local cluster connects through a reverse proxy or load balancer, which forwards traffic to the appropriate nodes in the remote cluster.
13
+
-**Proxy mode**: The local cluster connects through a reverse proxy or load balancer, which forwards traffic to the appropriate nodes in the remote cluster. You can configure this mode using either the {{kib}} UI or the {{es}} API.
14
+
-**Sniff mode**: The local cluster discovers the remote cluster’s gateway nodes and connects to them directly. This mode can only be configured using the {{es}} API.
19
15
20
16
::::{note}
21
17
Connection modes work independently of [security models](./security-models.md). Both connection modes are compatible with either security model.
22
18
::::
23
19
24
-
The choice between sniff and proxy mode depends on your network architecture and deployment type.
20
+
The choice between proxy and sniff mode depends on your network architecture and deployment type.
25
21
26
22
-**Self-managed clusters:** If direct connections on the publish addresses between {{es}} nodes in both clusters are possible, you can use sniff mode. If direct connectivity is difficult to implement—for example, when clusters are separated by NAT, firewalls, or containerized environments—you can place a reverse proxy or load balancer in front of the remote cluster and use proxy mode instead.
27
23
28
24
-**Managed environments ({{ece}}, {{ech}}, {{eck}}):** Direct node-to-node connectivity is generally not feasible, so these deployments always rely on the proxy connection mode.
29
25
30
-
31
26
The following sections describe each method in more detail.
32
27
33
-
## Sniff mode
34
-
```{applies_to}
35
-
deployment:
36
-
self: ga
37
-
```
38
-
39
-
In sniff mode, a cluster alias is registered with a name of your choosing and a list of addresses of *seed* nodes specified with the `cluster.remote.<cluster_alias>.seeds` setting. When you register a remote cluster using sniff mode, {{es}} retrieves from one of the seed nodes the addresses of up to three *gateway nodes*. Each `remote_cluster_client` node in the local {{es}} cluster then opens several TCP connections to the publish addresses of the gateway nodes. This mode therefore requires that the gateway nodes' publish addresses are accessible to nodes in the local cluster.
40
-
41
-
Sniff mode is the default connection mode when adding a remote cluster. See [Sniff mode remote cluster settings](remote-clusters-settings.md#remote-cluster-sniff-settings) for more information about configuring sniff mode.
42
-
43
-
::::{note}
44
-
Sniff mode is not supported in {{ech}} and {{ece}} deployments. In {{eck}}, sniff mode is not recommended due to its complexity. In these three cases, use proxy mode instead.
45
-
::::
46
-
47
-
48
28
## Proxy mode
49
29
50
30
In proxy mode, a cluster alias is registered with a name of your choosing and the address of a TCP (layer 4) reverse proxy specified with the `cluster.remote.<cluster_alias>.proxy_address` setting. You must configure this proxy to route connections to one or more nodes of the remote cluster. The service port to forward traffic to depends on the [security model](./security-models.md) in use, as each model uses a different service port.
51
31
52
32
When you register a remote cluster using proxy mode, {{es}} opens several TCP connections to the proxy address and uses these connections to communicate with the remote cluster. In proxy mode, {{es}} disregards the publish addresses of the remote cluster nodes, which means that the publish addresses of the remote cluster nodes do not need to be accessible to the local cluster.
53
33
54
-
Proxy mode is not the default connection mode, so you must set `cluster.remote.<cluster_alias>.mode: proxy` to use it. See[Proxy mode remote cluster settings](remote-clusters-settings.md#remote-cluster-proxy-settings) for more information about configuring proxy mode.
34
+
Proxy mode is not the default connection mode when adding remotes using the {{es}} API, so you must set `cluster.remote.<cluster_alias>.mode: proxy` to use it. Refer to[Proxy mode remote cluster settings](remote-clusters-settings.md#remote-cluster-proxy-settings) for more information about configuring proxy mode.
55
35
56
-
## Connection mode comparison
36
+
::::{note}
37
+
Remote clusters configured through **{{kib}}** support only proxy mode. You can’t select a connection mode or configure sniff mode from the UI.
38
+
::::
57
39
58
-
The following table summarizes the key differences between sniff and proxy mode to help you choose the most suitable option for your deployment.
40
+
## Sniff mode
41
+
42
+
In sniff mode, a cluster alias is registered with a name of your choosing and a list of addresses of *seed* nodes specified with the `cluster.remote.<cluster_alias>.seeds` setting. When you register a remote cluster using sniff mode, {{es}} retrieves from one of the seed nodes the addresses of up to three *gateway nodes*. Each `remote_cluster_client` node in the local {{es}} cluster then opens several TCP connections to the publish addresses of the gateway nodes. This mode therefore requires that the gateway nodes' publish addresses are accessible to nodes in the local cluster.
|**How it connects**| Local cluster connects directly to remote node addresses, discovered from the configured seeds | Local cluster connects to a single configured address. The reverse proxy or load balancer forwards traffic to remote nodes. |
65
-
|**Node discovery**| Dynamic: local cluster discovers remote gateway nodes through the seed list | None: all traffic goes through the reverse proxy |
66
-
|**Network requirements**| Local cluster must be able to reach the remote cluster’s gateway node publish addresses | Only the proxy address must be reachable; no need for local cluster to connect directly to remote nodes |
67
-
|**Configuration**| Configure remote seeds (`cluster.remote.<alias>.seeds`) | Configure proxy address (`cluster.remote.<alias>.proxy_address`) and set mode to `proxy`|
68
-
|**Use cases**| Clusters with direct network reachability between nodes (e.g., same VPC or peered networks) | Clusters separated by firewalls, NAT, or when exposing only a single ingress point is required |
44
+
Sniff mode is the default connection mode when adding a remote cluster through the {{es}} API. Refer to [Sniff mode remote cluster settings](remote-clusters-settings.md#remote-cluster-sniff-settings) for more information about configuring sniff mode.
|**Service endpoint**| Uses a dedicated remote-cluster-server service endpoint | Uses the default transport interface |
78
-
|**Default port**| 9443 | 9300 in self-managed, 9400 in {{ech}} or {{ece}} |
79
-
|**Authentication**| Client authenticates with an API key and validates the server’s certificate | Requires mutual TLS (both client and server present and validate certificates) |
80
-
|**Authorization**| Flexible: privileges can be scoped in the API key and combined with roles on the local cluster; supports fine-grained authorization | Rigid: roles must exist on the remote cluster with exact name matching; all authorization defined remotely |
81
-
|**Credential management**| API keys can be created with expiration and revoked without PKI changes | Requires certificate issuance, distribution, and rotation across clusters |
0 commit comments