Merge branch 'main' into 34-Elastic-Connectors-in-Security

Author: colleenmcginnis

.github/CODEOWNERS

@@ -47,8 +47,6 @@
 /solutions/observability/get-started/       @elastic/ski-docs
 /solutions/search/                          @elastic/developer-docs
 /solutions/security/                        @elastic/experience-docs
-/solutions/security/get-started/            @elastic/ingest-docs @elastic/experience-docs
-/solutions/security/cloud/                  @elastic/ingest-docs
 
 /troubleshoot/                              @elastic/docs
 /troubleshoot/deployments/                  @elastic/admin-docs

deploy-manage/_snippets/ecloud-security.md

@@ -1,7 +1,9 @@
 {{ecloud}} has built-in security. For example, HTTPS communications between {{ecloud}} and the internet, as well as inter-node communications, are secured automatically, and cluster data is encrypted at rest.
 
+In both {{ech}} and {{serverless-full}}, you can also configure [IP filters](/deploy-manage/security/ip-filtering-cloud.md) to prevent unauthorized access to your deployments and projects.
+
 In {{ech}}, you can augment these security features in the following ways:
-* Configure [traffic filtering](/deploy-manage/security/traffic-filtering.md) to prevent unauthorized access to your deployments.
+* [Configure private connectivity and apply VPC filtering](/deploy-manage/security/private-connectivity.md) to establish a secure connection for your {{ecloud}} deployments to communicate with other cloud services, and restrict traffic to deployments based on those private connections.
 * Encrypt your deployment with a [customer-managed encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md).
 * [Secure your settings](/deploy-manage/security/secure-settings.md) using {{es}} and {{kib}} keystores.
 * Use the list of [{{ecloud}} static IPs](/deploy-manage/security/elastic-cloud-static-ips.md) to allow or restrict communications in your infrastructure.

deploy-manage/autoscaling/trained-model-autoscaling.md

@@ -22,11 +22,13 @@ There are two ways to enable autoscaling:
 * through APIs by enabling adaptive allocations
 * in {{kib}} by enabling adaptive resources
 
+For {{serverless-short}} projects, trained model autoscaling is automatically enabled and cannot be disabled.
+
 ::::{important}
 To fully leverage model autoscaling in {{ech}}, {{ece}}, and {{eck}}, it is highly recommended to enable [{{es}} deployment autoscaling](../../deploy-manage/autoscaling.md).
 ::::
 
-Trained model autoscaling is available for {{serverless-short}}, {{ech}}, {{ece}}, and {{eck}} deployments. In serverless deployments, processing power is managed differently across Search, Observability, and Security projects, which impacts their costs and resource limits.
+Trained model autoscaling is available for {{serverless-short}}, {{ech}}, {{ece}}, and {{eck}} deployments. In {{serverless-short}} projects, processing power is managed differently across Search, Observability, and Security projects, which impacts their costs and resource limits.
 
 :::{admonition} Trained model auto-scaling for self-managed deployments
 The available resources of self-managed deployments are static, so trained model autoscaling is not applicable. However, available resources are still segmented based on the settings described in this section.
@@ -54,10 +56,6 @@ You can enable adaptive allocations by using:
 
 If the new allocations fit on the current {{ml}} nodes, they are immediately started. If more resource capacity is needed for creating new model allocations, then your {{ml}} node will be scaled up if {{ml}} autoscaling is enabled to provide enough resources for the new allocation. The number of model allocations can be scaled down to 0. They cannot be scaled up to more than 32 allocations, unless you explicitly set the maximum number of allocations to more. Adaptive allocations must be set up independently for each deployment and [{{infer}} endpoint](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-inference).
 
-:::{note}
-When you create inference endpoints on {{serverless-short}} using {{kib}}, adaptive allocations are automatically turned on, and there is no option to disable them.
-:::
-
 ### Optimizing for typical use cases [optimizing-for-typical-use-cases]
 
 You can optimize your model deployment for typical use cases, such as search and ingest. When you optimize for ingest, the throughput will be higher, which increases the number of {{infer}} requests that can be performed in parallel. When you optimize for search, the latency will be lower during search processes.
@@ -73,16 +71,16 @@ You can choose from three levels of resource usage for your trained model deploy
 
 Refer to the tables in the [Model deployment resource matrix](#model-deployment-resource-matrix) section to find out the settings for the level you selected.
 
-:::{image} /deploy-manage/images/machine-learning-ml-nlp-deployment-id-elser-v2.png
+The image below shows the process of starting a trained model on an {{ech}} deployment. In {{serverless-short}} projects, the **Adaptive resources** toggle is not available when starting trained model deployments, as adaptive allocations are always enabled and cannot be disabled.
+
+:::{image} /deploy-manage/images/ml-nlp-deployment-id-elser.png
 :alt: ELSER deployment with adaptive resources enabled.
 :screenshot:
 :width: 500px
 :::
 
 In {{serverless-full}}, Search projects are given access to more processing resources, while Security and Observability projects have lower limits. This difference is reflected in the UI configuration: Search projects have higher resource limits compared to Security and Observability projects to accommodate their more complex operations.
 
-On {{serverless-short}}, adaptive allocations are automatically enabled for all project types. However, the "Adaptive resources" control is not displayed in {{kib}} for Observability and Security projects.
-
 ## Model deployment resource matrix [model-deployment-resource-matrix]
 
 The used resources for trained model deployments depend on three factors:
@@ -100,10 +98,6 @@ If you use a self-managed cluster or ECK, vCPUs level ranges are derived from th
 
 The following tables show you the number of allocations, threads, and vCPUs available in ECE and ECH when adaptive resources are enabled or disabled.
 
-::::{note}
-On {{serverless-short}}, adaptive allocations are automatically enabled for all project types. However, the "Adaptive resources" control is not displayed in {{kib}} for Observability and Security projects.
-::::
-
 ### Ingest optimized
 
 In case of ingest-optimized deployments, we maximize the number of model allocations.
@@ -152,16 +146,6 @@ In case of ingest-optimized deployments, we maximize the number of model allocat
 
 :::
 
-:::{tab-item} {{serverless-short}}
-
-| Level | Allocations | Threads | VCUs |
-| --- | --- | --- | --- |
-| Low | Exactly 2 | 1 | 16 |
-| Medium | Exactly 32 | 1 | 256 |
-| High | 512 for Search<br> No static allocations for Security and Observability<br> | 1 | 4096 for Search<br> No static allocations for Security and Observability<br> |
-
-:::
-
 ::::
 
 ### Search optimized
@@ -188,9 +172,9 @@ In case of search-optimized deployments, we maximize the number of threads. The
 
 | Level | Allocations | Threads | VCUs |
 | --- | --- | --- | --- |
-| Low | 0 to 1 dynamically | Always 2 | 0 to 16 dynamically |
-| Medium | 1 to 2 (if threads=16), dynamically | Maximum (for example, 16) | 8 to 256 dynamically |
-| High | 1 to 32 (if threads=16), dynamically<br> 1 to 128 for Security and Observability<br> | Maximum (for example, 16) | 8 to 4096 for Search<br> 8 to 1024 for Security and Observability<br> |
+| Low | 0 to 1 dynamically | 2 | 0 to 16 dynamically |
+| Medium | 0 to 2 dynamically for Search and Observatibility<br> 1 to 2 dynamically for Security | 4 | 0 to 256 dynamically for Search and Observatibility<br> 8 to 256 dynamically for Security |
+| High | 0 to 32 dynamically for Search and Observatibility<br> 1 to 128 dynamically for Security<br> | 8 | 0 to 4096 dynamically for Search<br> 0 to 1024 dynamically for Observability<br>8 to 1014 dynamically for Security |
 
 :::
 
@@ -212,14 +196,4 @@ In case of search-optimized deployments, we maximize the number of threads. The
 
 :::
 
-:::{tab-item} {{serverless-short}}
-
-| Level | Allocations | Threads | VCUs |
-| --- | --- | --- | --- |
-| Low | 1 statically | Always 2 | 16 |
-| Medium | 2 statically (if threads=16) | Maximum (for example, 16) | 256 |
-| High | 32 statically (if threads=16) for Search<br> No static allocations for Security and Observability<br> | Maximum (for example, 16) | 4096 for Search<br> No static allocations for Security and Observability<br> |
-
-:::
-
 ::::

deploy-manage/deploy/_snippets/stack-version-compatibility.md

@@ -1,3 +1,3 @@
-When installing the {{stack}}, you must use the same version across the entire stack. For example, if you are using {{es}} {{stack-version}}, you install Beats {{stack-version}}, APM Server {{stack-version}}, {{es}} Hadoop {{stack-version}}, {{kib}} {{stack-version}}, and Logstash {{stack-version}}.
+When installing the {{stack}}, you must use the same version across the entire stack. For example, if you are using {{es}} {{version.stack}}, you install Beats {{version.stack}}, APM Server {{version.stack}}, {{es}} Hadoop {{version.stack}}, {{kib}} {{version.stack}}, and Logstash {{version.stack}}.
 
-If you’re upgrading an existing installation, see [](/deploy-manage/upgrade.md) for information about how to ensure compatibility with {{stack-version}}.
+If you’re upgrading an existing installation, see [](/deploy-manage/upgrade.md) for information about how to ensure compatibility with {{version.stack}}.

deploy-manage/deploy/cloud-enterprise/add-custom-bundles-plugins.md

@@ -71,7 +71,7 @@ Custom plugins can include the official {{es}} plugins not provided with {{ece}}
                     "elasticsearch_version" : "<es_version>" <2>
                   },
                   {
-                    "url": "http://www.MYURL.com/my-custom-plugin.zip",
+                    "url": "<MY_HOST_URL>/my-custom-plugin.zip",
                     "name": "my-custom-plugin",
                     "elasticsearch_version": "7.17.1"
                   }
@@ -105,7 +105,7 @@ This example adds a custom LDAP bundle for deployment level role-based access co
                 "user_bundles": [
                 {
                   "name": "ldap-cert",
-                  "url": "http://www.MYURL.com/ldapcert.zip", <1>
+                  "url": "<MY_HOST_URL>/ldapcert.zip", <1>
                   "elasticsearch_version": "*"
                 }
               ]
@@ -151,7 +151,7 @@ In this example, we assume the Identity Provider does not publish its SAML metad
                 "user_bundles": [
                 {
                   "name": "saml-metadata",
-                  "url": "http://www.MYURL.com/saml-metadata.zip", <1>
+                  "url": "<MY_HOST_URL>/saml-metadata.zip", <1>
                   "elasticsearch_version": "*"
                 }
               ]
@@ -254,7 +254,7 @@ To import a JVM trust store:
                 "user_bundles": [
                 {
                   "name": "custom-ca-certs",
-                  "url": "http://www.MYURL.com/cacerts.zip", <1>
+                  "url": "<MY_HOST_URL>/cacerts.zip", <1>
                   "elasticsearch_version": "*" <2>
                 }
               ]
@@ -309,7 +309,7 @@ To import a JVM trust store:
                 "user_bundles": [
                 {
                   "name": "custom-geoip-db",
-                  "url": "http://www.MYURL.com/my-geoip-file.zip",
+                  "url": "<MY_HOST_URL>/my-geoip-file.zip",
                   "elasticsearch_version": "*"
                 }
               ]
@@ -359,7 +359,7 @@ To import a JVM trust store:
                 "user_bundles": [
                 {
                   "name": "custom-synonyms",
-                  "url": "http://www.MYURL.com/synonyms.zip",
+                  "url": "<MY_HOST_URL>/synonyms.zip",
                   "elasticsearch_version": "*"
                 }
               ]

deploy-manage/deploy/cloud-enterprise/ce-add-support-for-node-roles-autoscaling.md

@@ -1418,7 +1418,7 @@ Having added support for `node_roles` and autoscaling to your custom template, i
 1. Obtain the existing deployment templates by sending the following `GET` request, and take note of the `id` of the template you wish to update.
 
     ```sh
-    curl -k -X GET -H "Authorization: ApiKey $ECE_API_KEY" https://COORDINATOR_HOST:12443/api/v1/deployments/templates?region=ece-region
+    curl -k -X GET -H "Authorization: ApiKey $ECE_API_KEY" https://$COORDINATOR_HOST:12443/api/v1/deployments/templates?region=ece-region
     ```
 
 2. Send a `PUT` request with the updated template on the payload, in order to effectively replace the outdated template with the new one. Note that the following request is just an example, you have to replace `{{template_id}}` with the `id` you collected on step 1. and set the payload to the updated template JSON. Check [set deployment template API](https://www.elastic.co/docs/api/doc/cloud-enterprise/operation/operation-set-deployment-template-v2) for more details.

deploy-manage/deploy/cloud-enterprise/change-endpoint-urls.md

@@ -15,8 +15,8 @@ products:
 By default, the deployments `CNAME` is set to `LOCAL_HOST_IP.ip.es.io`, where `LOCAL_HOST_IP` is the IP address of the first installed ECE host. This results in the following default endpoint URLs:
 
 ```sh
-http://CLUSTER_ID.LOCAL_HOST_IP.ip.es.io:9200
-https://CLUSTER_ID.LOCAL_HOST_IP.ip.es.io:9243
+http://<CLUSTER_ID.LOCAL_HOST_IP>.ip.es.io:9200
+https://<CLUSTER_ID.LOCAL_HOST_IP>.ip.es.io:9243
 ```
 
 ::::{important}

deploy-manage/deploy/cloud-enterprise/configure-allocator-affinity.md

@@ -42,7 +42,7 @@ $$$fill-anti-affinity$$$`fill-anti-affinity` (default)
 To check how allocator affinity is currently configured:
 
 ```sh
-curl -X GET -u admin:PASSWORD -k https://COORDINATOR_HOST:12443/api/v1/platform/configuration/store/constructor
+curl -X GET -u admin:PASSWORD -k https://$COORDINATOR_HOST:12443/api/v1/platform/configuration/store/constructor
 {
   "errors": [{
     "code": "platform.config.store.not_found",
@@ -56,7 +56,7 @@ If a configuration option cannot be found, the default `fill-anti-affinity` stra
 To set allocator affinity to the `distribute-anti-affinity` strategy:
 
 ```sh
-curl -X POST -u admin:PASSWORD -k https://COORDINATOR_HOST:12443/api/v1/platform/configuration/store/constructor -H 'Content-Type: application/json' -d '{ "value": "{ \"allocator_prioritization\": \"distribute-anti-affinity\" }" }'
+curl -X POST -u admin:PASSWORD -k https://$COORDINATOR_HOST:12443/api/v1/platform/configuration/store/constructor -H 'Content-Type: application/json' -d '{ "value": "{ \"allocator_prioritization\": \"distribute-anti-affinity\" }" }'
 {
   "changed": false,
   "name": "constructor",
@@ -67,7 +67,7 @@ curl -X POST -u admin:PASSWORD -k https://COORDINATOR_HOST:12443/api/v1/platform
 To update allocator affinity to the `distribute` strategy:
 
 ```sh
-curl -X PUT -u admin:PASSWORD -k https://COORDINATOR_HOST:12443/api/v1/platform/configuration/store/constructor -H 'Content-Type: application/json' -d '{ "value": "{ \"allocator_prioritization\": \"distribute\" }" }'
+curl -X PUT -u admin:PASSWORD -k https://$COORDINATOR_HOST:12443/api/v1/platform/configuration/store/constructor -H 'Content-Type: application/json' -d '{ "value": "{ \"allocator_prioritization\": \"distribute\" }" }'
 {
   "changed": true,
   "name": "constructor",
@@ -78,7 +78,7 @@ curl -X PUT -u admin:PASSWORD -k https://COORDINATOR_HOST:12443/api/v1/platform/
 To change allocator affinity back to the default behavior:
 
 ```sh
-curl -X DELETE -u admin:PASSWORD -k https://COORDINATOR_HOST:12443/api/v1/platform/configuration/store/constructor
+curl -X DELETE -u admin:PASSWORD -k https://$COORDINATOR_HOST:12443/api/v1/platform/configuration/store/constructor
 {
 
 }

deploy-manage/deploy/cloud-enterprise/configure-host-rhel.md

@@ -144,7 +144,7 @@ Make sure to use a supported combination of Linux distribution and container eng
 
     ```text
     [engine]
-    env = ["HTTP_PROXY=http://{proxy-ip}:{proxy-port}", "HTTPS_PROXY=http://{proxy-ip}:{proxy-port}"]
+    env = ["HTTP_PROXY=http://<PROXY_IP>:<PROXY_PORT>", "HTTPS_PROXY=http://<PROXY_IP>:<PROXY_PORT>"]
     ```
 
 7. Reload systemd configuration

deploy-manage/deploy/cloud-enterprise/connect-elasticsearch.md

@@ -32,7 +32,7 @@ Once you have the endpoint, use it in your client application. To test connectiv
 * Modify the following `curl` example to fit your environment by replacing the URL and proxy CA certificate with your own values.
 
   ```sh
-  curl --cacert /path/to/elastic-ece-ca-cert.pem -u elastic https://f76e96da2a7f4d3f8f3ee25d686b879c.HOST-IP-ADDRESS.ip.es.io:9243
+  curl --cacert /path/to/elastic-ece-ca-cert.pem -u elastic https://<CLUSTER_ID.LOCAL_HOST_IP>.ip.es.io:9243
   {
     "name" : "instance-0000000000",
     "cluster_name" : "f76e96da2a7f4d3f8f3ee25d686b879c",