deploy-manage/remote-clusters.md
Lines changed: 30 additions & 10 deletions
@@ -64,23 +64,43 @@ This section explains how remote clusters interact with network security when us
64
64
65
65
### Filter types for remote clusters traffic
66
66
67
-
Network security for remote cluster incoming connections using API key authentication supports two types of filters:
67
+
With API key–based authentication, remote clusters require the local cluster (A) to trust the transport SSL certificate presented by the remote cluster server (B). When network security is enabled on the destination cluster (B), it’s also necessary to explicitly allow the incoming traffic from cluster A. This can be achieved using different types of traffic filters:
68
+
69
+
*[IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestrated environments, where the source IP of individual {{es}} instances may change.
70
+
71
+
Use IP filters when the local cluster is self-managed.
68
72
69
-
*[IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestrated environments, where the source IP of individual {{es}} instances may change.
70
73
*[Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), which allow filtering by organization ID or {{es}} cluster ID. This method is more reliable and recommended, as it combines mTLS with API key authentication for stronger security.
71
74
75
+
Use remote cluster filters when the local cluster is also on ECH or ECE, as these filters are specific to {{ecloud}} and ECE platforms.
76
+
72
77
### Use cases for remote clusters and network security [use-cases-network-security]
73
78
74
-
Network security is supported to control remote cluster traffic in the following scenarios:
79
+
[Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) are supported to control remote cluster traffic in the following scenarios:
80
+
* Local and remote clusters are {{ech}} deployments in the same organization
81
+
* Local and remote clusters are {{ech}} deployments in different organizations
82
+
* Local and remote clusters are {{ece}} deployments in the same ECE environment
83
+
* Local and remote clusters are {{ece}} deployments in different ECE environments
84
+
* The local deployment is on {{ech}} and the remote deployment is on an {{ece}} environment
85
+
::::{note}
86
+
Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
87
+
::::
88
+
89
+
[IP filters](/deploy-manage/security/ip-filtering.md) are the only option for applying network security when the local deployment is a self-managed or an {{eck}} cluster, and the remote is on {{ece}} or {{ech}}.
75
90
76
-
* Local and remote clusters are {{ech}} deployments in the same organization
77
-
* Local and remote clusters are {{ech}} deployments in different organizations
78
-
* Local and remote clusters are {{ece}} deployments in the same ECE environment
79
-
* Local and remote clusters are {{ece}} deployments in different ECE environments
80
-
* The local deployment is on {{ech}} and the remote deployment is on an {{ece}} environment
91
+
### (option 2) Use cases for remote clusters and network security [use-cases-network-security2]
92
+
93
+
Network security can be used to control remote cluster traffic in the following scenarios. The supported filter depends on the deployment types involved:
| Local and remote clusters are ECH deployments in the same organization |[Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md)|
98
+
| Local and remote clusters are ECH deployments in different organizations |[Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md)|
99
+
| Local and remote clusters are ECE deployments in the same environment |[Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md)|
100
+
| Local and remote clusters are ECE deployments in different environments |[Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md)|
101
+
| The local deployment is on ECH and the remote deployment is on an ECE environment |[Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md)|
102
+
| Local deployment is self-managed or orchestrated by ECK |[IP filters](/deploy-manage/security/ip-filtering.md)|
81
103
82
104
::::{note}
83
105
Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
84
106
::::
85
-
86
-
Refer to [Remote cluster filtering](/deploy-manage/security/remote-cluster-filtering.md) for instructions on creating and applying remote cluster filters in ECH or ECE.
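Review bot: The added heading `### (option 2) Use cases for remote clusters and network security [use-cases-network-security2]` leaves two drafts of the same section in the page: the bullet list under `[use-cases-network-security]` and the table below it, with the ECE-to-ECH note now appearing under both. Pick one form, drop the other together with the `(option 2)` label and the `use-cases-network-security2` anchor, and keep a single copy of the note. In the same hunk, "Use IP filters when the local cluster is self-managed." omits ECK, while the later paragraph says IP filters are the only option when the local deployment is "a self-managed or an {{eck}} cluster"; align the two sentences so readers with an ECK local cluster get the same answer in both places.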
deploy-manage/remote-clusters/ec-enable-ccs.md
Lines changed: 1 addition & 1 deletion
@@ -57,4 +57,4 @@ The steps, information, and authentication method required to configure CCS and
57
57
58
58
## Remote clusters and network security [ec-ccs-ccr-network-security]
59
59
60
-
If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to your deployment, then you might need to take extra steps to allow a cluster to make requests to your cluster. Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
60
+
If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
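Review bot: The replacement sentence "Some remote cluster configurations have limited compatibility with network security" is vaguer than the line it replaces, which named incoming connections from {{eck}} and self-managed clusters. Since the remote-clusters.md change in this commit states that IP filters are the only option for those local clusters, say that here (for example, that self-managed and {{eck}} local clusters can only be allowed through IP filters) so the reader knows which case is limited before following the link.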
deploy-manage/remote-clusters/ece-enable-ccs.md
Lines changed: 1 addition & 1 deletion
@@ -62,4 +62,4 @@ The steps, information, and authentication method required to configure CCS and
62
62
63
63
## Remote clusters and network security [ece-ccs-ccr-network-security]
64
64
65
-
If you have [network security filters](/deploy-manage/security/ece-filter-rules.md) applied to your deployment, then you might need to take extra steps to allow a cluster to make requests to your cluster. Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
65
+
If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
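Review bot: The link in this ECE page changes from `[network security filters](/deploy-manage/security/ece-filter-rules.md)` to `[network security policies](/deploy-manage/security/network-security-policies.md)`, which makes the line identical to the one in ec-enable-ccs.md. Confirm that the new target covers ECE filter rules; if it does not, keep the `ece-filter-rules.md` link and only update the wording about the remote side. The same loss of the {{eck}} and self-managed detail noted for ec-enable-ccs.md applies to the "limited compatibility" sentence here.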