If your application does not support HTTPS, you can connect to the HTTP endpoint on port 9200. However, for security reasons, it is recommended to use **HTTPS (9243)** whenever possible.
23
+
For security reasons, it is recommended to use **HTTPS (9243)** whenever possible.
24
24
::::
25
25
26
26
To change endpoints in the Cloud UI:
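Review bot: With the sentence about the HTTP endpoint removed, "whenever possible" in the remaining line "For security reasons, it is recommended to use **HTTPS (9243)** whenever possible." still implies an alternative that the note no longer names. Either keep an explicit statement that the plain HTTP endpoint on port 9200 exists and is discouraged, or drop "whenever possible" and say that clients should connect over HTTPS on 9243.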
@@ -43,3 +43,7 @@ If you have an App Search instance, after specifying a new deployment domain nam
43
43
::::{note}
44
44
The built-in Proxy Certificate only validates against the default endpoint format described on this page. Once you change it, it is necessary to upload a new Proxy Certificate as described in [Manage security certificates](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md). For test only, clients can be configured with hostname verification disabled until the new certificate is uploaded.
45
45
::::
46
+
47
+
::::{note}
48
+
If you do not use wildcard certificates, you must configure SAN entries for each component of the deployment (for example, {{es}} or {{kib}}) and repeat this process for every deployment. Review [Wildcard DNS record and certificates](./ece-wildcard-dns.md) for more guidance.
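Review bot: In the added note, "repeat this process for every deployment" has no clear referent; the only process nearby is the Proxy Certificate upload described in the preceding note. Name the step, for example "reissue and upload the proxy certificate with the new SAN entries each time a deployment is created", so the note can be read on its own. Since the preceding note allows hostname verification to be disabled "for test only", it would also help to say here that a missing SAN entry is fixed by reissuing the certificate.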
deploy-manage/deploy/cloud-enterprise/ece-wildcard-dns.md
Lines changed: 24 additions & 4 deletions
@@ -8,19 +8,39 @@ products:
8
8
- id: cloud-enterprise
9
9
---
10
10
11
-
# Wildcard DNS record [ece-wildcard-dns]
11
+
# Wildcard DNS record and certificates [ece-wildcard-dns]
12
12
13
13
::::{warning}
14
14
Don't use `ip.es.io` for production systems. Set up your own domain name and DNS resolver for production. We do not guarantee uptime with `ip.es.io`.
15
15
16
16
`ip.es.io` is intended for use only by {{ece}} customers. We may, acting in our sole discretion, immediately terminate, suspend, or block any unauthorized users or uses without notice.
17
17
::::
18
18
19
-
By default, {{ece}} uses the external `ip.es.io` service provided by Elastic to resolve virtual {{es}} cluster host names in compliance with RFC1918. The service works by resolving host names of the form `<ip>.ip.es.io` to `<ip>`. In the case of {{ece}}, each cluster is assigned a virtual host name of the form `<cluster id>.<proxy ip address>.ip.es.io:<port>`, such as `6dfc65aae62341e18a8b7692dcc97186.10.8.156.132.ip.es.io:9243`. The `ip.es.io` service simply resolves the virtual host name of the cluster to the proxy address which is specified during installation, `10.8.156.132` in our example, so that client requests are sent to the proxy. The proxy then extracts the cluster ID from the virtual host name of the cluster and uses its internal routing table to route the request to the right allocator.
19
+
By default, {{ece}} uses the external `ip.es.io` service provided by Elastic to resolve virtual {{es}} cluster host names in compliance with RFC1918. The service works by resolving host names of the form `<ip>.ip.es.io` to `<ip>`. In the case of {{ece}}, each cluster is assigned a virtual host name of the form `<cluster id>.<proxy ip address>.ip.es.io:<port>`, such as `6dfc65aae62341e18a8b7692dcc97186.10.8.156.132.ip.es.io:9243`.
20
+
21
+
The `ip.es.io` service simply resolves the virtual host name of the cluster to the proxy address which is specified during installation, `10.8.156.132` in our example, so that client requests are sent to the proxy. The proxy then extracts the cluster ID from the virtual host name of the cluster and uses its internal routing table to route the request to the right allocator.
22
+
23
+
## Considerations for production
20
24
21
25
The `ip.es.io` service is provided to help you evaluate {{ece}} without having to set up DNS records for your environment. You must set up a wildcard DNS record for your production system. You typically set up a wildcard DNS record that resolves to the proxy host or to a load balancer if you set up multiple proxies fronted by a load balancer. You can create both a wildcard DNS entry for your endpoints and a wildcard TLS/SSL certificate, so that you can create multiple clusters without the need for further DNS or TSL/SSL modifications. Simply configure your DNS to point to your load balancers and install your certificates on them, so that communication with the cluster is secure.
22
26
23
-
A wildcard certificate is enabled based on the deployment domain name. For more information on modifying the deployment domain name, check [Configure endpoints](change-endpoint-urls.md). The deployment domain name also determines the endpoint URLs that are displayed in the Cloud UI.
27
+
## Configuring wildcard DNS certificates
28
+
29
+
{{ece}} highly recommends using a wildcard DNS certificate, typically configured as a subdomain (for example, `*.ece.mycompany.com`), to automatically secure the unique endpoints generated for each deployment (for example, `[cluster-id].ece.mycompany.com`). For details on modifying the deployment domain name, see [Change endpoint URLs](change-endpoint-urls.md). The deployment domain name also determines the endpoint URLs displayed in the Cloud UI.
30
+
31
+
Additionally, if you use custom endpoint aliases, you must configure a wildcard DNS certificate for each application-specific subdomain, such as `*.es.mycompany.com` for {{es}} or `*.kb.mycompany.com` for {{kib}}. Refer to [Enable custom endpoint aliases](./enable-custom-endpoint-aliases.md) for more information. Platform administrators must enable this feature to allow deployment managers to create and modify aliases for their deployments.
32
+
33
+
34
+
### Wildcard DNS certificate vs static SAN certificates
35
+
36
+
In {{ece}}, each deployment generates multiple DNS entries, as every component within a deployment has its own cluster ID and fully qualified domain name (FQDN), and may also have an [alias](./enable-custom-endpoint-aliases.md). In environments with many deployments, especially when aliases are used, this can result in hundreds of unique FQDNs that must be covered by the certificate.
37
+
38
+
For this reason, using a wildcard DNS certificate for a subdomain, such as `*.ece.mycompany.com`, is recommended over a certificate with static SAN entries, as it offers a more scalable, efficient, and operationally safe solution:
39
+
40
+
***Operational cost:** Because deployment FQDNs cannot be predicted in advance, a wildcard certificate provides optimal flexibility, allowing the proxy to present a valid certificate for any deployment URL. In contrast, a certificate with static SAN entries must be reissued whenever a new deployment is created, which increases the operational overhead.
41
+
42
+
***Security:** We suggest configuring your wildcard DNS certificate for a subdomain, such as `*.ece.mycompany.com`. Doing so significantly reduces security risks associated with certificate misconfigurations. In contrast, if a certificate with static SAN entries does not include the new deployment’s cluster IDs, clients will encounter certificate name mismatch warnings, indicating a security misconfiguration.
43
+
44
+
***Performance:** Wildcard certificates are generally more performant than certificates with a large number of SAN entries. They are smaller, which reduces TLS handshake time, and scale automatically with new deployments. In contrast, certificates with a large number of SAN entries can increase handshake latency and may affect client compatibility.
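Review bot: The **Security** bullet claims that scoping the wildcard to a subdomain "significantly reduces security risks associated with certificate misconfigurations" but never says why, and the rest of the bullet only describes name mismatch warnings with static SAN certificates. State the reason: a wildcard certificate is valid for every host name one label below its base, so issuing it for a dedicated subdomain such as `*.ece.mycompany.com` keeps it from also covering unrelated hosts directly under `mycompany.com`. Separately, "wildcard DNS certificate" in the new headings and paragraphs merges two things the new page title keeps apart (a wildcard DNS record and a wildcard TLS certificate); "wildcard certificate" would match the unchanged "Considerations for production" paragraph, where "TSL/SSL" should also read "TLS/SSL".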
deploy-manage/deploy/cloud-enterprise/enable-custom-endpoint-aliases.md
Lines changed: 3 additions & 6 deletions
@@ -23,21 +23,18 @@ After installing or upgrading to version 2.10 or later:
23
23
2.[Update your proxy certificate(s)](../../security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md). In addition to currently configured domains, additional SAN entries must be configured for each application-specific subdomain:
24
24
25
25
::::{note}
26
-
If you are not using wildcard certificates, you need to repeat this process for each deployment to account for specific aliases.
26
+
If you are not using wildcard certificates, you need to repeat this process for each deployment to account for specific aliases. Review [Wildcard DNS record and certificates](./ece-wildcard-dns.md) for more guidance.
27
27
::::
28
-
28
+
29
29
30
30
* For {{es}}, the certificate needs to allow for **\*.es.<your-domain>**
31
31
* For {{kib}}, the certificate needs to allow for **\*.kb.<your-domain>**
32
32
* For APM, the certificate needs to allow for **\*.apm.<your-domain>**
33
33
* For Fleet, the certificate needs to allow for **\*.fleet.<your-domain>**
34
34
* For Universal Profiling, the certificate needs to allow for **\*.profiling.<your-domain>** and **\*.symbols.<your-domain>**
35
35
36
+
36
37
3. In the **Platform** menu, select **Settings**.
37
38
4. Under the **Enable custom endpoint alias naming**, toggle the setting to allow platform administrators and deployment managers to choose a simplified, unique URL for the endpoint.
38
39
39
-
If you do not perform these steps, application endpoints will behave as they did in versions before 2.10.
40
-
41
-
To learn about setting up custom endpoint aliases for your deployments, check [Custom endpoint aliases](ece-regional-deployment-aliases.md).
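Review bot: The end of this hunk deletes both closing paragraphs, including the pointer "To learn about setting up custom endpoint aliases for your deployments, check [Custom endpoint aliases](ece-regional-deployment-aliases.md)", which is unrelated to the wildcard certificate guidance the rest of the change adds. After step 4 the page now ends with no next step for deployment managers, and the statement that skipping these steps leaves endpoints behaving as before 2.10 is gone too. Keep the link, or confirm that both points are covered elsewhere on the page.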
deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md
Lines changed: 7 additions & 8 deletions
@@ -16,22 +16,21 @@ In these instructions, we show you how you can download the security certificate
16
16
17
17
You can change the certificates for the following ECE components separately:
18
18
19
-
Cloud UI certificate
19
+
**Cloud UI certificate**
20
20
: Used to connect securely to the Cloud UI and to make RESTful API calls.
21
21
22
-
Proxy certificate
23
-
: Used to connect securely to {{es}} clusters and {{kib}}. You should use a wildcard certificate rooted at the [cluster endpoint that you set](../../deploy/cloud-enterprise/change-endpoint-urls.md) (`*.example.com`, for example). A wildcard certificate is required, because the first label of the DNS address is distinct for {{es}} clusters and {{kib}} (`bc898abb421843918ebc31a513169a.example.com`, for example).
22
+
**Proxy certificate**
23
+
: Used to connect securely to {{es}} clusters and other components such as {{kib}}, etc.
24
24
25
-
If you wish to enable [custom endpoint aliases](../../deploy/cloud-enterprise/enable-custom-endpoint-aliases.md) in ECE 2.10 or later, also follow the directions for adding Subject Alternative Name (SAN) entries to support these aliases.
25
+
We strongly recommend using a wildcard certificate configured for a subdomain at the [cluster endpoint you set](../../deploy/cloud-enterprise/change-endpoint-urls.md) (for example, `*.ece.mycompany.com`).
26
26
27
-
::::{note}
28
-
If you plan to deploy [Integration Servers](../../deploy/cloud-enterprise/manage-integrations-server.md), you must add two additional wildcard subdomains, `*.fleet.<your-domain>` and `*.apm.<your-domain>`, to the Subject Alternative Names (SANs) attached to the proxy wildcard certificate. Based on the previous example, your proxy certificates should end up with those three wildcards: `*.example.com`, `*.fleet.example.com`, and `*.apm.example.com`.
29
-
::::
27
+
If you wish to enable [custom endpoint aliases](../../deploy/cloud-enterprise/enable-custom-endpoint-aliases.md) in ECE 2.10 or later, also follow the directions for adding Subject Alternative Name (SAN) entries to support these aliases.
30
28
29
+
A wildcard DNS certificate is more performant, scalable, and operationally safe than a static SAN certificate. Review [Wildcard DNS record and certificates](../../deploy/cloud-enterprise/ece-wildcard-dns.md) for more guidance.
31
30
32
31
After the certificates have been installed, connecting securely to {{es}}, {{kib}}, and the Cloud UI or making secure RESTful API calls to ECE should not result in any security warnings or errors.
33
32
34
-
Adminconsole certificate
33
+
**Adminconsole certificate**
35
34
: This certificate facilitates a secure connection to an alternative API port, which can be used in rare scenarios where the UI is unavailable. We recommend using the same certificate as the one configured for the Cloud UI.
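Review bot: The removed note for Integration Servers was the only place in this hunk that stated the `*.fleet.<your-domain>` and `*.apm.<your-domain>` wildcard SANs as a requirement ("you must add two additional wildcard subdomains"); the replacement text mentions SAN entries only for custom endpoint aliases. If the requirement still applies, keep it here or link to where it now lives, otherwise readers will deploy a proxy certificate that does not cover those endpoints. The same lines also downgrade "A wildcard certificate is required" to "We strongly recommend" and drop the explanation that the first DNS label differs per cluster; one sentence on what happens without a wildcard would preserve that reasoning. Minor: "such as {{kib}}, etc." is redundant, drop ", etc.".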
explore-analyze/elastic-inference/eis.md
Lines changed: 11 additions & 0 deletions
@@ -57,6 +57,17 @@ All models on EIS incur a charge per million tokens. The pricing details are at
57
57
58
58
Note that this pricing models differs from the existing [Machine Learning Nodes](https://www.elastic.co/docs/explore-analyze/machine-learning/data-frame-analytics/ml-trained-models), which is billed via VCUs consumed.
59
59
60
+
### Token-based billing
61
+
62
+
EIS is billed per million tokens used:
63
+
64
+
- For **chat** models, input and output tokens are billed. Longer conversations with extensive context or detailed responses will consume more tokens.
65
+
- For **embeddings** models, only input tokens are billed.
66
+
67
+
Tokens are the fundamental units that language models process for both input and output. Tokenizers convert text into numerical data by segmenting it into subword units. A token may be a complete word, part of a word, or a punctuation mark, depending on the model's trained tokenizer and the frequency patterns in its training data.
68
+
69
+
For example, the sentence "It was the best of times, it was the worst of times." contains 52 characters but would tokenize into approximately 14 tokens with a typical word-based approach, though the exact count varies by tokenizer.
70
+
60
71
## Rate Limits
61
72
62
73
The service enforces rate limits on an ongoing basis. Exceeding a limit will result in HTTP 429 responses from the server until the sliding window moves on further and parts of the limit resets.
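Review bot: The example at the end of the new section counts tokens "with a typical word-based approach" right after the previous paragraph says tokenizers segment text into subword units, so the two paragraphs describe different methods. Say where the 14 comes from (12 words plus the comma and the period) and note that a subword tokenizer can return a different count, so readers do not treat 14 as a billing figure. In the unchanged context line above the new heading, "this pricing models differs" should read "this pricing model differs".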
solutions/observability/streams/management/extract.md
Lines changed: 1 addition & 0 deletions
@@ -185,3 +185,4 @@ You can still add your own processors manually to the `@custom` pipeline if need
185
185
186
186
- Streams does not support all processors. More processors will be added in future versions.
187
187
- The data preview simulation may not accurately reflect the changes to the existing data when editing existing processors or re-ordering them. Streams will allow proper simulations using original documents in a future version.
188
+
- Streams can't properly handle arrays. While it supports basic actions like appending or renaming, it can't access individual array elements. For classic streams, the workaround is to use the [manual pipeline configuration](./extract/manual-pipeline-configuration.md) that supports Painless scripting and all ingest processors.
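Review bot: The added limitation gives a workaround only "For classic streams" and says nothing about other stream types, so a reader cannot tell whether no workaround exists for them or it was left out. State that explicitly. "can't properly handle arrays" is also vaguer than the sentence that follows it; leading with the concrete limit ("can't access individual array elements") would read better.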
Connect to your Elasticsearch data directly from any MCP Client (like Claude Desktop) using the Model Context Protocol (MCP).
10
+
Elastic offers two MCP server options for connecting agents to your {{es}} data. The Agent Builder MCP server is the recommended approach for {{es}} 9.2+ and Serverless deployments, offering full access to built-in and custom tools. For older {{es}} versions without Agent Builder, you can use the `mcp-elasticsearch` server which has a limited tool set.
11
11
12
-
This server enables connecting agents to your Elasticsearch data and allows you to interact with your Elasticsearch indices through natural language conversations.
12
+
## {{agent-builder}} MCP server
13
+
```{applies_to}
14
+
stack: preview 9.2
15
+
serverless: preview
16
+
```
17
+
Elastic 9.2.0+ and Serverless deployments provide an [Agent Builder MCP server endpoint](https://www.elastic.co/docs/solutions/search/agent-builder/mcp-server) that exposes all built-in and custom [tools](https://www.elastic.co/docs/solutions/search/agent-builder/tools) you can use to power agentic workflows.
13
18
14
-
Learn more in the [elastic/mcp-server-elasticsearch](https://github.com/elastic/mcp-server-elasticsearch?tab=readme-ov-file#elasticsearch-mcp-server) GitHub repository.
19
+
## {{es}} MCP server
20
+
21
+
If you're running older versions of Elasticsearch without Agent Builder, you can use [elastic/mcp-server-elasticsearch](https://github.com/elastic/mcp-server-elasticsearch?tab=readme-ov-file#elasticsearch-mcp-server). This MCP server enables connecting agents to your {{es}} data and allows you to interact with your {{es}} indices through natural language conversations, though with a more limited tool set compared to the Agent Builder MCP server.
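Review bot: The new introduction calls the Agent Builder MCP server "the recommended approach" while the `applies_to` block directly under its heading marks it `preview` for both stack 9.2 and serverless; say in the text that it is in preview so the recommendation is not read as production guidance. The section also states that the endpoint "exposes all built-in and custom tools" without saying how access to it is authenticated or scoped, so a sentence or link on the required credentials and privileges belongs here. Minor: the last added paragraph mixes "Elasticsearch" and `{{es}}`, and the two added links use absolute `https://www.elastic.co/docs/...` URLs where the other files in this change use relative links.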