Apply suggestions from code review

eedugon · shainaraskas · web-flow · commit b3fca2699666 · 2025-10-22T18:10:38.000+02:00
Co-authored-by: shainaraskas &lt;58563081+shainaraskas@users.noreply.github.com&gt;
diff --git a/deploy-manage/remote-clusters.md b/deploy-manage/remote-clusters.md
@@ -34,7 +34,7 @@ You can learn more in the following documents:
 - [Connection modes](./remote-clusters/connection-modes.md): Sniff mode (direct connections to {{es}} nodes) or proxy mode (connections through a reverse proxy or load balancer endpoint).
 
 ::::{note}
-In managed or orchestrated environments, such as {{ech}}, {{ece}}, and {{eck}}, you can select the security model, but the connection mode is effectively limited to *proxy*, as sniff mode requires {{es}} nodes publish addresses to be directly reachable across clusters, which is generally not practical in containerized deployments.
+In managed or orchestrated environments, such as {{ech}}, {{ece}}, and {{eck}}, you can select the security model, but the connection mode is effectively limited to *proxy*. This is because sniff mode requires {{es}} nodes publish addresses to be directly reachable across clusters, which is generally not practical in containerized deployments.
 ::::
 
 ## Setup
diff --git a/deploy-manage/remote-clusters/connection-modes.md b/deploy-manage/remote-clusters/connection-modes.md
@@ -10,7 +10,7 @@ applies_to:
 products:
   - id: elasticsearch
 ---
-# Remote clusters connection modes
+# Remote cluster connection modes
 
 When you configure a remote cluster, the local cluster needs a way to connect to the nodes of the remote cluster. {{es}} supports two connection modes to handle different network architectures:
 
@@ -23,7 +23,7 @@ Connection modes work independently of [security models](./security-models.md).
 
 The choice between sniff and proxy mode depends on your network architecture and deployment type.  
 
-- **Self-managed environments:** If direct connections on the publish addresses between {{es}} nodes in both clusters are possible, you can use sniff mode. If direct connectivity is difficult to implement—for example, when clusters are separated by NAT, firewalls, or containerized environments—you can place a reverse proxy or load balancer in front of the remote cluster and use proxy mode instead.  
+- **Self-managed clusters:** If direct connections on the publish addresses between {{es}} nodes in both clusters are possible, you can use sniff mode. If direct connectivity is difficult to implement—for example, when clusters are separated by NAT, firewalls, or containerized environments—you can place a reverse proxy or load balancer in front of the remote cluster and use proxy mode instead.  
 
 - **Managed environments ({{ece}}, {{ech}}, {{eck}}):** Direct node-to-node connectivity is generally not feasible, so these deployments always rely on the proxy connection mode.
 
@@ -41,27 +41,27 @@ In sniff mode, a cluster alias is registered with a name of your choosing and a
 Sniff mode is the default connection mode when adding a remote cluster. See [Sniff mode remote cluster settings](remote-clusters-settings.md#remote-cluster-sniff-settings) for more information about configuring sniff mode.
 
 ::::{note}
-The sniff mode is not supported in {{ech}} and {{ece}} deployments, and it's not recommended in {{eck}} due to its complexity. Use proxy mode instead.
+Sniff mode is not supported in {{ech}} and {{ece}} deployments. In {{eck}}, sniff mode is not recommended due to its complexity. In these three cases, use proxy mode instead.
 ::::
 
 
 ## Proxy mode
 
 In proxy mode, a cluster alias is registered with a name of your choosing and the address of a TCP (layer 4) reverse proxy specified with the `cluster.remote.<cluster_alias>.proxy_address` setting. You must configure this proxy to route connections to one or more nodes of the remote cluster. The service port to forward traffic to depends on the [security model](./security-models.md) in use, as each model uses a different service port.
 
-When you register a remote cluster using proxy mode, {{es}} opens several TCP connections to the proxy address and uses these connections to communicate with the remote cluster. In proxy mode {{es}} disregards the publish addresses of the remote cluster nodes which means that the publish addresses of the remote cluster nodes do not need to be accessible to the local cluster.
+When you register a remote cluster using proxy mode, {{es}} opens several TCP connections to the proxy address and uses these connections to communicate with the remote cluster. In proxy mode, {{es}} disregards the publish addresses of the remote cluster nodes, which means that the publish addresses of the remote cluster nodes do not need to be accessible to the local cluster.
 
 Proxy mode is not the default connection mode, so you must set `cluster.remote.<cluster_alias>.mode: proxy` to use it. See [Proxy mode remote cluster settings](remote-clusters-settings.md#remote-cluster-proxy-settings) for more information about configuring proxy mode.
 
-## Connection modes: comparison
+## Connection mode comparison
 
 The following table summarizes the key differences between sniff and proxy mode to help you choose the most suitable option for your deployment.
 
 | Aspect                  | Sniff mode                                                                                       | Proxy mode                                                                                   |
 |-------------------------|--------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|
-| **Defaul when adding a remote**             | Yes                                                                                              | No (must be explicitly configured)                                                           |
+| **Default when adding a remote**             | Yes                                                                                              | No (must be explicitly configured)                                                           |
 | **Recommended deployment types**    | Self-managed                                                                                     | Self-managed, {{ech}}, {{ece}}, and {{eck}}                                                  |
-| **How it connects**     | Local cluster connects directly to remote nodes addresses, discovered from the configured seeds   | Local cluster connects to a single configured address. The reverse proxy or load balancer forwards traffic to remote nodes |
+| **How it connects**     | Local cluster connects directly to remote node addresses, discovered from the configured seeds   | Local cluster connects to a single configured address. The reverse proxy or load balancer forwards traffic to remote nodes. |
 | **Node discovery**      | Dynamic: local cluster discovers remote gateway nodes through the seed list                      | None: all traffic goes through the reverse proxy                                                |
 | **Network requirements**| Local cluster must be able to reach the remote cluster’s gateway node publish addresses          | Only the proxy address must be reachable; no need for local cluster to connect directly to remote nodes |
 | **Configuration**       | Configure remote seeds (`cluster.remote.<alias>.seeds`)                                          | Configure proxy address (`cluster.remote.<alias>.proxy_address`) and set mode to `proxy`      |
diff --git a/deploy-manage/remote-clusters/security-models.md b/deploy-manage/remote-clusters/security-models.md
@@ -1,54 +1,50 @@
 ---
 navigation_title: Security models
 applies_to:
-  deployment:
-    ece: ga
-    ess: ga
-    eck: ga
-    self: ga
+  stack: ga
   serverless: unavailable
 products:
   - id: elasticsearch
 ---
-# Remote clusters security models
+# Remote cluster security models
 
-Remote clusters security models determine how authentication and authorization works between clusters. {{es}} has evolved from a TLS certificate–based model, relying on mutual TLS authentication over the transport interface and duplicated roles across clusters, to a more flexible API key–based model that uses a dedicated service endpoint and supports fine-grained authorization on both local and remote clusters.
+Remote cluster security models determine how authentication and authorization works between clusters. {{es}} has evolved from a TLS certificate–based model, relying on mutual TLS authentication over the transport interface and duplicated roles across clusters, to a more flexible API key–based model that uses a dedicated service endpoint and supports fine-grained authorization on both local and remote clusters.
 
 TLS certificate–based authentication is now deprecated, and users are encouraged to migrate to the API key–based model.
 
 The following sections describe both models in detail and highlight their key differences.
 
-::::{note}
+::::{tip}
 Security models work independently of [connection modes](./connection-modes.md). Both security models are compatible with either connection mode.
 ::::
 
 ## API key authentication [api-key]
 
-API key authentication enables a local cluster to authenticate itself with a remote cluster via a [cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key). The API key needs to be created by an administrator of the remote cluster. The local cluster is configured to provide this API key on each request to the remote cluster. The remote cluster verifies the API key and grants access, based on the API key’s privileges.
+API key authentication enables a local cluster to authenticate itself with a remote cluster using a [cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key). The API key needs to be created by an administrator of the remote cluster. The local cluster is configured to provide this API key on each request to the remote cluster. The remote cluster verifies the API key, and grants access based on the API key’s privileges.
 
 ### Authorization
 
 With this security model, authorization is enforced jointly by the local and remote cluster, as follows:
 
-* All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key.
+* All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key.
 
-* On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key.
+* On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. It is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key.
 
   ::::{tip}
   To configure fine-grained authorization for remote resources, use the `remote_indices` and `remote_clusters` fields in [role definitions](/deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md).
   ::::
 
 ### Connection details
 
-In this model, cross-cluster operations use [a dedicated server port](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#remote_cluster.port) (remote cluster interface), for communication between clusters. The default port is `9443`. The remote cluster must enable this port for local clusters to connect.
+In this model, cross-cluster operations use [a dedicated server port](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#remote_cluster.port), referred to as the remote cluster interface, for communication between clusters. The default port is `9443`. The remote cluster must enable this port for local clusters to connect.
 
 From a TLS perspective, the local cluster must trust the remote cluster on the remote cluster interface. This means the local cluster must trust the certificate authority (CA) that signs the server certificate used by the remote cluster interface. When establishing a connection, all nodes from the local cluster that participate in cross-cluster communication verify certificates from nodes on the other side, based on the TLS trust configuration.
 
 Mutual TLS is not required in this model.
 
 ### Setup
 
-Refer to [Remote clusters setup](../remote-clusters.md#setup) for configuration guidance across all deployment types.
+Refer to [Remote cluster setup](../remote-clusters.md#setup) for configuration guidance across all deployment types.
 
 ## TLS certificate authentication
 ```{applies_to}
@@ -71,7 +67,7 @@ The local cluster uses the [transport interface](elasticsearch://reference/elast
 
 ### Setup
 
-Refer to [Remote clusters setup](../remote-clusters.md#setup) for configuration guidance across all deployment types.
+Refer to [Remote cluster setup](../remote-clusters.md#setup) for configuration guidance across all deployment types.
 
 ### Security models: comparison
 
