[D&M] WIP cluster comms first pass

Author: leemthompo

deploy-manage/deploy/cloud-on-k8s/k8s-kibana-http-configuration.md

@@ -24,9 +24,9 @@ The following sections describe how to customize a {{kib}} deployment to suit yo
 * [Secure settings](k8s-kibana-secure-settings.md)
 * [HTTP Configuration](k8s-kibana-http-configuration.md)
 
-    * [Load balancer settings and TLS SANs](k8s-kibana-http-configuration.md#k8s-kibana-http-publish)
-    * [Provide your own certificate](k8s-kibana-http-configuration.md#k8s-kibana-http-custom-tls)
-    * [Disable TLS](k8s-kibana-http-configuration.md#k8s-kibana-http-disable-tls)
+    * [Load balancer settings and TLS SANs](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-publish)
+    * [Provide your own certificate](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-custom-tls)
+    * [Disable TLS](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-disable-tls)
     * [Install {{kib}} plugins](k8s-kibana-plugins.md)
 
 * [Autoscaling stateless applications](../../autoscaling/autoscaling-in-eck.md#k8s-stateless-autoscaling): Use [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) for {{kib}} or other stateless applications.

deploy-manage/deploy/cloud-on-k8s/kibana-configuration.md

@@ -1,11 +1,12 @@
 ---
+applies_to:
+  self: ga
 navigation_title: "With a different CA"
 mapped_pages:
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/update-node-certs-different.html
 ---
 
 
-
 # Different CA [update-node-certs-different]
 
 

deploy-manage/security/different-ca.md

@@ -2,6 +2,8 @@
 applies_to:
   deployment:
     self: ga
+mapped_urls:
+  - https://www.elastic.co/guide/en/elastic-stack/current/install-stack-demo-secure.html
 ---
 
 # Tutorial: Securing a self-managed {{stack}} [install-stack-demo-secure]

deploy-manage/security/install-stack-demo-secure.md

@@ -1,4 +1,6 @@
 ---
+applies_to:
+  self: ga
 navigation_title: "With the same CA"
 mapped_pages:
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/update-node-certs-same.html

deploy-manage/security/same-ca.md

@@ -1,33 +1,84 @@
 ---
+applies_to:
+  deployment:
+    self:
+    eck:
+    ece:
 mapped_urls:
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-security.html
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html
   - https://www.elastic.co/guide/en/kibana/current/elasticsearch-mutual-tls.html
 ---
 
+
+% TODO: what to do about this page that doesn't exist
+% * [/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-security.md](/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-security.md)
+
+
 # Secure cluster communications
 
-% What needs to be done: Refine
+This page explains how to secure communications between components in your {{stack}} deployment.
 
-% GitHub issue: https://github.com/elastic/docs-projects/issues/346
+For {{ech}} and {{serverless-full}} deployments, communications security is fully managed by Elastic with no configuration required.
 
-% Use migrated content from existing pages that map to this page:
+For ECE, ECK, and self-managed deployments, this page provides specific configuration guidance to secure the various communication channels between components.
 
-% - [ ] ./raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-security.md
-% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/security-basic-setup.md
-%      Notes: concepts
-% - [ ] ./raw-migrated-files/kibana/kibana/elasticsearch-mutual-tls.md
+:::{tip}
+For a complete comparison of security feature availability and responsibility by deployment type, see [Security features by deployment type](../security.md#security-features-by-deployment-type).
+:::
 
-% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):
+## Communication channels overview
 
-$$$generate-certificates$$$
+Your {{stack}} deployment includes several distinct communication channels that must be secured to protect your data and infrastructure.
 
-$$$encrypt-internode-communication$$$
+| **Channel** | **Description** | **Security needs** |
+|-------------|-----------------|--------------------|
+| [Transport layer](#transport-layer-security) | Communication between {{es}} nodes within a cluster | - Mutual TLS (required)<br>- Node authentication<br>- Node role verification |
+| [HTTP layer](#http-layer-security) | Communication between external clients and {{es}} through the REST API | - TLS encryption<br>- Authentication (basic auth, API keys, or token-based)<br>- Optional client certificate authentication |
+| [{{kib}}-to-{{es}}](#kib-to-es-communications) | Communication from the {{kib}} server to {{es}} for user requests and queries | - TLS encryption<br>- Service authentication (API keys, service tokens, or mutual TLS) |
 
-**This page is a work in progress.** The documentation team is working to combine content pulled from the following pages:
 
-% Doesn't exist
-% * [/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-security.md](/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-security.md)
+## Transport layer security
+
+The transport layer is used for communication between {{es}} nodes in a cluster. Securing this layer prevents unauthorized nodes from joining your cluster and protects internode data.
+
+**Deployment type notes:**
+- **Elastic Cloud & Serverless**: Transport security is fully managed by Elastic. No configuration is required.
+- **ECE/ECK**: Transport security is automatically configured by the operator. No direct user configuration is required.
+- **Self-managed**: Transport security must be manually configured following the steps in [Set up basic security](set-up-basic-security.md).
+
+## HTTP layer security
+
+The HTTP layer secures client communication with your {{es}} cluster via its REST API, preventing unauthorized access and protecting data in transit.
+
+**Deployment type notes:**
+- **Elastic Cloud & Serverless**: HTTP security is fully managed by Elastic. No configuration is required.
+- **ECE/ECK**: HTTP security is automatically configured with self-signed certificates. Custom certificates can be configured.
+- **Self-managed**: HTTP security must be manually configured following [Secure HTTP communications](secure-http-communications.md).
+
+## {{kib}}-to-{{es}} communications
+
+{{kib}} connects to {{es}} as a client but requires special configuration as it performs operations on behalf of end users.
+
+**Deployment type notes:**
+- **Elastic Cloud & Serverless**: {{kib}}-{{es}} communication is fully managed using HTTPS and service tokens.
+- **ECE/ECK**: {{kib}}-{{es}} communication is automatically secured with service tokens.
+- **Self-managed**: {{kib}}-{{es}} communication must be manually secured. For mutual TLS configuration, see [Mutual TLS authentication between {{kib}} and {{es}}](secure-http-communications.md#mutual-tls-kib-es).
+
+## Certificate management [generate-certificates]
+
+Managing certificates is critical for secure communications. Certificates have limited lifetimes and must be renewed before expiry to prevent service disruptions.
+
+**Deployment type notes:**
+- **Elastic Cloud & Serverless**: Certificate management is fully automated by Elastic.
+- **ECE**: ECE generates certificates for you. Refer to [](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md).
+
+ECK**: Certificate generation and basic rotation is handled by the operator. Custom HTTP certificates require manual management.
+- **Self-managed**: Certificate management is your responsibility. See [Security certificates and keys](security-certificates-keys.md).
+
+## Next steps
 
-* [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-basic-setup.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-basic-setup.md)
-* [/raw-migrated-files/kibana/kibana/elasticsearch-mutual-tls.md](/raw-migrated-files/kibana/kibana/elasticsearch-mutual-tls.md)
+- Configure [basic security and HTTPS](set-up-basic-security-plus-https.md) for self-managed deployments.
+- Learn about [HTTP communication security](secure-http-communications.md) best practices.
+- Understand how to securely manage [security certificates and keys](security-certificates-keys.md).
+- Check [SSL/TLS version compatibility](supported-ssltls-versions-by-jdk-version.md) for optimal encryption.