review in progress

eedugon · eedugon · commit d0b5df0d2d3f · 2025-04-01T19:36:36.000+02:00
diff --git a/deploy-manage/security/_snippets/cluster-comparison.md b/deploy-manage/security/_snippets/cluster-comparison.md
@@ -5,7 +5,6 @@ Security feature availability varies by deployment type, with each feature havin
 | **Fully managed** | Handled automatically by Elastic with no user configuration needed |
 | **Managed** | Handled automatically by Elastic, but certain configuration allowed |
 | **Configurable** | Built-in feature that needs your configuration (like IP filters or passwords) |
-| **Self-managed** | Infrastructure-level security you implement and maintain |
 | **N/A** | Not available for this deployment type |
 
 Select your deployment type below to see what's available and how implementation responsibilities are distributed:
@@ -20,7 +19,7 @@ Select your deployment type below to see what's available and how implementation
 |------------------|------------|--------------|-------------|
 | **Communication** | TLS (HTTP Layer) | Fully managed | Automatically configured by Elastic |
 | | TLS (Transport Layer) | Fully managed | Automatically configured by Elastic |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-traffic-filtering.md) |
+| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
 | | Private link | Configurable | [Establish a secure VPC connection](/deploy-manage/security/private-link-traffic-filters.md) |
 | | Kubernetes Network Policies | N/A |  |
 | **Data** | Encryption at rest | Managed | You can [bring your own encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md) |
@@ -33,31 +32,31 @@ Select your deployment type below to see what's available and how implementation
 :::{tab-item} Serverless
 :sync: serverless
 
-| Category| Security feature | Status | Description |
+| Category| Security feature | Status | Notes |
 |------------------|------------|--------------|-------------|
 | **Communication** | TLS (HTTP Layer) | Fully managed | Automatically configured by Elastic |
 | | TLS (Transport Layer) | Fully managed | Automatically configured by Elastic |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-traffic-filtering.md) |
-| | Private link | N/A | X |
+| **Network** | IP traffic filtering | N/A | |
+| | Private link | N/A |  |
 | | Kubernetes Network Policies | N/A |  |
 | **Data** | Encryption at rest | Fully managed | Automatically encrypted by Elastic |
-| | Secure settings | Configurable | Automatically protected by Elastic |
+| | Secure settings | N/A |  |
 | | Saved object encryption | Fully managed | Automatically encrypted by Elastic |
-| **User Session** | Kibana Sessions | Managed | Automatically configured by Elastic |
+| **User Session** | Kibana Sessions | Fully managed | Automatically configured by Elastic |
 
 :::
 
 :::{tab-item} ECE
 :sync: ece
 
-| Category| Security feature | Status | Description |
+| Category| Security feature | Status | Notes |
 |------------------|------------|--------------|-------------|
 | **Communication** | TLS (HTTP Layer) | Managed | You can [configure custom certificates](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md) |
 | | TLS (Transport Layer) | Fully managed | Automatically configured by Elastic |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-traffic-filtering.md) |
-| | Private link | N/A | X |
+| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
+| | Private link | N/A |  |
 | | Kubernetes Network Policies | N/A |  |
-| **Data** | Encryption at rest | Self-managed | Implement at infrastructure level |
+| **Data** | Encryption at rest | N/A |  |
 | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) |
 | | Saved object encryption | Configurable | [Enable encryption for saved objects](/deploy-manage/security/secure-saved-objects.md) |
 | **User Session** | Kibana Sessions | Configurable | [Customize session parameters](/deploy-manage/security/kibana-session-management.md) |
@@ -67,14 +66,14 @@ Select your deployment type below to see what's available and how implementation
 :::{tab-item} ECK
 :sync: eck
 
-| Category| Security feature | Status | Description |
+| Category| Security feature | Status | Notes |
 |------------------|------------|--------------|-------------|
 | **Communication** | TLS (HTTP Layer) | Managed | [Multiple options](/deploy-manage/security/k8s-https-settings.md) |
 | | TLS (Transport Layer) | Managed | [Multiple options](/deploy-manage/security/k8s-transport-settings.md) |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-traffic-filtering.md) |
+| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) |
 | | Private link | N/A |  |
 | | Kubernetes Network Policies | Configurable | [Apply network policies to your Pods](/deploy-manage/security/k8s-network-policies.md) |
-| **Data** | Encryption at rest | Self-managed | Implement at infrastructure level |
+| **Data** | Encryption at rest | N/A |  |
 | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/k8s-secure-settings.md) |
 | | Saved object encryption | Configurable | [Enable encryption for saved objects](/deploy-manage/security/secure-saved-objects.md) |
 | **User Session** | Kibana Sessions | Configurable | [Customize session parameters](/deploy-manage/security/kibana-session-management.md) |
@@ -85,15 +84,15 @@ Select your deployment type below to see what's available and how implementation
 :::{tab-item} Self-managed
 :sync: self-managed
 
-| Category| Security feature | Status | Description |
+| Category| Security feature | Status | Notes |
 |------------------|------------|--------------|-------------|
-| **Communication** | TLS (HTTP Layer) | Self-managed | Implement and maintain certificates |
-| | TLS (Transport Layer) | Self-managed | Implement and maintain certificates |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-traffic-filtering.md) |
-| | Private link | N/A | X |
+| **Communication** | TLS (HTTP Layer) | Configurable | [Initial security setup](/deploy-manage/security/self-setup.md) |
+| | TLS (Transport Layer) | Configurable | [Initial security setup](/deploy-manage/security/self-setup.md) |
+| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) |
+| | Private link | N/A |  |
 | | Kubernetes Network Policies | N/A |  |
-| **Data** | Encryption at rest | Self-managed | Implement at infrastructure level |
-| | Keystore security | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) storage |
+| **Data** | Encryption at rest | N/A |  |
+| | Keystore security | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) |
 | | Saved object encryption | Configurable | [Enable encryption for saved objects](/deploy-manage/security/secure-saved-objects.md) |
 | **User Session** | Kibana Sessions | Configurable | [Customize session parameters](/deploy-manage/security/kibana-session-management.md) |
 
diff --git a/deploy-manage/security/secure-cluster-communications.md b/deploy-manage/security/secure-cluster-communications.md
@@ -92,17 +92,17 @@ While HTTP TLS encryption is optional in self-managed environments, it is strong
 
 The way that HTTP layer security is managed depends on your deployment type:
 
-::::{tab-set}
+:::::{tab-set}
 :group: deployments
 
-:::{tab-item} ECH and Serverless
+::::{tab-item} ECH and Serverless
 :sync: ech
 
 HTTP TLS for {{es}} and {{kib}} is fully managed by Elastic. No configuration is required.
 {{kib}} instances are automatically configured to connect securely to {{es}}, without requiring manual setup.
-:::
+::::
 
-:::{tab-item} ECE
+::::{tab-item} ECE
 :sync: ece
 
 HTTP TLS for deployments is managed at the platform proxy level. Refer to these guides for ECE-specific security customizations:
@@ -111,28 +111,32 @@ HTTP TLS for deployments is managed at the platform proxy level. Refer to these
 * [Configure TLS version](./secure-your-elastic-cloud-enterprise-installation/configure-tls-version.md)
 
 {{kib}} instances are automatically configured to connect securely to {{es}}, without requiring manual setup.
-:::
+::::
 
-:::{tab-item} ECK
+::::{tab-item} ECK
 :sync: eck
 
 HTTP TLS is automatically enabled for {{es}} and {{kib}} using self-signed certificates, with [several options available for customization](./k8s-https-settings.md), including custom certificates and domain names.
 
 {{kib}} instances are automatically configured to connect securely to {{es}}, without requiring manual setup.
-:::
+::::
 
-:::{tab-item} Self-managed
+::::{tab-item} Self-managed
 :sync: self
 
 HTTP TLS certificates for {{es}} can be [automatically configured](self-auto-setup.md), or manually set up by following the steps in [Set up HTTP SSL](./set-up-basic-security-plus-https.md).
 
 {{kib}} acts as both an HTTP client to {{es}} and a server for browser access. It performs operations on behalf of users, so it must be properly configured to trust the {{es}} certificates, and to present its own TLS certificate for secure browser connections. These configurations must be performed manually in self-managed deployments.
 
-For environments with stricter security requirements, refer to [Mutual TLS authentication between {{kib}} and {{es}}](./kibana-es-mutual-tls.md).
+:::{note}
+The automatic configuration does not enable TLS on the {{kib}} HTTP endpoint. To encrypt browser traffic to {{kib}}, follow the steps in [](./set-up-basic-security-plus-https.md#encrypt-kibana-browser).
 :::
 
+For environments with stricter security requirements, refer to [Mutual TLS authentication between {{kib}} and {{es}}](./kibana-es-mutual-tls.md).
 ::::
 
+:::::
+
 ## Certificates lifecycle [generate-certificates]
 
 Managing certificates is critical for secure communications. Certificates have limited lifetimes and must be renewed before expiry to prevent service disruptions. Each deployment type provides different tools or responsibilities for managing certificates lifecycle.
diff --git a/deploy-manage/security/secure-your-cluster-deployment.md b/deploy-manage/security/secure-your-cluster-deployment.md
@@ -5,8 +5,6 @@ applies_to:
     eck: all
     ece: all
     ess: all
-mapped_pages:
-  - https://www.elastic.co/guide/en/elasticsearch/reference/current/manually-configure-security.html
 ---
 
 # Secure your cluster or deployment
diff --git a/deploy-manage/security/self-setup.md b/deploy-manage/security/self-setup.md
@@ -3,6 +3,8 @@ navigation_title: "Self-managed security setup"
 applies_to:
   deployment:
     self: ga
+mapped_pages:
+  - https://www.elastic.co/guide/en/elasticsearch/reference/current/manually-configure-security.html
 ---
 
 % scope: initial security setup in self-managed deployments, following the automatic or manual (minimal, basic, https) procedures
diff --git a/redirects.yml b/redirects.yml
@@ -1,4 +1,5 @@
 redirects:
+  'deploy-manage/security/secure-http-communications.md': '!deploy-manage/security/secure-cluster-communications.md'
   'deploy-manage/security/manually-configure-security-in-self-managed-cluster.md': '!deploy-manage/security/self-setup.md'
   'deploy-manage/security/security-certificates-keys.md': '!deploy-manage/security/self-auto-setup.md'
   'deploy-manage/security/ece-traffic-filtering-through-the-api.md': 'deploy-manage/security/ec-traffic-filtering-through-the-api.md'
