From 5fda3ee8346b2f39a44bb53b0dd806e11ade649b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Thu, 18 Sep 2025 22:51:45 +0200
Subject: [PATCH 01/21] attempting to present remote cluster filters
---
deploy-manage/remote-clusters.md | 54 +++++++-
.../remote-clusters/ec-enable-ccs.md | 22 +--
.../remote-clusters/ec-remote-cluster-ece.md | 6 +-
.../ec-remote-cluster-other-ess.md | 2 +-
.../ec-remote-cluster-same-ess.md | 2 +-
.../remote-clusters/ece-enable-ccs.md | 23 +---
.../ece-remote-cluster-ece-ess.md | 7 +
deploy-manage/security/network-security.md | 1 +
.../security/remote-cluster-filtering.md | 126 ++++++++++++++++++
deploy-manage/toc.yml | 1 +
10 files changed, 200 insertions(+), 44 deletions(-)
create mode 100644 deploy-manage/security/remote-cluster-filtering.md
diff --git a/deploy-manage/remote-clusters.md b/deploy-manage/remote-clusters.md
index 0d69b96eff..abb0bb5e06 100644
--- a/deploy-manage/remote-clusters.md
+++ b/deploy-manage/remote-clusters.md
@@ -34,7 +34,53 @@ Depending on the environment the local and remote clusters are deployed on and t
Find the instructions with details on the supported security models and available connection modes for your specific scenario:
-- [Remote clusters with {{ech}}](remote-clusters/ec-enable-ccs.md)
-- [Remote clusters with {{ece}}](remote-clusters/ece-enable-ccs.md)
-- [Remote clusters with {{eck}}](remote-clusters/eck-remote-clusters.md)
-- [Remote clusters with self-managed installations](remote-clusters/remote-clusters-self-managed.md)
\ No newline at end of file
+- [Remote clusters on {{ech}}](remote-clusters/ec-enable-ccs.md)
+- [Remote clusters on {{ece}}](remote-clusters/ece-enable-ccs.md)
+- [Remote clusters on {{eck}}](remote-clusters/eck-remote-clusters.md)
+- [Remote clusters on self-managed installations](remote-clusters/remote-clusters-self-managed.md)
+
+## Remote clusters and network security [network-security]
+```{applies_to}
+deployment:
+ ece: ga
+ ess: ga
+```
+
+In {{ech}} (ECH) and {{ece}} (ECE), the remote clusters functionality interacts with [network security](/deploy-manage/security/network-security.md) traffic filtering rules in different ways, depending on the [security model](/deploy-manage/remote-clusters/remote-clusters-self-managed.md#remote-clusters-security-models) you use.
+
+* **TLS certificate–based authentication (deprecated):**
+ For remote clusters configured using the TLS certificate–based security model, network security policies or rule sets have no effect on remote clusters functionality. Connections established with this method (mTLS) are already considered secure and are always accepted, regardless of any filtering policies or rule sets applied on the local or remote deployment to restrict other traffic.
+
+* **API key–based authentication (recommended):**
+ When remote clusters use the API key–based authentication model, network security policies or rule sets on the **destination deployment** do affect remote cluster functionality if enabled. In this case, you can use traffic filters to explicitly control which deployments are allowed to connect to the remote clusters service endpoint.
+
+ ::::{note}
+ Because of [how network security works](/deploy-manage/security/network-security.md#how-network-security-works):
+ * If network security is disabled, all traffic is allowed by default, and remote clusters work without requiring any specific filtering policy.
+ * If network security is enabled on the remote cluster, apply a [remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md#create-remote-cluster-filter) to allow incoming connections from the local clusters. Without this filter, the connections are blocked.
+ ::::
+
+This section explains how remote clusters interact with network security when using API key–based authentication, and describes the supported use cases.
+
+### Filter types for remote clusters traffic
+
+Traffic filtering for remote clusters incoming connections using API key authentication supports two types of filters:
+
+* [IP-based filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestration environments, where the source IP of individual {{es}} instances may change.
+* [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), which allow filtering by Organization or {{es}} cluster ID. This method is more reliable and recommended, as it combines mTLS with API key authentication for stronger security.
+
+### Use cases for remote clusters and network security
+
+Network security is supported to control remote cluster traffic in the following scenarios:
+
+* Local and remote clusters are {{ech}} deployments in the same organization
+* Local and remote clusters are {{ech}} deployments in different organizations
+* Local and remote clusters are {{ece}} deployments in the same ECE environment
+* Local and remote clusters are {{ece}} deployments in different ECE environments
+* The local deployment is on {{ech}} and the remote deployment is on an {{ece}} environment
+
+::::{note}
+Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
+::::
+
+Refer to [Remote cluster filtering](/deploy-manage/security/remote-cluster-filtering.md) for instructions on creating and applying remote cluster filters in ECH or ECE.
\ No newline at end of file
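Review bot: the note under the API key bullet ("If network security is enabled on the remote cluster, apply a remote cluster filter ... Without this filter, the connections are blocked.") states the rule without exception, yet the note further down says network security isn't supported for cross-cluster operations from ECE to ECH; state the consequence in one place, namely that with API key authentication an ECE local cluster cannot reach an ECH remote deployment that has network security enabled, because no filter type can allow that traffic. The new file also still ends without a trailing newline (the old "No newline at end of file" marker is reproduced on the `+` side).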
diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md
index 744ac6f786..fdcb30fab4 100644
--- a/deploy-manage/remote-clusters/ec-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ec-enable-ccs.md
@@ -19,6 +19,10 @@ You can configure an {{ech}} deployment to remotely access or (be accessed by) a
* A deployment in an {{eck}} installation
* A self-managed installation.
+::::{note}
+Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for details on how remote clusters interact with network security filters and the implications for your deployments.
+::::
+
## Prerequisites [ec-ccs-ccr-prerequisites]
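Review bot: this hunk adds the cross-reference note but no replacement anchor for the `ec-ccs-ccr-network-security` section removed further down, while the ECE counterpart hunk gets a `$$$ece-ccs-ccr-network-security$$$` anchor; treat both pages the same so existing links to `#ec-ccs-ccr-network-security` keep resolving, or drop the anchor on both and rely on the redirect.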
@@ -50,21 +54,3 @@ The steps, information, and authentication method required to configure CCS and
* [From an ECE deployment](ece-remote-cluster-ece-ess.md)
* [From a self-managed cluster](remote-clusters-self-managed.md)
* [From an ECK environment](ec-enable-ccs-for-eck.md)
-
-
-## Remote clusters and network security [ec-ccs-ccr-network-security]
-
-::::{note}
-[Network security](../security/network-security.md) isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
-::::
-
-You can use [network security policies](../security/network-security.md) to restrict access to deployments used as a local or remote cluster, without impacting cross-cluster search or cross-cluster replication.
-
-Network security for remote clusters supports the following methods:
-
-* [Filtering by IP addresses and Classless Inter-Domain Routing (CIDR) masks](../security/ip-filtering.md)
-* Filtering by Organization or {{es}} cluster ID with a **Remote cluster** private connection policy. You can configure this type of policy from the **Access and security** > **Network security** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page.
-
-::::{note}
-When setting up network security policies for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections.
-::::
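Review bot: the deleted closing note stated that uploading the local region's TLS certificate to the ECE proxy is required "regardless of whether you are using API key or TLS Certificates (deprecated)", but the new remote-cluster-filtering.md only states it inside the ECE remote cluster filter procedure, which applies to the API key model. If the proxy CA requirement still holds for TLS certificate based connections into ECE, it is now missing from the docs; confirm which it is and keep a copy on the ECE remote clusters page if so. Also confirm no other page links to `#ec-ccs-ccr-network-security` besides the two updated in this series.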
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
index 857f951bcc..1f26beee24 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
@@ -14,6 +14,10 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to an {{ECE}} (ECE) environment.
+::::{note}
+If network security filters are applied to the remote cluster on ECE, the remote cluster administrator must configure a [remote cluster security filter](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local ECH cluster as the filtering criteria. For detailed instructions, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+::::
+
## Allow the remote connection [ec_allow_the_remote_connection_3]
Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps.
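Review bot: "remote cluster security filter" in the added note is a third name for the same object; the new page calls them "remote cluster filters" and the sibling ECH pages use "private connection policy of type remote cluster". Pick one term per platform (filter / rule set on ECE, private connection policy on ECH) and use it consistently so readers can find the UI element.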
@@ -143,7 +147,7 @@ A deployment can be configured to trust all or specific deployments in a remote
7. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment’s **Security** page.
8. Select **Create trust** to complete the configuration.
-9. Configure the corresponding deployments of the ECE environment to [trust this deployment](/deploy-manage/remote-clusters/ece-enable-ccs.md). You will only be able to connect two deployments successfully when both of them trust each other.
+9. Configure the corresponding deployments of the ECE environment to [trust this deployment](/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md#ece-trust-ec). You will only be able to connect two deployments successfully when both of them trust each other.
::::{note}
The environment ID and cluster IDs must be entered fully and correctly. For security reasons, verification of the IDs is not possible. If cross-environment trust does not appear to be working, double-checking the IDs is a good place to start.
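Review bot: the new link target `ece-remote-cluster-ece-ess.md#ece-trust-ec` is not created anywhere in this series (the hunk for that file only adds a note), so the docs build will report a broken anchor unless the id already exists; verify it, or add the `[ece-trust-ec]` heading id in the same change.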
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
index 1831305b9a..635a55d935 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
@@ -14,7 +14,7 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to a different {{ecloud}} organization.
::::{note}
-If network security policies are applied to the remote cluster, the remote cluster administrator must configure a private connection policy of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and network security](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-network-security).
+If network security policies are applied to the remote cluster, the remote cluster administrator must configure a [private connection policy of type remote cluster](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For detailed instructions, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
::::
## Allow the remote connection [ec_allow_the_remote_connection_2]
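Review bot: the link text "private connection policy of type remote cluster" points at a page titled "Remote cluster filtering" whose heading is "Create remote cluster filter"; readers following the link will look for something called a filter. Either align the link text with the target page or, better, have the target page say in its first paragraph that on ECH these appear as private connection policies with the **Remote cluster** connectivity type (it does say so only inside the ECH tab).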
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md b/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md
index 32413c8f20..af96edb6ae 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md
@@ -14,7 +14,7 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to the same {{ecloud}} organization.
::::{note}
-If network security is enabled on the remote cluster, the remote cluster administrator must configure a private connection policy of type **Remote cluster**, specifying either the organization ID or the Elasticsearch cluster ID. For detailed instructions, refer to [Remote clusters and network security](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-network-security).
+If network security policies are applied to the remote cluster, the remote cluster administrator must configure a [private connection policy of type remote cluster](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For detailed instructions, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
::::
## Allow the remote connection [ec_allow_the_remote_connection]
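Review bot: this note is now a verbatim copy of the one in ec-remote-cluster-other-ess.md; since the page already uses `:::{include} _snippets/...` for shared text, move the note into a snippet so the two pages cannot drift apart again (the pre-patch versions had already diverged: "is enabled on" vs "policies are applied to").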
diff --git a/deploy-manage/remote-clusters/ece-enable-ccs.md b/deploy-manage/remote-clusters/ece-enable-ccs.md
index d1c6c4e5b0..041cd9506a 100644
--- a/deploy-manage/remote-clusters/ece-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ece-enable-ccs.md
@@ -19,6 +19,10 @@ You can configure an {{ece}} deployment to remotely access or (be accessed by) a
* A deployment running on an {{eck}} installation
* A self-managed installation
+$$$ece-ccs-ccr-network-security$$$
+::::{note}
+Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for details on how remote clusters interact with network security filters and the implications for your deployments.
+::::
## Prerequisites [ece-ccs-ccr-prerequisites]
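Review bot: the `$$$ece-ccs-ccr-network-security$$$` anchor added here is duplicated later in this series by the stub heading `## Remote clusters and network security [ece-ccs-ccr-network-security]` in the same file, so the page will carry two targets with the same id; keep one. Since the heading-based stub is reader-visible, the inline `$$$` anchor is the better one to keep, with the stub section dropped.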
@@ -56,22 +60,3 @@ The steps, information, and authentication method required to configure CCS and
* [From an {{ech}} deployment](/deploy-manage/remote-clusters/ec-remote-cluster-ece.md)
* [From a self-managed cluster](/deploy-manage/remote-clusters/remote-clusters-self-managed.md)
* [From an ECK environment](ece-enable-ccs-for-eck.md)
-
-
-## Remote clusters and network security [ece-ccs-ccr-network-security]
-
-::::{note}
-Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
-::::
-
-
-For remote clusters configured using TLS certificate authentication, [network security](../security/network-security.md) can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.
-
-Traffic filtering for remote clusters supports two methods:
-
-* [Filtering by IP addresses and Classless Inter-Domain Routing (CIDR) masks](../security/ip-filtering-ece.md)
-* Filtering by Organization or {{es}} cluster ID with a Remote cluster type filter. You can configure this type of filter from the **Platform** > **Security** page of your environment or using the [{{ece}} API](https://www.elastic.co/docs/api/doc/cloud-enterprise) and apply it from each deployment’s **Security** page.
-
-::::{note}
-When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections. This applies regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections.
-::::
diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
index b55f74b16a..7104e3cbdc 100644
--- a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
+++ b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
@@ -14,6 +14,13 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to an {{ecloud}} organization.
+::::{note}
+* [Network security](../security/network-security.md) policies are not supported for cross-cluster operations from an {{ece}} environment to a remote {{ech}} deployment when using the API key–based authentication model.
+
+* If you configure remote clusters with the deprecated TLS certificate–based authentication model, connections work regardless of network security policies on the remote deployment.
+
+For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+::::
## Allow the remote connection [ece_allow_the_remote_connection_3]
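Review bot: the first bullet says network security policies are "not supported" for ECE to ECH with API key authentication but not what that means for the reader; combined with the new page's rule that enabled network security blocks everything not explicitly allowed, the practical effect is that the remote ECH deployment must have network security disabled for the API key based connection to work. State that outcome in the note so readers do not enable network security on the remote and then debug a blocked connection.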
diff --git a/deploy-manage/security/network-security.md b/deploy-manage/security/network-security.md
index 43a1f9b0ba..8eb022d01b 100644
--- a/deploy-manage/security/network-security.md
+++ b/deploy-manage/security/network-security.md
@@ -44,6 +44,7 @@ You can also allow traffic to or from a [remote cluster](/deploy-manage/remote-c
| Filter type | Description | Applicable deployment types |
| --- | --- | --- |
| [IP filters](ip-filtering.md) | Filter traffic from the public internet by allowlisting specific IP addresses and Classless Inter-Domain Routing (CIDR) masks.
• [In {{serverless-short}} or ECH](/deploy-manage/security/ip-filtering-cloud.md)
• [In ECE](/deploy-manage/security/ip-filtering-ece.md)
• [In ECK or self-managed](/deploy-manage/security/ip-filtering-basic.md) | {{serverless-short}}, ECH, ECE, ECK, and self-managed clusters |
+| [Remote cluster filters](./remote-cluster-filtering.md) | Filter incoming remote cluster traffic by validating the client certificate against its `organization_id` and `cluster_id`.
It does not support ECE -> ECH traffic. | ECH, ECE |
| [Private connectivity and VPC filtering](/deploy-manage/security/private-connectivity.md) | Establish private connections between {{es}} and other resources hosted by the same cloud provider using private link services, and further secure these connections using VPC filtering. Choose the relevant option for your region:
• AWS regions: [AWS PrivateLink](/deploy-manage/security/private-connectivity-aws.md)
• Azure regions: [Azure Private Link](/deploy-manage/security/private-connectivity-azure.md)
• GCP regions: [GCP Private Service Connect](/deploy-manage/security/private-connectivity-gcp.md) | {{ech}} only |
| [Kubernetes network policies](/deploy-manage/security/k8s-network-policies.md) | Isolate pods by restricting incoming and outgoing network connections to a trusted set of sources and destinations. | {{eck}} only |
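Review bot: the new row uses `organization_id` and `cluster_id` in code font, which are not the names readers see in the UI (**Organization ID** and **{{es}} ID**) and are not used anywhere on the new page; use the UI names or explain the mapping. Also, "ECE -> ECH" uses an ASCII arrow while the new page uses both "→" and "->"; pick one. Consider mirroring the IP filters row with sub-links to the ECH and ECE procedures, since the new page splits them into tabs.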
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
new file mode 100644
index 0000000000..f844bb664e
--- /dev/null
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -0,0 +1,126 @@
+---
+applies_to:
+ deployment:
+ ess: ga
+ ece: ga
+navigation_title: "Remote cluster filters"
+---
+
+# Remote cluster filtering
+
+In {{ech}} (ECH) and {{ece}} (ECE), remote cluster filters let you control incoming traffic from other deployments that use the [Remote clusters functionality](/deploy-manage/remote-clusters.md) with [API key–based authentication](/deploy-manage/remote-clusters/remote-clusters-api-key.md).
+
+::::{note} about terminology
+In the case of remote clusters, the {{es}} cluster or deployment initiating the connection and requests is often referred to as the **local cluster**, while the {{es}} cluster or deployment receiving the requests is referred to as the **remote cluster**.
+::::
+
+Remote cluster filters operate at the proxy level, filtering incoming connections based on the organization ID or {{es}} cluster ID of the local cluster that initiates the connection to the remote cluster service endpoint (default port `9443`).
+
+Because of [how network security works](/deploy-manage/security/network-security.md#how-network-security-works), these filters are only relevant when network security is enabled on the remote cluster.
+* If network security is disabled, all traffic is allowed by default and remote clusters work without any filtering policy.
+* If network security is enabled, all traffic is blocked unless explicitly allowed. In this case, you must add a remote cluster filter in the remote cluster to permit remote cluster connections from the local clusters.
+
+Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for more information about the remote clusters functionality, its relationship to network security, and the supported use cases.
+
+## Create remote cluster filter [create-remote-cluster-filter]
+
+:::::{tab-set}
+
+::::{tab-item} {{ech}}
+
+Remote cluster filters are presented in {{ecloud}} as a type of Private Connection filters. To create a remote cluster filter:
+
+:::{include} _snippets/network-security-page.md
+:::
+4. Select **Create** > **Private connection**.
+5. Select the cloud provider and region for the remote cluster filter.
+
+ :::{tip}
+ Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate an IP filter with resources in multiple regions, then you have to create the same filter in all the regions you want to apply it to.
+ :::
+
+6. In the **Connectivity** section, select **Remote cluster**.
+7. Add a meaningful name and description for the filter.
+8. In the **Organization ID** and **{{es}} ID** fields, enter the organization or cluster ID of the {{ecloud}} deployments from which you want to allow traffic. Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.
+
+ ::::{tip}
+ Find the organization ID on the organization page in the top-right menu, and the {{es}} ID of a deployment by selecting **Copy cluster ID** on the deployment management page.
+ ::::
+
+ % Not sure if we want any of this
+ ::::{important}
+ Network security filtering for remote cluster traffic from ECE to ECH is not supported. These filters apply only to {{ecloud}} resources, so the values must be {{ecloud}} IDs.
+
+ If you require network security policies in the remote deployment for remote cluster connections coming from ECE, consider configuring the remote clusters with the deprecated [TLS certificate–based authentication model](/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md). Traffic with this model is authenticated through mTLS and is not subject to network security filters.
+
+ Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for more information.
+ ::::
+
+9. Optional: Under **Apply to resources**, associate the new filter with one or more deployments. After you associate the filter with a deployment, it will allow remote cluster traffic coming from the organization or {{es}} IDs defined in the rules.
+
+ :::{tip}
+ You can apply multiple policies to a single deployment. For {{ech}} deployments, you can apply both IP filter policies and private connection policies. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`.
+
+ [Learn more about how network security policies affect your deployment](network-security-policies.md).
+ :::
+
+8. To automatically attach this filter to new deployments, select **Apply by default**.
+9. Click **Create**.
+
+
+::::
+
+::::{tab-item} {{ece}}
+
+To create a remote cluster filter:
+
+1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
+2. From the **Platform** menu, select **Security**.
+3. Select **Create filter**.
+4. Select **Remote cluster rule set** as the filter type.
+5. Add a meaningful name and description for the rule set.
+6. In the **Organization ID** and **{{es}} ID** fields, enter the organization or cluster ID of the deployments from which you want to allow traffic. Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.
+
+ ::::note
+ * ECE supports filtering remote cluster traffic from deployments in the same ECE system, in other ECE environments, or in {{ecloud}}.
+ * For ECE systems, use the **Environment ID** from **Platform → Trust Management → Trust parameters** as the organization ID.
+ * In {{ecloud}}, the organization ID is shown on the organization page in the top-right menu.
+ * To get a deployment’s {{es}} ID, select **Copy cluster ID** on its management page in the Cloud UI.
+ ::::
+
+7. Select if this rule set should be automatically attached to new deployments.
+8. Select **Create filter** to create the remote cluster filter.
+
+::::{important}
+Because this type of filter operates at the proxy level, if the local deployments or organizations in the filter belong to a different ECE environment or to ECH, you must add the transport TLS CA certificate of the local environment to the ECE proxy:
+
+* Find the TLS CA certificate in the **Security -> Remote Connections -> CA certificates** section of any deployment of the environment that initiates the remote connection. In {{ecloud}}, each provider and region has its own CA certificate, while in ECE a single CA certificate is used per installation.
+
+* To add a CA certificate to the ECE proxy, go to **Platform -> Settings -> TLS certificates** in the UI and update the certificate chain used when configuring your ECE installation. Append the required CA certificates to the end of the chain. The final chain should look like this: `Proxy private key`, `Proxy SSL certificate`, `Proxy CA(s)`, followed by the remaining CAs. For more details, refer to [Add a proxy certificate](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md#ece-tls-proxy).
+::::
+
+
+::::
+
+:::::
+
+## Associate a remote filter to a deployment
+
+(Work in progress)
+
+On ECE:
+
+After you’ve created the policy or rule set, you’ll need to associate it with your deployment:
+
+1. Go to the deployment.
+2. On the **Security** page, under **Traffic filters**, select **Apply filter**.
+3. Choose the filter you want to apply and select **Apply filter**.
+
+
+On Cloud:
+
+1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
+2. On the **Hosted deployments** page, select your deployment.
+3. Select the **Security** tab on the left-hand side menu bar.
+4. Under **Network security**, select **Apply policies** > **IP filter**.
+5. Choose the IP filter you want to apply and select **Apply**.
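Review bot: the ECH tab's numbered list is broken and the file still carries draft material: after "9. Optional: Under **Apply to resources**..." the list continues with "8. To automatically attach this filter..." and "9. Click **Create**", the `% Not sure if we want any of this` comment above the important admonition is still there, and the "Associate a remote filter to a deployment" section is marked "(Work in progress)" with its ECH steps copied from the IP filter procedure ("**Apply policies** > **IP filter**", "Choose the IP filter you want to apply"), which is not the policy type this page creates. In the ECE tab, `::::note` lacks the braces (`::::{note}`), so it will not render as an admonition, and the tip under step 5 of the ECH tab talks about associating "an IP filter" inside a remote cluster filter procedure. Finally, next to "Provide one or both values; traffic is allowed if it matches either ID", say explicitly that an organization ID admits every deployment in that organization while the {{es}} ID scopes the rule to a single cluster, so readers can choose the narrower grant.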
diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml
index f8d24de2e7..29aedcc8e4 100644
--- a/deploy-manage/toc.yml
+++ b/deploy-manage/toc.yml
@@ -495,6 +495,7 @@ toc:
- file: security/ip-filtering-cloud.md
- file: security/ip-filtering-ece.md
- file: security/ip-filtering-basic.md
+ - file: security/remote-cluster-filtering.md
- file: security/private-connectivity.md
children:
- file: security/private-connectivity-aws.md
From e1f7c207c06953e412cfa464e38b1b7c4aea4de1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Thu, 18 Sep 2025 23:01:18 +0200
Subject: [PATCH 02/21] attempting to present remote cluster filters
---
deploy-manage/remote-clusters.md | 2 +-
deploy-manage/remote-clusters/ec-enable-ccs.md | 4 ++++
deploy-manage/remote-clusters/ece-enable-ccs.md | 4 ++++
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/deploy-manage/remote-clusters.md b/deploy-manage/remote-clusters.md
index abb0bb5e06..d977ac0fd9 100644
--- a/deploy-manage/remote-clusters.md
+++ b/deploy-manage/remote-clusters.md
@@ -52,7 +52,7 @@ In {{ech}} (ECH) and {{ece}} (ECE), the remote clusters functionality interacts
For remote clusters configured using the TLS certificate–based security model, network security policies or rule sets have no effect on remote clusters functionality. Connections established with this method (mTLS) are already considered secure and are always accepted, regardless of any filtering policies or rule sets applied on the local or remote deployment to restrict other traffic.
* **API key–based authentication (recommended):**
- When remote clusters use the API key–based authentication model, network security policies or rule sets on the **destination deployment** do affect remote cluster functionality if enabled. In this case, you can use traffic filters to explicitly control which deployments are allowed to connect to the remote clusters service endpoint.
+ When remote clusters use the API key–based authentication model, network security policies or rule sets on the **destination (remote) deployment** do affect remote cluster functionality if enabled. In this case, you can use traffic filters to explicitly control which deployments are allowed to connect to the remote cluster service endpoint.
::::{note}
Because of [how network security works](/deploy-manage/security/network-security.md#how-network-security-works):
diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md
index fdcb30fab4..9ac690ade5 100644
--- a/deploy-manage/remote-clusters/ec-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ec-enable-ccs.md
@@ -54,3 +54,7 @@ The steps, information, and authentication method required to configure CCS and
* [From an ECE deployment](ece-remote-cluster-ece-ess.md)
* [From a self-managed cluster](remote-clusters-self-managed.md)
* [From an ECK environment](ec-enable-ccs-for-eck.md)
+
+## Remote clusters and network security [ec-ccs-ccr-network-security]
+
+Content moved to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
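Review bot: a reader-facing section whose only content is "Content moved to ..." is awkward in rendered docs; if the goal is to keep `#ec-ccs-ccr-network-security` resolving for inbound links, use the `$$$ec-ccs-ccr-network-security$$$` inline anchor form next to the note added earlier in this file (as the ECE page does) or a redirect entry, and drop the stub heading. The file also still lacks a trailing newline.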
diff --git a/deploy-manage/remote-clusters/ece-enable-ccs.md b/deploy-manage/remote-clusters/ece-enable-ccs.md
index 041cd9506a..b90f4e157e 100644
--- a/deploy-manage/remote-clusters/ece-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ece-enable-ccs.md
@@ -60,3 +60,7 @@ The steps, information, and authentication method required to configure CCS and
* [From an {{ech}} deployment](/deploy-manage/remote-clusters/ec-remote-cluster-ece.md)
* [From a self-managed cluster](/deploy-manage/remote-clusters/remote-clusters-self-managed.md)
* [From an ECK environment](ece-enable-ccs-for-eck.md)
+
+## Remote clusters and network security [ece-ccs-ccr-network-security]
+
+Content moved to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
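Review bot: this stub heading reuses the id `ece-ccs-ccr-network-security` that patch 01 already added to the same file as `$$$ece-ccs-ccr-network-security$$$`, producing a duplicate anchor; remove one of them (the stub section is the better candidate to drop, see the note on the ECH counterpart). Trailing newline is still missing here as well.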
From 4fcf134a9284e0fcd40af5653cad90d29e167e48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Thu, 18 Sep 2025 23:16:29 +0200
Subject: [PATCH 03/21] bug fix
---
deploy-manage/security/remote-cluster-filtering.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
index f844bb664e..ae19d81089 100644
--- a/deploy-manage/security/remote-cluster-filtering.md
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -81,23 +81,23 @@ To create a remote cluster filter:
5. Add a meaningful name and description for the rule set.
6. In the **Organization ID** and **{{es}} ID** fields, enter the organization or cluster ID of the deployments from which you want to allow traffic. Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.
- ::::note
+ :::note
* ECE supports filtering remote cluster traffic from deployments in the same ECE system, in other ECE environments, or in {{ecloud}}.
* For ECE systems, use the **Environment ID** from **Platform → Trust Management → Trust parameters** as the organization ID.
* In {{ecloud}}, the organization ID is shown on the organization page in the top-right menu.
* To get a deployment’s {{es}} ID, select **Copy cluster ID** on its management page in the Cloud UI.
- ::::
+ :::
7. Select if this rule set should be automatically attached to new deployments.
8. Select **Create filter** to create the remote cluster filter.
-::::{important}
+:::{important}
Because this type of filter operates at the proxy level, if the local deployments or organizations in the filter belong to a different ECE environment or to ECH, you must add the transport TLS CA certificate of the local environment to the ECE proxy:
* Find the TLS CA certificate in the **Security -> Remote Connections -> CA certificates** section of any deployment of the environment that initiates the remote connection. In {{ecloud}}, each provider and region has its own CA certificate, while in ECE a single CA certificate is used per installation.
* To add a CA certificate to the ECE proxy, go to **Platform -> Settings -> TLS certificates** in the UI and update the certificate chain used when configuring your ECE installation. Append the required CA certificates to the end of the chain. The final chain should look like this: `Proxy private key`, `Proxy SSL certificate`, `Proxy CA(s)`, followed by the remaining CAs. For more details, refer to [Add a proxy certificate](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md#ece-tls-proxy).
-::::
+:::
::::
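Review bot: `+ :::note` drops the braces while `+:::{important}` in the same hunk keeps them; the directive form used everywhere else in this file is `:::{note}`, so this line will not render as an admonition. Fix it here rather than in a separate follow-up commit (PATCH 04 later corrects the same line), so no intermediate commit ships a broken directive.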
From 7a28e29980d94debd6ceca15ecc91796c52e72ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Thu, 18 Sep 2025 23:17:12 +0200
Subject: [PATCH 04/21] bug fix
---
deploy-manage/security/remote-cluster-filtering.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
index ae19d81089..fb8738655e 100644
--- a/deploy-manage/security/remote-cluster-filtering.md
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -81,7 +81,7 @@ To create a remote cluster filter:
5. Add a meaningful name and description for the rule set.
6. In the **Organization ID** and **{{es}} ID** fields, enter the organization or cluster ID of the deployments from which you want to allow traffic. Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.
- :::note
+ :::{note}
* ECE supports filtering remote cluster traffic from deployments in the same ECE system, in other ECE environments, or in {{ecloud}}.
* For ECE systems, use the **Environment ID** from **Platform → Trust Management → Trust parameters** as the organization ID.
* In {{ecloud}}, the organization ID is shown on the organization page in the top-right menu.
From c29379e05683f0b10b3b50d4144998e119d9b66a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Fri, 19 Sep 2025 09:20:03 +0200
Subject: [PATCH 05/21] remote cluster filters updated
---
.../security/remote-cluster-filtering.md | 135 ++++++++++++++----
1 file changed, 110 insertions(+), 25 deletions(-)
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
index fb8738655e..4c7c753422 100644
--- a/deploy-manage/security/remote-cluster-filtering.md
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -22,7 +22,17 @@ Because of [how network security works](/deploy-manage/security/network-security
Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for more information about the remote clusters functionality, its relationship to network security, and the supported use cases.
-## Create remote cluster filter [create-remote-cluster-filter]
+To apply a filter to a deployment, you must first create a security policy at the organization or platform level, and then apply it to your deployment.
+
+This guide covers the following remote cluster filtering tasks:
+
+* [Create a remote cluster filter](#create-remote-cluster-filter)
+* [Associate a remote cluster filter with your deployment](#apply-remote-cluster-filter)
+* [Remove a filter association from your deployment](#remove-association)
+* [Edit a remote cluster filter](#edit-remote-cluster-filter)
+* [Delete a remote cluster filter](#delete-remote-cluster-filter)
+
+## Create a remote cluster filter [create-remote-cluster-filter]
:::::{tab-set}
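Review bot: The new intro sentence mixes terms: `+To apply a filter to a deployment, you must first create a security policy at the organization or platform level` calls the same object a "filter" and then a "security policy" in one breath, while the task list below it uses "remote cluster filter" throughout. Pick one term for the lead sentence (or state once that ECH calls these policies and ECE calls them rule sets, as the later "Associate" section does with "network security policy or rule set") so the reader is not left guessing whether two different objects are involved.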
@@ -35,8 +45,8 @@ Remote cluster filters are presented in {{ecloud}} as a type of Private Connecti
4. Select **Create** > **Private connection**.
5. Select the cloud provider and region for the remote cluster filter.
- :::{tip}
- Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate an IP filter with resources in multiple regions, then you have to create the same filter in all the regions you want to apply it to.
+ :::{note}
+ Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to.
:::
6. In the **Connectivity** section, select **Remote cluster**.
@@ -47,18 +57,9 @@ Remote cluster filters are presented in {{ecloud}} as a type of Private Connecti
Find the organization ID on the organization page in the top-right menu, and the {{es}} ID of a deployment by selecting **Copy cluster ID** on the deployment management page.
::::
- % Not sure if we want any of this
- ::::{important}
- Network security filtering for remote cluster traffic from ECE to ECH is not supported. These filters apply only to {{ecloud}} resources, so the values must be {{ecloud}} IDs.
-
- If you require network security policies in the remote deployment for remote cluster connections coming from ECE, consider configuring the remote clusters with the deprecated [TLS certificate–based authentication model](/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md). Traffic with this model is authenticated through mTLS and is not subject to network security filters.
-
- Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for more information.
- ::::
-
9. Optional: Under **Apply to resources**, associate the new filter with one or more deployments. After you associate the filter with a deployment, it will allow remote cluster traffic coming from the organization or {{es}} IDs defined in the rules.
- :::{tip}
+ :::{note}
You can apply multiple policies to a single deployment. For {{ech}} deployments, you can apply both IP filter policies and private connection policies. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`.
[Learn more about how network security policies affect your deployment](network-security-policies.md).
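Review bot: The removed `{important}` block (flagged by the author with `% Not sure if we want any of this`) carried two security-relevant statements that now disappear from this page: that network security filtering for ECE to ECH remote cluster traffic is not supported, and that traffic under the deprecated TLS certificate-based model is authenticated through mTLS and is not subject to network security filters. The second point in particular matters to anyone relying on these filters as a control, because it describes a path that bypasses them. The same caveat survives as a note in ece-remote-cluster-ece-ess.md (visible in the PATCH 07 context lines), so at minimum add a one-line cross-reference to it from the ECH tab here, where the filter is actually configured.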
@@ -66,8 +67,6 @@ Remote cluster filters are presented in {{ecloud}} as a type of Private Connecti
8. To automatically attach this filter to new deployments, select **Apply by default**.
9. Click **Create**.
-
-
::::
::::{tab-item} {{ece}}
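Review bot: The step numbering in this ECH list is out of order: the previous hunk ends with context line `9. Optional: Under **Apply to resources**, ...`, and this hunk's context then continues with `8. To automatically attach this filter to new deployments, ...` and `9. Click **Create**.`. Even if the renderer auto-numbers, the source should read 9, 10, 11 so that cross-references to step numbers stay correct; the blank-line removal itself is fine.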
@@ -104,23 +103,109 @@ Because this type of filter operates at the proxy level, if the local deployment
:::::
-## Associate a remote filter to a deployment
-
-(Work in progress)
+## Associate a remote cluster filter with your deployment [apply-remote-cluster-filter]
-On ECE:
+After you've created the network security policy or rule set, you'll need to associate it with your deployment. To do that:
-After you’ve created the policy or rule set, you’ll need to associate it with your deployment:
+:::::::{tab-set}
-1. Go to the deployment.
-2. On the **Security** page, under **Traffic filters**, select **Apply filter**.
+::::::{tab-item} {{ech}}
+1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
+2. On the **Hosted deployments** page, select your deployment.
+3. Select the **Security** tab on the left-hand side menu bar.
+4. Under **Network security**, select **Apply policies** > **Private connection**.
+5. Choose the security policy you want to apply and select **Apply**.
+::::::
+
+::::::{tab-item} {{ece}}
+1. Open the deployment management page in the Cloud UI.
+2. Select the **Security** tab on the left-hand side menu bar.
+3. Under **Traffic filters**, select **Apply filter**.
3. Choose the filter you want to apply and select **Apply filter**.
+::::::
+
+:::::::
+
+## Remove a filter association from your deployment [remove-association]
+
+To remove a network security policy or rule set association from your deployment:
+
+:::::::{tab-set}
+::::::{tab-item} {{ech}}
-On Cloud:
+You can remove associations from your deployments directly from the policy settings or from the deployment security page.
+#### From your deployment security page
1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
2. On the **Hosted deployments** page, select your deployment.
3. Select the **Security** tab on the left-hand side menu bar.
-4. Under **Network security**, select **Apply policies** > **IP filter**.
-5. Choose the IP filter you want to apply and select **Apply**.
+4. Under **Network security**, find the security policy you want to disconnect.
+5. Under **Actions**, click the **Delete** icon.
+
+#### From the network security policy settings
+:::{include} _snippets/network-security-page.md
+:::
+4. Find the remote cluster policy you want to edit, then select the **Edit** {icon}`pencil` button.
+5. Under **Apply to resources**, click the `x` beside the resource that you want to disconnect.
+6. Click **Update** to save your changes.
+
+
+::::::
+
+::::::{tab-item} {{ece}}
+1. Open the deployment management page in the Cloud UI.
+2. Select the **Security** tab on the left-hand side menu bar.
+3. Under **Traffic filters**, select **Remove**.
+3. Choose the filter you want to remove.
+::::::
+
+:::::::
+
+## Edit a remote cluster filter [edit-remote-cluster-filter]
+
+You can edit a remote cluster filter policy name or change the list of allowed Organization IDs and {{es}} cluster IDs. To do that:
+
+:::::::{tab-set}
+
+::::::{tab-item} {{ech}}
+:::{include} _snippets/network-security-page.md
+:::
+4. Find the remote cluster policy you want to edit, then select the **Edit** {icon}`pencil` button.
+5. Select **Update** to save your changes.
+::::::
+
+::::::{tab-item} {{ece}}
+1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
+2. From the **Platform** menu, select **Security**.
+3. Find the rule set you want to edit.
+4. Select the **Edit** {icon}`pencil` button.
+5. Click **Update** to save your changes.
+::::::
+
+:::::::
+
+## Delete a remote cluster filter [delete-remote-cluster-filter]
+
+If you need to remove a remote cluster filter policy, you must first [remove any associations](#remove-association) with deployments.
+
+To delete a filter:
+
+:::::::{tab-set}
+
+::::::{tab-item} {{ech}}
+:::{include} _snippets/network-security-page.md
+:::
+4. Find the rule set you want to edit, then select the **Delete** {icon}`trash` button. The icon is inactive if there are deployments associated with the filter.
+::::::
+
+::::::{tab-item} {{ece}}
+1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
+2. From the **Platform** menu, select **Security**.
+3. Find the rule set you want to edit.
+4. Click the **Delete** {icon}`trash` button. The button is inactive if there are deployments assigned to the rule set.
+::::::
+
+:::::::
+
+
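Review bot: Both ECE tabs carry duplicate step numbers. In "Associate a remote cluster filter with your deployment", `+3. Under **Traffic filters**, select **Apply filter**.` is immediately followed by the context line `3. Choose the filter you want to apply and select **Apply filter**.`; in "Remove a filter association from your deployment", `+3. Under **Traffic filters**, select **Remove**.` is followed by `+3. Choose the filter you want to remove.`. Renumber the second step to `4.` in each list. Wording to fix in the same hunk: the Delete section tells the user to `Find the rule set you want to edit` in both tabs (`+4. Find the rule set you want to edit, then select the **Delete** {icon}`trash` button.` and `+3. Find the rule set you want to edit.`), and the Remove section's policy-settings path says `+4. Find the remote cluster policy you want to edit` when the goal is to disconnect a resource; say "delete" and "remove the association from" respectively. The `#### From your deployment security page` and `#### From the network security policy settings` sub-headings jump from `##` to `####`, skipping a level; `###` is the consistent choice. Finally, the two trailing `+` blank lines at the end of the file can be dropped.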
From de26aeb2fef9f54e21cd33338ab0fd0b874bc840 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Fri, 19 Sep 2025 09:25:08 +0200
Subject: [PATCH 06/21] syncing tabs
---
.../security/remote-cluster-filtering.md | 24 +++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
index 4c7c753422..851bad82db 100644
--- a/deploy-manage/security/remote-cluster-filtering.md
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -35,9 +35,9 @@ This guide covers the following remote cluster filtering tasks:
## Create a remote cluster filter [create-remote-cluster-filter]
:::::{tab-set}
-
+:group: deployment
::::{tab-item} {{ech}}
-
+:sync: ech
Remote cluster filters are presented in {{ecloud}} as a type of Private Connection filters. To create a remote cluster filter:
:::{include} _snippets/network-security-page.md
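Review bot: `+:sync: ech` here replaces the blank line that separated the tab-item directive from its body, so the `Remote cluster filters are presented in {{ecloud}} ...` paragraph now sits directly under the option line, whereas every other `:sync:` added in this patch is followed by a `+` blank line. Keep the blank line here as well so the option block is visibly closed and the tabs are formatted the same way throughout the file.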
@@ -70,6 +70,7 @@ Remote cluster filters are presented in {{ecloud}} as a type of Private Connecti
::::
::::{tab-item} {{ece}}
+:sync: ece
To create a remote cluster filter:
@@ -108,8 +109,11 @@ Because this type of filter operates at the proxy level, if the local deployment
After you've created the network security policy or rule set, you'll need to associate it with your deployment. To do that:
:::::::{tab-set}
+:group: deployment
::::::{tab-item} {{ech}}
+:sync: ech
+
1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
2. On the **Hosted deployments** page, select your deployment.
3. Select the **Security** tab on the left-hand side menu bar.
@@ -118,6 +122,8 @@ After you've created the network security policy or rule set, you'll need to ass
::::::
::::::{tab-item} {{ece}}
+:sync: ece
+
1. Open the deployment management page in the Cloud UI.
2. Select the **Security** tab on the left-hand side menu bar.
3. Under **Traffic filters**, select **Apply filter**.
@@ -131,8 +137,10 @@ After you've created the network security policy or rule set, you'll need to ass
To remove a network security policy or rule set association from your deployment:
:::::::{tab-set}
+:group: deployment
::::::{tab-item} {{ech}}
+:sync: ech
You can remove associations from your deployments directly from the policy settings or from the deployment security page.
@@ -154,6 +162,8 @@ You can remove associations from your deployments directly from the policy setti
::::::
::::::{tab-item} {{ece}}
+:sync: ece
+
1. Open the deployment management page in the Cloud UI.
2. Select the **Security** tab on the left-hand side menu bar.
3. Under **Traffic filters**, select **Remove**.
@@ -167,8 +177,11 @@ You can remove associations from your deployments directly from the policy setti
You can edit a remote cluster filter policy name or change the list of allowed Organization IDs and {{es}} cluster IDs. To do that:
:::::::{tab-set}
+:group: deployment
::::::{tab-item} {{ech}}
+:sync: ech
+
:::{include} _snippets/network-security-page.md
:::
4. Find the remote cluster policy you want to edit, then select the **Edit** {icon}`pencil` button.
@@ -176,6 +189,8 @@ You can edit a remote cluster filter policy name or change the list of allowed O
::::::
::::::{tab-item} {{ece}}
+:sync: ece
+
1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
2. From the **Platform** menu, select **Security**.
3. Find the rule set you want to edit.
@@ -192,14 +207,19 @@ If you need to remove a remote cluster filter policy, you must first [remove any
To delete a filter:
:::::::{tab-set}
+:group: deployment
::::::{tab-item} {{ech}}
+:sync: ech
+
:::{include} _snippets/network-security-page.md
:::
4. Find the rule set you want to edit, then select the **Delete** {icon}`trash` button. The icon is inactive if there are deployments associated with the filter.
::::::
::::::{tab-item} {{ece}}
+:sync: ece
+
1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
2. From the **Platform** menu, select **Security**.
3. Find the rule set you want to edit.
From 2b7a3bc284c65b25d0bb963b7f0bfd66c9620889 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Fri, 19 Sep 2025 09:44:57 +0200
Subject: [PATCH 07/21] notes updated and added to ECE docs
---
deploy-manage/remote-clusters/ec-remote-cluster-ece.md | 2 +-
deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md | 2 +-
deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md | 2 +-
deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md | 2 +-
deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md | 4 ++++
deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md | 3 +++
6 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
index 1145f7f31c..448c9633ed 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
@@ -15,7 +15,7 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to an {{ECE}} (ECE) environment.
::::{note}
-If network security filters are applied to the remote cluster on ECE, the remote cluster administrator must configure a [remote cluster security filter](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local ECH cluster as the filtering criteria. For detailed instructions, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+If network security filters are applied to the remote cluster on ECE, the remote cluster administrator must configure a [remote cluster security filter](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local ECH cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
::::
## Allow the remote connection [ec_allow_the_remote_connection_3]
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
index 84e7b53064..17fb26bf50 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
@@ -14,7 +14,7 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to a different {{ecloud}} organization.
::::{note}
-If network security policies are applied to the remote cluster, the remote cluster administrator must configure a [private connection policy of type remote cluster](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For detailed instructions, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+If network security policies are applied to the remote cluster, the remote cluster administrator must configure a [private connection policy of type remote cluster](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
::::
## Allow the remote connection [ec_allow_the_remote_connection_2]
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md b/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md
index ae21bb9a8c..f91b3343cc 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md
@@ -14,7 +14,7 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to the same {{ecloud}} organization.
::::{note}
-If network security policies are applied to the remote cluster, the remote cluster administrator must configure a [private connection policy of type remote cluster](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For detailed instructions, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+If network security policies are applied to the remote cluster, the remote cluster administrator must configure a [private connection policy of type remote cluster](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
::::
## Allow the remote connection [ec_allow_the_remote_connection]
diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
index be1cfe8f08..18d6c917c3 100644
--- a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
+++ b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
@@ -14,7 +14,7 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to an {{ecloud}} organization.
-::::{note}
+::::{note} aaa
* [Network security](../security/network-security.md) policies are not supported for cross-cluster operations from an {{ece}} environment to a remote {{ech}} deployment when using the API key–based authentication model.
* If you configure remote clusters with the deprecated TLS certificate–based authentication model, connections work regardless of network security policies on the remote deployment.
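Review bot: `+::::{note} aaa` appends stray text to the note directive, which renders as the note's title; this looks like leftover scratch input rather than an intended change. Revert the line to `::::{note}` in this commit instead of leaving the fix to PATCH 09 ("Apply suggestions from code review"), so the series has no intermediate state that ships a note titled "aaa".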
diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md b/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md
index 76403b8590..c7caa361d1 100644
--- a/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md
+++ b/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md
@@ -13,6 +13,10 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to a different {{ece}} environment.
+::::{note}
+If network security filters are applied to the remote cluster, the remote cluster administrator must configure a [remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md), using either the ECE environment ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+::::
+
## Allow the remote connection [ece_allow_the_remote_connection_2]
diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md b/deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md
index ca745ae312..41edb63242 100644
--- a/deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md
+++ b/deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md
@@ -13,6 +13,9 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to the same {{ece}} environment.
+::::{note}
+If network security filters are applied to the remote cluster, the remote cluster administrator must configure a [remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md), using either the ECE environment ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+::::
## Allow the remote connection [ece_allow_the_remote_connection]
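Review bot: The new `+::::` closing line is followed directly by the `## Allow the remote connection [ece_allow_the_remote_connection]` heading with no separating blank line, unlike the equivalent hunk in ece-remote-cluster-other-ece.md in this same patch, which adds a `+` blank line after the directive. Add the blank line here so the admonition and the heading are not run together.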
From 1ea395abeb723e6f8bafd3f4b91a243527d973b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Fri, 19 Sep 2025 12:58:37 +0200
Subject: [PATCH 08/21] Update deploy-manage/remote-clusters/ec-enable-ccs.md
Co-authored-by: Alex Chalkias <34575586+alxchalkias@users.noreply.github.com>
---
deploy-manage/remote-clusters/ec-enable-ccs.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md
index 1805beba35..ba73b55d95 100644
--- a/deploy-manage/remote-clusters/ec-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ec-enable-ccs.md
@@ -20,7 +20,7 @@ You can configure an {{ech}} deployment to either connect to remote clusters or
* A self-managed installation.
::::{note}
-Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for details on how remote clusters interact with network security filters and the implications for your deployments.
+Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for details on how remote clusters interact with network security policies and the implications for your deployments.
::::
From 62cc426e2de99bf5b6e0629b2c653e89de135b41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Mon, 22 Sep 2025 12:36:07 +0200
Subject: [PATCH 09/21] Apply suggestions from code review
Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com>
---
deploy-manage/remote-clusters.md | 6 ++---
.../remote-clusters/ec-enable-ccs.md | 2 +-
.../ece-remote-cluster-ece-ess.md | 2 +-
.../security/remote-cluster-filtering.md | 27 ++++++++++++-------
4 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/deploy-manage/remote-clusters.md b/deploy-manage/remote-clusters.md
index d977ac0fd9..692ddf41b0 100644
--- a/deploy-manage/remote-clusters.md
+++ b/deploy-manage/remote-clusters.md
@@ -64,10 +64,10 @@ This section explains how remote clusters interact with network security when us
### Filter types for remote clusters traffic
-Traffic filtering for remote clusters incoming connections using API key authentication supports two types of filters:
+Network security for remote cluster incoming connections using API key authentication supports two types of filters:
-* [IP-based filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestration environments, where the source IP of individual {{es}} instances may change.
-* [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), which allow filtering by Organization or {{es}} cluster ID. This method is more reliable and recommended, as it combines mTLS with API key authentication for stronger security.
+* [IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestrated environments, where the source IP of individual {{es}} instances may change.
+* [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), which allow filtering by organization ID or {{es}} cluster ID. This method is more reliable and recommended, as it combines mTLS with API key authentication for stronger security.
### Use cases for remote clusters and network security
diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md
index ba73b55d95..386f88932e 100644
--- a/deploy-manage/remote-clusters/ec-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ec-enable-ccs.md
@@ -57,4 +57,4 @@ The steps, information, and authentication method required to configure CCS and
## Remote clusters and network security [ec-ccs-ccr-network-security]
-Content moved to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
+If you have [network security policies] applied to your deployment, then you might need to take extra steps to allow a cluster to make requests to your cluster. Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
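Review bot: `[network security policies]` in the added sentence is a bracketed reference with no link target, so it will render as literal square brackets or fail link checking. Link it to the network security page, for example `[network security policies](/deploy-manage/security/network-security.md)` (the path this series already uses elsewhere), or drop the brackets. The file also still ends without a trailing newline (`\ No newline at end of file`), which this rewrite of the last line was an opportunity to fix.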
diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
index 18d6c917c3..be1cfe8f08 100644
--- a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
+++ b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
@@ -14,7 +14,7 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to an {{ecloud}} organization.
-::::{note} aaa
+::::{note}
* [Network security](../security/network-security.md) policies are not supported for cross-cluster operations from an {{ece}} environment to a remote {{ech}} deployment when using the API key–based authentication model.
* If you configure remote clusters with the deprecated TLS certificate–based authentication model, connections work regardless of network security policies on the remote deployment.
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
index 851bad82db..b4fbfcbf86 100644
--- a/deploy-manage/security/remote-cluster-filtering.md
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -8,7 +8,7 @@ navigation_title: "Remote cluster filters"
# Remote cluster filtering
-In {{ech}} (ECH) and {{ece}} (ECE), remote cluster filters let you control incoming traffic from other deployments that use the [Remote clusters functionality](/deploy-manage/remote-clusters.md) with [API key–based authentication](/deploy-manage/remote-clusters/remote-clusters-api-key.md).
+In {{ech}} (ECH) and {{ece}} (ECE), remote cluster filters let you control incoming traffic from other deployments that use the [remote clusters functionality](/deploy-manage/remote-clusters.md) with API key–based authentication.
::::{note} about terminology
In the case of remote clusters, the {{es}} cluster or deployment initiating the connection and requests is often referred to as the **local cluster**, while the {{es}} cluster or deployment receiving the requests is referred to as the **remote cluster**.
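Review bot: The rewrite drops the link on "API key–based authentication" to `/deploy-manage/remote-clusters/remote-clusters-api-key.md`. Since the sentence makes that authentication model the condition under which remote cluster filters apply at all, the link is the quickest way for a reader to confirm their setup qualifies; if it was removed because the remote-clusters page already links it, consider keeping it on this first mention anyway.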
@@ -38,7 +38,7 @@ This guide covers the following remote cluster filtering tasks:
:group: deployment
::::{tab-item} {{ech}}
:sync: ech
-Remote cluster filters are presented in {{ecloud}} as a type of Private Connection filters. To create a remote cluster filter:
+Remote cluster filters are presented in {{ecloud}} as a type of Private Connection filter. To create a remote cluster filter:
:::{include} _snippets/network-security-page.md
:::
@@ -49,7 +49,7 @@ Remote cluster filters are presented in {{ecloud}} as a type of Private Connecti
Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to.
:::
-6. In the **Connectivity** section, select **Remote cluster**.
+6. Under**Connectivity**, select **Remote cluster**.
7. Add a meaningful name and description for the filter.
8. In the **Organization ID** and **{{es}} ID** fields, enter the organization or cluster ID of the {{ecloud}} deployments from which you want to allow traffic. Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.
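Review bot: `+6. Under**Connectivity**, select **Remote cluster**.` is missing the space between "Under" and the bold label; it should read `6. Under **Connectivity**, select **Remote cluster**.` so the bold markup parses correctly.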
@@ -85,7 +85,7 @@ To create a remote cluster filter:
* ECE supports filtering remote cluster traffic from deployments in the same ECE system, in other ECE environments, or in {{ecloud}}.
* For ECE systems, use the **Environment ID** from **Platform → Trust Management → Trust parameters** as the organization ID.
* In {{ecloud}}, the organization ID is shown on the organization page in the top-right menu.
- * To get a deployment’s {{es}} ID, select **Copy cluster ID** on its management page in the Cloud UI.
+ * To get a deployment’s {{es}} ID, select **Copy cluster ID** on its management page in the Cloud UI or {{ecloud}} console.
:::
7. Select if this rule set should be automatically attached to new deployments.
@@ -94,7 +94,7 @@ To create a remote cluster filter:
:::{important}
Because this type of filter operates at the proxy level, if the local deployments or organizations in the filter belong to a different ECE environment or to ECH, you must add the transport TLS CA certificate of the local environment to the ECE proxy:
-* Find the TLS CA certificate in the **Security -> Remote Connections -> CA certificates** section of any deployment of the environment that initiates the remote connection. In {{ecloud}}, each provider and region has its own CA certificate, while in ECE a single CA certificate is used per installation.
+* Find the TLS CA certificate in the **Security -> Remote Connections -> CA certificates** section of any deployment of the environment that initiates the remote connection. In {{ecloud}}, each provider and region has its own CA certificate, while in ECE a single CA certificate is used for the entire installation.
* To add a CA certificate to the ECE proxy, go to **Platform -> Settings -> TLS certificates** in the UI and update the certificate chain used when configuring your ECE installation. Append the required CA certificates to the end of the chain. The final chain should look like this: `Proxy private key`, `Proxy SSL certificate`, `Proxy CA(s)`, followed by the remaining CAs. For more details, refer to [Add a proxy certificate](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md#ece-tls-proxy).
:::
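Review bot: the wording change ("for the entire installation") is fine, but the important block should state the scope of the trust it asks the reader to add: appending another environment's transport CA to the ECE proxy chain (Platform -> Settings -> TLS certificates) is an installation-wide setting, so the text should say explicitly whether that CA is then accepted by the proxy for all deployments or only for those with the filter attached, and that the filter's organization/cluster ID rules remain the control that limits which clusters are actually allowed.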
@@ -114,11 +114,18 @@ After you've created the network security policy or rule set, you'll need to ass
::::::{tab-item} {{ech}}
:sync: ech
-1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
-2. On the **Hosted deployments** page, select your deployment.
-3. Select the **Security** tab on the left-hand side menu bar.
-4. Under **Network security**, select **Apply policies** > **Private connection**.
-5. Choose the security policy you want to apply and select **Apply**.
+#### From a deployment
+
+:::{include} _snippets/associate-filter.md
+:::
+
+#### From the policy settings
+
+:::{include} _snippets/network-security-page.md
+:::
+5. Find the policy you want to edit.
+6. Under **Apply to resources**, associate the policy with one or more deployments.
+7. Click **Update** to save your changes.
::::::
::::::{tab-item} {{ece}}
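Review bot: under "#### From the policy settings" the list restarts at "5." right after the `_snippets/network-security-page.md` include, so the numbering silently depends on that snippet containing exactly four steps and will break if the snippet changes; either number the steps 1-3 or make the snippet's step count part of its contract. Also "7. Click **Update**" uses "Click" where every other step on this page uses "select"; suggest "7. Select **Update** to save your changes."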
From d70dbee020a489dff44bb97a4cd2f6b8a60f3050 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Tue, 23 Sep 2025 10:18:34 +0200
Subject: [PATCH 10/21] snippets added for ECE filters association and detach
---
.../security/_snippets/associate-filter-ece.md | 4 ++++
.../security/_snippets/detach-filter-ece.md | 4 ++++
deploy-manage/security/ip-filtering-ece.md | 9 ++++-----
deploy-manage/security/remote-cluster-filtering.md | 13 +++++--------
4 files changed, 17 insertions(+), 13 deletions(-)
create mode 100644 deploy-manage/security/_snippets/associate-filter-ece.md
create mode 100644 deploy-manage/security/_snippets/detach-filter-ece.md
diff --git a/deploy-manage/security/_snippets/associate-filter-ece.md b/deploy-manage/security/_snippets/associate-filter-ece.md
new file mode 100644
index 0000000000..269fca8e60
--- /dev/null
+++ b/deploy-manage/security/_snippets/associate-filter-ece.md
@@ -0,0 +1,4 @@
+1. Open the deployment management page in the Cloud UI.
+2. Select the **Security** tab on the left-hand side menu bar.
+3. Under **Traffic filters**, select **Apply filter**.
+4. Choose the filter you want to apply and select **Apply filter**.
diff --git a/deploy-manage/security/_snippets/detach-filter-ece.md b/deploy-manage/security/_snippets/detach-filter-ece.md
new file mode 100644
index 0000000000..c577935957
--- /dev/null
+++ b/deploy-manage/security/_snippets/detach-filter-ece.md
@@ -0,0 +1,4 @@
+1. Open the deployment management page in the Cloud UI.
+2. Select the **Security** tab on the left-hand side menu bar.
+3. Under **Traffic filters**, choose the filter you want to detach and select the **X** icon in the **Actions** column.
+4. In the confirmation dialog, select **Remove filter**.
diff --git a/deploy-manage/security/ip-filtering-ece.md b/deploy-manage/security/ip-filtering-ece.md
index b536e3c266..d54b681151 100644
--- a/deploy-manage/security/ip-filtering-ece.md
+++ b/deploy-manage/security/ip-filtering-ece.md
@@ -57,9 +57,8 @@ To create a rule set:
After you’ve created the rule set, you’ll need to associate it with your deployment:
-1. Go to the deployment.
-2. On the **Security** page, under **Traffic filters**, select **Apply filter**.
-3. Choose the filter you want to apply and select **Apply filter**.
+:::{include} _snippets/associate-filter-ece.md
+:::
At this point, the IP filtering rule set is active. You can remove or edit it at any time.
@@ -67,8 +66,8 @@ At this point, the IP filtering rule set is active. You can remove or edit it at
If you want to remove any traffic restrictions from a deployment or delete a rule set, you’ll need to remove any rule set associations first. To remove an association through the UI:
-1. Go to the deployment.
-2. On the **Security** page, under **Traffic filters** select **Remove**.
+:::{include} _snippets/detach-filter-ece.md
+:::
## Edit an IP filtering rule set
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
index b4fbfcbf86..73647bcc68 100644
--- a/deploy-manage/security/remote-cluster-filtering.md
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -130,11 +130,9 @@ After you've created the network security policy or rule set, you'll need to ass
::::::{tab-item} {{ece}}
:sync: ece
+:::{include} _snippets/associate-filter-ece.md
+:::
-1. Open the deployment management page in the Cloud UI.
-2. Select the **Security** tab on the left-hand side menu bar.
-3. Under **Traffic filters**, select **Apply filter**.
-3. Choose the filter you want to apply and select **Apply filter**.
::::::
:::::::
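Review bot: the include is inserted directly after ":sync: ece" with no blank line before the closing "::::::", while the matching edit in the detach section of this same commit adds a trailing blank line after the include; keep the two tab bodies consistent so the directive renders the same in both places.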
@@ -171,10 +169,9 @@ You can remove associations from your deployments directly from the policy setti
::::::{tab-item} {{ece}}
:sync: ece
-1. Open the deployment management page in the Cloud UI.
-2. Select the **Security** tab on the left-hand side menu bar.
-3. Under **Traffic filters**, select **Remove**.
-3. Choose the filter you want to remove.
+:::{include} _snippets/detach-filter-ece.md
+:::
+
::::::
:::::::
From f5fa85546c2b0d5c040323b9748055fed642569b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Tue, 23 Sep 2025 10:40:59 +0200
Subject: [PATCH 11/21] updated intro sentence for eck and self-managed plus
updated steps
---
deploy-manage/remote-clusters.md | 2 +-
deploy-manage/security/remote-cluster-filtering.md | 6 ++++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/deploy-manage/remote-clusters.md b/deploy-manage/remote-clusters.md
index 692ddf41b0..d5b7d14b7d 100644
--- a/deploy-manage/remote-clusters.md
+++ b/deploy-manage/remote-clusters.md
@@ -69,7 +69,7 @@ Network security for remote cluster incoming connections using API key authentic
* [IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestrated environments, where the source IP of individual {{es}} instances may change.
* [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), which allow filtering by organization ID or {{es}} cluster ID. This method is more reliable and recommended, as it combines mTLS with API key authentication for stronger security.
-### Use cases for remote clusters and network security
+### Use cases for remote clusters and network security [use-cases-network-security]
Network security is supported to control remote cluster traffic in the following scenarios:
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
index 73647bcc68..1c9d537723 100644
--- a/deploy-manage/security/remote-cluster-filtering.md
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -8,7 +8,7 @@ navigation_title: "Remote cluster filters"
# Remote cluster filtering
-In {{ech}} (ECH) and {{ece}} (ECE), remote cluster filters let you control incoming traffic from other deployments that use the [remote clusters functionality](/deploy-manage/remote-clusters.md) with API key–based authentication.
+In {{ech}} (ECH) and {{ece}} (ECE), remote cluster filters let you control incoming traffic from other deployments that use the [remote clusters functionality](/deploy-manage/remote-clusters.md) with API key–based authentication. These filters are specific to ECH and ECE and are not applicable when connecting from {{es}} clusters that run in {{eck}} or are self-managed, because they rely on the certificates and proxy mechanisms provided by ECH and ECE.
::::{note} about terminology
In the case of remote clusters, the {{es}} cluster or deployment initiating the connection and requests is often referred to as the **local cluster**, while the {{es}} cluster or deployment receiving the requests is referred to as the **remote cluster**.
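Review bot: the added sentence tells readers that remote cluster filters cannot be used when the local cluster runs on {{eck}} or is self-managed, but not what to use instead; the remote-clusters page in this same series states that IP filters are the only option for that case, so suggest ending the sentence with a pointer such as "for those local clusters, use [IP filters](/deploy-manage/security/ip-filtering.md) instead."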
@@ -54,7 +54,9 @@ Remote cluster filters are presented in {{ecloud}} as a type of Private Connecti
8. In the **Organization ID** and **{{es}} ID** fields, enter the organization or cluster ID of the {{ecloud}} deployments from which you want to allow traffic. Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.
::::{tip}
- Find the organization ID on the organization page in the top-right menu, and the {{es}} ID of a deployment by selecting **Copy cluster ID** on the deployment management page.
+ * Find the organization ID on the organization page in the top-right menu, and the {{es}} ID of a deployment by selecting **Copy cluster ID** on the deployment management page.
+
+ * {{ecloud}} supports filtering remote cluster traffic from deployments in the same and other ECH organizations, but not from ECE environments. Refer to the list of [supported use cases](/deploy-manage/remote-clusters.md#use-cases-network-security) for more information.
::::
9. Optional: Under **Apply to resources**, associate the new filter with one or more deployments. After you associate the filter with a deployment, it will allow remote cluster traffic coming from the organization or {{es}} IDs defined in the rules.
From 71ea6b3fb745efd0a6b538e075e582b8c1c01673 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Tue, 23 Sep 2025 10:49:26 +0200
Subject: [PATCH 12/21] network security table updated for remote cluster
filter
---
deploy-manage/security/network-security.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy-manage/security/network-security.md b/deploy-manage/security/network-security.md
index 8eb022d01b..ef9ec31cc9 100644
--- a/deploy-manage/security/network-security.md
+++ b/deploy-manage/security/network-security.md
@@ -44,7 +44,7 @@ You can also allow traffic to or from a [remote cluster](/deploy-manage/remote-c
| Filter type | Description | Applicable deployment types |
| --- | --- | --- |
| [IP filters](ip-filtering.md) | Filter traffic from the public internet by allowlisting specific IP addresses and Classless Inter-Domain Routing (CIDR) masks.
• [In {{serverless-short}} or ECH](/deploy-manage/security/ip-filtering-cloud.md)
• [In ECE](/deploy-manage/security/ip-filtering-ece.md)
• [In ECK or self-managed](/deploy-manage/security/ip-filtering-basic.md) | {{serverless-short}}, ECH, ECE, ECK, and self-managed clusters |
-| [Remote cluster filters](./remote-cluster-filtering.md) | Filter incoming remote cluster traffic by validating the client certificate against its `organization_id` and `cluster_id`.
It does not support ECE -> ECH traffic. | ECH, ECE |
+| [Remote cluster filters](./remote-cluster-filtering.md) | Filter incoming remote cluster traffic by validating the client certificate against its `organization_id` and `cluster_id`.
Only applicable with the API key–based authentication model.
Not supported for ECE → ECH traffic. | ECH and ECE, limited to [these use cases](/deploy-manage/remote-clusters.md#use-cases-network-security) |
| [Private connectivity and VPC filtering](/deploy-manage/security/private-connectivity.md) | Establish private connections between {{es}} and other resources hosted by the same cloud provider using private link services, and further secure these connections using VPC filtering. Choose the relevant option for your region:
• AWS regions: [AWS PrivateLink](/deploy-manage/security/private-connectivity-aws.md)
• Azure regions: [Azure Private Link](/deploy-manage/security/private-connectivity-azure.md)
• GCP regions: [GCP Private Service Connect](/deploy-manage/security/private-connectivity-gcp.md) | {{ech}} only |
| [Kubernetes network policies](/deploy-manage/security/k8s-network-policies.md) | Isolate pods by restricting incoming and outgoing network connections to a trusted set of sources and destinations. | {{eck}} only |
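Review bot: the new row writes the direction as "ECE → ECH" with a Unicode arrow, while the rest of this page (the ECE proxy steps on remote-cluster-filtering.md) uses "->"; pick one form. The added line "Only applicable with the API key–based authentication model." would also be more useful as a link to the API key remote clusters page, matching how the other cells in this table link their sub-options.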
From 855a104a1c792494385169c96a7be9d23ae65540 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Tue, 23 Sep 2025 10:54:37 +0200
Subject: [PATCH 13/21] moved sections presentation refined
---
deploy-manage/remote-clusters/ec-enable-ccs.md | 2 +-
deploy-manage/remote-clusters/ece-enable-ccs.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md
index 386f88932e..4073483213 100644
--- a/deploy-manage/remote-clusters/ec-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ec-enable-ccs.md
@@ -57,4 +57,4 @@ The steps, information, and authentication method required to configure CCS and
## Remote clusters and network security [ec-ccs-ccr-network-security]
-If you have [network security policies] applied to your deployment, then you might need to take extra steps to allow a cluster to make requests to your cluster. Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
+If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to your deployment, then you might need to take extra steps to allow a cluster to make requests to your cluster. Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
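Review bot: the link fix is correct, but the kept sentence "Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters" is stronger than the rest of the series supports: the network-security table lists IP filters as applicable to ECK and self-managed clusters, and a later commit rewords this to "limited compatibility". Suggest using the softer wording here directly. The file also still ends without a trailing newline.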
diff --git a/deploy-manage/remote-clusters/ece-enable-ccs.md b/deploy-manage/remote-clusters/ece-enable-ccs.md
index a181255291..c6d7f5c70f 100644
--- a/deploy-manage/remote-clusters/ece-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ece-enable-ccs.md
@@ -63,4 +63,4 @@ The steps, information, and authentication method required to configure CCS and
## Remote clusters and network security [ece-ccs-ccr-network-security]
-Content moved to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
+If you have [network security filters](/deploy-manage/security/ece-filter-rules.md) applied to your deployment, then you might need to take extra steps to allow a cluster to make requests to your cluster. Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
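Review bot: the ECE variant links to /deploy-manage/security/ece-filter-rules.md while the ECH variant in the same commit links to /deploy-manage/security/network-security-policies.md; please confirm the ECE target exists, since a later commit in this series switches it to the policies page. The same over-strong "not compatible with network security" claim as in ec-enable-ccs.md applies here, and the file still lacks a trailing newline.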
From c5d0f28c5ef7835652e4627f553d480f4ccfa1a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Tue, 23 Sep 2025 10:55:50 +0200
Subject: [PATCH 14/21] anchor removed
---
deploy-manage/remote-clusters/ece-enable-ccs.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/deploy-manage/remote-clusters/ece-enable-ccs.md b/deploy-manage/remote-clusters/ece-enable-ccs.md
index c6d7f5c70f..1bc33ef66d 100644
--- a/deploy-manage/remote-clusters/ece-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ece-enable-ccs.md
@@ -19,7 +19,6 @@ You can configure an {{ece}} deployment to either connect to remote clusters or
* A deployment running on an {{eck}} installation
* A self-managed installation
-$$$ece-ccs-ccr-network-security$$$
::::{note}
Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for details on how remote clusters interact with network security filters and the implications for your deployments.
::::
From 5163170a48d2515e1ea624639c0821f7889a1475 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Tue, 23 Sep 2025 11:09:46 +0200
Subject: [PATCH 15/21] sub added for snippet error
---
deploy-manage/security/remote-cluster-filtering.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
index 1c9d537723..3ae135ed08 100644
--- a/deploy-manage/security/remote-cluster-filtering.md
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -4,6 +4,8 @@ applies_to:
ess: ga
ece: ga
navigation_title: "Remote cluster filters"
+sub:
+ policy-type: "Private connection"
---
# Remote cluster filtering
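Review bot: the new substitution value is "Private connection" (lowercase c), but the page body introduces these filters as "a type of Private Connection filter"; align the capitalization so the snippet that consumes {{policy-type}} and the prose do not disagree on the feature name.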
From 9a54e0a4f55443eee876d677a24f37765780b0c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Tue, 23 Sep 2025 23:36:41 +0200
Subject: [PATCH 16/21] Apply suggestion from @shainaraskas
Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com>
---
deploy-manage/security/remote-cluster-filtering.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
index 3ae135ed08..46fbf4a386 100644
--- a/deploy-manage/security/remote-cluster-filtering.md
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -51,7 +51,7 @@ Remote cluster filters are presented in {{ecloud}} as a type of Private Connecti
Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to.
:::
-6. Under**Connectivity**, select **Remote cluster**.
+6. Under **Connectivity**, select **Remote cluster**.
7. Add a meaningful name and description for the filter.
8. In the **Organization ID** and **{{es}} ID** fields, enter the organization or cluster ID of the {{ecloud}} deployments from which you want to allow traffic. Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.
From 772f77d7c6e4ce0d2df4bfb4fa27600ec5f045d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Wed, 24 Sep 2025 10:02:43 +0200
Subject: [PATCH 17/21] introducing better ip filters and self-managed locals
---
deploy-manage/remote-clusters.md | 40 ++++++++++++++-----
.../remote-clusters/ec-enable-ccs.md | 2 +-
.../remote-clusters/ece-enable-ccs.md | 2 +-
3 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/deploy-manage/remote-clusters.md b/deploy-manage/remote-clusters.md
index d5b7d14b7d..ebce6a7ab4 100644
--- a/deploy-manage/remote-clusters.md
+++ b/deploy-manage/remote-clusters.md
@@ -64,23 +64,43 @@ This section explains how remote clusters interact with network security when us
### Filter types for remote clusters traffic
-Network security for remote cluster incoming connections using API key authentication supports two types of filters:
+With API key–based authentication, remote clusters require the local cluster (A) to trust the transport SSL certificate presented by the remote cluster server (B). When network security is enabled on the destination cluster (B), it’s also necessary to explicitly allow the incoming traffic from cluster A. This can be achieved using different types of traffic filters:
+
+* [IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestrated environments, where the source IP of individual {{es}} instances may change.
+
+ Use IP filters when the local cluster is self-managed.
-* [IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestrated environments, where the source IP of individual {{es}} instances may change.
* [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), which allow filtering by organization ID or {{es}} cluster ID. This method is more reliable and recommended, as it combines mTLS with API key authentication for stronger security.
+ Use remote cluster filters when the local cluster is also on ECH or ECE, as these filters are specific to {{ecloud}} and ECE platforms.
+
### Use cases for remote clusters and network security [use-cases-network-security]
-Network security is supported to control remote cluster traffic in the following scenarios:
+[Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) are supported to control remote cluster traffic in the following scenarios:
+ * Local and remote clusters are {{ech}} deployments in the same organization
+ * Local and remote clusters are {{ech}} deployments in different organizations
+ * Local and remote clusters are {{ece}} deployments in the same ECE environment
+ * Local and remote clusters are {{ece}} deployments in different ECE environments
+ * The local deployment is on {{ech}} and the remote deployment is on an {{ece}} environment
+ ::::{note}
+ Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
+ ::::
+
+[IP filters](/deploy-manage/security/ip-filtering.md) are the only option for applying network security when the local deployment is a self-managed or an {{eck}} cluster, and the remote is on {{ece}} or {{ech}}.
-* Local and remote clusters are {{ech}} deployments in the same organization
-* Local and remote clusters are {{ech}} deployments in different organizations
-* Local and remote clusters are {{ece}} deployments in the same ECE environment
-* Local and remote clusters are {{ece}} deployments in different ECE environments
-* The local deployment is on {{ech}} and the remote deployment is on an {{ece}} environment
+### (option 2) Use cases for remote clusters and network security [use-cases-network-security2]
+
+Network security can be used to control remote cluster traffic in the following scenarios. The supported filter depends on the deployment types involved:
+
+| Scenario | Supported filter |
+|-------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------|
+| Local and remote clusters are ECH deployments in the same organization | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) |
+| Local and remote clusters are ECH deployments in different organizations | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) |
+| Local and remote clusters are ECE deployments in the same environment | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) |
+| Local and remote clusters are ECE deployments in different environments | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) |
+| The local deployment is on ECH and the remote deployment is on an ECE environment | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) |
+| Local deployment is self-managed or orchestrated by ECK | [IP filters](/deploy-manage/security/ip-filtering.md) |
::::{note}
Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
::::
-
-Refer to [Remote cluster filtering](/deploy-manage/security/remote-cluster-filtering.md) for instructions on creating and applying remote cluster filters in ECH or ECE.
\ No newline at end of file
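Review bot: this hunk leaves both alternatives in the file: the bullet-list version under [use-cases-network-security] and a second heading "### (option 2) Use cases for remote clusters and network security [use-cases-network-security2]" with the same content as a table, plus two copies of the ECE -> ECH note. One of the two must be removed before merge, and the chosen one should keep the [use-cases-network-security] anchor because other pages in this series link to it. Smaller points: "Use IP filters when the local cluster is self-managed." omits the {{eck}} case that the IP filters paragraph further down includes, and the use-case bullets and the note are indented by one space inside the section, which can render them as a nested block.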
diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md
index 4073483213..dc69804aa1 100644
--- a/deploy-manage/remote-clusters/ec-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ec-enable-ccs.md
@@ -57,4 +57,4 @@ The steps, information, and authentication method required to configure CCS and
## Remote clusters and network security [ec-ccs-ccr-network-security]
-If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to your deployment, then you might need to take extra steps to allow a cluster to make requests to your cluster. Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
+If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
diff --git a/deploy-manage/remote-clusters/ece-enable-ccs.md b/deploy-manage/remote-clusters/ece-enable-ccs.md
index 1bc33ef66d..79c7b8214e 100644
--- a/deploy-manage/remote-clusters/ece-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ece-enable-ccs.md
@@ -62,4 +62,4 @@ The steps, information, and authentication method required to configure CCS and
## Remote clusters and network security [ece-ccs-ccr-network-security]
-If you have [network security filters](/deploy-manage/security/ece-filter-rules.md) applied to your deployment, then you might need to take extra steps to allow a cluster to make requests to your cluster. Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
+If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
\ No newline at end of file
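Review bot: the ECE page now links "network security policies" to /deploy-manage/security/network-security-policies.md, but elsewhere in this series the ECE UI terms are "traffic filters" and "rule sets" (see the associate and detach snippets); confirm that the policies page is the right ECE target, or link to the ECE filter page and keep the ECE terminology. The file still ends without a trailing newline.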
From a300bc149e08b3312c68fc256c0765759a029a74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Thu, 25 Sep 2025 14:10:21 +0200
Subject: [PATCH 18/21] Update deploy-manage/remote-clusters.md
Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com>
---
deploy-manage/remote-clusters.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy-manage/remote-clusters.md b/deploy-manage/remote-clusters.md
index ebce6a7ab4..5d6c545d68 100644
--- a/deploy-manage/remote-clusters.md
+++ b/deploy-manage/remote-clusters.md
@@ -62,7 +62,7 @@ In {{ech}} (ECH) and {{ece}} (ECE), the remote clusters functionality interacts
This section explains how remote clusters interact with network security when using API key–based authentication, and describes the supported use cases.
-### Filter types for remote clusters traffic
+### Filter types for remote cluster traffic
With API key–based authentication, remote clusters require the local cluster (A) to trust the transport SSL certificate presented by the remote cluster server (B). When network security is enabled on the destination cluster (B), it’s also necessary to explicitly allow the incoming traffic from cluster A. This can be achieved using different types of traffic filters:
From dbdf884b6facb6b143580a8a70830aef212311c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Thu, 25 Sep 2025 14:39:03 +0200
Subject: [PATCH 19/21] applying review comments
---
deploy-manage/remote-clusters.md | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/deploy-manage/remote-clusters.md b/deploy-manage/remote-clusters.md
index 5d6c545d68..deef2b9b8c 100644
--- a/deploy-manage/remote-clusters.md
+++ b/deploy-manage/remote-clusters.md
@@ -66,13 +66,9 @@ This section explains how remote clusters interact with network security when us
With API key–based authentication, remote clusters require the local cluster (A) to trust the transport SSL certificate presented by the remote cluster server (B). When network security is enabled on the destination cluster (B), it’s also necessary to explicitly allow the incoming traffic from cluster A. This can be achieved using different types of traffic filters:
-* [IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestrated environments, where the source IP of individual {{es}} instances may change.
-
- Use IP filters when the local cluster is self-managed.
+* [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), which allow filtering by organization ID or {{es}} cluster ID. This method is more reliable and recommended, as it combines mTLS with API key authentication for stronger security. These filters are specific to ECH and ECE, because they rely on the certificates and proxy mechanisms provided by ECH and ECE.
-* [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), which allow filtering by organization ID or {{es}} cluster ID. This method is more reliable and recommended, as it combines mTLS with API key authentication for stronger security.
-
- Use remote cluster filters when the local cluster is also on ECH or ECE, as these filters are specific to {{ecloud}} and ECE platforms.
+* [IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestrated environments, where the source IP of individual {{es}} instances may change.
### Use cases for remote clusters and network security [use-cases-network-security]
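Review bot: the guidance on when to choose each filter type is lost in this hunk: the removed lines told readers to use IP filters when the local cluster is self-managed and remote cluster filters when both clusters are on ECH or ECE, while the new bullets only say remote cluster filters are "specific to ECH and ECE". Suggest keeping one sentence per bullet, such as "Use this option when the local cluster also runs in ECH or ECE." and "Use this option when the local cluster is self-managed or orchestrated by ECK.", so a reader is not left weighing a "recommended" option that may not apply to them against a fallback with no stated use case.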
From 7f8ace6d89f1428cf3a7487a18e7ab9a32198ea7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Fri, 26 Sep 2025 10:46:25 +0200
Subject: [PATCH 20/21] ip filters introduced better as an option for
unsupported cases
---
deploy-manage/remote-clusters.md | 20 ++-----------------
.../ece-remote-cluster-ece-ess.md | 6 +++---
.../security/remote-cluster-filtering.md | 12 ++++++++---
3 files changed, 14 insertions(+), 24 deletions(-)
diff --git a/deploy-manage/remote-clusters.md b/deploy-manage/remote-clusters.md
index deef2b9b8c..f595986d65 100644
--- a/deploy-manage/remote-clusters.md
+++ b/deploy-manage/remote-clusters.md
@@ -78,25 +78,9 @@ With API key–based authentication, remote clusters require the local cluster (
* Local and remote clusters are {{ece}} deployments in the same ECE environment
* Local and remote clusters are {{ece}} deployments in different ECE environments
* The local deployment is on {{ech}} and the remote deployment is on an {{ece}} environment
+
::::{note}
- Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
+ Network security with remote cluster filters isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment. For this use case, consider disabling network security on the remote cluster or use an IP filter instead.
::::
[IP filters](/deploy-manage/security/ip-filtering.md) are the only option for applying network security when the local deployment is a self-managed or an {{eck}} cluster, and the remote is on {{ece}} or {{ech}}.
-
-### (option 2) Use cases for remote clusters and network security [use-cases-network-security2]
-
-Network security can be used to control remote cluster traffic in the following scenarios. The supported filter depends on the deployment types involved:
-
-| Scenario | Supported filter |
-|-------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------|
-| Local and remote clusters are ECH deployments in the same organization | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) |
-| Local and remote clusters are ECH deployments in different organizations | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) |
-| Local and remote clusters are ECE deployments in the same environment | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) |
-| Local and remote clusters are ECE deployments in different environments | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) |
-| The local deployment is on ECH and the remote deployment is on an ECE environment | [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) |
-| Local deployment is self-managed or orchestrated by ECK | [IP filters](/deploy-manage/security/ip-filtering.md) |
-
-::::{note}
-Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
-::::
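Review bot: the rewritten note ("+ Network security with remote cluster filters isn't supported…") lists disabling network security on the remote cluster before the IP filter; from a least-privilege standpoint the order should be reversed, with the IP filter first and a clause that disabling network security opens the cluster to every source, not only to cluster A. The sentence also needs parallel verbs: "consider disabling network security on the remote cluster or using an IP filter instead". Dropping the "(option 2)" table is fine since it duplicated the bullet list, and the new blank line before the note block fixes the rendering of the list above it.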
diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
index be1cfe8f08..510bf8d843 100644
--- a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
+++ b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
@@ -15,9 +15,9 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to an {{ecloud}} organization.
::::{note}
-* [Network security](../security/network-security.md) policies are not supported for cross-cluster operations from an {{ece}} environment to a remote {{ech}} deployment when using the API key–based authentication model.
-
-* If you configure remote clusters with the deprecated TLS certificate–based authentication model, connections work regardless of network security policies on the remote deployment.
+[Network security](../security/network-security.md) with [remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment when using the API key–based authentication model. For this use case, consider one of the following options:
+ * Disable network security in the remote cluster.
+ * Use an [IP filter network security policy](/deploy-manage/security/ip-filtering-cloud.md).
For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
::::
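Review bot: the removed bullet stating that connections using the deprecated TLS certificate–based model work regardless of network security policies on the remote deployment is a security-relevant fact that is not carried anywhere in the replacement; if it still holds, keep it here or move it to the network security section, because an administrator enabling network security needs to know which trust model it does not constrain. The replacement also lists "Disable network security in the remote cluster" before the IP filter option; put the IP filter policy first for the same least-privilege reason. The nested bullets in the note are indented by one space, which the other `::::{note}` blocks in this file don't do; align with the surrounding style.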
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
index 46fbf4a386..54cfca6f09 100644
--- a/deploy-manage/security/remote-cluster-filtering.md
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -10,20 +10,26 @@ sub:
# Remote cluster filtering
-In {{ech}} (ECH) and {{ece}} (ECE), remote cluster filters let you control incoming traffic from other deployments that use the [remote clusters functionality](/deploy-manage/remote-clusters.md) with API key–based authentication. These filters are specific to ECH and ECE and are not applicable when connecting from {{es}} clusters that run in {{eck}} or are self-managed, because they rely on the certificates and proxy mechanisms provided by ECH and ECE.
+In {{ech}} (ECH) and {{ece}} (ECE), remote cluster filters let you control incoming traffic from other deployments that use the [remote clusters functionality](/deploy-manage/remote-clusters.md) with API key–based authentication. These filters are specific to ECH and ECE, because they rely on the certificates and proxy mechanisms provided by these environments.
::::{note} about terminology
In the case of remote clusters, the {{es}} cluster or deployment initiating the connection and requests is often referred to as the **local cluster**, while the {{es}} cluster or deployment receiving the requests is referred to as the **remote cluster**.
::::
+::::{important}
+Remote cluster filters aren’t supported when the local cluster runs in {{eck}} or is self-managed, or when connecting from an {{ece}} cluster to a remote {{ech}} deployment. For these cases, use an [IP filter](./ip-filtering-cloud.md) instead.
+
+Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for more information about the remote clusters functionality, its relationship to network security, and the supported [use cases](/deploy-manage/remote-clusters.md#use-cases-network-security).
+::::
+
+## How remote cluster filters work
+
Remote cluster filters operate at the proxy level, filtering incoming connections based on the organization ID or {{es}} cluster ID of the local cluster that initiates the connection to the remote cluster service endpoint (default port `9443`).
Because of [how network security works](/deploy-manage/security/network-security.md#how-network-security-works), these filters are only relevant when network security is enabled on the remote cluster.
* If network security is disabled, all traffic is allowed by default and remote clusters work without any filtering policy.
* If network security is enabled, all traffic is blocked unless explicitly allowed. In this case, you must add a remote cluster filter in the remote cluster to permit remote cluster connections from the local clusters.
-Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for more information about the remote clusters functionality, its relationship to network security, and the supported use cases.
-
To apply a filter to a deployment, you must first create a security policy at the organization or platform level, and then apply it to your deployment.
This guide covers the following remote cluster filtering tasks:
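Review bot: the new important block links the fallback as `./ip-filtering-cloud.md`, a relative path, while every other link in this hunk is root-relative under `/deploy-manage/`; use the same form. More substantively, `ip-filtering-cloud.md` covers ECH only, but one of the listed cases (local cluster in ECK or self-managed) can have an ECE remote, where the ECE IP filtering page applies; link to the generic `/deploy-manage/security/ip-filtering.md` or name both. The "Refer to Remote clusters and network security…" paragraph moved into the important block is general reading guidance and reads better as a plain paragraph before the new "## How remote cluster filters work" heading.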
From 3d636e6a65befb6cb8c4f704eb345e09fd24314c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?=
<25320357+eedugon@users.noreply.github.com>
Date: Thu, 2 Oct 2025 23:35:29 +0200
Subject: [PATCH 21/21] content adapted to new supported use cases
---
deploy-manage/remote-clusters.md | 27 ++++++------
.../remote-clusters/ec-remote-cluster-ece.md | 7 +++-
.../ece-remote-cluster-ece-ess.md | 21 ++--------
.../ece-remote-cluster-other-ece.md | 3 +-
.../security/remote-cluster-filtering.md | 41 ++++++++-----------
5 files changed, 41 insertions(+), 58 deletions(-)
diff --git a/deploy-manage/remote-clusters.md b/deploy-manage/remote-clusters.md
index f595986d65..87bf9e73eb 100644
--- a/deploy-manage/remote-clusters.md
+++ b/deploy-manage/remote-clusters.md
@@ -62,25 +62,24 @@ In {{ech}} (ECH) and {{ece}} (ECE), the remote clusters functionality interacts
This section explains how remote clusters interact with network security when using API key–based authentication, and describes the supported use cases.
-### Filter types for remote cluster traffic
+### Filter types and supported use cases for remote cluster traffic [use-cases-network-security]
With API key–based authentication, remote clusters require the local cluster (A) to trust the transport SSL certificate presented by the remote cluster server (B). When network security is enabled on the destination cluster (B), it’s also necessary to explicitly allow the incoming traffic from cluster A. This can be achieved using different types of traffic filters:
-* [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), which allow filtering by organization ID or {{es}} cluster ID. This method is more reliable and recommended, as it combines mTLS with API key authentication for stronger security. These filters are specific to ECH and ECE, because they rely on the certificates and proxy mechanisms provided by ECH and ECE.
+* [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), available exclusively in ECH and ECE. They allow filtering by organization ID or {{es}} cluster ID and are the recommended option, as they combine mTLS with API key authentication for stronger security.
-* [IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestrated environments, where the source IP of individual {{es}} instances may change.
+* [IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges.
-### Use cases for remote clusters and network security [use-cases-network-security]
+The applicable filter type for the remote cluster depends on the local and remote deployment types:
-[Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) are supported to control remote cluster traffic in the following scenarios:
- * Local and remote clusters are {{ech}} deployments in the same organization
- * Local and remote clusters are {{ech}} deployments in different organizations
- * Local and remote clusters are {{ece}} deployments in the same ECE environment
- * Local and remote clusters are {{ece}} deployments in different ECE environments
- * The local deployment is on {{ech}} and the remote deployment is on an {{ece}} environment
+| Remote cluster →
Local cluster ↓ | Elastic Cloud Hosted | Elastic Cloud Enterprise | Self-managed / Elastic Cloud on Kubernetes |
+|-------------------------|----------------------|--------------------------|--------------------------------------------|
+| **Elastic Cloud Hosted** | [Remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md) | [IP filter](/deploy-manage/security/ip-filtering.md) | [IP filter](/deploy-manage/security/ip-filtering.md) or [Kubernetes network policy](/deploy-manage/security/k8s-network-policies.md) |
+| **Elastic Cloud Enterprise** | [IP filter](/deploy-manage/security/ip-filtering.md) | [Remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md) / [IP filter](/deploy-manage/security/ip-filtering.md) (\*) | [IP filter](/deploy-manage/security/ip-filtering.md) or [Kubernetes network policy](/deploy-manage/security/k8s-network-policies.md) |
+| **Self-managed / Elastic Cloud on Kubernetes** | [IP filter](/deploy-manage/security/ip-filtering.md) | [IP filter](/deploy-manage/security/ip-filtering.md) | [IP filter](/deploy-manage/security/ip-filtering.md) or [Kubernetes network policy](/deploy-manage/security/k8s-network-policies.md) |
- ::::{note}
- Network security with remote cluster filters isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment. For this use case, consider disabling network security on the remote cluster or use an IP filter instead.
- ::::
+(*) For ECE, remote cluster filters apply when both clusters are in the **same environment**. Use IP filters when the clusters belong to **different environments**.
-[IP filters](/deploy-manage/security/ip-filtering.md) are the only option for applying network security when the local deployment is a self-managed or an {{eck}} cluster, and the remote is on {{ece}} or {{ech}}.
+::::{note}
+When using self-managed security mechanisms (such as firewalls), keep in mind that remote clusters with API key–based authentication use port `9443` by default. Specify this port if a destination port is required.
+::::
\ No newline at end of file
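Review bot: the table header in this hunk is split across two lines ("+| Remote cluster →" followed by "Local cluster ↓ | Elastic Cloud Hosted | …"), and the second line carries no `+` prefix in the diff, so the header row will not render as a Markdown table. Put it on one line, for example `| Local cluster ↓ / Remote cluster → | Elastic Cloud Hosted | Elastic Cloud Enterprise | Self-managed / Elastic Cloud on Kubernetes |`, or use `<br>` inside the cell if the renderer supports it. The file now ends without a trailing newline ("\ No newline at end of file"); add one. Content-wise the ECH→ECE and ECE→ECH cells now say IP filter, which matches the rewritten notes in `ec-remote-cluster-ece.md` and `ece-remote-cluster-ece-ess.md` later in this patch, and the note on port `9443` is a useful addition for anyone writing firewall rules.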
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
index 448c9633ed..a23814dabf 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
@@ -15,7 +15,7 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to an {{ECE}} (ECE) environment.
::::{note}
-If network security filters are applied to the remote cluster on ECE, the remote cluster administrator must configure a [remote cluster security filter](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local ECH cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+If network security filters are applied to the remote cluster on ECE, the remote cluster administrator must configure an [IP filter](/deploy-manage/security/ip-filtering-ece.md) to allow traffic from [{{ecloud}} IP addresses](/deploy-manage/security/elastic-cloud-static-ips.md#ec-egress). For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
::::
## Allow the remote connection [ec_allow_the_remote_connection_3]
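Review bot: the rewritten note tells the ECE administrator to allow traffic from {{ecloud}} IP addresses but not which ones; the linked egress page lists ranges per provider and region, so recommend allowing only the egress ranges of the region hosting the local ECH deployment rather than every published range, and mention that the filter has to be reviewed when that list changes. Dropping the old sentence about organization ID or cluster ID as filtering criteria is correct now that remote cluster filters do not apply between ECH and ECE.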
@@ -216,6 +216,11 @@ On the local cluster, add the remote cluster using {{kib}} or the {{es}} API.
* **Server name**: This value can be found on the **Security** page of the {{ech}} deployment you want to use as a remote.
+ :::{image} /deploy-manage/images/cloud-enterprise-ce-copy-remote-cluster-parameters.png
+ :alt: Remote Cluster Parameters in Deployment
+ :screenshot:
+ :::
+
::::{note}
If you’re having issues establishing the connection and the remote cluster is part of an {{ece}} environment with a private certificate, make sure that the proxy address and server name match with the the certificate information. For more information, refer to [Administering endpoints in {{ece}}](/deploy-manage/deploy/cloud-enterprise/change-endpoint-urls.md).
::::
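Review bot: the screenshot added under **Server name** is the ECE image `cloud-enterprise-ce-copy-remote-cluster-parameters.png`, which fits this file (the remote is ECE), but the unchanged bullet it illustrates says the value is found on the Security page of the {{ech}} deployment used as a remote; that bullet should read {{ece}} and deserves fixing while the step is being touched, matching the mirror-image correction made in `ece-remote-cluster-ece-ess.md` below. The unchanged note also has "match with the the certificate information"; drop the duplicated "the".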
diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
index 510bf8d843..d02ec683ab 100644
--- a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
+++ b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md
@@ -12,14 +12,10 @@ products:
# Connect {{ece}} deployments to an {{ecloud}} organization [ece-remote-cluster-ece-ess]
-This section explains how to configure a deployment to connect remotely to clusters belonging to an {{ecloud}} organization.
+This section explains how to configure an {{ece}} (ECE) deployment to connect remotely to clusters belonging to an {{ecloud}} organization.
::::{note}
-[Network security](../security/network-security.md) with [remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md) isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment when using the API key–based authentication model. For this use case, consider one of the following options:
- * Disable network security in the remote cluster.
- * Use an [IP filter network security policy](/deploy-manage/security/ip-filtering-cloud.md).
-
-For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+If network security filters are applied to the remote cluster on {{ecloud}}, the remote cluster administrator must configure an [IP filter](/deploy-manage/security/ip-filtering-cloud.md) to allow connections from the IP addresses (or CIDR ranges) of the local ECE allocator hosts. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
::::
## Allow the remote connection [ece_allow_the_remote_connection_3]
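Review bot: "IP addresses (or CIDR ranges) of the local ECE allocator hosts" in the new note should specify the source addresses as seen by {{ecloud}}, that is, the public egress addresses of the allocators or of the NAT gateway in front of them; an administrator who enters the allocators' internal addresses gets a filter that never matches. A sentence reminding readers to update the filter when allocators are added would also help. Removing the "disable network security" option from this note is an improvement over the previous patch.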
@@ -155,22 +151,13 @@ On the local cluster, add the remote cluster using {{kib}} or the {{es}} API.
* **Name**: This *cluster alias* is a unique identifier that represents the connection to the remote cluster and is used to distinguish local and remote indices.
When using API key authentication, this alias must match the **Remote cluster name** you configured when adding the API key in the Cloud UI.
- * **Proxy address**: This value can be found on the **Security** page of the {{ece}} deployment you want to use as a remote.
+ * **Proxy address**: This value can be found on the **Security** page of the {{ech}} deployment you want to use as a remote.
::::{tip}
If you’re using API keys as security model, change the port into `9443`.
::::
- * **Server name**: This value can be found on the **Security** page of the {{ece}} deployment you want to use as a remote.
-
- :::{image} /deploy-manage/images/cloud-enterprise-ce-copy-remote-cluster-parameters.png
- :alt: Remote Cluster Parameters in Deployment
- :screenshot:
- :::
-
- ::::{note}
- If you’re having issues establishing the connection and the remote cluster is part of an {{ece}} environment with a private certificate, make sure that the proxy address and server name match with the the certificate information. For more information, refer to [Administering endpoints in {{ece}}](/deploy-manage/deploy/cloud-enterprise/change-endpoint-urls.md).
- ::::
+ * **Server name**: This value can be found on the **Security** page of the {{ech}} deployment you want to use as a remote.
4. Click **Next**.
5. Click **Add remote cluster** (you have already established trust in a previous step).
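Review bot: the ece→ech corrections to the Proxy address and Server name bullets are right for this file (the remote is ECH), and removing the ECE private-certificate note and the ECE screenshot is consistent with that. While here, the unchanged tip reads "If you're using API keys as security model, change the port into `9443`"; suggest "If you're using API keys as the security model, change the port to `9443`".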
diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md b/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md
index c7caa361d1..566281d8d7 100644
--- a/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md
+++ b/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md
@@ -14,10 +14,9 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to a different {{ece}} environment.
::::{note}
-If network security filters are applied to the remote cluster, the remote cluster administrator must configure a [remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md), using either the ECE environment ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+If network security filters are applied to the remote cluster on ECE, the remote cluster administrator must configure an [IP filter](/deploy-manage/security/ip-filtering-ece.md) to allow connections from the IP addresses (or CIDR ranges) of the local ECE allocator hosts. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
::::
-
## Allow the remote connection [ece_allow_the_remote_connection_2]
Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps.
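Review bot: "the remote cluster on ECE" is ambiguous in a page where both clusters are on ECE; "on the remote ECE environment" is clearer. The same caveat as for connections to {{ecloud}} applies to the addresses to allow: they are the source addresses the remote environment's proxies see, not the allocators' internal addresses.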
diff --git a/deploy-manage/security/remote-cluster-filtering.md b/deploy-manage/security/remote-cluster-filtering.md
index 54cfca6f09..1b60bbcd15 100644
--- a/deploy-manage/security/remote-cluster-filtering.md
+++ b/deploy-manage/security/remote-cluster-filtering.md
@@ -10,21 +10,24 @@ sub:
# Remote cluster filtering
-In {{ech}} (ECH) and {{ece}} (ECE), remote cluster filters let you control incoming traffic from other deployments that use the [remote clusters functionality](/deploy-manage/remote-clusters.md) with API key–based authentication. These filters are specific to ECH and ECE, because they rely on the certificates and proxy mechanisms provided by these environments.
+In {{ech}} (ECH) and {{ece}} (ECE), remote cluster filters let you control incoming traffic from other deployments that use the [remote clusters functionality](/deploy-manage/remote-clusters.md) with API key–based authentication.
::::{note} about terminology
In the case of remote clusters, the {{es}} cluster or deployment initiating the connection and requests is often referred to as the **local cluster**, while the {{es}} cluster or deployment receiving the requests is referred to as the **remote cluster**.
::::
-::::{important}
-Remote cluster filters aren’t supported when the local cluster runs in {{eck}} or is self-managed, or when connecting from an {{ece}} cluster to a remote {{ech}} deployment. For these cases, use an [IP filter](./ip-filtering-cloud.md) instead.
+These filters are supported only when the local and remote clusters run on the same platform (both on the same ECE environment, or both on ECH), as they rely on the certificates and proxy mechanisms provided by these environments.
Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for more information about the remote clusters functionality, its relationship to network security, and the supported [use cases](/deploy-manage/remote-clusters.md#use-cases-network-security).
-::::
+
## How remote cluster filters work
-Remote cluster filters operate at the proxy level, filtering incoming connections based on the organization ID or {{es}} cluster ID of the local cluster that initiates the connection to the remote cluster service endpoint (default port `9443`).
+Remote cluster filters operate at the proxy level, allowing incoming connections based on the organization ID or {{es}} cluster ID of the local cluster that initiates the connection to the remote cluster service endpoint (default port `9443`).
+
+::::{note}
+In {{ece}}, the equivalent of the organization ID in {{ech}} is the **environment ID**, which serves the same purpose for remote cluster filtering.
+::::
Because of [how network security works](/deploy-manage/security/network-security.md#how-network-security-works), these filters are only relevant when network security is enabled on the remote cluster.
* If network security is disabled, all traffic is allowed by default and remote clusters work without any filtering policy.
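Review bot: the replacement sentence "supported only when the local and remote clusters run on the same platform (both on the same ECE environment, or both on ECH)" drops the fallback the removed important block gave ("use an IP filter instead"); add a clause pointing to IP filters for every other combination so this page stays self-contained. Changing "filtering incoming connections" to "allowing incoming connections" is a good correction, since these filters only ever add allow rules. The new environment ID note is helpful; say explicitly that it is entered in the field labelled **Organization ID** in the ECE UI, which is what the ECE procedure later in this patch relies on.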
@@ -62,9 +65,7 @@ Remote cluster filters are presented in {{ecloud}} as a type of Private Connecti
8. In the **Organization ID** and **{{es}} ID** fields, enter the organization or cluster ID of the {{ecloud}} deployments from which you want to allow traffic. Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.
::::{tip}
- * Find the organization ID on the organization page in the top-right menu, and the {{es}} ID of a deployment by selecting **Copy cluster ID** on the deployment management page.
-
- * {{ecloud}} supports filtering remote cluster traffic from deployments in the same and other ECH organizations, but not from ECE environments. Refer to the list of [supported use cases](/deploy-manage/remote-clusters.md#use-cases-network-security) for more information.
+ You can find the organization ID on the organization page in the top-right menu, and the {{es}} cluster ID of a deployment by selecting **Copy cluster ID** on the deployment management page.
::::
9. Optional: Under **Apply to resources**, associate the new filter with one or more deployments. After you associate the filter with a deployment, it will allow remote cluster traffic coming from the organization or {{es}} IDs defined in the rules.
@@ -89,27 +90,19 @@ To create a remote cluster filter:
3. Select **Create filter**.
4. Select **Remote cluster rule set** as the filter type.
5. Add a meaningful name and description for the rule set.
-6. In the **Organization ID** and **{{es}} ID** fields, enter the organization or cluster ID of the deployments from which you want to allow traffic. Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.
+6. In the **Organization ID** and **{{es}} ID** fields, enter the ECE environment ID or cluster ID of the deployments from which you want to allow traffic.
+ * Use the **ECE environment ID** as the organization ID to allow traffic from all deployments in that environment.
+ * Use the **{{es}} cluster ID** to allow traffic only from specific deployments.
- :::{note}
- * ECE supports filtering remote cluster traffic from deployments in the same ECE system, in other ECE environments, or in {{ecloud}}.
- * For ECE systems, use the **Environment ID** from **Platform → Trust Management → Trust parameters** as the organization ID.
- * In {{ecloud}}, the organization ID is shown on the organization page in the top-right menu.
- * To get a deployment’s {{es}} ID, select **Copy cluster ID** on its management page in the Cloud UI or {{ecloud}} console.
- :::
+ Provide one or both values; traffic is allowed if it matches either ID. To add multiple rules to the filter, use the plus (`+`) button.
+
+ ::::{tip}
+ You can find the ECE environment ID under **Platform → Trust Management → Trust parameters**, and the {{es}} cluster ID of a deployment by selecting **Copy cluster ID** on the deployment management page.
+ ::::
7. Select if this rule set should be automatically attached to new deployments.
8. Select **Create filter** to create the remote cluster filter.
-:::{important}
-Because this type of filter operates at the proxy level, if the local deployments or organizations in the filter belong to a different ECE environment or to ECH, you must add the transport TLS CA certificate of the local environment to the ECE proxy:
-
-* Find the TLS CA certificate in the **Security -> Remote Connections -> CA certificates** section of any deployment of the environment that initiates the remote connection. In {{ecloud}}, each provider and region has its own CA certificate, while in ECE a single CA certificate is used for the entire installation.
-
-* To add a CA certificate to the ECE proxy, go to **Platform -> Settings -> TLS certificates** in the UI and update the certificate chain used when configuring your ECE installation. Append the required CA certificates to the end of the chain. The final chain should look like this: `Proxy private key`, `Proxy SSL certificate`, `Proxy CA(s)`, followed by the remaining CAs. For more details, refer to [Add a proxy certificate](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md#ece-tls-proxy).
-:::
-
-
::::
:::::
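Review bot: removing the important block about appending foreign CA certificates to the ECE proxy chain is consistent with the new same-environment-only scope, but the procedure should then state near step 6 that IDs from other ECE environments or from ECH are never matched, otherwise a reader who lands here directly will enter another environment's ID and get a filter that silently never allows anything. Step 6's sub-bullets distinguishing environment ID and cluster ID are clear; in step 7, "Select if this rule set should be automatically attached" should be "Select whether…". The trailing blank lines removed before `::::` are fine.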