elastic · eedugon · Oct 6, 2025 · Sep 18, 2025 · Sep 18, 2025 · Sep 18, 2025
@@ -34,7 +34,53 @@ Depending on the environment the local and remote clusters are deployed on and t
 
 Find the instructions with details on the supported security models and available connection modes for your specific scenario:
 
-- [Remote clusters with {{ech}}](remote-clusters/ec-enable-ccs.md)
-- [Remote clusters with {{ece}}](remote-clusters/ece-enable-ccs.md)
-- [Remote clusters with {{eck}}](remote-clusters/eck-remote-clusters.md)
-- [Remote clusters with self-managed installations](remote-clusters/remote-clusters-self-managed.md)
+- [Remote clusters on {{ech}}](remote-clusters/ec-enable-ccs.md)
+- [Remote clusters on {{ece}}](remote-clusters/ece-enable-ccs.md)
+- [Remote clusters on {{eck}}](remote-clusters/eck-remote-clusters.md)
+- [Remote clusters on self-managed installations](remote-clusters/remote-clusters-self-managed.md)
+
+## Remote clusters and network security [network-security]
+```{applies_to}
+deployment:
+  ece: ga
+  ess: ga
+```
+
+In {{ech}} (ECH) and {{ece}} (ECE), the remote clusters functionality interacts with [network security](/deploy-manage/security/network-security.md) traffic filtering rules in different ways, depending on the [security model](/deploy-manage/remote-clusters/remote-clusters-self-managed.md#remote-clusters-security-models) you use.
+
+* **TLS certificate–based authentication (deprecated):**
+  For remote clusters configured using the TLS certificate–based security model, network security policies or rule sets have no effect on remote clusters functionality. Connections established with this method (mTLS) are already considered secure and are always accepted, regardless of any filtering policies or rule sets applied on the local or remote deployment to restrict other traffic.
+
+* **API key–based authentication (recommended):**
+  When remote clusters use the API key–based authentication model, network security policies or rule sets on the **destination (remote) deployment** do affect remote cluster functionality if enabled. In this case, you can use traffic filters to explicitly control which deployments are allowed to connect to the remote cluster service endpoint.
+
+  ::::{note}
+  Because of [how network security works](/deploy-manage/security/network-security.md#how-network-security-works):
+    * If network security is disabled, all traffic is allowed by default, and remote clusters work without requiring any specific filtering policy.
+    * If network security is enabled on the remote cluster, apply a [remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md#create-remote-cluster-filter) to allow incoming connections from the local clusters. Without this filter, the connections are blocked.
+  ::::
+
+This section explains how remote clusters interact with network security when using API key–based authentication, and describes the supported use cases.
+
+### Filter types for remote clusters traffic
+
+Network security for remote cluster incoming connections using API key authentication supports two types of filters:
+
+* [IP filters](/deploy-manage/security/ip-filtering.md), which allow traffic based on IP addresses or CIDR ranges. These can be difficult to manage in orchestrated environments, where the source IP of individual {{es}} instances may change.  
+* [Remote cluster filters](/deploy-manage/security/remote-cluster-filtering.md), which allow filtering by organization ID or {{es}} cluster ID. This method is more reliable and recommended, as it combines mTLS with API key authentication for stronger security.
+
+### Use cases for remote clusters and network security [use-cases-network-security]
+
+Network security is supported to control remote cluster traffic in the following scenarios:
+
+* Local and remote clusters are {{ech}} deployments in the same organization
+* Local and remote clusters are {{ech}} deployments in different organizations 
+* Local and remote clusters are {{ece}} deployments in the same ECE environment
+* Local and remote clusters are {{ece}} deployments in different ECE environments
+* The local deployment is on {{ech}} and the remote deployment is on an {{ece}} environment
+
+::::{note}
+Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
+::::
+
+Refer to [Remote cluster filtering](/deploy-manage/security/remote-cluster-filtering.md) for instructions on creating and applying remote cluster filters in ECH or ECE.
@@ -19,6 +19,10 @@ You can configure an {{ech}} deployment to either connect to remote clusters or
 * A deployment in an {{eck}} installation
 * A self-managed installation.
 
+::::{note}
+Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for details on how remote clusters interact with network security policies and the implications for your deployments.
+::::
+
 
 ## Prerequisites [ec-ccs-ccr-prerequisites]
 
@@ -51,20 +55,6 @@ The steps, information, and authentication method required to configure CCS and
     * [From a self-managed cluster](remote-clusters-self-managed.md)
     * [From an ECK environment](ec-enable-ccs-for-eck.md)
 
-
 ## Remote clusters and network security [ec-ccs-ccr-network-security]
 
-::::{note}
-[Network security](../security/network-security.md) isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
-::::
-
-You can use [network security policies](../security/network-security.md) to restrict access to deployments used as a local or remote cluster, without impacting cross-cluster search or cross-cluster replication.
-
-Network security for remote clusters supports the following methods:
-
-* [Filtering by IP addresses and Classless Inter-Domain Routing (CIDR) masks](../security/ip-filtering.md)
-* Filtering by Organization or {{es}} cluster ID with a **Remote cluster** private connection policy. You can configure this type of policy from the **Access and security** > **Network security** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page.
-
-::::{note}
-When setting up network security policies for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections.
-::::
+If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to your deployment, then you might need to take extra steps to allow a cluster to make requests to your cluster. Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
@@ -14,6 +14,10 @@ products:
 
 This section explains how to configure a deployment to connect remotely to clusters belonging to an {{ECE}} (ECE) environment.
 
+::::{note}
+If network security filters are applied to the remote cluster on ECE, the remote cluster administrator must configure a [remote cluster security filter](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local ECH cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+::::
+
 ## Allow the remote connection [ec_allow_the_remote_connection_3]
 
 Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps.
@@ -143,7 +147,7 @@ A deployment can be configured to trust all or specific deployments in a remote
 
 7. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment’s **Security** page.
 8. Select **Create trust** to complete the configuration.
-9. Configure the corresponding deployments of the ECE environment to [trust this deployment](/deploy-manage/remote-clusters/ece-enable-ccs.md). You will only be able to connect two deployments successfully when both of them trust each other.
+9. Configure the corresponding deployments of the ECE environment to [trust this deployment](/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md#ece-trust-ec). You will only be able to connect two deployments successfully when both of them trust each other.
 
 ::::{note}
 The environment ID and cluster IDs must be entered fully and correctly. For security reasons, verification of the IDs is not possible. If cross-environment trust does not appear to be working, double-checking the IDs is a good place to start.

@@ -14,7 +14,7 @@ products:
 This section explains how to configure a deployment to connect remotely to clusters belonging to a different {{ecloud}} organization.
 
 ::::{note}
-If network security policies are applied to the remote cluster, the remote cluster administrator must configure a private connection policy of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and network security](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-network-security).
+If network security policies are applied to the remote cluster, the remote cluster administrator must configure a [private connection policy of type remote cluster](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
 ::::
 
 ## Allow the remote connection [ec_allow_the_remote_connection_2]

@@ -14,7 +14,7 @@ products:
 This section explains how to configure a deployment to connect remotely to clusters belonging to the same {{ecloud}} organization.
 
 ::::{note}
-If network security is enabled on the remote cluster, the remote cluster administrator must configure a private connection policy of type **Remote cluster**, specifying either the organization ID or the Elasticsearch cluster ID. For detailed instructions, refer to [Remote clusters and network security](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-network-security).
+If network security policies are applied to the remote cluster, the remote cluster administrator must configure a [private connection policy of type remote cluster](/deploy-manage/security/remote-cluster-filtering.md), using either the organization ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
 ::::
 
 ## Allow the remote connection [ec_allow_the_remote_connection]

@@ -19,6 +19,9 @@ You can configure an {{ece}} deployment to either connect to remote clusters or
 * A deployment running on an {{eck}} installation
 * A self-managed installation
 
+::::{note}
+Refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security) for details on how remote clusters interact with network security filters and the implications for your deployments.
+::::
 
 ## Prerequisites [ece-ccs-ccr-prerequisites]
 
@@ -57,21 +60,6 @@ The steps, information, and authentication method required to configure CCS and
     * [From a self-managed cluster](/deploy-manage/remote-clusters/remote-clusters-self-managed.md)
     * [From an ECK environment](ece-enable-ccs-for-eck.md)
 
-
 ## Remote clusters and network security [ece-ccs-ccr-network-security]
 
-::::{note}
-Network security isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
-::::
-
-
-For remote clusters configured using TLS certificate authentication, [network security](../security/network-security.md) can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.
-
-Traffic filtering for remote clusters supports two methods:
-
-* [Filtering by IP addresses and Classless Inter-Domain Routing (CIDR) masks](../security/ip-filtering-ece.md)
-* Filtering by Organization or {{es}} cluster ID with a Remote cluster type filter. You can configure this type of filter from the **Platform** > **Security** page of your environment or using the [{{ece}} API](https://www.elastic.co/docs/api/doc/cloud-enterprise) and apply it from each deployment’s **Security** page.
-
-::::{note}
-When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections. This applies regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections.
-::::
+If you have [network security filters](/deploy-manage/security/ece-filter-rules.md) applied to your deployment, then you might need to take extra steps to allow a cluster to make requests to your cluster. Some remote cluster configurations are not compatible with network security, including incoming connections from {{eck}} and self-managed clusters. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
@@ -14,6 +14,14 @@ products:
 
 This section explains how to configure a deployment to connect remotely to clusters belonging to an {{ecloud}} organization.
 
+::::{note}
+* [Network security](../security/network-security.md) policies are not supported for cross-cluster operations from an {{ece}} environment to a remote {{ech}} deployment when using the API key–based authentication model.
+
+* If you configure remote clusters with the deprecated TLS certificate–based authentication model, connections work regardless of network security policies on the remote deployment.  
+
+For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+::::
+
 ## Allow the remote connection [ece_allow_the_remote_connection_3]
 
 Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps.

@@ -13,6 +13,10 @@ products:
 
 This section explains how to configure a deployment to connect remotely to clusters belonging to a different {{ece}} environment.
 
+::::{note}
+If network security filters are applied to the remote cluster, the remote cluster administrator must configure a [remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md), using either the ECE environment ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+::::
+
 
 ## Allow the remote connection [ece_allow_the_remote_connection_2]
 

@@ -13,6 +13,9 @@ products:
 
 This section explains how to configure a deployment to connect remotely to clusters belonging to the same {{ece}} environment.
 
+::::{note}
+If network security filters are applied to the remote cluster, the remote cluster administrator must configure a [remote cluster filter](/deploy-manage/security/remote-cluster-filtering.md), using either the ECE environment ID or the Elasticsearch cluster ID of the local cluster as the filtering criteria. For more information, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security).
+::::
 
 ## Allow the remote connection [ece_allow_the_remote_connection]
 

@@ -0,0 +1,4 @@
+1. Open the deployment management page in the Cloud UI.
+2. Select the **Security** tab on the left-hand side menu bar.
+3. Under **Traffic filters**, select **Apply filter**.
+4. Choose the filter you want to apply and select **Apply filter**.
@@ -0,0 +1,4 @@
+1. Open the deployment management page in the Cloud UI.
+2. Select the **Security** tab on the left-hand side menu bar.
+3. Under **Traffic filters**, choose the filter you want to detach and select the **X** icon in the **Actions** column.
+4. In the confirmation dialog, select **Remove filter**.
@@ -57,18 +57,17 @@ To create a rule set:
 
 After you’ve created the rule set, you’ll need to associate it with your deployment:
 
-1. Go to the deployment.
-2. On the **Security** page, under **Traffic filters**, select **Apply filter**.
-3. Choose the filter you want to apply and select **Apply filter**.
+:::{include} _snippets/associate-filter-ece.md
+:::
 
 At this point, the IP filtering rule set is active. You can remove or edit it at any time.
 
 ## Remove an IP filtering rule set association from your deployment [remove-filter-deployment]
 
 If you want to remove any traffic restrictions from a deployment or delete a rule set, you’ll need to remove any rule set associations first. To remove an association through the UI:
 
-1. Go to the deployment.
-2. On the **Security** page, under **Traffic filters** select **Remove**.
+:::{include} _snippets/detach-filter-ece.md
+:::
 
 ## Edit an IP filtering rule set
 

@@ -44,6 +44,7 @@ You can also allow traffic to or from a [remote cluster](/deploy-manage/remote-c
 | Filter type | Description | Applicable deployment types |
 | --- | --- | --- |
 | [IP filters](ip-filtering.md) | Filter traffic from the public internet by allowlisting specific IP addresses and Classless Inter-Domain Routing (CIDR) masks.<br><br>• [In {{serverless-short}} or ECH](/deploy-manage/security/ip-filtering-cloud.md)<br><br>• [In ECE](/deploy-manage/security/ip-filtering-ece.md)<br><br>• [In ECK or self-managed](/deploy-manage/security/ip-filtering-basic.md) | {{serverless-short}}, ECH, ECE, ECK, and self-managed clusters |
+| [Remote cluster filters](./remote-cluster-filtering.md) | Filter incoming remote cluster traffic by validating the client certificate against its `organization_id` and `cluster_id`.<br><br>Only applicable with the API key–based authentication model.<br><br>Not supported for ECE → ECH traffic. | ECH and ECE, limited to [these use cases](/deploy-manage/remote-clusters.md#use-cases-network-security) |
 | [Private connectivity and VPC filtering](/deploy-manage/security/private-connectivity.md) | Establish private connections between {{es}} and other resources hosted by the same cloud provider using private link services, and further secure these connections using VPC filtering. Choose the relevant option for your region:<br><br>• AWS regions: [AWS PrivateLink](/deploy-manage/security/private-connectivity-aws.md)<br><br>• Azure regions: [Azure Private Link](/deploy-manage/security/private-connectivity-azure.md)<br><br>• GCP regions: [GCP Private Service Connect](/deploy-manage/security/private-connectivity-gcp.md) | {{ech}} only |
 | [Kubernetes network policies](/deploy-manage/security/k8s-network-policies.md) | Isolate pods by restricting incoming and outgoing network connections to a trusted set of sources and destinations. | {{eck}} only |