[Remote Clusters] Connection modes and Security models presented in their own pages for all deployment types #3151
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
🔍 Preview links for changed docs |
shainaraskas
approved these changes
Oct 6, 2025
|
|
||
| When configuring remote clusters, you can choose between two security models and two connection modes. Both security models are compatible with either connection mode. | ||
|
|
||
| You can learn more in the following documents: |
There was a problem hiding this comment.
nit: this doesn't really flow nicely because you're also explaining what the models and modes are in this list. I'd probably kill this sentence and just leave the links as implicit.
Comment on lines
+4
to
+8
| deployment: | ||
| ece: ga | ||
| ess: ga | ||
| eck: ga | ||
| self: ga |
There was a problem hiding this comment.
Reading through this, I feel like this should maybe just be labeled as self: ga + MAYBE eck: ga with a note that ece/ech use proxy mode under the hood.
otherwise just label it stack because it's info relevant to all stack-managed deployments
|
|
||
| The choice between sniff and proxy mode depends on your network architecture and deployment type. | ||
|
|
||
| - **Self-managed environments:** If direct connections on the publish addresses between {{es}} nodes in both clusters are possible, you can use sniff mode. If direct connectivity is difficult to implement—for example, when clusters are separated by NAT, firewalls, or containerized environments—you can place a reverse proxy or load balancer in front of the remote cluster and use proxy mode instead. |
There was a problem hiding this comment.
sometimes people refer to ece/eck as "self-managed environments" so this is a tiny bit clearer
Suggested change
| - **Self-managed environments:** If direct connections on the publish addresses between {{es}} nodes in both clusters are possible, you can use sniff mode. If direct connectivity is difficult to implement—for example, when clusters are separated by NAT, firewalls, or containerized environments—you can place a reverse proxy or load balancer in front of the remote cluster and use proxy mode instead. | |
| - **Self-managed clusters:** If direct connections on the publish addresses between {{es}} nodes in both clusters are possible, you can use sniff mode. If direct connectivity is difficult to implement—for example, when clusters are separated by NAT, firewalls, or containerized environments—you can place a reverse proxy or load balancer in front of the remote cluster and use proxy mode instead. |
| products: | ||
| - id: elasticsearch | ||
| --- | ||
| # Remote clusters connection modes |
There was a problem hiding this comment.
Suggested change
| # Remote clusters connection modes | |
| # Remote cluster connection modes |
| Sniff mode is the default connection mode when adding a remote cluster. See [Sniff mode remote cluster settings](remote-clusters-settings.md#remote-cluster-sniff-settings) for more information about configuring sniff mode. | ||
|
|
||
| ::::{note} | ||
| The sniff mode is not supported in {{ech}} and {{ece}} deployments, and it's not recommended in {{eck}} due to its complexity. Use proxy mode instead. |
There was a problem hiding this comment.
Suggested change
| The sniff mode is not supported in {{ech}} and {{ece}} deployments, and it's not recommended in {{eck}} due to its complexity. Use proxy mode instead. | |
| Sniff mode is not supported in {{ech}} and {{ece}} deployments. In {{eck}}, sniff mode is not recommended due to its complexity. In these three cases, use proxy mode instead. |
|
|
||
| With this security model, authorization is enforced jointly by the local and remote cluster, as follows: | ||
|
|
||
| * All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. |
There was a problem hiding this comment.
avoid and/or - we can use an "inclusive or"
Suggested change
| * All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. | |
| * All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. |
|
|
||
| * All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. | ||
|
|
||
| * On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key. |
There was a problem hiding this comment.
Suggested change
| * On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key. | |
| * On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. It is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key. |
|
|
||
| ### Connection details | ||
|
|
||
| In this model, cross-cluster operations use [a dedicated server port](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#remote_cluster.port) (remote cluster interface), for communication between clusters. The default port is `9443`. The remote cluster must enable this port for local clusters to connect. |
There was a problem hiding this comment.
while these brackets make sense, we technically should not use them
Suggested change
| In this model, cross-cluster operations use [a dedicated server port](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#remote_cluster.port) (remote cluster interface), for communication between clusters. The default port is `9443`. The remote cluster must enable this port for local clusters to connect. | |
| In this model, cross-cluster operations use [a dedicated server port](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#remote_cluster.port), referred to as the remote cluster interface, for communication between clusters. The default port is `9443`. The remote cluster must enable this port for local clusters to connect. |
|
|
||
| ### Setup | ||
|
|
||
| Refer to [Remote clusters setup](../remote-clusters.md#setup) for configuration guidance across all deployment types. |
There was a problem hiding this comment.
each setup can be thought of on a one-to-one basis, so we should always make this singular except for when we refer to the concept as a whole
Suggested change
| Refer to [Remote clusters setup](../remote-clusters.md#setup) for configuration guidance across all deployment types. | |
| Refer to [Remote cluster setup](../remote-clusters.md#setup) for configuration guidance across all deployment types. |
|
|
||
| ### Setup | ||
|
|
||
| Refer to [Remote clusters setup](../remote-clusters.md#setup) for configuration guidance across all deployment types. |
There was a problem hiding this comment.
Suggested change
| Refer to [Remote clusters setup](../remote-clusters.md#setup) for configuration guidance across all deployment types. | |
| Refer to [Remote cluster setup](../remote-clusters.md#setup) for configuration guidance across all deployment types. |
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR presents RCS connection modes (proxy & sniff) and security models (TLS certificates & API key) properly within Remote Clusters sections, as currently the detailed information was only available in the self-managed configuration guide for remote clusters.
Pending items after validating the content:
Update links in other docs-content content (and other repos) to these new docs instead of the self-managed configuration guides.
After Remote clusters client settings moved from docs-content elasticsearch#135698 we can link to the ref docs for settings instead of the self-managed doc.
As soon as we merge these new docs (or maybe in this PR also) we will analyze if the self-managed docs can be updated as they might feel repetitive / duplicate. Maybe we can use snippets and then enrich the self-managed content.
Closes #2064