Merged
20 changes: 10 additions & 10 deletions deploy-manage/security/aws-privatelink-traffic-filters.md
Expand Up @@ -49,7 +49,7 @@ Transport client is not supported over PrivateLink connections.
::::


AWS PrivateLink establishes a secure connection between two AWS Virtual Private Clouds (VPCs). The VPCs can belong to separate accounts, i.e. a service provider and its service consumers. AWS routes the PrivateLink traffic within the AWS data center and never exposes it to the public internet. In such a configuration, Elastic Cloud is the third-party service provider and the customers are service consumers.
AWS PrivateLink establishes a secure connection between two AWS Virtual Private Clouds (VPCs). The VPCs can belong to separate accounts, i.e. a service provider and its service consumers. AWS routes the PrivateLink traffic within the AWS data center and never exposes it to the public internet. In such a configuration, {{ecloud}} is the third-party service provider and the customers are service consumers.

PrivateLink is a connection between a VPC Endpoint and a PrivateLink Service.

Expand Down Expand Up @@ -94,11 +94,11 @@ PrivateLink Service is set up by Elastic in all supported AWS regions under the
::::


The process of setting up the PrivateLink connection to your clusters is split between AWS (e.g. by using AWS console) and Elastic Cloud UI. These are the high-level steps:
The process of setting up the PrivateLink connection to your clusters is split between AWS (e.g. by using AWS console) and {{ecloud}} UI. These are the high-level steps:

| AWS console | Elastic Cloud |
| AWS console | {{ecloud}} |
| --- | --- |
| 1. Create a VPC endpoint using Elastic Cloud service name. | |
| 1. Create a VPC endpoint using {{ecloud}} service name. | |
| 2. Create a DNS record pointing to the VPC endpoint. | |
| | 3. Create a PrivateLink rule set with your VPC endpoint ID. |
| | 4. Associate the PrivateLink rule set with your deployments. |
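Review bot: the changed table cell "Create a VPC endpoint using {{ecloud}} service name" drops the article; since the line is being touched anyway, make it "using the {{ecloud}} service name". The substitution itself is otherwise consistent with the rest of the file.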
Expand All @@ -108,7 +108,7 @@ The process of setting up the PrivateLink connection to your clusters is split b
## Ensure your VPC endpoint is in all availability zones supported by {{ecloud}} on the region for the VPC service [ec-aws-vpc-overlapping-azs]

::::{note}
Ensuring that your VPC is in all supported Elastic Cloud availability zones for a particular region avoids potential for a traffic imbalance. That imbalance may saturate some coordinating nodes and underutilize others in the deployment, eventually impacting performance. Enabling all supported Elastic Cloud zones ensures that traffic is balanced optimally.
Ensuring that your VPC is in all supported {{ecloud}} availability zones for a particular region avoids potential for a traffic imbalance. That imbalance may saturate some coordinating nodes and underutilize others in the deployment, eventually impacting performance. Enabling all supported {{ecloud}} zones ensures that traffic is balanced optimally.
::::


Expand Down Expand Up @@ -164,7 +164,7 @@ The mapping will be different for your region. Our production VPC Service for `u

Find out the endpoint of your deployment. You can do that by selecting **Copy endpoint** in the Cloud UI. It looks something like `my-deployment-d53192.es.us-east-1.aws.found.io`. `my-deployment-d53192` is an alias, and `es` is the product you want to access within your deployment.

To access your Elasticsearch cluster over PrivateLink:
To access your {{es}} cluster over PrivateLink:

* If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect.
* Alternatively, use the following URL structure:
Expand All @@ -181,7 +181,7 @@ The mapping will be different for your region. Our production VPC Service for `u
::::


You can test the AWS console part of the setup with a following curl (substitute the region and Elasticsearch ID with your cluster):
You can test the AWS console part of the setup with a following curl (substitute the region and {{es}} ID with your cluster):

```sh
$ curl -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com
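Review bot: the modified sentence still reads "with a following curl (substitute the region and {{es}} ID with your cluster)"; while the line is being edited, change it to "with the following curl command (substitute the region and {{es}} ID with those of your cluster)".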
Expand Down Expand Up @@ -269,11 +269,11 @@ $ curl -u 'username:password' -v https://my-deployment-d53192.es.vpce.us-east-1.
```

::::{note}
If you are using AWS PrivateLink together with Fleet, and enrolling the Elastic Agent with a PrivateLink URL, you need to configure Fleet Server to use and propagate the PrivateLink URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of Kibana. Otherwise, Elastic Agent will reset to use a default address instead of the PrivateLink URL. The URL needs to follow this pattern: `https://<Fleet component ID/deployment alias>.fleet.<Private hosted zone domain name>:443`.
If you are using AWS PrivateLink together with Fleet, and enrolling the Elastic Agent with a PrivateLink URL, you need to configure Fleet Server to use and propagate the PrivateLink URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of {{kib}}. Otherwise, Elastic Agent will reset to use a default address instead of the PrivateLink URL. The URL needs to follow this pattern: `https://<Fleet component ID/deployment alias>.fleet.<Private hosted zone domain name>:443`.

Similarly, the Elasticsearch host needs to be updated to propagate the Privatelink URL. The Elasticsearch URL needs to follow this pattern: `https://<Elasticsearch cluster ID/deployment alias>.es.<Private hosted zone domain name>:443`.
Similarly, the {{es}} host needs to be updated to propagate the Privatelink URL. The {{es}} URL needs to follow this pattern: `https://<{{es}} cluster ID/deployment alias>.es.<Private hosted zone domain name>:443`.

The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` that are needed to enable this configuration in {{kib}} are currently available on-prem only, and not in the [Kibana settings in {{ecloud}}](/deploy-manage/deploy/elastic-cloud/edit-stack-settings.md).
The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` that are needed to enable this configuration in {{kib}} are currently available on-prem only, and not in the [{{kib}} settings in {{ecloud}}](/deploy-manage/deploy/elastic-cloud/edit-stack-settings.md).

::::

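Review bot: on the {{es}} URL pattern line, the variable now sits inside an inline code span (`https://<{{es}} cluster ID/deployment alias>.es.<Private hosted zone domain name>:443`); confirm that the docs build substitutes variables inside backticks, otherwise readers will see a literal `{{es}}` in a pattern they are expected to copy. On the same line, "Privatelink" should be "PrivateLink" to match the spelling used everywhere else in this file.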
28 changes: 14 additions & 14 deletions deploy-manage/security/azure-private-link-traffic-filters.md
Expand Up @@ -54,7 +54,7 @@ Azure Private Link filtering is supported only for Azure regions.
::::


Azure Private Link establishes a secure connection between two Azure VNets. The VNets can belong to separate accounts, for example a service provider and their service consumers. Azure routes the Private Link traffic within the Azure data centers and never exposes it to the public internet. In such a configuration, Elastic Cloud is the third-party service provider and the customers are service consumers.
Azure Private Link establishes a secure connection between two Azure VNets. The VNets can belong to separate accounts, for example a service provider and their service consumers. Azure routes the Private Link traffic within the Azure data centers and never exposes it to the public internet. In such a configuration, {{ecloud}} is the third-party service provider and the customers are service consumers.

Private Link is a connection between an Azure Private Endpoint and a Azure Private Link Service.

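Review bot: the unchanged context line right after the edited paragraph reads "a Azure Private Link Service"; it should be "an Azure Private Link Service", and since this paragraph is already in the diff it is a cheap drive-by fix.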
Expand Down Expand Up @@ -86,11 +86,11 @@ Private Link Services are set up by Elastic in all supported Azure regions under
::::


The process of setting up the Private link connection to your clusters is split between Azure (e.g. by using Azure portal), Elastic Cloud Support, and Elastic Cloud UI. These are the high-level steps:
The process of setting up the Private link connection to your clusters is split between Azure (e.g. by using Azure portal), {{ecloud}} Support, and {{ecloud}} UI. These are the high-level steps:

| Azure portal | Elastic Cloud UI |
| Azure portal | {{ecloud}} UI |
| --- | --- |
| 1. Create a private endpoint using Elastic Cloud service alias. | |
| 1. Create a private endpoint using {{ecloud}} service alias. | |
| 2. Create a [DNS record pointing to the private endpoint](https://learn.microsoft.com/en-us/azure/dns/private-dns-privatednszone). | |
| | 3. Create an Azure Private Link rule set with the private endpoint **Name** and **ID**. |
| | 4. Associate the Azure Private Link rule set with your deployments. |
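Review bot: the edited sentence keeps "Private link" in lower case ("setting up the Private link connection") while the heading context and the table below use "Private Link"; fix the casing on the line being changed. Also confirm that "{{ecloud}} Support" is the intended name for the support team here rather than plain "Elastic Support".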
Expand Down Expand Up @@ -185,13 +185,13 @@ Creating the filter approves the Private Link connection.

Let’s test the connection:

1. Find out the Elasticsearch cluster ID of your deployment. You can do that by selecting **Copy cluster id** in the Cloud UI. It looks something like `9c794b7c08fa494b9990fa3f6f74c2f8`.
1. Find out the {{es}} cluster ID of your deployment. You can do that by selecting **Copy cluster id** in the Cloud UI. It looks something like `9c794b7c08fa494b9990fa3f6f74c2f8`.

::::{tip}
The Elasticsearch cluster ID is **different** from the deployment ID, custom alias endpoint, and Cloud ID values that feature prominently in the user console.
The {{es}} cluster ID is **different** from the deployment ID, custom alias endpoint, and Cloud ID values that feature prominently in the user console.
::::

2. To access your Elasticsearch cluster over Private Link:
2. To access your {{es}} cluster over Private Link:

* If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect.

Expand All @@ -209,7 +209,7 @@ Let’s test the connection:

`https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243`

3. You can test the Azure portal part of the setup with the following command (substitute the region and Elasticsearch ID with your cluster).
3. You can test the Azure portal part of the setup with the following command (substitute the region and {{es}} ID with your cluster).

The output should look like this:

Expand All @@ -230,7 +230,7 @@ Let’s test the connection:

The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, you haven’t associate the rule set with any deployment yet.

4. In the event that the Private Link connection is not approved by Elastic Cloud, you’ll get an error message like the following. Double check that the filter you’ve created in the previous step uses the right resource name and GUID.
4. In the event that the Private Link connection is not approved by {{ecloud}}, you’ll get an error message like the following. Double check that the filter you’ve created in the previous step uses the right resource name and GUID.

```sh
$ curl -v https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243
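Review bot: the context line between the two changed steps reads "you haven't associate the rule set with any deployment yet"; it should be "haven't associated", and "Double check" in the edited step 4 should be hyphenated as "Double-check". Both are worth fixing while this region is open.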
Expand Down Expand Up @@ -264,7 +264,7 @@ Use the alias you’ve set up as CNAME A record to access your deployment.
::::


For example, if your Elasticsearch ID is `6b111580caaa4a9e84b18ec7c600155e` and it is located in `eastus2` region you can access it under `https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243`.
For example, if your {{es}} ID is `6b111580caaa4a9e84b18ec7c600155e` and it is located in `eastus2` region you can access it under `https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243`.

```sh
$ curl -u 'username:password' -v https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243
Expand All @@ -274,9 +274,9 @@ $ curl -u 'username:password' -v https://6b111580caaa4a9e84b18ec7c600155e.priva
```

::::{note}
If you are using Azure Private Link together with Fleet, and enrolling the Elastic Agent with a Private Link URL, you need to configure Fleet Server to use and propagate the Private Link URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of Kibana. Otherwise, Elastic Agent will reset to use a default address instead of the Private Link URL. The URL needs to follow this pattern: `https://<Fleet component ID/deployment alias>.fleet.<Private hosted zone domain name>:443`.
If you are using Azure Private Link together with Fleet, and enrolling the Elastic Agent with a Private Link URL, you need to configure Fleet Server to use and propagate the Private Link URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of {{kib}}. Otherwise, Elastic Agent will reset to use a default address instead of the Private Link URL. The URL needs to follow this pattern: `https://<Fleet component ID/deployment alias>.fleet.<Private hosted zone domain name>:443`.

Similarly, the Elasticsearch host needs to be updated to propagate the Private Link URL. The Elasticsearch URL needs to follow this pattern: `https://<Elasticsearch cluster ID/deployment alias>.es.<Private hosted zone domain name>:443`.
Similarly, the {{es}} host needs to be updated to propagate the Private Link URL. The {{es}} URL needs to follow this pattern: `https://<{{es}} cluster ID/deployment alias>.es.<Private hosted zone domain name>:443`.

::::

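Review bot: this Fleet note ends after the {{es}} URL paragraph, whereas the equivalent note in aws-privatelink-traffic-filters.md in the same change goes on to say that `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` are available on-prem only; check whether that caveat also applies to Azure Private Link and, if so, carry it over. As on the AWS page, the `{{es}}` placeholder now lives inside an inline code span, so verify that substitution happens there.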
Expand Down Expand Up @@ -315,7 +315,7 @@ To remove an association through the UI:

Azure supports inter-region Private Link as described in the [Azure documentation](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview). "The Private Link resource can be deployed in a different region than the virtual network and private endpoint."

This means your deployment on Elastic Cloud can be in a different region than the Private Link endpoints or the clients that consume the deployment endpoints.
This means your deployment on {{ecloud}} can be in a different region than the Private Link endpoints or the clients that consume the deployment endpoints.

:::{image} /images/cloud-ce-azure-inter-region-pl.png
:alt: Inter-region Private Link
Expand All @@ -328,4 +328,4 @@ This means your deployment on Elastic Cloud can be in a different region than th
2. Create a Private Hosted Zone for region 2, and associate it with VNET1 similar to the step [Create a Private Link endpoint and DNS](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-private-link-azure-dns). Note that you are creating these resources in region 1, VNET1.

2. [Create a traffic filter rule set](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-create-traffic-filter-private-link-rule-set) and [Associate the rule set](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) through the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body), just as you would for any deployment.
3. [Test the connection](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-access-the-deployment-over-private-link) from a VM or client in region 1 to your Private Link endpoint, and it should be able to connect to your Elasticsearch cluster hosted in region 2.
3. [Test the connection](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-access-the-deployment-over-private-link) from a VM or client in region 1 to your Private Link endpoint, and it should be able to connect to your {{es}} cluster hosted in region 2.
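Review bot: in the unchanged context above the edited step, the "Associate the rule set" link points at `aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set`, i.e. the AWS page, although this is the Azure inter-region procedure; it most likely should target the corresponding anchor on the Azure page. The same context also shows two consecutive steps both numbered 2; if the first is a nested sub-step, its indentation should make that explicit.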
38 changes: 35 additions & 3 deletions deploy-manage/security/data-security.md
@@ -1,5 +1,37 @@
# Secure your data
---
applies_to:
deployment:
ess: ga
ece: ga
eck: ga
self: ga
serverless: ga
---

:::{warning}
**This page is a work in progress.**
# Secure data, objects, and settings

Add another layer of security by defining custom encryption rules for your cluster's data, {{kib}} saved objects, and settings.

**In {{ecloud}}**:

{{ech}} deployments and serverless projects are already encrypted at rest by default. This includes their data, objects, and settings. For serverless projects, security is fully-managed by Elastic. For {{ech}} deployments, some settings are available for you to customize the default security measures in place:

- Instead of the default, Elastic-managed encryption, you can choose to use a [customer-managed encryption key](encrypt-deployment-with-customer-managed-encryption-key.md) from one of our supported providers' KMS to encrypt your {{ech}} deployments.
- Store sensitive settings using the [{{es}} keystore](secure-settings.md).

**In {{ece}}, {{eck}} and self-managed installations**:

There is no encryption at rest out of the box for deployments orchestrated using [{{ece}}](secure-your-elastic-cloud-enterprise-installation.md) and [{{eck}}](secure-your-eck-installation.md), and for [self-managed clusters](manually-configure-security-in-self-managed-cluster.md). You must instead configure disk-level encryption on your hosts.

:::{note}
Configuring dm-crypt or similar technologies is outside the scope of the Elastic documentation, and issues related to disk encryption are outside the scope of support.
:::

However, some native features are available for you to protect sensitive data and objects:

- Store sensitive settings using the [{{es}} or {{kib}} keystores](secure-settings.md).
- Enable [encryption for {{kib}} saved objects](secure-saved-objects.md).
- Customize [{{kib}} session parameters](kibana-session-management.md).



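Review bot: the `:::{warning}` opened above "**This page is a work in progress.**" is never closed; the next line is the `# Secure data, objects, and settings` heading, so the heading and the whole body after it are swallowed into the admonition (the later `:::{note}` block is closed correctly, which makes the missing `:::` stand out). Add a closing `:::` directly after the bold line. Minor: "security is fully-managed by Elastic" should be "fully managed" (no hyphen after the verb).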
Expand Up @@ -8,7 +8,7 @@ mapped_urls:

# Manage traffic filtering through the ECE API [ece-traffic-filtering-through-the-api]

This example demonstrates how to use the Elastic Cloud Enterprise RESTful API to manage different types of traffic filters. We cover the following examples:
This example demonstrates how to use the {{ece}} RESTful API to manage different types of traffic filters. We cover the following examples:

* [Create a traffic filter rule set](ece-traffic-filtering-through-the-api.md#ece-create-a-traffic-filter-rule-set)

Expand All @@ -19,7 +19,7 @@ This example demonstrates how to use the Elastic Cloud Enterprise RESTful API to
* [Delete a rule set association with a deployment](ece-traffic-filtering-through-the-api.md#ece-delete-rule-set-association-with-a-deployment)
* [Delete a traffic filter rule set](ece-traffic-filtering-through-the-api.md#ece-delete-a-rule-set)

Read through the main [Traffic Filtering](traffic-filtering.md) page to learn about the general concepts behind filtering access to your Elastic Cloud Enterprise deployments.
Read through the main [Traffic Filtering](traffic-filtering.md) page to learn about the general concepts behind filtering access to your {{ece}} deployments.


## Create a traffic filter rule set [ece-create-a-traffic-filter-rule-set]