elastic · eedugon · Mar 13, 2025 · Mar 13, 2025 · Mar 13, 2025 · Mar 13, 2025
@@ -24,9 +24,9 @@ The following sections describe how to customize a {{kib}} deployment to suit yo
 * [Secure settings](k8s-kibana-secure-settings.md)
 * [HTTP Configuration](k8s-kibana-http-configuration.md)
 
-    * [Load balancer settings and TLS SANs](k8s-kibana-http-configuration.md#k8s-kibana-http-publish)
-    * [Provide your own certificate](k8s-kibana-http-configuration.md#k8s-kibana-http-custom-tls)
-    * [Disable TLS](k8s-kibana-http-configuration.md#k8s-kibana-http-disable-tls)
+    * [Load balancer settings and TLS SANs](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-publish)
+    * [Provide your own certificate](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-custom-tls)
+    * [Disable TLS](/deploy-manage/security/secure-http-communications.md#k8s-kibana-http-disable-tls)
     * [Install {{kib}} plugins](k8s-kibana-plugins.md)
 
 * [Autoscaling stateless applications](../../autoscaling/autoscaling-in-eck.md#k8s-stateless-autoscaling): Use [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) for {{kib}} or other stateless applications.

diff --git a/deploy-manage/deploy/self-managed/configure.md b/deploy-manage/deploy/self-managed/configure.md
@@ -66,7 +66,7 @@ Environment variables can be injected into configuration using `${MY_ENV_VAR}` s
 :   Add sources for the [Content Security Policy `report-to` directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to).
 
 $$$csp-strict$$$ `csp.strict`
-:   Blocks {{kib}} access to any browser that does not enforce even rudimentary CSP rules. In practice, this disables support for older, less safe browsers like Internet Explorer. For more information, refer to [Content Security Policy](../../security/secure-http-communications.md#csp-strict-mode). **Default: `true`**
+:   Blocks {{kib}} access to any browser that does not enforce even rudimentary CSP rules. In practice, this disables support for older, less safe browsers like Internet Explorer. For more information, refer to [Content Security Policy](/deploy-manage/security/using-kibana-with-security.md#csp-strict-mode). **Default: `true`**
 
 `csp.warnLegacyBrowsers`
 :   Shows a warning message after loading {{kib}} to any browser that does not enforce even rudimentary CSP rules, though {{kib}} is still accessible. This configuration is effectively ignored when [`csp.strict`](#csp-strict) is enabled. **Default: `true`**

@@ -1,11 +1,12 @@
 ---
+applies_to:
+  self: ga
 navigation_title: "With a different CA"
 mapped_pages:
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/update-node-certs-different.html
 ---
 
 
-
 # Different CA [update-node-certs-different]
 
 

@@ -2,6 +2,8 @@
 applies_to:
   deployment:
     self: ga
+mapped_urls:
+  - https://www.elastic.co/guide/en/elastic-stack/current/install-stack-demo-secure.html
 ---
 
 # Tutorial: Securing a self-managed {{stack}} [install-stack-demo-secure]
@@ -14,15 +16,15 @@

 For traffic to be encrypted between {{es}} cluster nodes and between {{kib}} and {{es}}, SSL certificates must be created for the transport ({{es}} inter-node communication) and HTTP (for the {{es}} REST API) layers. Similarly, when setting up {{fleet-server}} you’ll generate and configure a new certificate bundle, and then {{elastic-agent}} uses the generated certificates to communicate with both {{fleet-server}} and {{es}}. The process to set things up is as follows:

 * [Prerequisites and assumptions](secure-your-cluster-deployment.md#install-stack-demo-secure-prereqs)
 * [Step 1: Generate a new self-signed CA certificate](secure-your-cluster-deployment.md#install-stack-demo-secure-ca)
 * [Step 2: Generate a new certificate for the transport layer](secure-your-cluster-deployment.md#install-stack-demo-secure-transport)
 * [Step 3: Generate new certificate(s) for the HTTP layer](secure-your-cluster-deployment.md#install-stack-demo-secure-http)
 * [Step 4: Configure security on additional {{es}} nodes](secure-your-cluster-deployment.md#install-stack-demo-secure-second-node)
 * [Step 5: Generate server-side and client-side certificates for {{kib}}](secure-your-cluster-deployment.md#install-stack-demo-secure-kib-es)
 * [Step 6: Install {{fleet}} with SSL certificates configured](secure-your-cluster-deployment.md#install-stack-demo-secure-fleet)
 * [Step 7: Install {{agent}}](secure-your-cluster-deployment.md#install-stack-demo-secure-agent)
 * [Step 8: View your system data](secure-your-cluster-deployment.md#install-stack-demo-secure-view-data)

 It should take between one and two hours to complete these steps.


@@ -1,4 +1,6 @@
 ---
+applies_to:
+  self: ga
 navigation_title: "With the same CA"
 mapped_pages:
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/update-node-certs-same.html

@@ -1,33 +1,84 @@
 ---
+applies_to:
+  deployment:
+    self:
+    eck:
+    ece:
 mapped_urls:
   - https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-security.html
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html
   - https://www.elastic.co/guide/en/kibana/current/elasticsearch-mutual-tls.html
 ---
 
+
+% TODO: what to do about this page that doesn't exist
+% * [/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-security.md](/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-security.md)
+
+
 # Secure cluster communications
 
-% What needs to be done: Refine
+This page explains how to secure communications between components in your {{stack}} deployment.
 
-% GitHub issue: https://github.com/elastic/docs-projects/issues/346
+For {{ech}} and {{serverless-full}} deployments, communications security is fully managed by Elastic with no configuration required.
 
-% Use migrated content from existing pages that map to this page:
+For ECE, ECK, and self-managed deployments, this page provides specific configuration guidance to secure the various communication channels between components.
 
-% - [ ] ./raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-security.md
-% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/security-basic-setup.md
-%      Notes: concepts
-% - [ ] ./raw-migrated-files/kibana/kibana/elasticsearch-mutual-tls.md
+:::{tip}
+For a complete comparison of security feature availability and responsibility by deployment type, see [Security features by deployment type](../security.md#security-features-by-deployment-type).
+:::
 
-% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc):
+## Communication channels overview
 
-$$$generate-certificates$$$
+Your {{stack}} deployment includes several distinct communication channels that must be secured to protect your data and infrastructure.
 
-$$$encrypt-internode-communication$$$
+| **Channel** | **Description** | **Security needs** |
+|-------------|-----------------|--------------------|
+| [Transport layer](#transport-layer-security) | Communication between {{es}} nodes within a cluster | - Mutual TLS (required)<br>- Node authentication<br>- Node role verification |
+| [HTTP layer](#http-layer-security) | Communication between external clients and {{es}} through the REST API | - TLS encryption<br>- Authentication (basic auth, API keys, or token-based)<br>- Optional client certificate authentication |
+| [{{kib}}-to-{{es}}](#kib-to-es-communications) | Communication from the {{kib}} server to {{es}} for user requests and queries | - TLS encryption<br>- Service authentication (API keys, service tokens, or mutual TLS) |
 
-**This page is a work in progress.** The documentation team is working to combine content pulled from the following pages:
 
-% Doesn't exist
-% * [/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-security.md](/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-security.md)
+## Transport layer security
+
+The transport layer is used for communication between {{es}} nodes in a cluster. Securing this layer prevents unauthorized nodes from joining your cluster and protects internode data.
+
+**Deployment type notes:**
+- **Elastic Cloud & Serverless**: Transport security is fully managed by Elastic. No configuration is required.
+- **ECE/ECK**: Transport security is automatically configured by the operator. No direct user configuration is required.
+- **Self-managed**: Transport security must be manually configured following the steps in [Set up basic security](set-up-basic-security.md).
+
+## HTTP layer security
+
+The HTTP layer secures client communication with your {{es}} cluster via its REST API, preventing unauthorized access and protecting data in transit.
+
+**Deployment type notes:**
+- **Elastic Cloud & Serverless**: HTTP security is fully managed by Elastic. No configuration is required.
+- **ECE/ECK**: HTTP security is automatically configured with self-signed certificates. Custom certificates can be configured.
+- **Self-managed**: HTTP security must be manually configured following [Secure HTTP communications](secure-http-communications.md).
+
+## {{kib}}-to-{{es}} communications
+
+{{kib}} connects to {{es}} as a client but requires special configuration as it performs operations on behalf of end users.
+
+**Deployment type notes:**
+- **Elastic Cloud & Serverless**: {{kib}}-{{es}} communication is fully managed using HTTPS and service tokens.
+- **ECE/ECK**: {{kib}}-{{es}} communication is automatically secured with service tokens.
+- **Self-managed**: {{kib}}-{{es}} communication must be manually secured. For mutual TLS configuration, see [Mutual TLS authentication between {{kib}} and {{es}}](secure-http-communications.md#elasticsearch-mutual-tls).
+
+## Certificate management [generate-certificates]
+
+Managing certificates is critical for secure communications. Certificates have limited lifetimes and must be renewed before expiry to prevent service disruptions.
+
+**Deployment type notes:**
+- **Elastic Cloud & Serverless**: Certificate management is fully automated by Elastic.
+- **ECE**: ECE generates certificates for you. Refer to [](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md).
+
+ECK**: Certificate generation and basic rotation is handled by the operator. Custom HTTP certificates require manual management.
+- **Self-managed**: Certificate management is your responsibility. See [Security certificates and keys](security-certificates-keys.md).
+
+## Next steps
 
-* [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-basic-setup.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-basic-setup.md)
-* [/raw-migrated-files/kibana/kibana/elasticsearch-mutual-tls.md](/raw-migrated-files/kibana/kibana/elasticsearch-mutual-tls.md)
+- Configure [basic security and HTTPS](set-up-basic-security-plus-https.md) for self-managed deployments.
+- Learn about [HTTP communication security](secure-http-communications.md) best practices.
+- Understand how to securely manage [security certificates and keys](security-certificates-keys.md).
+- Check [SSL/TLS version compatibility](supported-ssltls-versions-by-jdk-version.md) for optimal encryption.