AWS Elasticsearch VPC connectivity

+1 vote

I've created an Elasticsearch domain in AWS.

It's added to my VPC inside a public subnet and I've attached a security group which is currently completely open.

I have this policy attached also:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-central-1:ACCOUNT_ID:domain/DOMAIN_NAME/*"
    }
  ]
}

I am trying to access an endpoint locally but it doesn't seem to be allowed.

Any idea why I'm not able to access this URL?

Sep 4, 2018 in AWS by bug_seeker
• 15,510 points
4,822 views

1 answer to this question.

+1 vote
VPC Endpoint cannot be accessed outside the subnets that you associated with the elastic-search domain.

you can try performing curl from any EC2 instances that is part of the same subnet that you associated with elastic-search, it should work.

If you need to access the endpoint from internet, then don't create VPC endpoint elastic-search instead create elastic-search domain with internet access. You can specify whether you want VPC or internet accessible cluster when creating the ES domain.
answered Sep 4, 2018 by Priyaj
• 58,020 points
Hi Priyaj, That's a great information. Just to understand more, is it possible to access the elastic search domain within VPC ?

Yes @Gopinaath, it's possible to access the elastic search domain within your VPC. Have a look at these documentations: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html

You can enable proxy using nginx which helps you to access the ES endpoint outside VPC

1. Install nginx and create a SSL certifcate using open ssl

2. Append the below lines under Virtual Host Configs to access ES

server {
            listen 443;
            server_name localhost;

            ssl_certificate        /etc/ssl/private/server.crt;
            ssl_certificate_key    /etc/ssl/private/server.key;
            ssl on;
            ssl_session_cache  builtin:1000  shared:SSL:10m;
            ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
            ssl_prefer_server_ciphers on;
#            server_name ec2-10.1.10.10.compute-1.amazonaws.com 10.1.10.10;

            location ^~ /_plugin/kibana/ {

                    add_header X-XSS-Protection "1; mode=block";
                    add_header X-Content-Type-Options nosniff;
                    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE';
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $http_host;
                    proxy_set_header X-Forwarded-Proto https;
                    proxy_redirect off;
                    proxy_connect_timeout      2400;
                    proxy_send_timeout         2400;
                    proxy_read_timeout         2400;
                    proxy_pass https://vpc-address.es.amazonaws.com/_plugin/kibana/;

            }

    }
}
Hello Panneer S,

Thank you so much. It would be great if you could make this, an answer for better readability.

Also, please register at edureka Community and earn points for every contribution(asking a question, answering, commenting or even upvoting). With these points, you can claim a discount on Edureka courses and get a chance to become an admin on this tech community.

Thank you and Happy Learning!

Related Questions In AWS

+9 votes
17 answers

AWS VPC - What is the difference between Internet Gateway & NAT

Internet Gateway An Internet Gateway is a logical connection ...READ MORE

answered Apr 24, 2018 in AWS by Flying geek
• 3,280 points

edited Jul 10, 2023 by Khan Sarfaraz 128,413 views
0 votes
1 answer

how to access AWS S3 from Lambda in VPC

With boto3, the S3 urls are virtual by default, ...READ MORE

answered Sep 28, 2018 in AWS by Priyaj
• 58,020 points
10,106 views
0 votes
1 answer

Is there a way to move AWS Elasticsearch to another account

Create a role with Elasticsearch permission. Provide the iam:PassRole for ...READ MORE

answered Oct 30, 2018 in AWS by Priyaj
• 58,020 points
2,052 views
0 votes
1 answer
0 votes
1 answer
0 votes
1 answer
0 votes
1 answer
0 votes
1 answer
0 votes
1 answer

AWS ElasticSearch with cakephp/elastic-search plugin

CakePHP is an open source, MVC framework ...READ MORE

answered Jul 30, 2018 in AWS by Priyaj
• 58,020 points
1,025 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP