AWS Elasticsearch VPC connectivity

+1 vote

I've created an Elasticsearch domain in AWS.

It's added to my VPC inside a public subnet and I've attached a security group which is currently completely open.

I have this policy attached also:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-central-1:ACCOUNT_ID:domain/DOMAIN_NAME/*"
    }
  ]
}

I am trying to access an endpoint locally but it doesn't seem to be allowed.

The Kibana URL for example is:

https://vpc-bla.bla.bla.eu-central-1.es.amazonaws.com/_plugin/kibana/

Any idea why I'm not able to access this URL?

Sep 4, 2018 in AWS by bug_seeker
• 15,390 points
986 views

1 answer to this question.

+1 vote
A VPC endpoint cannot be accessed from outside the subnets that you associated with the Elasticsearch domain.

You can try performing curl from any EC2 instance that is part of the same subnet that you associated with Elasticsearch; it should work.

If you need to access the endpoint from the internet, then don't create a VPC endpoint Elasticsearch domain; instead, create an Elasticsearch domain with internet access. You can specify whether you want a VPC or an internet-accessible cluster when creating the ES domain.
answered Sep 4, 2018 by Priyaj
• 57,510 points
Hi Priyaj, that's great information. Just to understand more, is it possible to access the Elasticsearch domain within the VPC?

Yes @Gopinaath, it's possible to access the Elasticsearch domain within your VPC. Have a look at this documentation: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html

You can enable a proxy using nginx, which helps you access the ES endpoint from outside the VPC.

1. Install nginx and create an SSL certificate using OpenSSL.

2. Append the lines below under Virtual Host Configs to access ES:

server {
    # "ssl on;" is deprecated; TLS is enabled on the listen directive instead
    listen 443 ssl;
    server_name localhost;
#   server_name ec2-10.1.10.10.compute-1.amazonaws.com 10.1.10.10;

    ssl_certificate        /etc/ssl/private/server.crt;
    ssl_certificate_key    /etc/ssl/private/server.key;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLS 1.2 is offered
    ssl_protocols  TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    # Forward Kibana requests to the VPC endpoint of the ES domain
    location ^~ /_plugin/kibana/ {
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options nosniff;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE';
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout      2400;
        proxy_send_timeout         2400;
        proxy_read_timeout         2400;
        proxy_pass https://vpc-address.es.amazonaws.com/_plugin/kibana/;
    }
}
Hello Panneer S,

Thank you so much. It would be great if you could make this an answer for better readability.

Also, please register at edureka Community and earn points for every contribution (asking a question, answering, commenting or even upvoting). With these points, you can claim a discount on Edureka courses and get a chance to become an admin on this tech community.

Thank you and Happy Learning!
