Connect Elastic Cloud Hosted deployments to an Elastic Cloud Enterprise environment
ECH ECE
This section explains how to configure a deployment to connect remotely to clusters belonging to an Elastic Cloud Enterprise (ECE) environment.
If network security filters are applied to the remote cluster on ECE, the remote cluster administrator must configure an IP filter to allow traffic from Elastic Cloud IP addresses. For more information, refer to Remote clusters and network security.
Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps.
- API key
- For deployments based on Elastic Stack 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model offers administrators of both the local and the remote deployment fine-grained access controls.
- TLS certificate (deprecated in Elastic Stack 9.0.0)
- This model uses mutual TLS authentication for cross-cluster operations. User authentication is performed on the local cluster and a user’s role names are passed to the remote cluster. A superuser on the local deployment gains total read access to the remote deployment, so it is only suitable for deployments that are in the same security domain.
API key authentication enables a local cluster to authenticate itself with a remote cluster via a cross-cluster API key. The API key needs to be created by an administrator of the remote cluster. The local cluster is configured to provide this API key on each request to the remote cluster. The remote cluster verifies the API key and grants access, based on the API key’s privileges.
All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to my-index on the remote cluster, even a superuser from the local cluster is limited by this constraint. This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key.
On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key.
If you run into any issues, refer to Troubleshooting.
- The local and remote deployments must be on Elastic Stack 8.14 or later.
- Contrary to the certificate security model, the API key security model does not require that both local and remote clusters trust each other.
- On the deployment you will use as remote, use the Elasticsearch API or Kibana to create a cross-cluster API key. Configure it with access to the indices you want to use for cross-cluster search or cross-cluster replication.
- Copy the encoded key (
encodedin the response) to a safe location. You will need it in the next step.
The API key created previously will be used by the local deployment to authenticate with the corresponding set of permissions to the remote deployment. For that, you need to add the API key to the local deployment’s keystore.
The steps to follow depend on whether the Certificate Authority (CA) of the remote ECE environment’s proxy or load balancing infrastructure is public or private.
The CA is public
Log in to the Elastic Cloud Console.
On the home page, find your hosted deployment and select Manage to access it directly. Or, select Hosted deployments to go to the Hosted deployments page to view all of your deployments.
On the Hosted deployments page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.
From the navigation menu, select Security.
Locate Remote Connections > Trust management > Connections using API keys and select Add API key.
Fill both fields.
- For the Remote cluster name, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
- For the Cross-cluster API key, paste the encoded cross-cluster API key.
Click Add to save the API key to the keystore.
Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment’s main page (named after your deployment’s name), locate the Actions menu, and select Restart Elasticsearch.
NoteIf the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys.
If you need to update the remote connection with different permissions later, refer to Change a cross-cluster API key used for a remote connection.
The CA is private
Log in to the Elastic Cloud Console.
On the home page, find your hosted deployment and select Manage to access it directly. Or, select Hosted deployments to go to the Hosted deployments page to view all of your deployments.
On the Hosted deployments page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.
Access the Security page of the deployment.
Select Remote Connections > Add trusted environment and choose Elastic Cloud Enterprise. Then click Next.
Select API keys as authentication mechanism and click Next.
Add a the API key:
Fill both fields.
- For the Remote cluster name, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
- For the Cross-cluster API key, paste the encoded cross-cluster API key.
Click Add to save the API key to the keystore.
Repeat these steps for each API key you want to add. For example, if you want to use several deployments of the remote environment for CCR or CCS.
Add the CA certificate of the private proxy or load balancing infrastructure of the remote environment. To find this certificate:
In the remote Elastic Cloud Enterprise environment, go to Platform > Settings > TLS certificates.
Select Show certificate chain under Proxy.
Click Copy root certificate and paste it into a new file. The root certificate is the last certificate shown in the chain.
Save that file as
.crt. It is now ready to be uploaded.
Provide a name for the trusted environment. That name will appear in the trust summary of your deployment’s Security page.
Select Create trust to complete the configuration.
Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment’s main page (named after your deployment’s name), locate the Actions menu, and select Restart Elasticsearch.
NoteIf the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys.
If you need to update the remote connection with different permissions later, refer to Change a cross-cluster API key used for a remote connection.
A deployment can be configured to trust all or specific deployments in a remote ECE environment:
Access the Security page of the deployment you want to use for cross-cluster operations.
Select Remote Connections > Add trusted environment and choose Elastic Cloud Enterprise. Then click Next.
Select Certificates as authentication mechanism and click Next.
Enter the environment ID of the ECE environment. You can find it under Platform > Trust Management in your ECE administration UI.
Upload the Certificate Authority of the ECE environment. You can download it from Platform > Trust Management in your ECE administration UI.
Choose one of following options to configure the level of trust with the ECE environment:
- All deployments - This deployment trusts all deployments in the ECE environment, including new deployments when they are created.
- Specific deployments - Specify which of the existing deployments you want to trust in the ECE environment. The full Elasticsearch cluster ID must be entered for each remote cluster. The Elasticsearch
Cluster IDcan be found in the deployment overview page under Applications.
Provide a name for the trusted environment. That name will appear in the trust summary of your deployment’s Security page.
Select Create trust to complete the configuration.
Configure the corresponding deployments of the ECE environment to trust this deployment. You will only be able to connect two deployments successfully when both of them trust each other.
The environment ID and cluster IDs must be entered fully and correctly. For security reasons, verification of the IDs is not possible. If cross-environment trust does not appear to be working, double-checking the IDs is a good place to start.
Using the API
You can update a deployment using the appropriate trust settings for the Elasticsearch payload.
In order to trust a deployment with cluster id cf659f7fe6164d9691b284ae36811be1 (NOTE: use the Elasticsearch cluster ID, not the deployment ID) in an ECE environment with environment ID 1053523734, you need to update the trust settings with an additional direct trust relationship like this:
{ "trust":{ "accounts":[ { "account_id":"ec38dd0aa45f4a69909ca5c81c27138a", "trust_all":true } ], "direct": [ { "type" : "ECE", "name" : "My ECE environment", "scope_id" : "1053523734", "certificates" : [ { "pem" : "-----BEGIN CERTIFICATE-----\nMIIDTzCCA...H0=\n-----END CERTIFICATE-----" } ], "trust_all":false, "trust_allowlist":[ "cf659f7fe6164d9691b284ae36811be1" ] } ] } } You can now connect remotely to the trusted clusters.
On the local cluster, add the remote cluster using Kibana or the Elasticsearch API.
Go to the Remote Clusters management page in the navigation menu or use the global search field.
Select Add a remote cluster.
In Select connection type, choose the authentication mechanism you prepared earlier (API keys or Certificates), and then click Next.
In Add connection information, fill in the following fields:
Remote cluster name: This cluster alias is a unique identifier that represents the connection to the remote cluster and is used to distinguish local and remote indices.
When using API key authentication, this alias must match the Remote cluster name you configured when adding the API key in the Cloud UI.
Remote address: This value can be found on the Security page of the Elastic Cloud Enterprise deployment you want to use as a remote. Copy the Proxy address from the Remote cluster parameters section.
NoteIf you’re using API keys as security model, change the port to
9443.Configure advanced options (optional): Expand this section if you need to customize additional settings.
TLS server name: Specify a value if the certificate presented by the remote cluster is signed for a different name than the remote address.
This value can be found on the Security page of the Elastic Cloud Enterprise deployment you want to use as a remote. Copy the Server name from the Remote cluster parameters section.
Socket connections: Define the number of connections to open with the remote cluster.
For a full list of available client connection settings, refer to the remote cluster settings reference.
Click Next.
In Confirm setup, click Add remote cluster (you have already established trust in a previous step).
If you’re having issues establishing the connection and the remote cluster is part of an Elastic Cloud Enterprise environment with a private certificate, make sure that the proxy address and server name match with the the certificate information. For more information, refer to Administering endpoints in Elastic Cloud Enterprise.
To configure a deployment as a remote cluster, use the cluster update settings API. Configure the following fields:
Remote cluster alias: When using API key authentication, the cluster alias must match the one you configured when adding the API key in the Cloud UI as Remote cluster name.mode:proxyproxy_address: This value can be found on the Security page of the Elastic Cloud Enterprise deployment you want to use as a remote. Copy the Proxy address from the Remote cluster parameters section.Using the API, this value can be obtained from the Elasticsearch resource info, concatenating the field
metadata.endpointand port9400using a semicolon.NoteIf you’re using API keys as security model, change the port to
9443.server_name: This value can be found on the Security page of the Elastic Cloud Enterprise deployment you want to use as a remote. Copy the Server name from the Remote cluster parameters section.Using the API, this can be obtained from the Elasticsearch resource info field
metadata.endpoint.
This example shows the API call to add or update a remote cluster. The alias alias-for-my-remote-cluster must match the remote cluster name used when adding the API key to the deployment:
PUT /_cluster/settings { "persistent": { "cluster": { "remote": { "alias-for-my-remote-cluster": { "mode":"proxy", "proxy_address": "a542184a7a7d45b88b83f95392f450ab.192.168.44.10.ip.es.io:9400", "server_name": "a542184a7a7d45b88b83f95392f450ab.192.168.44.10.ip.es.io" } } } } } - Remote cluster alias
For a full list of available client connection settings in proxy mode, refer to the remote cluster settings reference.
To use a remote cluster for cross-cluster replication or cross-cluster search, you need to create user roles with remote indices privileges on the local cluster. Refer to Configure roles and users.