We are hosting Elasticsearch on EC2 instances, but are a bit unsure whether we should go for using a completely private subnet for our Elasticsearch cluster or just use a security group.
Can anyone weigh in on this?
I was told that "best practice" is to use a private subnet because we don't want anyone accessing Elasticsearch from the outside, but that causes other issues like needing to use workarounds like bastion instances to allow SSHing into them and creating a NAT instance to allow us to connect to the internet to install updates and things. That seems like a lot of overhead, and I am not seeing the security benefit to that as opposed to a simple Security Group that just disallows all traffic from anywhere other than the API server we created in front of our cluster.
It depends a lot on who has access, and who is able to configure these things. Assuming case b) public subnets + security groups, this means it is down to the person setting up/maintaining the servers to remember every time to lock down the security group. Using a private subnet means that an administrator with VPC permissions can restrict access to ALL EC2s within the subnet, then even if someone set up an EC2 with 0.0.0.0/0 allowed, the traffic would still be blocked on a network layer.
Personally, I think that the hassle of using public subnets, nat instances, bastion hosts etc is not worth the benefits it provides. But of course your use case will differ.
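To make the trade-off in the answer above concrete, here is an added example (my own, not code from the thread) that models how an inbound packet to an Elasticsearch node is evaluated: first by the subnet's network ACL, then by the instance's security group. The rule sets are constructed, and the subnet network ACL is used as a stand-in for the subnet-wide, VPC-level restriction the answer describes; it shows that the same "0.0.0.0/0 on port 9200" mistake is exposed in a default subnet but still blocked where the subnet itself denies non-VPC sources.

```python
import ipaddress

ES_PORT = 9200  # Elasticsearch HTTP port

# Constructed sample rule sets (not from any real account).
# Security group ingress rules: allow-only, (cidr, from_port, to_port).
SG_OPEN = [  # the mistake the answer warns about: cluster open to the world
    {"cidr": "0.0.0.0/0", "from_port": 9200, "to_port": 9200},
]
SG_LOCKED = [  # only the subnet holding the API server in front of the cluster
    {"cidr": "10.0.1.0/24", "from_port": 9200, "to_port": 9200},
]
# Network ACLs: evaluated by ascending rule number, first match wins.
NACL_DEFAULT = [  # default NACL on a public subnet: allow everything
    {"rule": 100, "cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535, "action": "allow"},
]
NACL_PRIVATE = [  # subnet-wide restriction: only VPC-internal sources may reach any port
    {"rule": 100, "cidr": "10.0.0.0/16", "from_port": 0, "to_port": 65535, "action": "allow"},
    {"rule": 32767, "cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535, "action": "deny"},
]


def _matches(rule, src, port):
    """True if the source address and destination port fall within the rule."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["cidr"])
            and rule["from_port"] <= port <= rule["to_port"])


def nacl_allows(nacl, src, port):
    """First matching rule by rule number decides; no match means the implicit deny."""
    for rule in sorted(nacl, key=lambda r: r["rule"]):
        if _matches(rule, src, port):
            return rule["action"] == "allow"
    return False


def sg_allows(sg, src, port):
    """Security groups are allow-only: any matching ingress rule permits the flow."""
    return any(_matches(rule, src, port) for rule in sg)


def reachable(nacl, sg, src, port=ES_PORT):
    """An inbound packet must pass the subnet NACL and then the instance's SG."""
    return nacl_allows(nacl, src, port) and sg_allows(sg, src, port)


def sg_open_to_world(sg, port=ES_PORT):
    """Audit check for the misconfiguration: is `port` exposed to 0.0.0.0/0?"""
    return any(r["cidr"] == "0.0.0.0/0" and r["from_port"] <= port <= r["to_port"] for r in sg)


if __name__ == "__main__":
    internet, api_server = "203.0.113.5", "10.0.1.10"
    print("open SG, default subnet, from internet:", reachable(NACL_DEFAULT, SG_OPEN, internet))
    print("open SG, restricted subnet, from internet:", reachable(NACL_PRIVATE, SG_OPEN, internet))
    print("open SG, restricted subnet, from API server:", reachable(NACL_PRIVATE, SG_OPEN, api_server))
```

Running `sg_open_to_world` over the output of `describe-security-groups` is the kind of check that catches the per-SG mistake when you choose the public-subnet option.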