Normally your 3 nodes are available inside the same DC, which means that:
- You can keep port 9300 open only within the same LAN
- You can open port 9200 to the internet, but you need to be extremely careful there
Of course you can use x-pack with its security feature (commercial license needed).
"Normally", end users never access elasticsearch directly but access an Application layer which is running in the same DC (same LAN?), and this one is the only one which can communicate with your cluster. In which case you don't really have to expose elasticsearch on the internet.
I'd also recommend taking a look at cloud.elastic.co as it has x-pack built in, so you just have to focus on your use case instead of thinking of deploying, buying the license, setting up backups, having to deal with upgrades...
My situation is the following: I have bought the x-pack (commercial offer,
I have paid the license). I have to deploy the cluster on my servers; for
some confidentiality reasons, the data cannot be on GCP, AWS or
Azure.
I have to assume that my servers are in different data-centers, so the LAN
question is more complex than that.
So the question: with x-pack and security enabled, do I need to protect the
9200 and 9300 ports? Ideally, I'd like to configure the yml and x-pack to
achieve security.
I edited your post and removed some of your personal information.
> I have bought the x-pack
Great!
> I have to assume that my servers are in different data-centers.
Be aware that it's not recommended to split an elasticsearch cluster in different geo regions.
Multiple DCs in the same region is fine as the latency is probably good enough (like a fiber network and some hundreds of meters of distance).
> So the question: with x-pack and security enabled, do I need to protect the
> 9200 and 9300 ports? Ideally, I'd like to configure the yml and x-pack to
> achieve security.
You mean? Adding another layer? I don't think it's absolutely needed.
Maybe it's better to move this discussion to #x-pack, which I just did. Some experts there can comment better.
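
An added example (not written by any poster in this thread and not Elastic's own tooling): a small audit of a flat-key elasticsearch.yml for the question discussed above, namely whether security and TLS are on for the HTTP (9200) and transport (9300) layers when they bind beyond loopback. The sample config and function names are constructed; it assumes default ports, treats an absent setting as off (real defaults vary by version), and does not handle nested YAML.

```python
"""Audit a flat-key elasticsearch.yml for HTTP (9200) / transport (9300) exposure."""

# Constructed sample config (not from the thread): security on, HTTP TLS missing.
SAMPLE_YML = """\
cluster.name: demo
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# xpack.security.http.ssl.enabled: true
"""

# Bind values that keep a layer reachable from the local host only.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yml(text):
    """Parse 'dotted.key: value' lines; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    def enabled(key):
        # Assumption: a missing setting counts as off (conservative).
        return settings.get(key, "false").lower() == "true"

    findings = []
    if not enabled("xpack.security.enabled"):
        findings.append("security disabled: no authentication on 9200/9300")
    # Default ports assumed; http.host / transport.host override network.host.
    for layer, host_key, port in (("transport", "transport.host", 9300),
                                  ("http", "http.host", 9200)):
        host = settings.get(host_key, settings.get("network.host", "_local_"))
        if host not in LOOPBACK and not enabled(f"xpack.security.{layer}.ssl.enabled"):
            findings.append(f"{layer} port {port} bound to {host} without TLS")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_flat_yml(SAMPLE_YML)):
        print("FINDING:", finding)
```
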