Deploy elasticsearch cluster over internet


(olivier hodac) #1

Hello,

I want to deploy a 3 node cluster of ES with x-pack (security)

I was wondering about security: My 3 nodes have to communicate (discovery, etc...). but of course, the question of the security is raised.

What is the best practice?

SIMPLEST: Is there a way of handling this thru elasticsearch configuration?

MIDDLE: Do I have to expose the ports (9300, 9200...) on internet and security from x-pack is taking care of the rest? what about DOS?

COMPLEX: Do I have to take care of the security by setting up a firewall like UFW to expose the 9XXX ports and create rules to enable only some IPs?

thank's


X-pack security module for a cluster on internet
(olivier hodac) #2

no answer... Maybe I am not clear. Do I need to reformulate?


(David Pilato) #3

Normally your 3 nodes are available inside the same DC which means that:

  • You can keep port 9300 opened only within the same LAN
  • You can open port 9200 to internet but you need to be extremely careful there

Of course you can use x-pack with its security feature (commercial license needed).

"Normally", end users never access directly elasticsearch but access an Application layer which is running in the same DC (same LAN?) and this one is the only one which can communicate with your cluster. In which case you don't have to really expose elasticsearch on internet.

I'd recommend also giving a look at cloud.elastic.co as it has x-pack built in so you just have to focus on your use case instead of thinking of deploying, buying the license, settings up backups, having to deal with upgrades...

HTH


(olivier hodac) #4

Hello David,

My situation is the following: I have bought the x-pack (commercial offer,
I have paid the license). I have to deploy the cluster on my servers, for
some confidentiality reasons, the data cannot be neither on GCP, AWS or
azure.

I have to assume that my servers are in different data-centers. so the LAN
question, is more complex that that.

So the question: with x-pack and security enabled, do I need to protect the
9200 and 9300 ports? Idealy, I'd like to configure the yml and x-pack to
achieve security.


(David Pilato) #5

I edited your post and removed some of your personal informations.

I have bought the x-pack

Great!

I have to assume that my servers are in different data-centers.

Be aware that it's not recommended to split an elasticsearch cluster in different geo regions.
Multiple DC in the same region is fine as the latency is probably good enough (like a fiber network and some hundred of meters of distance).

So the question: with x-pack and security enabled, do I need to protect the
9200 and 9300 ports? Idealy, I'd like to configure the yml and x-pack to
achieve security.

You mean? Adding another layer? I don't think it's absolutely needed.
May be it's better to move this discussion to #x-pack which I just did some experts there can comment better.


(olivier hodac) #6

OK, great waiting for their piece of advice.

My servers are in the same region but in different DC (the provider has several locations)


(David Pilato) #7

What's the latency like? Under a ms?


(system) #8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.