I'm trying to configure tight security rules to my elasticsearch cluster
meaning that the network access rules must be exactly what is needed. Now
I've found that the EC2 Discovery plugin does a call to AWS
(ec2.us-east-1.amazonaws.com:443) and for that I would need to give
internet access to my elasticsearch instances.
That said, it means a big drawback for my security configuration because I
cannot tie the call to a fixed IP, neither to a fixed port and hence my
access rules would be wide open.
Can you please tell me how do you manage this security issue on AWS?
Hi David,
Indeed, the plugin makes AWS API calls ( ec2 describe instances) in order
to find candidates to cluster with. Unfortunately, if memory serves me
right, those are to external IPs...
Hint - tinyproxy with whitelist on your nat gw , and proper env
configuration so that the client side (java , in this case) is aware of the
proxy.
I'm trying to configure tight security rules to my elasticsearch cluster
meaning that the network access rules must be exactly what is needed. Now
I've found that the EC2 Discovery plugin does a call to AWS ( ec2.us-east-1.amazonaws.com:443) and for that I would need to give
internet access to my elasticsearch instances.
That said, it means a big drawback for my security configuration because I
cannot tie the call to a fixed IP, neither to a fixed port and hence my
access rules would be wide open.
Can you please tell me how do you manage this security issue on AWS?
I have the same problem yesterday. What I did is make elastic IP and
associate it with your ec2 instance. In the sercuity group you need open
both private Ip and the elastic IP. try it.
On Wednesday, November 19, 2014 8:01:48 AM UTC-5, David Vasquez wrote:
Hi everyone!
I'm trying to configure tight security rules to my elasticsearch cluster
meaning that the network access rules must be exactly what is needed. Now
I've found that the EC2 Discovery plugin does a call to AWS ( ec2.us-east-1.amazonaws.com:443) and for that I would need to give
internet access to my elasticsearch instances.
That said, it means a big drawback for my security configuration because I
cannot tie the call to a fixed IP, neither to a fixed port and hence my
access rules would be wide open.
Can you please tell me how do you manage this security issue on AWS?
Yes..but this might not be an option if your instance is in a private
subnet...it also means handling all your IPS like this ( though in theory
you don't need internal IPs, security group id/name would do as well...) -
there r limits to how many rules you can add to a secgroup....
At the same time, adding eip would complicate the OP's apparent sec
requirements ...
On 20/11/2014 12:04 pm, wellszhane@xteros.com wrote:
I have the same problem yesterday. What I did is make elastic IP and
associate it with your ec2 instance. In the sercuity group you need open
both private Ip and the elastic IP. try it.
On Wednesday, November 19, 2014 8:01:48 AM UTC-5, David Vasquez wrote:
Hi everyone!
I'm trying to configure tight security rules to my elasticsearch cluster
meaning that the network access rules must be exactly what is needed. Now
I've found that the EC2 Discovery plugin does a call to AWS ( ec2.us-east-1.amazonaws.com:443) and for that I would need to give
internet access to my elasticsearch instances.
That said, it means a big drawback for my security configuration because
I cannot tie the call to a fixed IP, neither to a fixed port and hence my
access rules would be wide open.
Can you please tell me how do you manage this security issue on AWS?
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.