Is a direct client-elasticsearch connection safe with X-Pack?

Hello everyone,
I'm working on a personal mobile application that needs search capabilities and, since I'm not confident enough to deploy/secure/maintain my own server, I'm really interested in Elastic Cloud and its features (X-Pack with Shield in particular).
The question is:
is it safe to perform direct queries to elasticsearch within mobile clients with Shield enabled?
I know that normally it's strongly discouraged to expose Elasticsearch to the web in general, so I was wondering if X-Pack could simplify the process for me.
Many thanks
Alessandro

Hello @The5785alex ,

Yes, you can safely expose Elasticsearch with X-Pack Security (formerly known as Shield) to your mobile app clients.

I will lay down the rough steps. You can find help for more specific questions on other topics in this forum.

You need to have a cluster with security enabled and set up TLS on its HTTP interface (or transport).

The CA certificate which signs the certificates of the cluster nodes (see generating certificates) can be distributed inside your packaged application (aka certificate pinning). You have to add this CA certificate to the truststore of your embedded elasticsearch HTTP client or transport client. This way you will achieve connection encryption and the authentication of the ES cluster to your mobile app client.

You still need to solve authenticating the app to the cluster. See how authn works and specifically native or pki authn realms. X-Pack exposes APIs for creating users, BUT you will have to manage the process of registering and tying the credentials to a specific app installation and/or user device. This might be platform dependent. As for the passing of credentials from the mobile app via the HTTP client, I recommend trying the token service. Otherwise, basic auth is king.

https://www.elastic.co/guide/en/x-pack/current/how-authc-works.html
https://www.elastic.co/guide/en/elasticsearch/reference/6.2/configuring-tls.html#node-certificates
https://www.elastic.co/guide/en/elasticsearch/reference/6.2/security-settings.html#http-tls-ssl-settings

hth

Hello Albert,
first of all, many thanks for your kind and detailed reply, I really appreciate it.
I'll need a bit to familiarize myself with the documentation you linked me but it's definitely a good point that Shield allows a safe direct connection with Elasticsearch: I really needed a confirmation before facing this new challenge!
Kind regards
Alessandro

Just because you can, doesn't mean you should.

X-Pack security can make this relatively safe, but you still need to worry about Denial of Service issues, how you will handle passwords and authentication from the clients, how you will manage upgrades (both from a potential downtime point of view, and from an API compatibility point of view).

Personally, I would always put some sort of proxy in between my mobile/web clients and the Elasticsearch servers.
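
The proxy approach from the post above, sketched as an added example that is not part of the thread or Elastic's own code: the proxy accepts only a tiny search payload from the app and builds the Elasticsearch request body itself, which bounds query cost and keeps the client API stable across cluster upgrades. The index name, field names and limits are assumptions.

```python
# Added example: request validation for a thin proxy in front of Elasticsearch.
# Index name, field names and limits are assumptions, not from the thread.
import json

INDEX = "products"                  # hypothetical index the app may search
SEARCH_FIELD = "title"              # hypothetical field exposed to clients
RETURN_FIELDS = ["title", "price"]  # hypothetical fields returned to the app
MAX_BODY_BYTES = 512
MAX_QUERY_CHARS = 100
MAX_PAGE_SIZE = 20
MAX_OFFSET = 200                    # refuses deep pagination


class RejectedRequest(ValueError):
    """The client payload is outside what the proxy allows."""


def build_search(raw_body: bytes):
    """Turn an untrusted client payload into a fixed-shape search request.

    Returns (path, body); the proxy sends it with its own credentials,
    so no Elasticsearch password ever ships inside the mobile app.
    """
    if len(raw_body) > MAX_BODY_BYTES:
        raise RejectedRequest("payload too large")
    try:
        req = json.loads(raw_body)
    except ValueError:
        raise RejectedRequest("not JSON")
    if not isinstance(req, dict) or set(req) - {"q", "size", "offset"}:
        raise RejectedRequest("unexpected fields")
    q = req.get("q")
    if not isinstance(q, str) or not q.strip() or len(q) > MAX_QUERY_CHARS:
        raise RejectedRequest("bad query text")
    size, offset = req.get("size", 10), req.get("offset", 0)
    for n in (size, offset):
        if isinstance(n, bool) or not isinstance(n, int) or n < 0:
            raise RejectedRequest("bad paging value")
    if offset > MAX_OFFSET:
        raise RejectedRequest("offset too deep")
    body = {
        # "match" treats q as plain text: no query_string syntax, scripts
        # or aggregations are reachable from the client.
        "query": {"match": {SEARCH_FIELD: {"query": q.strip()}}},
        "size": min(size, MAX_PAGE_SIZE),
        "from": offset,
        "_source": RETURN_FIELDS,
        "timeout": "2s",
    }
    return f"/{INDEX}/_search", body
```

Rate limiting per client and the app-to-proxy authentication are separate concerns and are not shown here.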

Hello @TimV,
thanks for your clarification.
As you can easily understand, I'm focused on the mobile client side and I lack experience in the server and security fields. I typically integrate my apps with pure managed services: for example I use Firebase platform for storage, database etc. Firebase functions for logic and so on.
According to your statement, more work is involved in deploying an Elastic Cloud cluster than the "click to install" I supposed it to be.
Is there any plan to provide this kind of experience for your cloud service in the future?
