Kibana to Elastic node xpack.security.http.ssl.enabled

Looking for some insight on the following.

Current configuration

Elastic nodes (using internal CA) configured with xpack.security.http.ssl.enabled:true so things like Kibana and Logstash outputs can connect via HTTPS. Also a prerequisite for APM: "APM configuration as of v8 requires the configuration of basic security for the Elastic Stack plus secured HTTPS traffic."

This works well except that we have AWS Lambda configured to make an HTTP connection directly to a classic load balancer (passing port 9200 through) that points to our 3 Elasticsearch nodes. Obviously, if we have Lambda make an HTTPS connection to our nodes, it would fail as it doesn't trust our internal CA.

Would there be any issues if we didn't configure each Elasticsearch node with xpack.security.http.ssl.enabled:true and simply pointed Kibana, Logstash outputs, etc. at a load balancer that offloaded HTTPS with our public cert? Lambda would trust the public CA and not fail.

The only issue I see is that the Elasticsearch nodes would not be configured with xpack.security.http.ssl.enabled:true and therefore would still allow HTTP connections. AWS security groups would be the only protection we'd have?
