Multiple VPC Private Link Endpoints in one ES Deployment

Hi there,

We currently have a VPC per environment in our AWS, e.g. beta, pre, staging, and production. I've followed the instructions here to set up the AWS PrivateLink/traffic filtering for our VPC: AWS Privatelink traffic filters | Elasticsearch Service Documentation | Elastic. I can connect with one VPC; however, I want to also allow other VPCs (other environments). It seems that this configuration is only one-to-one, e.g. one deployment per VPC. I want to associate multiple VPC private endpoints with just our single deployment cluster on ES. Is there any way I can do this? Thanks


Yes, you can create and associate more than one VPC endpoint to connect to a deployment. We allow one to many configurations both through the UI and the APIs.


Hi there,

I am at this stage in the Route 53 where you configure the private hosted zone for the endpoint. Specifically when it says this:

Then create a DNS CNAME alias pointing to the PrivateLink Endpoint. Add the record to a private DNS zone in your VPC. Use * as the record name, and the VPC endpoint DNS name as a value.

I added one VPC endpoint DNS name as a value, but when I add another VPC endpoint DNS name to that CNAME record I get an error.

With the image above, there's only one VPC endpoint, but if I add other VPC endpoints (just a newline after the first endpoint), it doesn't allow me to. How do I go about adding the other VPC endpoints' DNS names to my private hosted zone in Route 53?

@Daniel.X, are you trying to create multiple endpoints for the same region? Is there a reason you are trying to do this? There are other options for doing this: create another PHZ and another record under that, so you can use another domain for this endpoint.

Hi Shubha,

We have different VPCs for each environment we have, e.g. pre, beta, staging, and production. So I had to create multiple PrivateLink endpoints, one for each of these VPCs, to connect with ES. Yes, they are all in the same region (ap-southeast-2). So in this case, I can only create one PHZ, e.g. vpce.ap-southeast-2.aws.elastic-cloud.com. Any advice on how I can create or add my other VPC endpoints to my PHZ?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Hi @Daniel.X,

Sorry we've dropped the ball on this one. Given you use Elastic Cloud would you mind opening a support ticket with us? (please point to this thread as well).


We have different VPCs for each environment we have, e.g. pre, beta, staging, and production.

If I understand this correctly you have a VPC per environment (e.g. the VPC for production, a different VPC for staging, etc.). Then you should be able to create a Private Hosted Zone per VPC. All hosted zones would have the same name.

Would something like that work for you:

If your architecture looks more like this:

Then indeed I'm afraid this is not supported.

I can offer the following workaround:

  • This may require a bit of maintenance on your side.
  • Say you have two deployments:
    • aaa-deployment with url: https://aaa-deployment.es.ap-east-1.aws.elastic-cloud.com:9243
    • bbb-deployment with url: https://bbb-deployment.es.ap-east-1.aws.elastic-cloud.com:9243
  • And two VPC endpoints:
    • (1) vpce-111.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com
    • (2) vpce-222.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com
  • You want to use aaa with endpoint 111, and bbb with endpoint 222.

You could add the following records to the Private Hosted Zone:

CNAME aaa-deployment.es.vpce.ap-east-1.aws.elastic-cloud.com	vpce-111.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com
CNAME aaa-deployment.kb.vpce.ap-east-1.aws.elastic-cloud.com	vpce-111.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com
CNAME aaa-deployment.apm.vpce.ap-east-1.aws.elastic-cloud.com	vpce-111.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com
CNAME aaa-deployment.fleet.vpce.ap-east-1.aws.elastic-cloud.com	vpce-111.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com
CNAME aaa-deployment.ent.vpce.ap-east-1.aws.elastic-cloud.com	vpce-111.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com

CNAME bbb-deployment.es.vpce.ap-east-1.aws.elastic-cloud.com	vpce-222.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com
CNAME bbb-deployment.kb.vpce.ap-east-1.aws.elastic-cloud.com	vpce-222.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com
CNAME bbb-deployment.apm.vpce.ap-east-1.aws.elastic-cloud.com	vpce-222.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com
CNAME bbb-deployment.fleet.vpce.ap-east-1.aws.elastic-cloud.com	vpce-222.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com
CNAME bbb-deployment.ent.vpce.ap-east-1.aws.elastic-cloud.com	vpce-222.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com

This explicitly maps deployments to endpoints.

Hope that helps. Let us know if this makes sense and feel free to open a support ticket.
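The explicit deployment-to-endpoint mapping above is easy to get wrong by hand (ten records per pair, and a CNAME pointing at an endpoint in another region or another PrivateLink service silently misroutes traffic). The following is an added example, not code from the thread or from Elastic: it validates such a mapping and generates the Route 53 ChangeBatch for it. The zone name and endpoint names are the placeholders from the post above, not real endpoints; the five service subdomains are the ones used in the post's records.

```python
import re

# Service subdomains Elastic Cloud exposes under a deployment's PrivateLink name
# (the five used in the records in the post above).
SERVICES = ("es", "kb", "apm", "fleet", "ent")

# Constructed sample mirroring the post's workaround: the endpoint names are the
# post's placeholders, not real VPC endpoints.
ZONE = "vpce.ap-east-1.aws.elastic-cloud.com"
MAPPING = {
    "aaa-deployment": "vpce-111.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com",
    "bbb-deployment": "vpce-222.ap-east-1.vpce-svc-0f96fbfaf55558d5c.vpce.amazon.aws.com",
}
ENDPOINT_RE = re.compile(r"^vpce-[0-9a-f]+\.(?P<region>[a-z0-9-]+)\.(?P<svc>vpce-svc-[0-9a-f]+)\.")


def check_mapping(zone, mapping):
    """Return problems (empty list = consistent): every endpoint must sit in the zone's
    region and all must front the same PrivateLink service, or a CNAME misroutes traffic."""
    region = zone.split(".")[1]  # zone is "vpce.<region>.aws.elastic-cloud.com"
    problems, services = [], set()
    for deployment, endpoint in mapping.items():
        m = ENDPOINT_RE.match(endpoint)
        if not m:
            problems.append(f"{deployment}: unrecognised endpoint name {endpoint}")
            continue
        if m["region"] != region:
            problems.append(f"{deployment}: endpoint region {m['region']} differs from zone region {region}")
        services.add(m["svc"])
    if len(services) > 1:
        problems.append(f"endpoints span several PrivateLink services: {sorted(services)}")
    return problems


def build_change_batch(zone, mapping, ttl=60):
    """Build the Route 53 ChangeBatch that UPSERTs one CNAME per deployment and service."""
    problems = check_mapping(zone, mapping)
    if problems:
        raise ValueError("; ".join(problems))
    changes = []
    for deployment, endpoint in sorted(mapping.items()):
        for svc in SERVICES:
            rrset = {"Name": f"{deployment}.{svc}.{zone}.", "Type": "CNAME", "TTL": ttl,
                     "ResourceRecords": [{"Value": endpoint}]}
            changes.append({"Action": "UPSERT", "ResourceRecordSet": rrset})
    return {"Comment": "explicit deployment-to-endpoint mapping", "Changes": changes}
```

The returned dict, written to a file, is what `aws route53 change-resource-record-sets --hosted-zone-id <ID> --change-batch file://batch.json` expects; run it once against the private hosted zone of each environment VPC.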

This topic was automatically closed after 5 days. New replies are no longer allowed.