[need help] Securing a cluster's node communication with Let's Encrypt, nodes on different machines in the cloud

Usually, to secure an Elasticsearch cluster (especially communication between nodes, or between the nodes or the cluster and Kibana or anything else over HTTPS), if all nodes and Kibana are in the same infrastructure, we use certutil in Elasticsearch to create a CA that will issue certificates (for example elastic-stack-ca.p12), and generate certificates signed by that CA, whether for internal communication (for example elastic-certificates.p12), for SSL on each node like http.p12, for SSL on Kibana like kibana-server.crt and its key kibana-server.key, or for communication between Kibana and the cluster's nodes like elasticsearch-ca.pem.

And if the infrastructure has a central CA, I can sign my certificates with it to secure HTTP for the nodes and Kibana... (but not for the intercommunication between nodes in the cluster, because for the transport layer it's recommended to use a separate, dedicated CA instead of an existing, possibly shared CA so that node membership is tightly controlled. That's why we use the elasticsearch-certutil tool to generate a CA for our cluster.)

My question now is:
If my nodes are in the cloud in different places, and I have a Kibana instance connected to the cluster that groups all the nodes, how can I secure communication between the nodes in the cluster? Is it by using elastic-certificates.p12? And between that cluster's nodes and Kibana? And how about using Let's Encrypt SSL certificates?

Please guide me to the best security practices.

That doesn't change our recommendations. You should use a dedicated CA for the transport layer and your preferred public/corporate CA for HTTP.
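As an added illustration of the two-CA split recommended above (this is example configuration written for this thread, not the poster's files or Elastic's own documentation), here is how the settings named in the first post fit together: the transport layer trusts only the cluster-private CA produced by elasticsearch-certutil, while the HTTP layer and Kibana's own listener use a publicly trusted certificate (Let's Encrypt via certbot). Hostnames, the `certs/` directory and the deploy-hook copy step are assumptions; the setting names, the certutil commands and the certbot file names (`fullchain.pem`, `privkey.pem`) are real.

```yaml
# elasticsearch.yml (same settings on every node) -- added example, not from the thread

# --- Transport layer: dedicated, cluster-private CA ---------------------------
# Assumed one-time commands, run on one host, outputs copied to config/certs/ on every node:
#   bin/elasticsearch-certutil ca                               -> elastic-stack-ca.p12
#   bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12   -> elastic-certificates.p12
# The truststore contains ONLY this private CA, so a certificate issued by Let's Encrypt
# or a shared corporate CA is rejected at the transport port: node membership is gated by
# who holds elastic-stack-ca.p12, not by who can obtain a public certificate.
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate   # chain check against the private CA; hostnames are not checked
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# --- HTTP layer: publicly trusted certificate ----------------------------------
# Assumed: a certbot deploy hook copies the renewed files from
# /etc/letsencrypt/live/<hostname>/ into config/certs/ so the elasticsearch user can read them;
# Elasticsearch re-reads changed TLS files, so renewals do not need a restart.
# Clients (Kibana, Logstash, browsers) verify this endpoint with the public root they already
# trust and never need the private CA. es-node-1.example.com is a placeholder hostname.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: certs/fullchain.pem
xpack.security.http.ssl.key: certs/privkey.pem

---
# kibana.yml -- added example, not from the thread

# Kibana's own browser-facing listener, also with a Let's Encrypt certificate
# (kibana.example.com is a placeholder hostname; paths are assumptions).
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/fullchain.pem
server.ssl.key: /etc/kibana/certs/privkey.pem

# Kibana talks to the cluster over the HTTP layer only. Because the node's HTTP certificate
# chains to a public root, no elasticsearch.ssl.certificateAuthorities entry is required;
# Kibana never participates in the transport layer, so it never receives elastic-certificates.p12.
elasticsearch.hosts: ["https://es-node-1.example.com:9200"]
```

The check worth running after deployment is that the transport truststore really contains nothing but the private CA: if a public or corporate CA were added to `xpack.security.transport.ssl.truststore.path`, any host that could obtain a certificate from that CA would pass the transport handshake, which is exactly the membership problem the dedicated CA is there to prevent.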

Hello Tim,

Thank you for taking the time to answer.

Another question, please: usually, in the case of a managed SOC for a client, do you install the reverse proxies + Kafka ... + Logstash + Elasticsearch in the client's infrastructure and the Kibana instances at the SOC-managing company? Or are there better and more common approaches?