Please review my multi-client ELK infrastructure design

Hi!

I'm new to Elastic, and evaluating how I would use it for a business I am considering creating.

The business is a Managed Security Service Provider (MSSP). I would like to collect logs from my client's endpoints and servers, bring that data into elastic, then perform aggregate security analysis across all client data. Each client should also have access to a kibana dashboard customised for their business, which only has access to their business's data.

From reading the documentation, I came up with the following high level infrastructure plan. I would absolutely love if someone could provide feedback on:

1. Will this design work? Have I understood the docs about clustering correctly?
2. Can I do this with multi-cluster design using Elastic Cloud? or AWS Elasticsearch?
3. Any improvements/tips/issues?

Thank you very much!

Untitled Diagram (1).jpg1334×1161 181 KB

The architecture you have outlined will rely on you hosting the clusters yourself, as I do not believe Elastic Cloud nor AWS Elasticsearch currently supports cross-cluster search.

If using Elastic Cloud, where you have access to role-based access controls, you could change the architecture and have a single cluster for all clients. You could then provide them access to their indices using different roles. The Kibana hosted within Elastic Cloud would be your Master Kibana Dashboard, covering all data.

In order to give each client access to their own dashboards, you could host a Kibana instance (or more than one for HA) outside Elastic Cloud for each client, and let each client have their own Kibana index, e.g. .kibana-clientA in the central cluster.