Restrict communication to elsticsearch cluster using searchguard


I would like to restrict elasticsearch cluster communication to certain IPs using searchguard plugin.

I have researched alot on this and could not find a solution for this.

I found that it is possible with Shield and X-pack plugins, but my goal is to achieve this with searchguard.

Please help me to find a solution for this.

Disclaimer: I work for floragunn, the makers of Search Guard.

Search Guard has a different approach for that requirement. We use TLS certificates to control which machines can connect to your cluster. TLS is mandatory on the transport layer and cannot be switched off. So only machines with a valid certificate signed by your Root CA are allowed to join. This offers a more flexible solution since you can add machines without having to re-configure Elasticsearch/Search Guard. In addition, you can configure Search Guard to verify the hostnames in the certificates, and you can check the hostnames against your DNS. By using intermediate certificates, it's also easy to revoke certificates if necessary. We believe this offers a better and more flexible approach than to just use IP restrictions.

You can read more about the Search Guard TLS configuration in the official documentation.

For client/REST communication, you can also use hostname verification to control access.

There's also our Search Guard Google Group for any Search Guard specific questions.

I want to connect to elasticsearch cluster from other IPs that were not configured for cluster, that means:

I have a 3 node cluster with
a) XXX.XXX.X.59 as master
b) XXX.XXX.X.60 and XXX.XXX.X.61 as data nodes.

I have installed searchguard plugin on all these nodes and generated TLS certificates by running script.

now I want to restrict the communication of this cluster to other external IPs say: XXX.XXX.X.70, XXX.XXX.X.62 .

Do I need to generate certificates for above IPs also?

How can I do this. What changes do I need to make for elasticsearch.yml file

Please provide me assistance.

I think you'd have more luck asking on the searchguard forums :slight_smile:

Ok Thank you .

Can I use NGINX to restrict IPs for elasticsearch communication.

If yes please provide me the steps.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.