Use envoy proxy between elasticsearch nodes

Is it possible to use envoy proxy between elasticsearch nodes? The purpose is to enable tls verifications for any communication between nodes through envoy proxy.

I am still in the early stage of this task, but would like to know if this is even feasible.

Here is the plan

  1. For a data node, I would like it to talk to the local envoy proxy first,
  2. then the local envoy proxy redirects this TCP request to the remote envoy proxy over TLS,
  3. and the remote envoy proxy redirects this TCP request to the remote ES port (say 9300) "locally".

In short, I would like to have envoy proxy as a bridge to handle the communication security for es.

Almost certainly not, at least not easily, but others probably have more info - generally, the whole cluster needs to see & talk directly to the rest of the cluster - all the masters talk, all data nodes talk for replication, and everyone talks to the masters, DIRECTLY and in a mesh.

You are trying to replicate that, on different IPs, and ports.

And the IP/ports on which nodes talk to each other is maintained internally and pushed out, not like host files you can just tweak in traditional systems. The cluster has a master list of all nodes, IPs, and ports, and all the nodes use that, so that has to be your envoy IPs/ports.

That said, there are network settings where you can control the advertised IP and port, mostly for things like Docker where these won't be known directly to the running instance - if you had a true envoy mesh and knew in advance the mesh config, IPs and ports, I guess you could try to build this up but I'm not sure you can get beyond the cluster forming and then nodes joining to get their lists.

See the docs on network settings and advertisements - suggest you try with two nodes first, then add one, etc. :wink:

Yeah, what Steve said, it's probably possible with sufficient effort but it's very tricky to get 100% right. The effort seems unnecessary, Elasticsearch natively supports TLS on node-to-node connections.

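For reference, the native node-to-node TLS that the reply above points to is configured in `elasticsearch.yml` on every node. The settings below are an added example written for this thread, not configuration posted by anyone in it; the certificate file names under `certs/` are assumptions (paths are relative to the Elasticsearch config directory), and every node needs its own key and certificate signed by the same CA.

```yaml
# elasticsearch.yml (added example; file names under certs/ are assumed)
xpack.security.enabled: true

# Encrypt the transport layer (port 9300 by default) between nodes.
xpack.security.transport.ssl.enabled: true

# Verify the peer certificate AND its hostname/IP. "certificate" would skip the
# hostname check; "none" disables verification and gives encryption only.
xpack.security.transport.ssl.verification_mode: full

# Require the connecting node to present a certificate too (mutual TLS).
xpack.security.transport.ssl.client_authentication: required

# This node's identity and the CA that every node in the cluster trusts.
xpack.security.transport.ssl.key: certs/node.key
xpack.security.transport.ssl.certificate: certs/node.crt
xpack.security.transport.ssl.certificate_authorities: [ "certs/ca.crt" ]
```

With `verification_mode: full` the certificate's subject alternative names must cover the address each node advertises on the transport layer, which is the same advertised-address detail Steve raises above; a mismatch there shows up as the handshake exceptions the original poster mentions. Elasticsearch ships `bin/elasticsearch-certutil` for generating a CA and per-node certificates, which is the simplest way to get the files referenced here.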

Thanks for the reply

Yeah, I felt the pain and saw how messy the log is with tons of handshake exceptions. Thanks for the detailed info Steve! I will move to the native TLS way as David suggested.
