‼ Why is metricbeat contacting metadata.tencentyun.com?

Following some issues with our 6.x Elastic stack deployment, I deployed a new cluster to Google Cloud Platform in Belgium running Elasticsearch 7.3.2. I also updated our Filebeat deployment on our Kubernetes cluster to v7.3.2, and installed Metricbeat v7.3.2 using the official Helm chart provided by Elastic at https://helm.elastic.co and Packetbeat v7.3.2 using custom Kubernetes resource manifests. The Metricbeat DaemonSet is running docker.elastic.co/beats/metricbeat:7.3.2 as expected.

What I did not expect to find was Packetbeat reporting a large number of requests to tencentyun.com. Digging into the source of these requests, I was surprised to find it is the Metricbeat pods pinging this domain (query: IN AAAA metadata.tencentyun.com), approximately once per second. What is going on here?

All other domains identified by Packetbeat are expected ones for our system: google.com, cluster.local, es.io, etc. This one is the only one that is unexplained, and I'm really surprised and concerned that it's coming from an Elastic product.

Take a look at https://github.com/elastic/beats/issues/11145 for more details on this.

TLDR it's expected due to the add_cloud_metadata.

1 Like

Great, thanks @warkolm for the quick reply. I couldn't find that issue after searching the internet and GitHub specifically. Odd.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.