AWS Elasticsearch VPC connectivity

amazon-web-services elasticsearch networking aws-elasticsearch

timothyclifford · Nov 21, 2017 · Viewed 8.9k times · Source

I've created an Elasticsearch domain in AWS.

It's added to my VPC inside a public subnet and I've attached a security group which is currently completely open.

I have this policy attached also:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-central-1:ACCOUNT_ID:domain/DOMAIN_NAME/*"
    }
  ]
}

I am trying to access an endpoint locally but it doesn't seem to be allowed.

The Kibana URL for example is:

https://vpc-bla.bla.bla.eu-central-1.es.amazonaws.com/_plugin/kibana/

Any idea why I'm not able to access this URL?

Answer

After much trial and error, I found the URL generated by ES is internal and cannot be opened to the internet easily via security groups.

Instead, I deployed an simple nginx proxy which forwarded public DNS requests eg es.mydns.com to the internal DNS eg vpc....eu-central-1.es.amazonaws.com/_plugin/kibana/

More nginx info here.

AWS Elasticsearch VPC connectivity

Answer

Related questions