Contact UsGet started

Networking in Managed Service for Elasticsearch

Written by
Updated at October 14, 2024

Warning

Yandex Managed Service for Elasticsearch is unavailable as of April 11, 2024.

You can create an OpenSearch cluster in Yandex Cloud as an alternative to Elasticsearch.

When creating a cluster, you can:

  • Specify a network for the entire cluster.
  • Specify subnets for each host in the cluster.
  • Request public access to connect to cluster hosts with the Data node role from outside Yandex Cloud.

You can create a cluster without specifying any subnets for the hosts if the availability zone selected for each host contains exactly one subnet of the cluster network.

Host name and FQDN

Managed Service for Elasticsearch generates a name for each cluster host when it is created. This name will be the host's fully qualified domain name (FQDN). The host name and, consequently, FQDN cannot be changed.

To learn how to get a host FQDN, see this guide.

You can use the FQDN to access the host within a single cloud network. For more information, see the Yandex Virtual Private Cloud documentation.

Public access to a host

Any cluster host can be accessible from outside Yandex Cloud if you requested public access when creating the host. To connect to such a host, use its FQDN.

You cannot request public access after creating a host.

When deleting a host with a public FQDN, the assigned IP address is revoked.

Security groups

Security groups follow the All traffic that is not allowed is prohibited principle. To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or other security groups.

For example, let's assume public access is enabled for a host with the Data node role. If there is no security group rule that allows connecting to it from the internet on port 443, you will not be able to connect to the Kibana web interface. Furthermore, you will not be able to access a host either, unless it has a security group rule configured that explicitly allows incoming traffic on port 9200.

Tip

If you connect to a cluster from within its cloud network, configure security groups both for the cluster and the connecting host.

Specifics of working with security groups:

  • Even if the cluster and host are in the same security group, rules allowing traffic between them must be in place to establish a connection to the cluster from that host. By default, such rules are included in the security group created together with the cloud network. They are the Self rules that allow unlimited traffic within a security group.

  • Security group settings only affect whether it will be possible to connect to the cluster. They do not affect cluster features, such as replication, sharding, and backups.

For more information, see the Virtual Private Cloud documentation.

Previous
Host classes
Next
Quotas and limits