Connecting to an Elasticsearch cluster
Warning
Yandex Managed Service for Elasticsearch is unavailable as of April 11, 2024.
You can create an OpenSearch cluster in Yandex Cloud as an alternative to Elasticsearch.
You can connect to the hosts in the Managed Service for Elasticsearch cluster with the Data node role:
- Over the internet, if you configured public access for the appropriate host.
- From Yandex Cloud VM instances hosted in the same virtual network.
Regardless of the connection method, Managed Service for Elasticsearch accepts only encrypted (SSL/TLS) connections to cluster hosts. The host certificates are issued by the Yandex Cloud CA, so every client must have that CA certificate (see below) to verify the host it connects to.
Configuring security groups
To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or from other security groups.
Rule settings depend on the connection method you select:
Connecting over the internet:
Configure all the cluster security groups to allow incoming traffic from any IP on ports 443 (Kibana GUI and Kibana API) and 9200 (Elasticsearch). To do this, create the following rules for incoming traffic (a separate rule is created for each port):
- Port range: 443, 9200
- Protocol: TCP
- Source: CIDR
- CIDR blocks: 0.0.0.0/0
A source of 0.0.0.0/0 exposes both ports to the whole internet, so the cluster is then protected only by TLS and its user passwords; if the set of client addresses is known, narrow the CIDR blocks to those ranges.
Connecting from a VM in Yandex Cloud:
Configure all the cluster security groups to allow incoming traffic on ports 443 (Kibana GUI and Kibana API) and 9200 (Elasticsearch) from the security group where your VM is located. To do this, create the following rules for incoming traffic in these security groups (a separate rule is created for each port):
- Port range: 443, 9200
- Protocol: TCP
- Source: Security group
- Security group: If your cluster and VM are in the same security group, select Current (Self). Otherwise, specify the VM security group.
Configure all the security groups where your VM is located to allow connections to the VM and traffic between the VM and the cluster hosts. For example, you can set the following rules for a VM:
For incoming traffic (a separate rule is created for each port):
- Port range: 22, 443, 9200
- Protocol: TCP
- Source: CIDR
- CIDR blocks: 0.0.0.0/0
Port 22 is for SSH access to the VM; where possible, limit its source to your administrative address ranges rather than 0.0.0.0/0.
For outgoing traffic:
- Port range: 0-65535
- Protocol: Any
- Destination name: CIDR
- CIDR blocks: 0.0.0.0/0
This rule allows all outgoing traffic, which lets you not only connect to the cluster but also install the certificate and the utilities your VM needs for the connection.
Note
You can specify more detailed rules for your security groups, e.g., to allow traffic only in specific subnets.
You must configure security groups correctly for all subnets in which the cluster hosts will reside. If security group settings are incomplete or incorrect, you may lose access to the cluster.
For more information about security groups, see Security groups.
Getting an SSL certificate
To use an encrypted connection, get the Yandex Cloud CA certificate.
Linux (Bash):
mkdir -p ~/.elasticsearch && \
wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
--output-document ~/.elasticsearch/root.crt && \
chmod 0600 ~/.elasticsearch/root.crt
The certificate is saved to the ~/.elasticsearch/root.crt file.
Windows (PowerShell):
mkdir $HOME\.elasticsearch; curl.exe -o $HOME\.elasticsearch\root.crt https://storage.yandexcloud.net/cloud-certs/CA.pem
The certificate is saved to the $HOME\.elasticsearch\root.crt file.
Elasticsearch host FQDN
To connect to a host, you need its fully qualified domain name (FQDN). You can obtain it in one of the following ways:
- In the management console, copy the command for connecting to the cluster. This command contains the host FQDN. To get the command, go to the cluster page and click Connect.
- Look up the FQDN in the management console:
  - Go to the cluster page.
  - Go to Hosts.
  - Copy the Host FQDN column value.
Cluster hosts also use special FQDNs, described below.
Automatically selecting a host for connection
When connecting to an Elasticsearch cluster, you can:
- In the connection strings, explicitly specify the names of the hosts with the Data node role. This approach is suitable for any connection method. For example, you can use it to connect over the internet if public access is only enabled for certain hosts.
- Use a special FQDN, such as c-<Elasticsearch_cluster_ID>.rw.mdb.yandexcloud.net (e.g., https://c-e4ut2....rw.mdb.yandexcloud.net). The host to connect to is selected randomly among all the hosts with the Data node role. Use this approach only if you have enabled public access for all hosts with the Data node role, or if you are connecting exclusively from Yandex Cloud instances; otherwise the name may resolve to a host your client cannot reach, and connections will fail intermittently.
Before you connect from a Docker container
To connect to a Managed Service for Elasticsearch cluster from a Docker container, add the following lines to the Dockerfile. They install the wget and curl utilities and download the Yandex Cloud CA certificate into the image:
RUN apt-get update && \
apt-get install wget curl --yes && \
mkdir --parents ~/.elasticsearch && \
wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
--output-document ~/.elasticsearch/root.crt && \
chmod 0600 ~/.elasticsearch/root.crt
Note that ~ is expanded at build time to the home directory of the user the RUN instruction executes as (root unless a USER instruction precedes it). If the container later runs as a different user, point the client at the actual path of root.crt or copy the file to a location that user can read.
Examples of connection strings
The Linux examples were tested in the following environment:
- Virtual machine in Yandex Cloud running Ubuntu 20.04 LTS from Cloud Marketplace.
- Bash: 5.0.16.
- Python: 3.8.2; pip3: 20.0.2.
- Go: 1.13.8.
The Windows examples were tested in the following environment:
- A local machine with Windows 10 Pro build 19042.1052.
- PowerShell: 5.1.19041.
Before connecting, prepare the CA certificate as described above.
To connect, enter the username and password you specified when creating the cluster.
To see code examples with the host FQDN already filled in, open the cluster page in the management console and click Connect.
Connecting through a browser (Kibana)
If a host with the Data node role is assigned a public IP address:
- Before connecting, install the SSL certificate in your browser's trusted root certificate store (instructions for Mozilla Firefox).
- In your browser, go to one of the addresses:
  - https://c-<Elasticsearch_cluster_ID>.rw.mdb.yandexcloud.net, if a public IP address is assigned to all hosts with this role. You can get the cluster ID with a list of clusters in the folder.
  - https://<FQDN_of_any_Data_Node_host_with_public_IP>.mdb.yandexcloud.net
- Enter your username and password.
Note
When using the Kibana API:
- To send requests, use port 443 instead of standard port 5601.
- Add the SSL certificate path to your application's configuration to use the API. For example, for Winlogbeat, specify the path in the ssl.certificate_authorities variable.
If no host with the Data node role is assigned a public IP address:
- Connect to the virtual machine over SSH.
- Install the dependencies:
  sudo apt update && sudo apt install -y nginx ssl-cert
- Copy the downloaded SSL certificate to the /etc/nginx/ directory:
  sudo cp ~/.elasticsearch/root.crt /etc/nginx/root.crt
- Edit the NGINX default configuration file, /etc/nginx/sites-available/default, for example, like this:
  upstream es-datanodes {
      server <FQDN_of_Data_Node_host_1>:443;
      ...
      server <FQDN_of_Data_Node_host_N>:443;
  }
  server {
      listen 443 ssl;
      ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
      ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
      server_name _;
      location / {
          proxy_pass https://es-datanodes;
          proxy_ssl_trusted_certificate /etc/nginx/root.crt;
          proxy_ssl_session_reuse on;
      }
  }
  You can also use the proxy_pass directive with a special FQDN: proxy_pass https://c-<Elasticsearch_cluster_ID>.rw.mdb.yandexcloud.net.
  Note that proxy_ssl_trusted_certificate only tells NGINX which CA to use; verification of the cluster host certificate is off by default and is enabled only by also setting proxy_ssl_verify on (together with proxy_ssl_server_name on, and proxy_ssl_name set to a name the host certificate covers when proxying to an upstream group). Without it, the hop from the proxy to the cluster is encrypted but the proxy accepts any certificate.
  Warning
  This configuration file example uses a self-signed snakeoil certificate from the ssl-cert package. It is not safe to use this certificate for a real deployment. Instead of the self-signed certificate, specify the paths to your own public certificate and private key in the ssl_certificate and ssl_certificate_key directives.
- Restart NGINX:
  sudo systemctl restart nginx
- Add the certificate specified in the ssl_certificate directive to the browser's trusted root certificate store (instructions for Mozilla Firefox).
- In your browser, open https://<VM_public_IP_address>.
- Enter your username and password.
Note
When using the Kibana API:
- To send requests, use port 443 instead of standard port 5601.
- Add the SSL certificate path to your application's configuration to use the API. For example, for Winlogbeat, specify the path in the ssl.certificate_authorities variable.
Command example for connecting via SSL (Bash):
curl \
--user <username>:<password> \
--cacert ~/.elasticsearch/root.crt \
--request GET 'https://c-<Elasticsearch_cluster_ID>.rw.mdb.yandexcloud.net:9200/'
Command example for connecting via SSL (PowerShell):
curl `
-Certificate <absolute_path_to_certificate_file> `
-Uri https://c-<Elasticsearch_cluster_ID>.rw.mdb.yandexcloud.net:9200 `
-Credential <username>
In the window that opens, enter the user's password.
In Windows PowerShell, curl is an alias of Invoke-WebRequest, not the curl.exe used above to download the certificate. Invoke-WebRequest checks the server certificate against the Windows trusted root certificate store, and its -Certificate parameter supplies a client certificate rather than a trust anchor, so the CA must be trusted by Windows for the check to pass; alternatively, run curl.exe with --cacert as in the Bash example.
Before connecting, install the dependencies:
sudo apt update && sudo apt install --yes python3 python3-pip && \
pip3 install elasticsearch==7.17.2
Code example for connecting via SSL:
connect.py
import os
from elasticsearch import Elasticsearch

# The TLS layer takes the CA path literally and does not expand "~",
# so expand it explicitly.
ES_CA = os.path.expanduser('~/.elasticsearch/root.crt')
ES_USER = '<username>'
ES_PASS = '<password>'
ES_HOSTS = [
    "<FQDN_of_Elasticsearch_host_1_with_the_Data_Node_role>",
    ...,
    "<FQDN_of_Elasticsearch_host_N_with_the_Data_node_role>"
]

conn = Elasticsearch(
    ES_HOSTS,
    http_auth=(ES_USER, ES_PASS),
    use_ssl=True,         # connect over TLS (port 9200 by default)
    verify_certs=True,    # reject hosts whose certificate does not chain to ES_CA
    ca_certs=ES_CA)
print(conn.info())
conn.close()
Connection:
python3 connect.py
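The following is an added example written for this page; it is not code from Yandex Cloud or from the elasticsearch client library. It shows, with only the Python standard library, what the client examples on this page do implicitly: trust is pinned to the downloaded CA file alone (not the system store), hostname verification stays on, credentials go in an HTTP Basic header, and a certificate failure or a wrong password is reported as such instead of being retried on the next host. It also implements the first approach from "Automatically selecting a host for connection", trying explicitly listed Data node FQDNs in order. The host names, username, password and the helper names (build_ssl_context, cluster_info, first_reachable) are placeholders and assumptions of this example; the fetch parameter exists so the failover logic can be exercised without a cluster.

```python
import base64
import http.client
import json
import os
import ssl

# Placeholders, as on the rest of this page.
ES_CA = "~/.elasticsearch/root.crt"
ES_PORT = 9200
ES_USER = "<username>"
ES_PASS = "<password>"
ES_HOSTS = [
    "<FQDN_of_Elasticsearch_host_1_with_the_Data_Node_role>",
    "<FQDN_of_Elasticsearch_host_N_with_the_Data_Node_role>",
]


def build_ssl_context(ca_path):
    """TLS context that trusts only the given CA file and checks the host name.

    PROTOCOL_TLS_CLIENT does not load the system CA store, so a host is accepted
    only if its certificate chains to the Yandex Cloud CA. "~" is expanded here
    because load_verify_locations takes the path literally; a missing file raises
    immediately rather than leaving an empty trust store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=os.path.expanduser(ca_path))
    return ctx


def basic_auth_header(user, password):
    """Authorization header value for HTTP Basic authentication."""
    token = base64.b64encode("{}:{}".format(user, password).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def cluster_info(host, user, password, ctx, port=ES_PORT, timeout=10):
    """GET / on one Data node over TLS and return the parsed JSON body.

    ssl.SSLCertVerificationError propagates if the host certificate does not
    chain to the CA in ctx; HTTP 401/403 becomes PermissionError so a bad
    certificate is never mistaken for bad credentials.
    """
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/", headers={
            "Authorization": basic_auth_header(user, password),
            "Accept": "application/json",
        })
        resp = conn.getresponse()
        body = resp.read()
        if resp.status in (401, 403):
            raise PermissionError("{}: HTTP {} (check username/password)".format(host, resp.status))
        if resp.status != 200:
            raise RuntimeError("{}: HTTP {}: {!r}".format(host, resp.status, body[:200]))
        return json.loads(body)
    finally:
        conn.close()


def first_reachable(hosts, user, password, ctx, fetch=cluster_info):
    """Try Data nodes in order; return (host, info) for the first one that answers.

    Only transport errors (DNS failure, refused connection, timeout) move on to
    the next host. Certificate and credential errors are client-side problems
    and are raised at once, so they cannot be masked by a "working" host.
    """
    last_err = None
    for host in hosts:
        try:
            return host, fetch(host, user, password, ctx)
        except (ssl.SSLCertVerificationError, PermissionError):
            raise
        except OSError as err:
            last_err = err
    raise ConnectionError("no Data node reachable: {!r}".format(last_err))


if __name__ == "__main__":
    context = build_ssl_context(ES_CA)
    host, info = first_reachable(ES_HOSTS, ES_USER, ES_PASS, context)
    print(host, info.get("cluster_name"), info.get("version", {}).get("number"))
```

Run it as python3 tls_check.py after filling in the placeholders; if it prints the cluster name and version, the CA file, host names and credentials are all consistent, and the same values can be used in the library examples above.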
Before connecting, install the dependencies:
sudo apt update && sudo apt install --yes golang git && \
go get github.com/elastic/go-elasticsearch
Code example for connecting via SSL:
connect.go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"io/ioutil"
	"log"
	"net/http"

	"github.com/elastic/go-elasticsearch"
)

// Full path to the Yandex Cloud CA certificate: Go does not expand "~".
var ES_CA = "/home/<home_directory>/.elasticsearch/root.crt"
var ES_USER = "<username>"
var ES_PASS = "<password>"

// Data node addresses; Elasticsearch listens for TLS on port 9200.
var ES_HOSTS = []string{
	"https://<FQDN_of_Elasticsearch_host_1_with_the_Data_Node_role>:9200",
	...,
	"https://<FQDN_of_Elasticsearch_host_N_with_the_Data_Node_role>:9200"}

func main() {
	caCert, err := ioutil.ReadFile(ES_CA)
	if err != nil {
		log.Fatal(err)
	}
	// Trust only the Yandex Cloud CA. AppendCertsFromPEM returns false when
	// nothing was parsed; an empty pool would make every connection fail with
	// an unclear x509 error, so check the result here.
	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caCert) {
		log.Fatalf("no certificates found in %s", ES_CA)
	}
	cfg := elasticsearch.Config{
		Addresses: ES_HOSTS,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs: caCertPool, // host certificates must chain to this CA
			},
		},
		Username: ES_USER,
		Password: ES_PASS,
	}
	conn, err := elasticsearch.NewClient(cfg)
	if err != nil {
		log.Fatalf("Error creating the client: %s", err)
	}
	res, err := conn.Info()
	if err != nil {
		log.Fatalf("Error getting the cluster info: %s", err)
	}
	defer res.Body.Close()
	log.Println(res)
}
Unlike the other examples, this code must contain the full path to the CA.pem certificate for Elasticsearch in the ES_CA variable, because Go does not expand ~.
Connection:
go run connect.go
To learn how to get a host FQDN, see this guide.
If the connection is successful, general information about the Elasticsearch cluster will be displayed.