Getting started with Managed Service for OpenSearch
To get started with the service:
- Create a cluster.
- Configure security groups.
- Connect to the cluster.
- Connect to OpenSearch Dashboards.
Getting started
- Log in to the management console or sign up if you do not have an account yet.
- If you do not have a folder yet, create one:
  - In the management console, select the appropriate cloud from the list on the left.
  - At the top right, click Create folder.
  - Enter the folder name. The naming requirements are as follows:
    - The name must be from 3 to 63 characters long.
    - It may contain lowercase Latin letters, numbers, and hyphens.
    - The first character must be a letter and the last character cannot be a hyphen.
  - (Optional) Enter a description of the folder.
  - Select Create a default network. This will create a network with subnets in each availability zone. Within this network, a default security group will be created, inside which all network traffic is allowed.
  - Click Create.
- Make sure your account has the vpc.user role and the managed-opensearch.editor role or higher for creating a cluster.
  To link the service account to a cluster, e.g., to use Yandex Object Storage, your account also needs the iam.serviceAccounts.user role or higher.
- You can connect to an OpenSearch cluster both from inside Yandex Cloud and from the internet:
  - To connect from inside Yandex Cloud, create a Linux VM in the same network as the cluster.
  - To connect to a cluster from the internet, request public access to hosts with the DATA role when creating the cluster.
Note
These instructions assume that you are connecting to the cluster from the internet.
Create a cluster
- In the management console, select the folder where you want to create a cluster.
- Select Managed Service for OpenSearch.
- Click Create cluster. For more information, see Creating clusters.
- Set the cluster parameters.
  To gain access to the OpenSearch Dashboards web interface, request public access. To do this, navigate to Virtual node group with the Dashboards group type and select Public access.
  Tip
  You can use OpenSearch Dashboards even if you can't request public access to the hosts (for example, for security reasons). To do this, proxy the connections via the virtual machine in Yandex Compute Cloud that is hosted in the same network as the cluster. For more information, see Connecting to OpenSearch Dashboards.
- Click Create cluster.
- Wait until the cluster is ready: its status on the Managed Service for OpenSearch dashboard changes to Creating and then to Alive. This may take some time.
Configure security groups
To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or from other security groups.
Settings of access policies depend on the connection method you select.
To connect from the internet:
- Configure all the cluster security groups to allow incoming traffic on ports 443 (Dashboards) and 9200 (OpenSearch) from any IP address. To do this, create the following rules for incoming traffic:
  - Port range: 443, 9200
  - Protocol: TCP
  - Source: CIDR
  - CIDR blocks: 0.0.0.0/0
  A separate rule is created for each port.
To connect from a VM inside Yandex Cloud:
- Configure all the cluster security groups to allow incoming traffic on ports 443 (Dashboards) and 9200 (OpenSearch) from the security group where the VM is located. To do this, create the following rules for incoming traffic in these security groups:
  - Port range: 443, 9200
  - Protocol: TCP
  - Source: Security group
  - Security group: If your cluster and VM are in the same security group, select Current (Self). Otherwise, specify the VM security group.
  A separate rule is created for each port.
- Configure all the security groups where your VM is located to allow connections to the VM and traffic between the VM and cluster hosts.
  For example, you can set the following rules for a VM:
  - For incoming traffic:
    - Port range: 22, 443, 9200
    - Protocol: TCP
    - Source: CIDR
    - CIDR blocks: 0.0.0.0/0
    A separate rule is created for each port.
  - For outgoing traffic:
    - Port range: 0-65535
    - Protocol: Any (Any)
    - Destination name: CIDR
    - CIDR blocks: 0.0.0.0/0
    This rule allows all outgoing traffic, thus enabling you not only to connect to the cluster but also to install the certificates and utilities your VM needs for the connection.
Note
You can specify more detailed rules for your security groups, e.g., to allow traffic only in specific subnets.
You must configure security groups correctly for all subnets in which the cluster hosts will reside. If security group settings are incomplete or incorrect, you may lose access to the cluster.
For more information about security groups, see Security groups.
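The rules in this section use 0.0.0.0/0 as the source, and the note above says they can be made more specific. The following check is an added example, not part of the original documentation: it flags incoming rules that expose the ports named on this page (22, 443, 9200) to every address. The rule dictionaries are a constructed representation of the console fields, not the output format of any Yandex Cloud tool; 203.0.113.0/24 and vm-sg are placeholders.

```python
import ipaddress

# Ports this page opens: SSH to the VM, Dashboards, OpenSearch API.
SENSITIVE_PORTS = (22, 443, 9200)

def world_open_findings(rules, ports=SENSITIVE_PORTS):
    """Return sorted (port, cidr) pairs for ingress rules that expose a
    sensitive port to every address (a CIDR with prefix length 0)."""
    findings = set()
    for r in rules:
        if r["direction"] != "ingress":
            continue
        if r["protocol"].lower() not in ("tcp", "any"):
            continue
        # Rules whose source is a security group carry no CIDR blocks.
        for cidr in r.get("cidr_blocks", []):
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue
            for port in ports:
                if r["from_port"] <= port <= r["to_port"]:
                    findings.add((port, cidr))
    return sorted(findings)

def make_rule(direction, protocol, from_port, to_port, **source):
    """Build one rule in the constructed (hypothetical) format used here."""
    return {"direction": direction, "protocol": protocol,
            "from_port": from_port, "to_port": to_port, **source}

# Constructed sample 1: the VM rules shown on this page, one rule per port.
PAGE_VM_RULES = [make_rule("ingress", "TCP", p, p, cidr_blocks=["0.0.0.0/0"])
                 for p in (22, 443, 9200)]
PAGE_VM_RULES.append(
    make_rule("egress", "Any", 0, 65535, cidr_blocks=["0.0.0.0/0"]))

# Constructed sample 2: a narrowed variant. 203.0.113.0/24 is a documentation
# range standing in for an admin network; "vm-sg" is a hypothetical group name.
NARROWED_RULES = [
    make_rule("ingress", "TCP", 22, 22, cidr_blocks=["203.0.113.0/24"]),
    make_rule("ingress", "TCP", 443, 443, security_group="vm-sg"),
    make_rule("ingress", "TCP", 9200, 9200, security_group="vm-sg"),
]

if __name__ == "__main__":
    for name, rules in (("page", PAGE_VM_RULES), ("narrowed", NARROWED_RULES)):
        print(name, world_open_findings(rules))
```

Egress rules are ignored by design, so the page's allow-all outgoing rule produces no finding.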
Connect to the cluster
It is assumed that all the steps below are performed on Linux.
To connect to a cluster:
- Install an SSL certificate:

  Linux (Bash)/macOS (Zsh):

      mkdir -p ~/.opensearch && \
      wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
           --output-document ~/.opensearch/root.crt && \
      chmod 0600 ~/.opensearch/root.crt

  The certificate will be saved to the ~/.opensearch/root.crt file.

  Windows (PowerShell):

      mkdir $HOME\.opensearch; curl.exe --output $HOME\.opensearch\root.crt https://storage.yandexcloud.net/cloud-certs/CA.pem

  The certificate will be saved to the $HOME\.opensearch\root.crt file.

  Corporate policies and antivirus software can block the download of certificates. For more information, see FAQ.
- Connect to the cluster using cURL:

      curl \
        --user admin:<password> \
        --cacert ~/.opensearch/root.crt \
        --request GET 'https://<FQDN_of_the_OpenSearch_host_with_the_DATA_role>:9200/'

  To connect, enter admin for username and the password you set when creating the cluster.

  A message like this is displayed if the connection is successful:

      {
        "name" : "....mdb.yandexcloud.net",
        "cluster_name" : "...",
        "cluster_uuid" : "...",
        "version" : {
          "distribution" : "opensearch",
          ...
        },
        "tagline" : "The OpenSearch Project: https://opensearch.org/"
      }
Connect to OpenSearch Dashboards
- In your browser, connect to the OpenSearch Dashboards web interface:
  - Make sure hosts with the DASHBOARDS role are publicly accessible.
  - Install the SSL certificate in your browser's trusted root certificate store (instructions for Mozilla Firefox).
  - On the cluster page, in the management console, click OpenSearch Dashboards or go to https://c-<OpenSearch_cluster_ID>.rw.mdb.yandexcloud.net in your browser.
  - Enter admin for username and the password you set when creating the cluster.
- Explore a set of sample data:
  - On the OpenSearch Dashboards welcome screen, click Add sample data.
  - Next, click View data for the desired dataset.
Learn more about working with OpenSearch Dashboards in the OpenSearch documentation.
What's next
- Read about service concepts.
- Learn more about creating a cluster and connecting to a cluster.