Getting started with Managed Service for OpenSearch

Written by

Yandex Cloud

Improved by

Updated at April 25, 2025

Getting started
Create a cluster
Configure security groups
Connect to the cluster
Connect to OpenSearch Dashboards
What's next

To get started with the service:

Getting started

Log in to the management console or sign up if you do not have an account yet.
If you do not have a folder yet, create one:
1. In the management console, select the appropriate cloud from the list on the left.
2. At the top right, click Create folder.
3. Give your folder a name. The naming requirements are as follows:
  - It must be from 2 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
4. Optionally, specify the description for your folder.
5. Select Create a default network. This will create a network with subnets in each availability zone. Within this network, you will also have a default security group, inside which all network traffic will be allowed.
6. Click Create.
Assign the vpc.user role and the managed-opensearch.editor role or higher to your Yandex Cloud account. These roles allow you to create a cluster.

To link the service account to a cluster, e.g., to use Yandex Object Storage, your account also needs the iam.serviceAccounts.user role or higher.

Note

If you are unable to manage roles, contact your cloud or organization administrator.
You can connect to an OpenSearch cluster both from inside Yandex Cloud and from the internet:
- To connect from inside Yandex Cloud, create a Linux VM in the same network as the cluster.
- To connect to a cluster from the internet, request public access to hosts with the DATA role when creating the cluster.

Note

These instructions assume that you are connecting to the cluster from the internet.

Create a cluster

In the management console, select the folder where you want to create a cluster.
Select Managed Service for OpenSearch.
Click Create cluster. For more information, see Creating clusters.
Set the cluster parameters.

To gain access to the OpenSearch Dashboards web interface, request public access. To do this, navigate to Virtual node group with the Dashboards group type and select Public access.

Tip

You can use OpenSearch Dashboards even if you can't request public access to the hosts (for example, for security reasons). To do this, proxy the connections via the virtual machine in Yandex Compute Cloud that is hosted in the same network as the cluster. For more information, see Connecting to OpenSearch Dashboards.
Click Create cluster.
Wait until the cluster is ready: its status on the Managed Service for OpenSearch dashboard changes to Creating and then to Alive. This may take some time.

Configure security groups

To connect to a cluster, security groups must include rules allowing traffic from certain ports, IP addresses, or from other security groups.

Settings of access policies depend on the connection method you select:

Over the internet

From a VM in Yandex Cloud

Configure all the cluster security groups to allow incoming traffic on ports 443 (Dashboards) and 9200 (OpenSearch) from any IP address. To do this, create the following rules for incoming traffic:

Port range: 443, 9200
Protocol: TCP
Source: CIDR
CIDR blocks: 0.0.0.0/0

A separate rule is created for each port.

Configure all the cluster security groups to allow incoming traffic on ports 443 (Dashboards) and 9200 (OpenSearch) from the security group where the VM is located. To do this, create the following rules for incoming traffic in these security groups:
- Port range: 443, 9200
- Protocol: TCP
- Source: Security group
- Security group: If your cluster and VM are in the same security group, select Current (Self). Otherwise, specify the VM security group.
A separate rule is created for each port.
Configure all the security groups where your VM is located to allow connections to the VM and traffic between the VM and cluster hosts.

For example, you can set the following rules for a VM:
- For incoming traffic:
  - Port range: 22, 443, 9200
  - Protocol: TCP
  - Source: CIDR
  - CIDR blocks: 0.0.0.0/0
  A separate rule is created for each port.
- For outgoing traffic:
  - Port range: 0-65535
  - Protocol: Any (Any)
  - Destination name: CIDR
  - CIDR blocks: 0.0.0.0/0
  This rule allows all outgoing traffic, thus enabling you not only to connect to the cluster but also to install the certificates and utilities your VM needs for the connection.

Note

You can specify more detailed rules for your security groups, e.g., to allow traffic only in specific subnets.

You must configure security groups correctly for all subnets in which the cluster hosts will reside. If security group settings are incomplete or incorrect, you may lose access to the cluster.

For more information about security groups, see Security groups.

Connect to the cluster

It is assumed that all the steps below are performed on Linux.

To connect to a cluster:

Install an SSL certificate:
Linux (Bash)/macOS (Zsh)

Windows (PowerShell)
```
mkdir -p ~/.opensearch && \
wget "https://storage.yandexcloud.net/cloud-certs/CA.pem" \
     --output-document ~/.opensearch/root.crt && \
chmod 0600 ~/.opensearch/root.crt
```
The certificate will be saved to the ~/.opensearch/root.crt file.
```
mkdir $HOME\.opensearch; curl.exe -o $HOME\.opensearch\root.crt https://storage.yandexcloud.net/cloud-certs/CA.pem
```
The certificate will be saved to the $HOME\.opensearch\root.crt file.

Corporate policies and antivirus software can block the download of certificates. For more information, see FAQ.

Connect to the cluster using cURL:

curl \
    --user admin:<password> \
    --cacert ~/.opensearch/root.crt \
    --request GET 'https://<FQDN_of_the_OpenSearch_host_with_the_DATA_role>:9200/'

To connect, enter admin for username and the password you set when creating the cluster.

A message like this is displayed if the connection is successful:

{
  "name" : "....mdb.yandexcloud.net",
  "cluster_name" : "...",
  "cluster_uuid" : "...",
  "version" : {
  "distribution" : "opensearch",
  ...
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Connect to OpenSearch Dashboards

In your browser, connect to the OpenSearch Dashboards web interface:
1. Make sure hosts with the DASHBOARDS role are publicly accessible.
2. Install the SSL certificate in your browser's trusted root certificate store (instructions for Mozilla Firefox).
3. On the cluster page in the management console, click OpenSearch Dashboards or go to https://c-<OpenSearch_cluster_ID>.rw.mdb.yandexcloud.net> in your browser.
4. Enter admin for username and the password you set when creating the cluster.
Explore a set of sample data:
1. On the OpenSearch Dashboards welcome screen, click Add sample data.
2. Next, click View data for the desired dataset.

Learn more about working with OpenSearch Dashboards in the OpenSearch documentation.

What's next

Read about service concepts.
Learn more about creating a cluster and connecting to a cluster.

Getting started with Managed Service for OpenSearch

Getting startedGetting started

Create a clusterCreate a cluster

Configure security groupsConfigure security groups

Connect to the clusterConnect to the cluster

Connect to OpenSearch DashboardsConnect to OpenSearch Dashboards