
Connect to deployments in a different Elastic Cloud Enterprise environment

This section explains how to configure a deployment to connect remotely to clusters belonging to a different Elastic Cloud Enterprise environment.

If network security filters are applied to the remote cluster on ECE, the remote cluster administrator must configure an IP filter to allow connections from the IP addresses (or CIDR ranges) of the local ECE allocator hosts; the connection is made by the allocators, not by the Cloud UI or the proxies. For more information, refer to Remote clusters and network security.

Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps.

API key

For deployments based on Elastic Stack 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model uses a dedicated remote cluster server endpoint, on port 9443 by default, and gives administrators fine-grained control over remote access. The API key is created on the remote cluster and defines the maximum permissions available to all cross-cluster requests made with it, while local user roles can further restrict, but never extend, those permissions.

Starting with Elastic Stack 9.3, the API key security model also supports strong identity verification, adding an extra layer of security. With this feature, the API key can be restricted so that it is only usable by requests that present an allowed certificate identity, which the remote cluster validates during authentication.

TLS certificate (deprecated in Elastic Stack 9.0.0)
This model uses mutual TLS authentication over the Elasticsearch transport interface for cross-cluster operations. User authentication is performed on the local cluster and a user's role names are passed to the remote cluster for authorization. Because a superuser on the local cluster automatically gains full read access to the remote cluster, this model is only suitable for clusters within the same security domain.

Follow these steps to configure the API key security model for remote clusters. If you run into any issues, refer to Troubleshooting.

  • The local and remote deployments must be on Elastic Stack 8.14 or later.
  • Unlike the certificate-based security model, the API key model does not require mutual trust between clusters; only the local cluster is required to trust the remote cluster's certificate.
  1. On the remote cluster, use the Elasticsearch API or Kibana to create a cross-cluster API key. Configure it to include access to the indices you want to use for cross-cluster search or cross-cluster replication.
  2. Copy the encoded key (the encoded field in the response, not the separate id or api_key fields) to a safe location. It is required for the local cluster configuration.
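As an added example (not code from the Elastic documentation), the following Python builds the request body for the cross-cluster API key created in step 1 and checks that the value copied in step 2 really is the encoded field, which is the base64 encoding of id:api_key, rather than the bare api_key or id. The key name, index patterns and the sample response are constructed for this example.

```python
import base64
import binascii
import json


def build_cross_cluster_key_request(name, search_patterns, replication_patterns=(), expiration=None):
    """Body for POST /_security/cross_cluster/api_key, sent to the REMOTE cluster.

    search_patterns      -> indices the local cluster may query (cross-cluster search)
    replication_patterns -> indices the local cluster may follow (cross-cluster replication)
    Only the patterns listed here are reachable through the key; local roles can
    narrow this set later but never widen it.
    """
    access = {"search": [{"names": list(search_patterns)}]}
    if replication_patterns:
        access["replication"] = [{"names": list(replication_patterns)}]
    body = {"name": name, "access": access}
    if expiration:  # for example "90d"; omit for a key that does not expire
        body["expiration"] = expiration
    return body


def decode_encoded_key(encoded):
    """Validate the value about to be pasted into the Cloud UI.

    The 'encoded' field of the create response is base64("<id>:<api_key>").
    Returns (id, api_key), or raises ValueError when the operator copied the
    bare 'api_key' or 'id' field instead (a common cause of failed connections).
    """
    try:
        raw = base64.b64decode(encoded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("value is not the base64 'encoded' field") from exc
    key_id, sep, secret = raw.partition(":")
    if not (sep and key_id and secret):
        raise ValueError("decoded value is not in id:api_key form")
    return key_id, secret


# Constructed sample create response; the id and api_key values are made up.
SAMPLE_RESPONSE = {
    "id": "VuaCfGcBCdbkQm-e5aOx",
    "name": "ccs-logs-from-local-ece",
    "api_key": "ui2lp2axTNmsyakw9tvNnw",
    "encoded": "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw==",
}

if __name__ == "__main__":
    request = build_cross_cluster_key_request(
        "ccs-logs-from-local-ece", ["logs-*"], ["follower-source-*"], expiration="90d"
    )
    print(json.dumps(request, indent=2))
    print(decode_encoded_key(SAMPLE_RESPONSE["encoded"]))
```

Run the request body against the remote cluster with the Kibana Dev Tools console or curl, then pass the response's encoded field through decode_encoded_key before saving it; a ValueError means the wrong field was copied.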

The API key created previously is needed by the local deployment to authenticate with the corresponding set of permissions to the remote deployment. To enable this, add the API key to the local deployment's keystore.

The steps to follow depend on whether the Certificate Authority (CA) of the remote ECE environment’s proxy or load balancing infrastructure is public or private.

The CA is public
  1. Log into the Cloud UI.

  2. On the Deployments page, select your deployment.

    Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.

  3. From the navigation menu, select Security.

  4. Locate Remote Connections > Trust management > Connections using API keys and select Add API key.

    1. Fill both fields.

      • For the Remote cluster name, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
      • For the Cross-cluster API key, paste the encoded cross-cluster API key.
    2. Click Add to save the API key.

  5. Restart the local deployment to reload the new setting. To do that, go to the deployment's main page, locate the Actions menu, and select Restart Elasticsearch.

    Note

    If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys.

If you need to update the remote connection with different permissions later, refer to Change a cross-cluster API key used for a remote connection.

The CA is private

Before configuring the local deployment, retrieve the CA certificate of the remote ECE proxy. To find this certificate:

  1. In the remote ECE environment, go to Platform > Settings > TLS certificates.

  2. Select Show certificate chain under Proxy.

  3. Click Copy root certificate and paste it into a new file. The root certificate is the last certificate shown in the chain.

    (Figure: certificate to copy from the chain)

  4. Save the file as .crt.

You can now proceed to configure the local deployment. The CA file you saved will be used in one of the following steps.

    1. Log in to the Cloud UI.

    2. On the Deployments page, select your deployment.

      Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.

    3. From the navigation menu, select Security.

    4. Select Remote Connections > Add trusted environment and choose Elastic Cloud Enterprise. Then click Next.

    5. Select API keys as the authentication mechanism and click Next.

    6. When asked whether the Certificate Authority (CA) of the remote environment’s proxy or load-balancing infrastructure is public, select No, it is private.

    7. Add the API key:

      1. Fill both fields.

        • For the Remote cluster name, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
        • For the Cross-cluster API key, paste the encoded cross-cluster API key.
      2. Click Add to save the API key.

      3. Repeat these steps for each API key you want to add. For example, if you want to use several clusters of the remote environment for CCR or CCS.

    8. Add the CA certificate of the remote environment.

    9. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment's Security page.

    10. Select Create trust to complete the configuration.

    11. Restart the local deployment to reload the new settings. To do that, go to the deployment's main page, locate the Actions menu, and select Restart Elasticsearch.

      Note

      If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys.

    If you need to update the remote connection with different permissions later, refer to Change a cross-cluster API key used for a remote connection.

    To configure the TLS certificate security model for remote clusters in other ECE environments, you first need to establish a bi-directional trust relationship between both ECE environments' platforms:

    1. Download the certificate and copy the environment ID from your first ECE environment under Platform > Trust Management > Trust parameters.
    2. Create a new trust relationship in the other ECE environment under Platform > Trust Management > Trusted environments using the certificate and environment ID from the previous step.
    3. Download the certificate and copy the environment ID from your second ECE environment and create a new trust relationship with those in the first ECE environment.

    Now, deployments in those environments will be able to configure trust with deployments in the other environment. Trust must always be bi-directional (local cluster must trust remote cluster and vice versa) and it can be configured in each deployment’s security settings.

    1. Access the Security page of the deployment you want to use for cross-cluster operations.

    2. Select Remote Connections > Add trusted environment and choose Elastic Cloud Enterprise. Then click Next.

    3. Select Certificates as the authentication mechanism and click Next.

    4. From the dropdown, select one of the environments configured in Configuring platform level trust.

    5. Choose one of the following options to configure the level of trust with the ECE environment:

      • All deployments - This deployment trusts all deployments in the ECE environment, including new deployments when they are created. Only use this when both environments are in the same security domain, since every present and future cluster there gains the access described under the TLS certificate model.
      • Specific deployments - Specify which of the existing deployments you want to trust in the ECE environment. The full Elasticsearch cluster ID must be entered for each remote cluster. The Elasticsearch Cluster ID can be found on the deployment overview page under Applications.
    6. Select Create trust to complete the configuration.

    7. Configure the corresponding deployments of the ECE environment to trust this deployment. You will only be able to connect two deployments successfully when both of them trust each other.

    Note that the environment ID and cluster IDs must be entered fully and correctly. For security reasons, no verification of the IDs is possible. If cross-environment trust does not appear to be working, double-checking the IDs is a good place to start.

    Using the API

    You can update a deployment using the appropriate trust settings for the Elasticsearch payload.

    Establishing the trust between the two Elastic Cloud Enterprise environments can be done using the trust relationships API. For example, the list of trusted environments can be obtained by calling the list trust relationships endpoint:

    curl -k -X GET -H "Authorization: ApiKey $ECE_API_KEY" "https://$COORDINATOR_HOST:12443/api/v1/regions/ece-region/platform/configuration/trust-relationships?include_certificate=false"

    The -k flag disables TLS certificate verification of the coordinator; drop it once the ECE coordinator's CA is trusted by the client.

    For each remote ECE environment, it will return something like this:

    {
      "id": "83a7b03f2a4343fe99f09bd27ca3d9ec",
      "name": "ECE2",
      "trust_by_default": false,
      "account_ids": [
        "651598b101e54ccab1bfdcd8b6e3b8be"
      ],
      "local": false,
      "last_modified": "2022-01-09T14:33:20.465Z"
    }

    In order to trust a deployment with cluster ID cf659f7fe6164d9691b284ae36811be1 (NOTE: use the Elasticsearch cluster ID, not the deployment ID) in the environment named ECE2, you need to update the trust settings with an external trust relationship like this:

    {
      "trust": {
        "accounts": [
          {
            "account_id": "ec38dd0aa45f4a69909ca5c81c27138a",
            "trust_all": true
          }
        ],
        "external": [
          {
            "trust_relationship_id": "83a7b03f2a4343fe99f09bd27ca3d9ec",
            "trust_all": false,
            "trust_allowlist": [
              "cf659f7fe6164d9691b284ae36811be1"
            ]
          }
        ]
      }
    }
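Because ECE cannot verify the IDs you enter (see the note above), it is worth generating this payload from the trust relationships list rather than typing it by hand. The following Python is an added example, not Elastic's code: it takes the list returned by the endpoint above (reproduced from the page's sample output), looks up the remote environment by name, insists that every ID is a complete 32-character hex ID, and emits the trust block shown above. The local account ID is the one from the page's example.

```python
import json
import re

HEX_ID = re.compile(r"^[0-9a-f]{32}$")

# Sample output of the list trust relationships endpoint, taken from the page's example.
TRUST_RELATIONSHIPS = [
    {
        "id": "83a7b03f2a4343fe99f09bd27ca3d9ec",
        "name": "ECE2",
        "trust_by_default": False,
        "account_ids": ["651598b101e54ccab1bfdcd8b6e3b8be"],
        "local": False,
    },
]


def require_full_id(value, what):
    """ECE performs no verification of IDs, so reject anything that is not a
    complete 32-character lowercase hex ID before it reaches the API."""
    if not isinstance(value, str) or not HEX_ID.match(value):
        raise ValueError(f"{what} {value!r} is not a full 32-hex ECE ID")
    return value


def build_trust(relationships, env_name, remote_cluster_ids, local_account_id):
    """Build the 'trust' block of the Elasticsearch resource payload.

    Trusts only the listed Elasticsearch cluster IDs (not deployment IDs) in the
    remote environment env_name, and keeps trust_all for the local account.
    """
    matches = [r for r in relationships if r["name"] == env_name and not r.get("local")]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one remote trust relationship named {env_name!r}")
    relationship_id = require_full_id(matches[0]["id"], "trust_relationship_id")
    allowlist = [require_full_id(c, "cluster id") for c in remote_cluster_ids]
    if not allowlist:
        raise ValueError("trust_all is false, so trust_allowlist must not be empty")
    return {
        "trust": {
            "accounts": [
                {"account_id": require_full_id(local_account_id, "account_id"), "trust_all": True}
            ],
            "external": [
                {
                    "trust_relationship_id": relationship_id,
                    "trust_all": False,
                    "trust_allowlist": allowlist,
                }
            ],
        }
    }


if __name__ == "__main__":
    payload = build_trust(
        TRUST_RELATIONSHIPS,
        "ECE2",
        ["cf659f7fe6164d9691b284ae36811be1"],
        "ec38dd0aa45f4a69909ca5c81c27138a",
    )
    print(json.dumps(payload, indent=2))
```

A deployment ID pasted where a cluster ID belongs is still 32 hex characters, so this check catches truncation and case errors but not that mix-up; compare the value against the Elasticsearch Cluster ID shown under Applications on the deployment overview page.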

    You can now connect remotely to the trusted clusters.

    On the local cluster, add the remote cluster using Kibana or the Elasticsearch API.

    Note

    This configuration of remote clusters uses the Proxy mode and requires the ECE allocators to be able to connect to the remote address endpoint.

    To add a remote cluster in Kibana:

    1. Go to the Remote Clusters management page in the navigation menu or use the global search field.

    2. Select Add a remote cluster.

    3. In Select connection type, choose the authentication mechanism you prepared earlier (API keys or Certificates), and then click Next.

    4. In Add connection information, fill in the following fields:

      • Remote cluster name: This cluster alias is a unique identifier that represents the connection to the remote cluster and is used to distinguish local and remote indices.

        When using API key authentication, this alias must match the Remote cluster name you configured when adding the API key in the Cloud UI.

      • Remote address: This value can be found on the Security page of the Elastic Cloud Enterprise deployment you want to use as a remote. Copy the Proxy address from the Remote cluster parameters section.

        Note

        If you're using API keys as the security model, change the port to 9443.

      • Configure advanced options (optional): Expand this section if you need to customize additional settings.

        • TLS server name: Specify a value if the certificate presented by the remote cluster is signed for a different name than the remote address.

          This value can be found on the Security page of the Elastic Cloud Enterprise deployment you want to use as a remote. Copy the Server name from the Remote cluster parameters section.

        • Socket connections: Define the number of connections to open with the remote cluster.

      For a full list of available client connection settings, refer to the remote cluster settings reference.

    5. Click Next.

    6. In Confirm setup, click Add remote cluster (you have already established trust in a previous step).

    Note

    If you're having issues establishing the connection and the remote cluster is part of an Elastic Cloud Enterprise environment with a private certificate, make sure that the proxy address and server name match the certificate information. For more information, refer to Administering endpoints in Elastic Cloud Enterprise.

    To add a remote cluster, use the cluster update settings API. Configure the following fields:

    • Remote cluster alias: When using API key authentication, the cluster alias must match the one you configured when adding the API key in the Cloud UI as Remote cluster name.

    • mode: proxy

    • proxy_address: This value can be found on the Security page of the Elastic Cloud Enterprise deployment you want to use as a remote. Copy the Proxy address from the Remote cluster parameters section.

      Using the API, this value can be obtained from the Elasticsearch resource info by concatenating the field metadata.endpoint and port 9400 with a colon.

      Note

      If you're using API keys as the security model, change the port to 9443.

    • server_name: This value can be found on the Security page of the Elastic Cloud Enterprise deployment you want to use as a remote. Copy the Server name from the Remote cluster parameters section.

      Using the API, this can be obtained from the Elasticsearch resource info field metadata.endpoint.

    This example shows the API call to add or update a remote cluster. The alias alias-for-my-remote-cluster must match the remote cluster name used when adding the API key to the deployment:

    PUT /_cluster/settings
    {
      "persistent": {
        "cluster": {
          "remote": {
            "alias-for-my-remote-cluster": {
              "mode": "proxy",
              "proxy_address": "<REMOTE_CLUSTER_ADDRESS>:9443",
              "server_name": "<REMOTE_CLUSTER_SERVER_NAME>"
            }
          }
        }
      }
    }

    For a full list of available client connection settings in proxy mode, refer to the remote cluster settings reference.
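The three fields above are easy to get subtly wrong (an alias with uppercase letters, the 9400 transport port with an API key, a port or scheme left in the server name). As an added example, not code from the Elastic documentation, the following Python derives the whole settings body from the remote resource's metadata.endpoint and the chosen security model, applying the alias rule from the Cloud UI and the port rule from the page. The endpoint host name is an assumption made for the example.

```python
import json
import re

# Alias rule stated by the Cloud UI: lowercase letters, numbers, dashes and underscores only.
ALIAS_RE = re.compile(r"^[a-z0-9_-]+$")

# Remote cluster server port used with cross-cluster API keys, and the transport
# port used with the certificate model (both values from the page).
API_KEY_PORT = 9443
CERTIFICATE_PORT = 9400


def remote_cluster_settings(alias, endpoint, security_model):
    """Build the body of PUT /_cluster/settings for a proxy-mode remote cluster.

    endpoint is metadata.endpoint of the remote Elasticsearch resource. It is used
    both as the proxy host and as the TLS server_name, so a wrong value surfaces as
    a certificate name mismatch rather than a refused connection.
    """
    if not ALIAS_RE.match(alias):
        raise ValueError(f"alias {alias!r} must contain only lowercase letters, numbers, '-' or '_'")
    if ":" in endpoint or "/" in endpoint:
        raise ValueError("endpoint must be a bare host name, without port or scheme")
    ports = {"api_key": API_KEY_PORT, "certificate": CERTIFICATE_PORT}
    if security_model not in ports:
        raise ValueError("security_model must be 'api_key' or 'certificate'")
    return {
        "persistent": {
            "cluster": {
                "remote": {
                    alias: {
                        "mode": "proxy",
                        "proxy_address": f"{endpoint}:{ports[security_model]}",
                        "server_name": endpoint,
                    }
                }
            }
        }
    }


def credentials_setting(alias):
    """Secure keystore setting Elasticsearch reads the cross-cluster API key from.

    The Cloud UI fills this in from the Remote cluster name you entered; the alias in
    the settings body must match it or the key is never sent.
    """
    if not ALIAS_RE.match(alias):
        raise ValueError(f"alias {alias!r} is not a valid remote cluster name")
    return f"cluster.remote.{alias}.credentials"


if __name__ == "__main__":
    # Assumed endpoint for the example; take yours from metadata.endpoint.
    endpoint = "a1b2c3d4e5f6.ece.example.internal"
    print(json.dumps(remote_cluster_settings("alias-for-my-remote-cluster", endpoint, "api_key"), indent=2))
    print(credentials_setting("alias-for-my-remote-cluster"))
```

Apply the printed body with PUT /_cluster/settings on the local cluster; for the certificate model pass "certificate" instead of "api_key" and the port becomes 9400.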

    If you're using the API key–based security model for cross-cluster replication or cross-cluster search, you can define user roles with remote indices privileges on the local cluster to further restrict the permissions granted by the API key. The effective access is the intersection of the two: an index must be covered both by the key's access definition on the remote cluster and by the user's remote_indices on the local cluster. For more details, refer to Configure roles and users.
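The "restrict but never extend" rule is the security property of the API key model, so it is worth seeing it evaluated. The following Python is an added example, not Elastic's code: it builds a local role body with remote_indices scoped to one connection alias and then evaluates, for a constructed list of remote index names, which indices a user of that role can actually search through a key whose search access covers logs-* only. Pattern matching uses fnmatch's * as a stand-in for Elasticsearch's index-pattern wildcard; the index names, alias and privilege list are assumptions for the example.

```python
from fnmatch import fnmatchcase

# Privileges a read-only cross-cluster search role typically carries (assumed here).
CCS_READ_PRIVILEGES = ["read", "read_cross_cluster", "view_index_metadata"]

# Constructed names of indices that exist on the remote cluster.
REMOTE_INDICES = ["logs-app-2024", "logs-db-2024", "metrics-host-2024", ".security-7"]

# Search access granted by the cross-cluster API key on the REMOTE cluster.
KEY_SEARCH_PATTERNS = ["logs-*"]


def build_local_role(alias, remote_patterns, privileges=CCS_READ_PRIVILEGES):
    """Body for PUT /_security/role/<name> on the LOCAL cluster.

    remote_indices scopes the user to remote_patterns when searching through the
    remote connection named alias; any index outside them is invisible even if the
    key itself would allow it.
    """
    return {
        "remote_indices": [
            {"clusters": [alias], "names": list(remote_patterns), "privileges": list(privileges)}
        ]
    }


def can_search(index, key_search_patterns, role_remote_patterns):
    """Effective access is the intersection of the two sides: the API key (remote
    cluster) and the role's remote_indices (local cluster) must both cover the index."""
    granted_by_key = any(fnmatchcase(index, p) for p in key_search_patterns)
    granted_by_role = any(fnmatchcase(index, p) for p in role_remote_patterns)
    return granted_by_key and granted_by_role


def effective_indices(candidates, key_search_patterns, role_remote_patterns):
    """Sorted list of candidate indices reachable under both grants."""
    return sorted(i for i in candidates if can_search(i, key_search_patterns, role_remote_patterns))


if __name__ == "__main__":
    narrow = build_local_role("alias-for-my-remote-cluster", ["logs-app-*"])
    wide = build_local_role("alias-for-my-remote-cluster", ["logs-*", "metrics-*"])
    # The narrow role restricts: only logs-app-* survives.
    print(effective_indices(REMOTE_INDICES, KEY_SEARCH_PATTERNS, narrow["remote_indices"][0]["names"]))
    # The wide role cannot extend: metrics-* stays out because the key never granted it.
    print(effective_indices(REMOTE_INDICES, KEY_SEARCH_PATTERNS, wide["remote_indices"][0]["names"]))
```

Field- and document-level restrictions in the key's access definition compose the same way: the local role can tighten them but nothing a local administrator defines reaches data the key does not already expose.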

