Private connectivity with AWS PrivateLink
You can use AWS PrivateLink to establish a secure connection between your AWS Virtual Private Cloud (VPC) and your Elastic Cloud Hosted deployments and Elastic Cloud Serverless projects. AWS routes the PrivateLink traffic within the AWS network and never exposes it to the public internet.
AWS PrivateLink connects your Virtual Private Cloud (VPC) to the AWS-hosted services that you use, treating them as if they were in your VPC. You can create and use VPC endpoints to securely access AWS-hosted services.
You can also optionally filter traffic to your deployments or projects by creating Virtual Private Cloud (VPC) filters as part of a private connection policy in Elastic Cloud. This limits traffic to your deployment or project to the VPC endpoint specified in the policy, plus whatever the other policies applied to that deployment or project allow.
To learn how private connection policies affect your deployment or project, refer to Network security policies in Elastic Cloud.
Elastic Cloud Hosted and Elastic Cloud Serverless also support IP filters. You can apply both IP filters and private connections to a single Elastic Cloud resource.
Serverless projects require the Serverless Plus add-on to apply private connection policies. During the promotional period, applying a private connection policy to a project opts that project in to Serverless Plus.
You can opt out by disconnecting all policies from the project.
Before you begin, review the following considerations:
Private connectivity with AWS PrivateLink is supported only in AWS regions.
AWS interface VPC endpoints are configured for one or more availability zones (AZs). In some regions, the Elastic VPC endpoint service is not present in every AZ that the region offers, and you can only choose AZs that exist on both sides. Because AZ names (for example, us-east-1a) differ between AWS accounts, the tables of AWS regions below list the AZ ID (for example, use1-az4) of each AZ where the service is available.
Refer to interface endpoint availability zone considerations for more details.
Elastic charges for inter-node traffic regardless of whether nodes are in the same or different availability zones (AZs). As a result, placing the deployment nodes within a single AZ, instead of two or three, does not reduce inter-node costs.
On the customer VPC side, inter-AZ data transfer within the same AWS region toward AWS PrivateLink endpoints is free of charge, so you do not incur cross-AZ charges within your VPC when the target is the Elastic Cloud PrivateLink service endpoint. We recommend that you set up VPC endpoints in all supported Elastic Cloud AZs for the region for maximum throughput and resiliency.
If your VPC and the Elastic service overlap in two AZs or fewer, create subnets and VPC endpoints in your VPC in the same AZs where the Elastic PrivateLink service is present.
Elastic Cloud Serverless does not expose availability zones to you: you don't choose or see AZs for your project. On the AWS side, however, interface VPC endpoints are still configured for one or more AZs, and inter-AZ data transfer within the same region toward PrivateLink endpoints is free of charge. We recommend setting up VPC endpoints in all AZs where the Elastic Cloud PrivateLink service is present for your region, for maximum throughput and resiliency.
The transport client is not supported over PrivateLink connections.
Some service metadata, such as the private hosted zone domain name, differs between Elastic Cloud Hosted and Elastic Cloud Serverless, even within the same region.
Elastic sets up the PrivateLink service in all supported AWS regions under the following service names:
AWS public regions
| Region | VPC service name | Private hosted zone domain name | AZ names (AZ IDs) |
|---|---|---|---|
| af-south-1 | com.amazonaws.vpce.af-south-1.vpce-svc-0d3d7b74f60a6c32c | vpce.af-south-1.aws.elastic-cloud.com | af-south-1a (afs1-az1),af-south-1b (afs1-az2),af-south-1c (afs1-az3) |
| ap-east-1 | com.amazonaws.vpce.ap-east-1.vpce-svc-0f96fbfaf55558d5c | vpce.ap-east-1.aws.elastic-cloud.com | ap-east-1a (ape1-az1),ap-east-1b (ape1-az2),ap-east-1c (ape1-az3) |
| ap-northeast-1 | com.amazonaws.vpce.ap-northeast-1.vpce-svc-0e1046d7b48d5cf5f | vpce.ap-northeast-1.aws.elastic-cloud.com | ap-northeast-1b (apne1-az4),ap-northeast-1c (apne1-az1),ap-northeast-1d (apne1-az2) |
| ap-northeast-2 | com.amazonaws.vpce.ap-northeast-2.vpce-svc-0d90cf62dae682b84 | vpce.ap-northeast-2.aws.elastic-cloud.com | ap-northeast-2a (apne2-az1),ap-northeast-2b (apne2-az2),ap-northeast-2c (apne2-az3) |
| ap-south-1 | com.amazonaws.vpce.ap-south-1.vpce-svc-0e9c1ae5caa269d1b | vpce.ap-south-1.aws.elastic-cloud.com | ap-south-1a (aps1-az1),ap-south-1b (aps1-az3),ap-south-1c (aps1-az2) |
| ap-southeast-1 | com.amazonaws.vpce.ap-southeast-1.vpce-svc-0cbc6cb9bdb683a95 | vpce.ap-southeast-1.aws.elastic-cloud.com | ap-southeast-1a (apse1-az1),ap-southeast-1b (apse1-az2),ap-southeast-1c (apse1-az3) |
| ap-southeast-2 | com.amazonaws.vpce.ap-southeast-2.vpce-svc-0cde7432c1436ef13 | vpce.ap-southeast-2.aws.elastic-cloud.com | ap-southeast-2a (apse2-az1),ap-southeast-2b (apse2-az3),ap-southeast-2c (apse2-az2) |
| ca-central-1 | com.amazonaws.vpce.ca-central-1.vpce-svc-0d3e69dd6dd336c28 | vpce.ca-central-1.aws.elastic-cloud.com | ca-central-1a (cac1-az1),ca-central-1b (cac1-az2),ca-central-1d (cac1-az4) |
| eu-central-1 | com.amazonaws.vpce.eu-central-1.vpce-svc-081b2960e915a0861 | vpce.eu-central-1.aws.elastic-cloud.com | eu-central-1a (euc1-az2),eu-central-1b (euc1-az3),eu-central-1c (euc1-az1) |
| eu-central-2 | com.amazonaws.vpce.eu-central-2.vpce-svc-07deba12e07d77434 | vpce.eu-central-2.aws.elastic-cloud.com | eu-central-2a (euc2-az1),eu-central-2b (euc2-az2),eu-central-2c (euc2-az3) |
| eu-south-1 | com.amazonaws.vpce.eu-south-1.vpce-svc-03d8fc8a66a755237 | vpce.eu-south-1.aws.elastic-cloud.com | eu-south-1a (eus1-az1),eu-south-1b (eus1-az2),eu-south-1c (eus1-az3) |
| eu-north-1 | com.amazonaws.vpce.eu-north-1.vpce-svc-05915fc851f802294 | vpce.eu-north-1.aws.elastic-cloud.com | eu-north-1a (eun1-az1),eu-north-1b (eun1-az2),eu-north-1c (eun1-az3) |
| eu-west-1 | com.amazonaws.vpce.eu-west-1.vpce-svc-01f2afe87944eb12b | vpce.eu-west-1.aws.elastic-cloud.com | eu-west-1a (euw1-az2),eu-west-1b (euw1-az1),eu-west-1c (euw1-az3) |
| eu-west-2 | com.amazonaws.vpce.eu-west-2.vpce-svc-0e42a2c194c97a1d0 | vpce.eu-west-2.aws.elastic-cloud.com | eu-west-2a (euw2-az2),eu-west-2b (euw2-az3),eu-west-2c (euw2-az1) |
| eu-west-3 | com.amazonaws.vpce.eu-west-3.vpce-svc-0d6912d10db9693d1 | vpce.eu-west-3.aws.elastic-cloud.com | eu-west-3a (euw3-az1),eu-west-3b (euw3-az2),eu-west-3c (euw3-az3) |
| me-south-1 | com.amazonaws.vpce.me-south-1.vpce-svc-0381de3eb670dcb48 | vpce.me-south-1.aws.elastic-cloud.com | me-south-1a (mes1-az1),me-south-1b (mes1-az2),me-south-1c (mes1-az3) |
| sa-east-1 | com.amazonaws.vpce.sa-east-1.vpce-svc-0b2dbce7e04dae763 | vpce.sa-east-1.aws.elastic-cloud.com | sa-east-1a (sae1-az1),sa-east-1b (sae1-az2),sa-east-1c (sae1-az3) |
| us-east-1 | com.amazonaws.vpce.us-east-1.vpce-svc-0e42e1e06ed010238 | vpce.us-east-1.aws.elastic-cloud.com | us-east-1a (use1-az4),us-east-1b (use1-az6),us-east-1e (use1-az2) |
| us-east-2 | com.amazonaws.vpce.us-east-2.vpce-svc-02d187d2849ffb478 | vpce.us-east-2.aws.elastic-cloud.com | us-east-2a (use2-az1),us-east-2b (use2-az2),us-east-2c (use2-az3) |
| us-west-1 | com.amazonaws.vpce.us-west-1.vpce-svc-00def4a16a26cb1b4 | vpce.us-west-1.aws.elastic-cloud.com | us-west-1a (usw1-az1),us-west-1b (usw1-az2),us-west-1c (usw1-az3) |
| us-west-2 | com.amazonaws.vpce.us-west-2.vpce-svc-0e69febae1fb91870 | vpce.us-west-2.aws.elastic-cloud.com | us-west-2a (usw2-az2),us-west-2b (usw2-az1),us-west-2c (usw2-az3) |
GovCloud regions
| Region | VPC service name | Private hosted zone domain name |
|---|---|---|
| us-gov-east-1 (GovCloud) | com.amazonaws.vpce.us-gov-east-1.vpce-svc-0bba5ffa04f0cb26d | vpce.us-gov-east-1.aws.elastic-cloud.com |
To view the service metadata for your selected region, start to create a new private connection policy for the region and expand the Service metadata dropdown.
The process of setting up a private connection with AWS PrivateLink is split between the AWS console and the Elastic Cloud UI. These are the high-level steps:
| AWS console | Elastic Cloud |
|---|---|
| 1. Create a VPC endpoint using the Elastic Cloud service name. | 3. Optional: Create a private connection policy. A private connection policy is required to filter traffic using the VPC endpoint ID. |
| 2. Create a DNS record pointing to the VPC endpoint. | 4. Optional: Associate the private connection policy with deployments or projects. |
| | 5. Interact with your deployments or projects over PrivateLink. |
After you create your private connection policy, you can edit, disassociate, or delete it.
Private connection policies are optional for AWS PrivateLink. After the VPC endpoint and DNS record are created, private connectivity is established. You only need to create a private connection policy if you want to filter traffic to your deployment or project using VPC filters.
Before you begin, you should ensure your VPC endpoint is in all availability zones supported by Elastic Cloud for the region and resource type. Placing your VPC endpoint in all supported Elastic Cloud availability zones for the region improves throughput and resiliency when connecting over PrivateLink.
For Elastic Cloud Hosted deployments, if your VPC is not in all supported availability zones, traffic can become imbalanced, saturating some coordinating nodes while underutilizing others, which might impact performance.
You can find the zone name to zone ID mapping with the AWS CLI:

```shell
$ aws ec2 describe-availability-zones --region us-east-1 | jq -c '.AvailabilityZones[] | { id: .ZoneId, name: .ZoneName }' | sort
{"id":"use1-az1","name":"us-east-1c"}
{"id":"use1-az2","name":"us-east-1e"}
{"id":"use1-az3","name":"us-east-1d"}
{"id":"use1-az4","name":"us-east-1a"}
{"id":"use1-az5","name":"us-east-1f"}
{"id":"use1-az6","name":"us-east-1b"}
```

The mapping will be different for your region and account. Our production VPC service for us-east-1 is located in use1-az2, use1-az4, and use1-az6. For the preceding mapping, the VPC endpoint must be created in at least one of us-east-1e, us-east-1a, us-east-1b.
This limitation does not apply to cross-region PrivateLink connections. If you're creating a cross-region connection, you don't need to check that your VPC is present in all availability zones.
Create a VPC endpoint in your VPC using the service name for your region.
Refer to the AWS documentation for additional details on creating a VPC interface endpoint to an endpoint service.
Select PrivateLink Ready partner services as the endpoint type. Use the service name for your region as the Service name.
The security group for the endpoint should, at minimum, allow inbound connectivity from your instances' CIDR range on ports 443 and 9243. Security groups for the instances should allow outbound connectivity to the endpoint on ports 443 and 9243.
You can also create a cross-region endpoint. Refer to Setting up a cross-region Private Link connection.
Create a DNS record.
Create a private hosted zone.
For Elastic Cloud Hosted, refer to the Private hosted zone domain name column in the PrivateLink service names and aliases table for the name of the zone.
For Elastic Cloud Serverless, to view the service metadata for your selected region, start to create a new private connection policy for the region and find the Domain name in the Service metadata dropdown.
For example, for Elastic Cloud Hosted deployments in us-east-1, use vpce.us-east-1.aws.elastic-cloud.com as the zone domain name. For Elastic Cloud Serverless projects in the same region, use private.us-east-1.aws.elastic.cloud. Don't forget to associate the zone with your VPC.
Tip: Private hosted zone domain names differ between Elastic Cloud Hosted and Elastic Cloud Serverless, even if the region is the same.
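The following Terraform configuration is an added example, not code from Elastic's documentation or tooling. It carries out the AWS-side steps above for an Elastic Cloud Hosted deployment in us-east-1: it discovers which of your subnets sit in AZs shared with the Elastic endpoint service (the intersection that the describe-availability-zones mapping is otherwise computed by hand), creates the endpoint security group restricted to ports 443 and 9243, the client-side egress rules, the interface endpoint itself, and the private hosted zone associated with your VPC. The service name and zone domain come from the table above. The `vpc_id`, `client_cidr` and `client_security_group_id` variables are hypothetical inputs you supply, and the wildcard CNAME record pointing at the endpoint's DNS name is an assumption about how the DNS record step is completed; that record is not described in this excerpt. Requires Terraform 1.2 or later and the AWS provider.

```hcl
# Added example (not Elastic's code): AWS-side setup for Elastic Cloud Hosted PrivateLink in us-east-1.
# Assumed inputs (hypothetical): your VPC, the CIDR of the client instances, and their security group.
variable "vpc_id"                   { type = string }
variable "client_cidr"              { type = string }
variable "client_security_group_id" { type = string }

locals {
  # From the "AWS public regions" table for us-east-1.
  elastic_service_name = "com.amazonaws.vpce.us-east-1.vpce-svc-0e42e1e06ed010238"
  elastic_zone_name    = "vpce.us-east-1.aws.elastic-cloud.com"
  elastic_az_count     = 3 # use1-az4, use1-az6, use1-az2 in the table
  elastic_ports        = { https = 443, es_https = 9243 }
}

provider "aws" {
  region = "us-east-1"
}

# The Elastic endpoint service as seen from this account. AWS reports the
# service's AZs under this account's zone names, so this is the list of AZs
# in which the endpoint can be placed.
data "aws_vpc_endpoint_service" "elastic" {
  service_name = local.elastic_service_name
}

# Subnets in the VPC that sit in those AZs; the endpoint goes into all of them.
data "aws_subnets" "endpoint" {
  filter {
    name   = "vpc-id"
    values = [var.vpc_id]
  }
  filter {
    name   = "availability-zone"
    values = data.aws_vpc_endpoint_service.elastic.availability_zones
  }
}

# Endpoint security group: inbound 443 and 9243 only from the client CIDR.
# No egress rule is defined; the endpoint ENIs only accept connections.
resource "aws_security_group" "elastic_endpoint" {
  name_prefix = "elastic-privatelink-"
  description = "Elastic Cloud PrivateLink endpoint"
  vpc_id      = var.vpc_id

  dynamic "ingress" {
    for_each = local.elastic_ports
    content {
      description = "Elastic Cloud ${ingress.key}"
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = [var.client_cidr]
    }
  }
}

# Client side: outbound to the endpoint security group on the same two ports.
# For an egress rule, source_security_group_id is the destination group.
resource "aws_security_group_rule" "client_to_elastic" {
  for_each                 = local.elastic_ports
  type                     = "egress"
  security_group_id        = var.client_security_group_id
  from_port                = each.value
  to_port                  = each.value
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.elastic_endpoint.id
}

resource "aws_vpc_endpoint" "elastic" {
  vpc_id              = var.vpc_id
  service_name        = local.elastic_service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = data.aws_subnets.endpoint.ids
  security_group_ids  = [aws_security_group.elastic_endpoint.id]
  private_dns_enabled = false # names are served by the private hosted zone below

  lifecycle {
    # Refuse to plan an endpoint that misses an Elastic AZ: that is the
    # imbalanced-traffic case described above. Assumes one subnet per AZ.
    precondition {
      condition     = length(data.aws_subnets.endpoint.ids) >= local.elastic_az_count
      error_message = "Add a subnet in every AZ where the Elastic PrivateLink service is present."
    }
  }
}

# Private hosted zone named after the region's zone domain, associated with the VPC.
resource "aws_route53_zone" "elastic" {
  name = local.elastic_zone_name
  vpc {
    vpc_id = var.vpc_id
  }
}

# Assumption: a wildcard CNAME so every host under the zone resolves to the endpoint.
resource "aws_route53_record" "elastic_wildcard" {
  zone_id = aws_route53_zone.elastic.zone_id
  name    = "*.${local.elastic_zone_name}"
  type    = "CNAME"
  ttl     = 300
  records = [aws_vpc_endpoint.elastic.dns_entry[0].dns_name]
}
```

The precondition fails `terraform plan` rather than `apply`, so a VPC that lacks a subnet in one of the Elastic AZs is caught before the endpoint exists. For a Serverless project, swap the zone name for the Domain name shown under Service metadata when creating the policy; for another region, take the service name and zone domain from that region's row in the table.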