Thediscovery-ec2 plugin allows Elasticsearch to find the master-eligible nodes in a cluster running on AWS EC2 by querying theAWS API for the addresses of the EC2 instances running these nodes.

It is normally a good idea to restrict the discovery process just to the master-eligible nodes in the cluster. This plugin allows you to identify these nodes by certain criteria including their tags, their membership of security groups, and their placement within availability zones. The discovery process will work correctly even if it finds master-ineligible nodes, but master elections will be more efficient if this can be avoided.

The interaction with the AWS API can be authenticated using theinstance role, or else custom credentials can be supplied.

To enable EC2 discovery, configure Elasticsearch to use theec2 seed hosts provider:

discovery.seed_providers: ec2

EC2 discovery supports a number of settings. Some settings are sensitive and must be stored in the Elasticsearch keystore. For example, to authenticate using a particular access key and secret key, add these keys to the keystore by running the following commands:

bin/elasticsearch-keystore add discovery.ec2.access_keybin/elasticsearch-keystore add discovery.ec2.secret_key

Allsecure settings of this plugin are reloadable, allowing you to update the secure settings for this plugin without needing to restart each node. For more information about secure and reloadable settings, go toSecure your settings.

The available settings for the EC2 discovery plugin are as follows.

discovery.ec2.access_key (Secure, reloadable)

An EC2 access key. If set, you must also setdiscovery.ec2.secret_key. If unset,discovery-ec2 will instead use the instance role. This setting is sensitive and must be stored in the Elasticsearch keystore.

discovery.ec2.secret_key (Secure, reloadable)

An EC2 secret key. If set, you must also setdiscovery.ec2.access_key. This setting is sensitive and must be stored in the Elasticsearch keystore.

discovery.ec2.session_token (Secure, reloadable)

An EC2 session token. If set, you must also setdiscovery.ec2.access_key anddiscovery.ec2.secret_key. This setting is sensitive and must be stored in the Elasticsearch keystore.

discovery.ec2.endpoint

The EC2 service endpoint to which to connect. Seehttps://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region to find the appropriate endpoint for the region. This setting defaults toec2.us-east-1.amazonaws.com which is appropriate for clusters running in theus-east-1 region.

discovery.ec2.protocol

The protocol to use to connect to the EC2 service endpoint, which may be eitherhttp orhttps. Defaults tohttps. This setting does not operate from version 9.1 and higher.

discovery.ec2.proxy.host

The address or host name of an HTTP proxy through which to connect to EC2. If not set, no proxy is used.

discovery.ec2.proxy.port

When the address of an HTTP proxy is given indiscovery.ec2.proxy.host, this setting determines the port to use to connect to the proxy. Defaults to80.

discovery.ec2.proxy.scheme

The scheme to use when connecting to the EC2 service endpoint through proxy specified indiscovery.ec2.proxy.host. Valid values arehttp orhttps. Defaults tohttp.

discovery.ec2.proxy.username (Secure, reloadable)

When the address of an HTTP proxy is given indiscovery.ec2.proxy.host, this setting determines the username to use to connect to the proxy. When not set, no username is used. This setting is sensitive and must be stored in the Elasticsearch keystore.

discovery.ec2.proxy.password (Secure, reloadable)

When the address of an HTTP proxy is given indiscovery.ec2.proxy.host, this setting determines the password to use to connect to the proxy. When not set, no password is used. This setting is sensitive and must be stored in the Elasticsearch keystore.

discovery.ec2.read_timeout

The socket timeout for connections to EC2,including the units. For example, a value of60s specifies a 60-second timeout. Defaults to 50 seconds.

discovery.ec2.groups

A list of the names or IDs of the security groups to use for discovery. Thediscovery.ec2.any_group setting determines the behaviour of this setting. Defaults to an empty list, meaning that security group membership is ignored by EC2 discovery.

discovery.ec2.any_group

Defaults totrue, meaning that instances belonging toany of the security groups specified indiscovery.ec2.groups will be used for discovery. If set tofalse, only instances that belong toall of the security groups specified indiscovery.ec2.groups will be used for discovery.

discovery.ec2.host_type

Each EC2 instance has a number of different addresses that might be suitable for discovery. This setting allows you to select which of these addresses is used by the discovery process. It can be set to one ofprivate_ip,public_ip,private_dns,public_dns ortag:TAGNAME whereTAGNAME refers to a name of a tag. This setting defaults toprivate_ip.

If you setdiscovery.ec2.host_type to a value of the formtag:TAGNAME then the value of the tagTAGNAME attached to each instance will be used as that instance’s address for discovery. Instances which do not have this tag set will be ignored by the discovery process.

For example if you tag some EC2 instances with a tag namedelasticsearch-host-name and sethost_type: tag:elasticsearch-host-name then thediscovery-ec2 plugin will read each instance’s host name from the value of theelasticsearch-host-name tag.Read more about EC2 Tags.

discovery.ec2.availability_zones

A list of the names of the availability zones to use for discovery. The name of an availability zone is theregion code followed by a letter, such asus-east-1a. Only instances placed in one of the given availability zones will be used for discovery.

discovery.ec2.tag.TAGNAME

A list of the values of a tag calledTAGNAME to use for discovery. If set, only instances that are tagged with one of the given values will be used for discovery. For instance, the following settings will only use nodes with arole tag set tomaster and anenvironment tag set to eitherdev orstaging.

discovery.ec2.tag.role: masterdiscovery.ec2.tag.environment: dev,staging

discovery.ec2.node_cache_time

Sets the length of time for which the collection of discovered instances is cached. Elasticsearch waits at least this long between requests for discovery information from the EC2 API. AWS may reject discovery requests if they are made too often, and this would cause discovery to fail. Defaults to10s.

Thediscovery-ec2 plugin works by making aDescribeInstances call to the AWS EC2 API. You must configure your AWS account to allow this, which is normally done using an IAM policy. You can create a custom policy via the IAM Management Console. It should look similar to this.

{  "Statement": [    {      "Action": [        "ec2:DescribeInstances"      ],      "Effect": "Allow",      "Resource": [        "*"      ]    }  ],  "Version": "2012-10-17"}

Thediscovery-ec2 plugin can automatically set theaws_availability_zone node attribute to the availability zone of each node. This node attribute allows you to ensure that each shard has copies allocated redundantly across multiple availability zones by using theAllocation Awareness feature.

In order to enable the automatic definition of theaws_availability_zone attribute, setcloud.node.auto_attributes totrue. For example:

cloud.node.auto_attributes: truecluster.routing.allocation.awareness.attributes: aws_availability_zone

Theaws_availability_zone attribute can be automatically set like this when using any discovery type. It is not necessary to setdiscovery.seed_providers: ec2. However this feature does require that thediscovery-ec2 plugin is installed.

It is important to definenetwork.host correctly when deploying a cluster on EC2. By default each Elasticsearch node only binds tolocalhost, which will prevent it from being discovered by nodes running on any other instances.

You can use thecore network host settings to bind each node to the desired address, or you can setnetwork.host to one of the following EC2-specific settings provided by thediscovery-ec2 plugin:

These values are acceptable when using any discovery type. They do not require you to setdiscovery.seed_providers: ec2. However they do require that thediscovery-ec2 plugin is installed.