11

I've created an Elasticsearch domain in AWS.

It's added to my VPC inside a public subnet and I've attached a security group which is currently completely open.

I have this policy attached also:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-central-1:ACCOUNT_ID:domain/DOMAIN_NAME/*"
    }
  ]
}

I am trying to access an endpoint locally but it doesn't seem to be allowed.

The Kibana URL for example is:

https://vpc-bla.bla.bla.eu-central-1.es.amazonaws.com/_plugin/kibana/

Any idea why I'm not able to access this URL?

timothyclifford
  • I'm stuck with the exact same problem. Did you find a solution to this? – Harsha Bhat Mar 18 '18 at 15:06
  • The URL generated by ES is internal and cannot be opened to the internet easily via security groups. Instead, I deployed a simple nginx proxy which forwarded public DNS requests, e.g. `es.mydns.com`, to the internal DNS, e.g. `https://vpc-bla.bla.bla.eu-central-1.es.amazonaws.com/_plugin/kibana/`. More nginx info here: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/ – timothyclifford Mar 19 '18 at 08:09
  • Thanks! I'll try the same! – Harsha Bhat Mar 22 '18 at 09:36
  • What if you add your desktop IP to the ES security group? – Learner Jul 22 '18 at 11:40

3 Answers

8

After much trial and error, I found the URL generated by ES is internal and cannot be opened to the internet easily via security groups.

Instead, I deployed a simple nginx proxy which forwarded public DNS requests, e.g. es.mydns.com, to the internal DNS, e.g. vpc....eu-central-1.es.amazonaws.com/_plugin/kibana/

More nginx info here.

timothyclifford
  • I did this, but then I get "User anonymous has no rights to access ["es:ESHttpGet"]". What is the correct way to create a policy for this to work? I created an EC2 full access role for the ES domain but still it does not work. What am I missing? – transient_loop May 29 '20 at 17:16
4

A VPC endpoint cannot be accessed outside the subnets that you associated with the Elasticsearch domain.

You can try running curl from any EC2 instance that is part of the same subnet that you associated with Elasticsearch; it should work.

If you need to access the endpoint from the internet, then don't create a VPC-endpoint Elasticsearch domain; instead create an Elasticsearch domain with internet access. You can specify whether you want a VPC or an internet-accessible cluster when creating the ES domain.

0

Steps to access an Elasticsearch VPC domain

  • Create an EC2 environment in AWS.
  • Install nginx on the EC2 instance and configure it.
  • Add two inbound rules to the security group, i.e. all traffic and SSH.
  • Then use the public IP to access it from the internet.
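Configuration an EC2-hosted proxy of the kind described in the two nginx answers could use, as an added example that is not part of either answer; es.mydns.com, the vpc-bla.bla.bla endpoint, the certificate paths and the 203.0.113.10 client address are placeholders. It replaces the "all traffic" inbound rule with an allow-list in nginx, as one comment suggested for the security group.

```nginx
# Added example, not from the answers above: nginx on an EC2 instance inside
# the Elasticsearch domain's VPC, forwarding a public hostname to the
# VPC-only Kibana endpoint. All hostnames, paths and IPs are placeholders.
server {
    listen 443 ssl;
    server_name es.mydns.com;                  # public name pointed at the instance

    # TLS on the public side; placeholder paths for your own certificate
    ssl_certificate     /etc/nginx/tls/es.mydns.com.crt;
    ssl_certificate_key /etc/nginx/tls/es.mydns.com.key;

    # Only listed clients reach the proxy (the "add your desktop IP" idea
    # from the comments, applied here instead of an all-traffic rule)
    allow 203.0.113.10/32;                     # placeholder: your workstation
    deny  all;

    location / {
        # The VPC domain endpoint resolves only inside the VPC, which is why
        # the proxy has to run there. Placeholder hostname.
        proxy_pass https://vpc-bla.bla.bla.eu-central-1.es.amazonaws.com;

        # The domain expects its own hostname, not es.mydns.com
        proxy_set_header Host vpc-bla.bla.bla.eu-central-1.es.amazonaws.com;

        # Send SNI upstream and verify the endpoint's certificate
        proxy_ssl_server_name         on;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Kibana redirects to /_plugin/kibana/ using the upstream hostname;
        # rewrite Location headers so the browser stays on the public name
        proxy_redirect https://vpc-bla.bla.bla.eu-central-1.es.amazonaws.com/ https://es.mydns.com/;
    }
}
```

Requests leave the proxy unsigned, so the domain access policy still has to permit the anonymous principal (as the Principal "*" policy in the question does); a policy that does not is what produces the "User anonymous has no rights" error quoted in the comments. With that policy in place, the allow/deny list above, not the policy, is what decides who can reach Kibana.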