Serverless AWS PrivateLink support#5075
Conversation
✅ Vale Linting Results: No issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to the Elastic style guide for Vale.
> The security group for the endpoint should, at minimum, allow for inbound connectivity from your instances' CIDR range on ports 443 and 9243. Security groups for the instances should allow for outbound connectivity to the endpoint on ports 443 and 9243.
>
> <!--need to verify this for serverless-->
@alxchalkias can anyone help clarify what the requirement is for the endpoint security group (inbound/outbound connectivity on the endpoint)?
@bobbybho or @igor-kupczynski can you confirm please?
@shainaraskas to be confirmed with @bobbybho, but I think we need to add the "Serverless" badge to the claim ownership API doc page if this is supported to work with projects.
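The quoted doc text above states the security-group requirement as two directions (endpoint inbound from the instance CIDR on 443 and 9243; instance outbound to the endpoint on the same ports). The following is an added example, not code from the PR or the Elastic docs, showing how that requirement can be verified against rule data in the shape boto3's `ec2.describe_security_groups` returns (`IpPermissions` / `IpPermissionsEgress`). The two sample groups and their IDs are constructed for the example; the script does not call AWS.

```python
"""Check AWS security-group rules against the PrivateLink requirement quoted
in the doc under review: the endpoint SG must allow inbound 443 and 9243 from
the instances' CIDR, and the instance SG must allow outbound 443 and 9243 to
the endpoint. Rule dicts mimic boto3 describe_security_groups output; the
sample groups below are constructed for this example (added example, not the
project's own code)."""

import ipaddress

REQUIRED_PORTS = (443, 9243)


def _rule_covers(rule, port, cidr):
    """True if one IpPermission entry allows TCP `port` for all of `cidr`."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):  # "-1" is AWS's "all protocols"
        return False
    if proto == "tcp":
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if not lo <= port <= hi:
            return False
    want = ipaddress.ip_network(cidr)
    # The rule is sufficient only if one of its CIDRs contains the whole range
    # we care about; a partial overlap would leave some instances blocked.
    for r in rule.get("IpRanges", []):
        if want.subnet_of(ipaddress.ip_network(r["CidrIp"])):
            return True
    return False


def missing_ports(permissions, cidr, ports=REQUIRED_PORTS):
    """Return the ports in `ports` that no rule in `permissions` allows for `cidr`."""
    return [p for p in ports
            if not any(_rule_covers(r, p, cidr) for r in permissions)]


def check_privatelink_sgs(endpoint_sg, instance_sg, instance_cidr, endpoint_cidr):
    """Evaluate both directions; returns the missing ports per direction."""
    return {
        "endpoint_inbound": missing_ports(endpoint_sg["IpPermissions"], instance_cidr),
        "instance_outbound": missing_ports(instance_sg["IpPermissionsEgress"], endpoint_cidr),
    }


# Constructed sample: the endpoint SG only allows 443 inbound from the instance
# subnet, so 9243 should be reported missing; instance egress is wide open.
SAMPLE_ENDPOINT_SG = {
    "GroupId": "sg-endpoint-example",  # placeholder, not a real group
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}
SAMPLE_INSTANCE_SG = {
    "GroupId": "sg-instance-example",  # placeholder, not a real group
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    print(check_privatelink_sgs(SAMPLE_ENDPOINT_SG, SAMPLE_INSTANCE_SG,
                                instance_cidr="10.0.0.0/16",
                                endpoint_cidr="10.0.5.0/24"))
```

With real data you would pass the `IpPermissions` and `IpPermissionsEgress` lists from the describe call for each group; only IPv4 `IpRanges` are considered here, so rules expressed through security-group references or prefix lists would need a separate check.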
bobbybho
left a comment
I think we also need to update the section "Create a DNS record" in https://www.elastic.co/docs/deploy-manage/security/private-connectivity-aws#ec-aws-vpc-dns. The sample screen capture is used for ECH, we should have a different screen capture (or a note) to show that the Host zone for serverless should be "private.us-east-1.aws.elastic.com"
> **Request**
>
> ```sh
> $ curl -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com -u {username}:{password}
> $ curl -v https://my-resource-d53192.es.vpce.us-east-1.aws.elastic-cloud.com -u {username}:{password}
> ```
for serverless projects, the URL is
my-resource-d53192.es.private.us-east-1.aws.elastic.cloud
replace "vpce" with "private"
I think the data shown above is for ECH. In Serverless, the service name is vpce-svc-0197c33d7deffd2fa.eu-west-1.vpce.amazonaws.com.
@tpanagiot — could you check with the UI team whether they’re calling the network-api metadata-api endpoint to fetch the Serverless PrivateLink endpoints?
@bobbybho @shainaraskas We verified that the UI team is not calling the network-api but they are working on fixing it.
bobbybho
left a comment
LGTM. Thanks for addressing my comments.
No—today, the Serverless project and network APIs don’t support the _claim endpoints.


Summary
Core changes
The rest are compatibility updates / wayfinding from the security > network security pages (see files changed)
Generative AI disclosure
Tool(s) and model(s) used: cursor auto
Open questions