doc-exports/docs/css/umn/css_01_0291.html
zhengxiu 93d856d5c5 css umn 25.6.0 version
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com>
Co-authored-by: zhengxiu <zhengxiu@huawei.com>
Co-committed-by: zhengxiu <zhengxiu@huawei.com>
2025-11-25 11:34:43 +00:00


<a name="EN-US_TOPIC_0000001992165621"></a><a name="EN-US_TOPIC_0000001992165621"></a>
<h1 class="topictitle1">Configuring VPC Endpoint Service for an OpenSearch Cluster</h1>
<div id="body0000001992165621"><div class="p" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_p17394551104118">VPC Endpoint lets clients in other VPCs reach the cluster through a dedicated gateway, without exposing the network details of the cluster nodes. A VPC endpoint can be accessed via an IPv4 address or a private domain name.<ul id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_ul9685152124416"><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li36859274415">An IPv4 address is allocated automatically when VPC Endpoint is enabled.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li1968516215443">A private domain name is allocated only if you enable private domain names when turning VPC Endpoint on.</li></ul>
</div>
<p id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001223434404_p8060118">VPC Endpoint uses a shared load balancer for internal network access. If your workloads require faster access, we recommend that you use a dedicated load balancer to handle access to your cluster. For details, see <a href="css_01_0182.html">Configuring a Dedicated Load Balancer for an OpenSearch Cluster</a>.</p>
<div class="section" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_section690418221141"><h4 class="sectiontitle">Impact on Billing</h4><p id="EN-US_TOPIC_0000001992165621__p0481740303"><span id="EN-US_TOPIC_0000001992165621__ph15327165023416">VPC endpoints, if created for the cluster, will incur extra fees, depending on the resource usage. For details, see section "Billing" in <em id="EN-US_TOPIC_0000001992165621__en-us_topic_0000002271391389_i153674820470">VPC Endpoint User Guide</em>.</span></p>
</div>
<div class="section" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_section15462192019594"><h4 class="sectiontitle">Constraints</h4><ul id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_ul8530172418472"><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li135301024164710">You need specific permissions to create VPC endpoints. For details, see the "Permissions" section in the <em id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_i109829356110">VPC Endpoint User Guide</em>.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li11530152413476">Public network access and VPC Endpoint share one load balancer. A whitelist configured for public network access is applied on that shared load balancer, so it filters not only traffic from the public network but also private traffic arriving through VPCEP. To keep VPCEP traffic flowing, add the CIDR block <strong id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001965416697_b2474121113146">198.19.128.0/17</strong>, which VPCEP traffic is matched against, to the public network access whitelist. Note that this entry admits VPCEP traffic at the IP layer regardless of which VPC endpoint it comes from; restrict who may connect with the VPC endpoint whitelist (account IDs) described under Managing VPC Endpoints.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li16630142181518">After VPCEP is enabled, access to the cluster through a VPCEP IP address or private domain name from within the internal network is not subject to the cluster's security group rules. Configure the VPCEP whitelist to control such access instead. For details, see section "Configuring Access Control for an Interface VPC Endpoint" in <em id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_i524265971220">VPC Endpoint User Guide</em>.</li></ul>
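<p>The following is an added example, not CSS or VPC Endpoint code: a small model of the two access-control layers the constraints above describe (the public network access whitelist on the shared load balancer, matched against 198.19.128.0/17 for VPCEP traffic, and the VPC endpoint whitelist of account IDs, where an empty list or <strong>*</strong> admits every account). The policy and request shapes, the treatment of an unset public whitelist as unfiltered, and the placeholder account ID are assumptions made for illustration. It shows why a whitelist that omits 198.19.128.0/17 silently blocks VPCEP traffic, and includes an audit helper that flags the two misconfigurations a reviewer would look for before enabling VPC Endpoint.</p>

```python
# Added example: a model of the access-control layers described in the Constraints above.
# Not CSS or VPC Endpoint code; policy/request shapes and defaults are assumptions.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Range the page tells you to add to the public access whitelist so VPCEP traffic passes.
VPCEP_SOURCE_RANGE = ipaddress.ip_network("198.19.128.0/17")


@dataclass
class ClusterAccessPolicy:
    # Public network access whitelist (CIDRs). An empty list means no whitelist is
    # configured, which this model treats as "no source filtering" (assumption).
    public_whitelist: list[str] = field(default_factory=list)
    # VPC endpoint whitelist (account IDs). Empty or "*" admits every account (per the page).
    vpcep_account_whitelist: list[str] = field(default_factory=list)


def _public_whitelist_allows(policy: ClusterAccessPolicy, src_ip: str) -> bool:
    if not policy.public_whitelist:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False)
               for cidr in policy.public_whitelist)


def _vpcep_whitelist_allows(policy: ClusterAccessPolicy, account_id: str | None) -> bool:
    if not policy.vpcep_account_whitelist or "*" in policy.vpcep_account_whitelist:
        return True
    return account_id is not None and account_id in policy.vpcep_account_whitelist


def evaluate(policy: ClusterAccessPolicy, path: str,
             src_ip: str | None = None, account_id: str | None = None) -> tuple[bool, str]:
    """Decide whether one request reaches the cluster. path is "public" or "vpcep"."""
    if path == "public":
        if src_ip is None:
            raise ValueError("public access requires a source IP")
        if not _public_whitelist_allows(policy, src_ip):
            return False, "blocked by public network access whitelist"
        return True, "admitted by public network access whitelist"
    if path == "vpcep":
        # VPCEP traffic is matched against 198.19.128.0/17 on the shared load balancer
        # (per the constraint above); a concrete address from that range is assumed here.
        lb_seen_ip = src_ip or str(VPCEP_SOURCE_RANGE[1])
        if not _public_whitelist_allows(policy, lb_seen_ip):
            return False, "blocked by public network access whitelist (198.19.128.0/17 missing)"
        # Security group rules are not consulted on this path (per the constraint above).
        if not _vpcep_whitelist_allows(policy, account_id):
            return False, "blocked by VPC endpoint whitelist (account not listed)"
        return True, "admitted by VPC endpoint whitelist"
    raise ValueError(f"unknown access path: {path}")


def audit(policy: ClusterAccessPolicy) -> list[str]:
    """Findings a reviewer would raise before enabling VPC Endpoint on a cluster."""
    findings: list[str] = []
    if policy.public_whitelist:
        nets = [ipaddress.ip_network(c, strict=False) for c in policy.public_whitelist]
        # subnet_of() only accepts networks of the same IP version, hence the version guard.
        covered = any(n.version == 4 and VPCEP_SOURCE_RANGE.subnet_of(n) for n in nets)
        if not covered:
            findings.append("public whitelist is set but does not cover 198.19.128.0/17: "
                            "VPCEP traffic will be rejected")
    if not policy.vpcep_account_whitelist or "*" in policy.vpcep_account_whitelist:
        findings.append("VPC endpoint whitelist admits every account; list explicit account IDs")
    return findings


if __name__ == "__main__":
    # Constructed policies for illustration; the account ID is a placeholder.
    broken = ClusterAccessPolicy(["203.0.113.0/24"], ["0123456789abcdef"])
    fixed = ClusterAccessPolicy(["203.0.113.0/24", "198.19.128.0/17"], ["0123456789abcdef"])
    for name, pol in (("broken", broken), ("fixed", fixed)):
        print(name, evaluate(pol, "vpcep", account_id="0123456789abcdef"), audit(pol))
```

<p>The <strong>broken</strong> policy is the situation the second constraint warns about: public access is whitelisted, VPCEP traffic is therefore filtered too, and the missing 198.19.128.0/17 entry rejects it before the account whitelist is even consulted. The <strong>fixed</strong> policy passes the IP layer and relies on the account list, which is the control that actually distinguishes one VPC endpoint owner from another.</p>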
</div>
<div class="section" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001223434404_section12521512195113"><h4 class="sectiontitle">Enabling VPC Endpoint</h4><p id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001223434404_p8328122613523">If VPC Endpoint was not enabled when the cluster was created, you can enable it as follows:</p>
<ol id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001223434404_ol146347435519"><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001223434404_li7625635121410"><span id="EN-US_TOPIC_0000001992165621__ph4222205142920">Log in to the CSS management console.</span></li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li4250043448">In the navigation pane on the left, choose <span class="uicontrol" id="EN-US_TOPIC_0000001992165621__uicontrol418602583512"><b>Clusters &gt; OpenSearch</b></span>.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li123882254220">In the cluster list, click the name of the target cluster. The cluster information page is displayed.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li69777065519">On the <span class="wintitle" id="EN-US_TOPIC_0000001992165621__wintitle18959343134012"><b>Overview</b></span> tab, check the cluster's subnet information in the <strong id="EN-US_TOPIC_0000001992165621__b8460733153615">Configuration</strong> area. When you add a VPC endpoint, an IP address that belongs to the current subnet of the cluster is automatically assigned to it.<div class="fignone" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_fig0826122816214"><span class="figcap"><b>Figure 1 </b>Checking the current subnet</span><br><span><img id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_image6826828320" src="figure/en-us_image_0000002272229236.png"></span></div>
<p id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_p1178110461430">If you want to use another subnet, switch the subnet first, and then enable VPC Endpoint. For details, see <a href="css_02_0081.html">Can I Expand the Subnet for an Elasticsearch or OpenSearch Cluster?</a></p>
</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li184419262535">Choose <strong id="EN-US_TOPIC_0000001992165621__b1312122343715">Cluster Access</strong> &gt; <strong id="EN-US_TOPIC_0000001992165621__b17800625173714">VPC Endpoint</strong>.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001223434404_li1068041913586">Toggle on <span class="uicontrol" id="EN-US_TOPIC_0000001992165621__uicontrol17202125722414"><b>VPC Endpoint</b></span>. In the displayed dialog box, select relevant options.
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_table1218430014" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Options for enabling VPC Endpoint</caption><thead align="left"><tr id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_row1718430813"><th align="left" class="cellrowborder" valign="top" width="30%" id="mcps1.3.5.3.6.2.2.3.1.1"><p id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_p618418013117">Option</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="70%" id="mcps1.3.5.3.6.2.2.3.1.2"><p id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_p191841018116">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_row918413013113"><td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.5.3.6.2.2.3.1.1 "><p id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_p184211955173314">Create Private Domain Name</p>
</td>
<td class="cellrowborder" valign="top" width="70%" headers="mcps1.3.5.3.6.2.2.3.1.2 "><p id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_p434854820315">Whether to create a private domain name for the VPC endpoint.</p>
<ul id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_ul188272071167"><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li14827478619">Enable: The system automatically assigns a private domain name to the VPC endpoint. After the VPC endpoint is enabled, you can check this private domain name on the <span class="wintitle" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_wintitle1846462719543"><b>VPC Endpoint</b></span> tab of the cluster details page.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li16827157863">Disable: No private domain name is configured for the VPC endpoint. The cluster can only be accessed through the IP address assigned to the VPC endpoint.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li92343402102">Click <span class="uicontrol" id="EN-US_TOPIC_0000001992165621__uicontrol7123133152512"><b>OK</b></span> to enable VPC Endpoint. After the VPC endpoint is enabled, its information is displayed below. When its status changes to <strong id="EN-US_TOPIC_0000001992165621__b6611923152519">Accepted</strong>, the current cluster can be accessed through the VPC endpoint.</li></ol>
</div>
<div class="section" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_section589431913131"><h4 class="sectiontitle">Managing VPC Endpoints</h4><p id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_p7381102561313">After VPC Endpoint is enabled for a cluster, you can set access control, check VPC endpoint information, and deny access from specific VPC endpoints.</p>
<ol id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_ol12348152115188"><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li1073442441816"><span id="EN-US_TOPIC_0000001992165621__ph131038255397">Log in to the CSS management console.</span></li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li4734162411819">In the navigation pane on the left, choose <span class="uicontrol" id="EN-US_TOPIC_0000001992165621__uicontrol846620344375"><b>Clusters &gt; OpenSearch</b></span>.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li8734122420184">In the cluster list, click the name of the target cluster. The cluster information page is displayed.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li16734192461815">Choose <strong id="EN-US_TOPIC_0000001992165621__b15219143818375">Cluster Access</strong> &gt; <strong id="EN-US_TOPIC_0000001992165621__b1022093853710">VPC Endpoint</strong>.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li7741525375"><strong id="EN-US_TOPIC_0000001992165621__b1225131712386">Configure access control for a VPC endpoint</strong>.<ol type="a" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_ol57608711378"><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li3616154714185">Click <strong id="EN-US_TOPIC_0000001992165621__b2818797260">Modify</strong> on the right of <strong id="EN-US_TOPIC_0000001992165621__b4818149122612">VPC Endpoint Whitelist</strong>. In the displayed dialog box, add accounts that are allowed to access the cluster through the VPC endpoint. 
If no account is added or the account ID is set to <span class="parmvalue" id="EN-US_TOPIC_0000001992165621__parmvalue1069511617263"><b>*</b></span>, every account is allowed to connect to the cluster through the VPC endpoint. For production clusters, list the specific account IDs that need access, since the security group rules do not apply on this path and this whitelist is the only cluster-side control over who connects.<ul id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_ul8294186172110"><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li529410613213">Click <strong id="EN-US_TOPIC_0000001992165621__b2001981953113758">Add</strong> and enter the account under <strong id="EN-US_TOPIC_0000001992165621__b1418103986113758">Account ID</strong>. To find an account's ID, point to the username in the upper right corner, choose <strong id="EN-US_TOPIC_0000001992165621__b1085252118264">My Credentials</strong>, and copy the value of <strong id="EN-US_TOPIC_0000001992165621__b58531421192619">Account ID</strong>.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li1013739162117">Click <strong id="EN-US_TOPIC_0000001992165621__b599182320261">Delete</strong> in the <strong id="EN-US_TOPIC_0000001992165621__b399222313262">Operation</strong> column to remove an authorized account.</li></ul>
</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li1622121833710">Click <strong id="EN-US_TOPIC_0000001992165621__b731522715262">OK</strong>.</li></ol>
</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li7496164173910"><strong id="EN-US_TOPIC_0000001992165621__b3605151218396">Check VPC endpoint information.</strong><div class="p" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_p198781748392">The VPC endpoint list shows the VPC endpoints created for the current cluster. You can obtain their <span class="parmvalue" id="EN-US_TOPIC_0000001992165621__parmvalue13706183192616"><b>Status</b></span>, <span class="parmvalue" id="EN-US_TOPIC_0000001992165621__parmvalue16707163113260"><b>Service Address</b></span>, and <span class="parmvalue" id="EN-US_TOPIC_0000001992165621__parmvalue67078313265"><b>Private Domain Name</b></span>.<div class="fignone" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_fig134192522616"><span class="figcap"><b>Figure 2 </b>Managing VPC endpoints</span><br><span><img id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_image15341172572610" src="figure/en-us_image_0000002306909041.png"></span></div>
</div>
</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li1433652424013"><a name="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li1433652424013"></a><a name="en-us_topic_0000001938377836_li1433652424013"></a><strong id="EN-US_TOPIC_0000001992165621__b964020544380">Modify VPC endpoint status</strong> to make the cluster accessible or inaccessible through specific endpoints.<ul id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_ul186701057144413"><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li96701257114417">In the VPC endpoint list, select the target endpoint and click <strong id="EN-US_TOPIC_0000001992165621__b798718792719">Reject</strong> in the <strong id="EN-US_TOPIC_0000001992165621__b49878762712">Operation</strong> column. If the endpoint status changes to <strong id="EN-US_TOPIC_0000001992165621__b398715718273">Rejected</strong>, it means the cluster is no longer accessible through this endpoint.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li367095754413">Select an endpoint whose status is <strong id="EN-US_TOPIC_0000001992165621__b1427216103272">Rejected</strong>. Click <strong id="EN-US_TOPIC_0000001992165621__b15273191012272">Accept</strong> in the <strong id="EN-US_TOPIC_0000001992165621__b8273161062719">Operation</strong> column. If the endpoint status changes to <strong id="EN-US_TOPIC_0000001992165621__b132731410122719">Accepted</strong>, it means the cluster is accessible again through this endpoint.</li></ul>
</li></ol>
</div>
<div class="section" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_section888248113611"><h4 class="sectiontitle">Disabling VPC Endpoint</h4><p id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_p119091928181116">If the cluster no longer requires cross-VPC access via VPC endpoints, disable VPC Endpoint to release resources.</p>
<div class="warning" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_note13359114175710"><span class="warningtitle"><img src="public_sys-resources/warning_3.0-en-us.png"> </span><div class="warningbody"><p id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_p468254675712">After VPC Endpoint is disabled, the cluster is no longer accessible through a VPCEP IP address or private domain name. If you disable VPC Endpoint and later re-enable it, the VPCEP IP address or private domain name for accessing the cluster may change, and if it does you will need to update client connections. If you only need to block access temporarily (rather than permanently releasing the resources), reject the specific VPC endpoints instead. For details, see <a href="#EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li1433652424013">7</a>.</p>
</div></div>
<ol id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_ol1467346409"><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li1115115462408"><span id="EN-US_TOPIC_0000001992165621__ph123221274413">Log in to the CSS management console.</span></li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li1438182155120">In the navigation pane on the left, choose <span class="uicontrol" id="EN-US_TOPIC_0000001992165621__uicontrol9851192813813"><b>Clusters &gt; OpenSearch</b></span>.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li1138132165115">In the cluster list, click the name of the target cluster. The cluster information page is displayed.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li3465614135315">Choose <strong id="EN-US_TOPIC_0000001992165621__b224132103812">Cluster Access</strong> &gt; <strong id="EN-US_TOPIC_0000001992165621__b224163210389">VPC Endpoint</strong>.</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li1381202116512">Toggle off <strong id="EN-US_TOPIC_0000001992165621__b18211159122815">VPC Endpoint</strong>. In the displayed dialog box, enter <strong id="EN-US_TOPIC_0000001992165621__b882155918281">CONFIRM</strong> and click <strong id="EN-US_TOPIC_0000001992165621__b38211959102815">OK</strong>.</li></ol>
</div>
<div class="section" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001223434404_section19864153679"><h4 class="sectiontitle">Accessing a Cluster Through a VPC Endpoint</h4><ol id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001223434404_ol852205619137"><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001223434404_li1580072410203">Obtain the private domain name or IP address of a VPC endpoint.<p id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001223434404_p521042354410"><a name="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001223434404_li1580072410203"></a><a name="en-us_topic_0000001938377836_en-us_topic_0000001223434404_li1580072410203"></a>In the VPC endpoint list, check <span class="parmname" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_parmname8801322248"><b>Service Address</b></span> or <span class="parmname" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_parmname1187510181417"><b>Private Domain Name</b></span>.</p>
</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li3222111414112">On the client (e.g., an ECS), run the curl command to access the cluster.<div class="p" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_p16411777327"><a name="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_li3222111414112"></a><a name="en-us_topic_0000001938377836_li3222111414112"></a>For example, run the following command to check the cluster's index information:<ul id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001961178833_ul48942022152318"><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001961178833_li789411220236">For a cluster with the security mode disabled:<pre class="screen" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001961178833_screen12262625142419">curl "http://&lt;host&gt;:9200/_cat/indices"</pre>
</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001961178833_li10172522142412">For a security-mode cluster that uses HTTP:<pre class="screen" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001961178833_screen921113585271">curl -u &lt;user&gt;:&lt;password&gt; "http://&lt;host&gt;:9200/_cat/indices"</pre>
</li><li id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001961178833_li1984395519251">For a security-mode cluster that uses HTTPS:<pre class="screen" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_en-us_topic_0000001961178833_screen7365674284">curl -u &lt;user&gt;:&lt;password&gt; -k "https://&lt;host&gt;:9200/_cat/indices"</pre>
</li></ul>
</div>
<p id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_p892931018359">where <span class="parmname" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_parmname950193019367"><b>user</b></span> and <span class="parmname" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_parmname923916337362"><b>password</b></span> are the username and password used to access the cluster, and <span class="parmname" id="EN-US_TOPIC_0000001992165621__en-us_topic_0000001938377836_parmname821763715363"><b>host</b></span> is the VPC endpoint's private domain name or IP address. Note that <strong>-k</strong> disables TLS certificate verification, so use it only for a one-off connectivity check and not in production clients. Also, a password passed with <strong>-u &lt;user&gt;:&lt;password&gt;</strong> is visible in the shell history and process list; for anything beyond a quick test, pass only <strong>-u &lt;user&gt;</strong> so that curl prompts for the password, or keep the credentials in a netrc file and use <strong>-n</strong>.</p>
</li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="css_01_0206.html">Configuring Networking for an OpenSearch Cluster</a></div>
</div>
</div>