So round two of Elasticsearch fun, my previous attempt was to use users and roles to secure Elasticsearch but that didn’t work as I’d hoped….
My plan was to use nginx to proxy reqests to elasticsearch. I setup a nginx box with an elastic IP and then configured elasticsearch to only allow access from that IP. This worked great but now I had a single point of failure. So I setup a ELB in front of a pair of nginx boxes and updated my elasticsearch config with both nginx EIP’s. But this was now feeling clunky and we were going to have sevearl elasticsearch clusters that would need my new nginx infastrcture.
So I chatted with one of our AWS consultants. He came back to me the next day and told me he had never tried this but what if I added elasticsearch IP’s to my nat gateways and then configured elasticsearch’s access polices to only allow access from those EIPs. This seemed way too simple in my book (after I have now spent several hours on my nginx setup) but I just completed my proof of concept and it just worked. So now my test elasticsearch can only be accessed by my VPC and is secured from the outside world.