diff --git a/deploy-manage/_snippets/ecloud-security.md b/deploy-manage/_snippets/ecloud-security.md
index 803969ea26..415fe5a63a 100644
--- a/deploy-manage/_snippets/ecloud-security.md
+++ b/deploy-manage/_snippets/ecloud-security.md
@@ -1,7 +1,9 @@
{{ecloud}} has built-in security. For example, HTTPS communications between {{ecloud}} and the internet, as well as inter-node communications, are secured automatically, and cluster data is encrypted at rest.
+In both {{ech}} amd {{serverless-full}}, you can also configure [IP filtering network security policies](/deploy-manage/security/ip-filtering-cloud.md) to prevent unauthorized access to your deployments and projects.
+
In {{ech}}, you can augment these security features in the following ways:
-* Configure [traffic filtering](/deploy-manage/security/traffic-filtering.md) to prevent unauthorized access to your deployments.
+* [Configure private connections and apply VCPE filtering](/deploy-manage/security/traffic-filtering.md) to establish a secure connection for your Elastic Cloud deployments to communicate with other cloud services, and restrict traffic to deployments based on those private connections.
* Encrypt your deployment with a [customer-managed encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md).
* [Secure your settings](/deploy-manage/security/secure-settings.md) using {{es}} and {{kib}} keystores.
* Use the list of [{{ecloud}} static IPs](/deploy-manage/security/elastic-cloud-static-ips.md) to allow or restrict communications in your infrastructure.
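Review bot: typo on the added line "In both {{ech}} amd {{serverless-full}}": `amd` should be `and`. In the same hunk, "apply VCPE filtering" in the first bullet looks like a typo for "VPC filtering", which is the term the comparison tables elsewhere in this patch use ("Private connections and VPC filtering"); use one spelling across the page so readers searching the docs find it.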
diff --git a/deploy-manage/deploy/cloud-enterprise/working-with-deployments.md b/deploy-manage/deploy/cloud-enterprise/working-with-deployments.md
index 36c61e5933..3340769499 100644
--- a/deploy-manage/deploy/cloud-enterprise/working-with-deployments.md
+++ b/deploy-manage/deploy/cloud-enterprise/working-with-deployments.md
@@ -57,7 +57,7 @@ From the deployment main page, you can quickly access the following configuratio
From the **Deployment > Security** view, you can manage security settings, authentication, and access controls. Refer to [Secure your clusters](../../../deploy-manage/users-roles/cluster-or-deployment-auth.md) for more details on security options for your deployments.
* [Reset the `elastic` user password](../../users-roles/cluster-or-deployment-auth/manage-elastic-user-cloud.md)
-* [Set up traffic filters](../../security/traffic-filtering.md) to restrict traffic to your deployment
+* [Set up IP filters](../../security/traffic-filtering.md) to restrict traffic to your deployment over the public internet
* Configure {{es}} keystore settings, also known as [secure settings](../../security/secure-settings.md)
* Configure trust relationships for [remote clusters](../../remote-clusters/ece-enable-ccs.md)
diff --git a/deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md b/deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md
index 39f9f4d9c4..7013a03a7b 100644
--- a/deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md
+++ b/deploy-manage/deploy/elastic-cloud/azure-native-isv-service.md
@@ -349,7 +349,7 @@ $$$azure-integration-monitor$$$How do I monitor my existing Azure services?
::::{note}
-If you want to send platform logs to a deployment that has [IP or Private Link traffic filters](../../security/traffic-filtering.md) enabled, then you need to contact [the Elastic Support Team](#azure-integration-support) to perform additional configurations. Refer support to the article [Azure++ Resource Logs blocked by Traffic Filters](https://support.elastic.co/knowledge/18603788).
+If you want to send platform logs to a deployment that has [network security policies](../../security/traffic-filtering.md) applied, then you need to contact [the Elastic Support Team](#azure-integration-support) to perform additional configurations. Refer support to the article [Azure++ Resource Logs blocked by Traffic Filters](https://support.elastic.co/knowledge/18603788).
::::
@@ -477,20 +477,15 @@ $$$azure-integration-deployment-failed-traffic-filter$$$My {{ecloud}} deployment
]
```
- One possible cause of a deployment creation failure is the default traffic filtering rules. Deployments fail to create if a previously created traffic filter has enabled the **Include by default** option. When this option is enabled, traffic to the deployment is blocked, including traffic that is part of the {{ecloud}} Azure Native ISV Service. As a result, some of the integration components are not successfully provisioned and the deployment creation fails.
+ One possible cause of a deployment creation failure is the default network security policies. Deployments fail to create if a previously created network security policy has enabled the **Include by default** option. When this option is enabled, traffic to the deployment is blocked, including traffic that is part of the {{ecloud}} Azure Native ISV Service. As a result, some of the integration components are not successfully provisioned and the deployment creation fails.
Follow these steps to resolve the problem:
1. Login to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
- 2. Go to the [Traffic filters page](https://cloud.elastic.co/deployment-features/traffic-filters).
- 3. Edit the traffic filter and disable the **Include by default** option.
-
- :::{image} /deploy-manage/images/cloud-ec-marketplace-azure-traffic-filter-option.png
- :alt: The Include by default option under Add to Deployments on the Traffic Filter page
- :::
-
+ 2. Go to the [Network security page](https://cloud.elastic.co/deployment-features/traffic-filters).
+ 3. Edit the policy and disable the **Include by default** option.
4. In Azure, create a new {{ecloud}} deployment.
- 5. After the deployment has been created successfully, go back to the [Traffic filters page](https://cloud.elastic.co/deployment-features/traffic-filters) in {{ecloud}} and re-enable the **Include by default** option.
+ 5. After the deployment has been created successfully, go back to the [Network security page](https://cloud.elastic.co/deployment-features/traffic-filters) in {{ecloud}} and re-enable the **Include by default** option.
If your deployment still does not create successfully, [contact the Elastic Support Team](#azure-integration-support) for assistance.
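Review bot: the link labels now read "Network security page" but both URLs still point at `https://cloud.elastic.co/deployment-features/traffic-filters`; confirm the console still serves or redirects that path, otherwise the label and target will disagree. The screenshot `cloud-ec-marketplace-azure-traffic-filter-option.png` is removed without a replacement, so step 3 loses its only visual cue for locating **Include by default**; either add a current screenshot of the policy editor or, if the image is no longer referenced anywhere, delete the file under `/deploy-manage/images/` so it does not sit orphaned.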
@@ -511,7 +506,7 @@ Mimicking this metadata by manually adding tags to an {{ecloud}} deployment will
$$$azure-integration-logs-not-ingested$$$My {{ecloud}} Azure Native ISV Service logs are not being ingested.
: * When you set up monitoring for your Azure services, if your Azure and Elastic resources are in different subscriptions, you need to make sure that the `Microsoft.Elastic` resource provider is registered in the subscription in which the Azure resources exist. Check [How do I monitor my existing Azure services?](#azure-integration-monitor) for details.
-* If you are using [IP or Private Link traffic filters](../../security/traffic-filtering.md), reach out to [the Elastic Support Team](#azure-integration-support).
+* If you are using [network security policies](../../security/traffic-filtering.md), reach out to [the Elastic Support Team](#azure-integration-support).
diff --git a/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md b/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md
index 78d51b180b..6d6396fa74 100644
--- a/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md
+++ b/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md
@@ -66,7 +66,7 @@ This table compares the core platform capabilities between {{ech}} deployments a
| **Deployment monitoring** | AutoOps or monitoring cluster | Managed | Monitoring is handled by Elastic |
| **Hardware configuration** | Limited control | Managed | Hardware choices are managed by Elastic |
| **High availability** | ✅ | ✅ | Automatic resilience |
-| **Network security** | Public IP traffic filtering, private connectivity (VPCs, PrivateLink) | **Planned** | - Traffic filtering anticipated in a future release
- Private connectivity options anticipated in a future release |
+| **Network security** | Public IP filtering, private connectivity (VPCs, PrivateLink) | Public IP filtering | Private connectivity options anticipated in a future release |
| **Node management** | User-controlled | Managed | No node configuration access by design |
| **Snapshot/restore** | ✅ | **Planned** | User-initiated snapshots are anticipated in a future release |
diff --git a/deploy-manage/deploy/elastic-cloud/ec-customize-deployment-components.md b/deploy-manage/deploy/elastic-cloud/ec-customize-deployment-components.md
index 016fa01d89..be015c0d60 100644
--- a/deploy-manage/deploy/elastic-cloud/ec-customize-deployment-components.md
+++ b/deploy-manage/deploy/elastic-cloud/ec-customize-deployment-components.md
@@ -129,7 +129,7 @@ Refer to [Manage your Integrations Server](manage-integrations-server.md) to lea
## Security [ec_security]
-Here, you can configure features that keep your deployment secure: reset the password for the `elastic` user, set up traffic filters, and add settings to the {{es}} keystore. You can also set up remote connections to other deployments.
+Here, you can configure features that keep your deployment secure: reset the password for the `elastic` user, set up network security policies, and add settings to the {{es}} keystore. You can also set up remote connections to other deployments.
## Actions [ec_actions]
diff --git a/deploy-manage/deploy/elastic-cloud/heroku.md b/deploy-manage/deploy/elastic-cloud/heroku.md
index 72e0fe21ca..f9de1c5876 100644
--- a/deploy-manage/deploy/elastic-cloud/heroku.md
+++ b/deploy-manage/deploy/elastic-cloud/heroku.md
@@ -82,7 +82,7 @@ You might want to add more layers of security to your deployment, such as:
* Add more users to the deployment with third-party authentication providers and services like [SAML](../../users-roles/cluster-or-deployment-auth/saml.md), [OpenID Connect](../../users-roles/cluster-or-deployment-auth/openid-connect.md), or [Kerberos](../../users-roles/cluster-or-deployment-auth/kerberos.md).
* Do not use clients that only support HTTP to connect to {{ecloud}}. If you need to do so, you should use a reverse proxy setup.
-* Create [traffic filters](../../security/traffic-filtering.md) and apply them to your deployments.
+* Create [network security policies](../../security/traffic-filtering.md) and apply them to your deployments.
* If needed, you can [reset](../../users-roles/cluster-or-deployment-auth/built-in-users.md) the `elastic` password.
### Scale or adjust your deployment [echscale_or_adjust_your_deployment]
diff --git a/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md b/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md
index f1ecfeed94..5a0214788d 100644
--- a/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md
+++ b/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md
@@ -20,8 +20,8 @@ When using {{ecloud}}, there are some limitations you should be aware of:
* [Private Link and SSO to {{kib}} URLs](#ec-restrictions-traffic-filters-kibana-sso)
* [PDF report generation using Alerts or Watcher webhooks](#ec-restrictions-traffic-filters-watcher)
* [Kibana](#ec-restrictions-kibana)
-% * [APM Agent central configuration with Private Link or traffic filters](#ec-restrictions-apm-traffic-filters)
-* [Fleet with Private Link or traffic filters](#ec-restrictions-fleet-traffic-filters)
+% * [APM Agent central configuration with network security policies](#ec-restrictions-apm-traffic-filters)
+* [Fleet with network security policies](#ec-restrictions-fleet-traffic-filters)
* [Restoring a snapshot across deployments](#ec-snapshot-restore-enterprise-search-kibana-across-deployments)
* [Migrate Fleet-managed {{agents}} across deployments by restoring a snapshot](#ec-migrate-elastic-agent)
* [Regions and Availability Zones](#ec-regions-and-availability-zone)
@@ -88,13 +88,13 @@ Alternatively, a custom mail server can be configured as described in [Configuri
## Private Link and SSO to {{kib}} URLs [ec-restrictions-traffic-filters-kibana-sso]
-Currently you can’t use SSO to login directly from {{ecloud}} into {{kib}} endpoints that are protected by Private Link traffic filters. However, you can still SSO into Private Link protected {{kib}} endpoints individually using the [SAML](../../users-roles/cluster-or-deployment-auth/saml.md) or [OIDC](../../users-roles/cluster-or-deployment-auth/openid-connect.md) protocol from your own identity provider, just not through the {{ecloud}} console. Stack level authentication using the {{es}} username and password should also work with `{{kibana-id}}.{vpce|privatelink|psc}.domain` URLs.
+Currently you can’t use SSO to login directly from {{ecloud}} into {{kib}} endpoints that are protected by Private Link network security policies. However, you can still SSO into Private Link protected {{kib}} endpoints individually using the [SAML](../../users-roles/cluster-or-deployment-auth/saml.md) or [OIDC](../../users-roles/cluster-or-deployment-auth/openid-connect.md) protocol from your own identity provider, just not through the {{ecloud}} console. Stack level authentication using the {{es}} username and password should also work with `{{kibana-id}}.{vpce|privatelink|psc}.domain` URLs.
## PDF report generation using Alerts or Watcher webhooks [ec-restrictions-traffic-filters-watcher]
* PDF report automatic generation via Alerts is not possible on {{ecloud}}.
-* PDF report generation isn’t possible for deployments running on {{stack}} version 8.7.0 or before that are protected by traffic filters. This limitation doesn’t apply to public webhooks such as Slack, PagerDuty, and email. For deployments running on {{stack}} version 8.7.1 and beyond, [PDF report automatic generation via Watcher webhook](../../../explore-analyze/report-and-share/automating-report-generation.md#use-watcher) is possible using the `xpack.notification.webhook.additional_token_enabled` configuration setting to bypass traffic filters.
+* PDF report generation isn’t possible for deployments running on {{stack}} version 8.7.0 or before that are protected by IP filters. This limitation doesn’t apply to public webhooks such as Slack, PagerDuty, and email. For deployments running on {{stack}} version 8.7.1 and beyond, [PDF report automatic generation via Watcher webhook](../../../explore-analyze/report-and-share/automating-report-generation.md#use-watcher) is possible using the `xpack.notification.webhook.additional_token_enabled` configuration setting to bypass IP filters.
## {{kib}} [ec-restrictions-kibana]
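Review bot: changing "protected by traffic filters" to "protected by IP filters" in the PDF report bullet narrows the stated scope of the limitation. The old wording covered both IP and Private Link filters, and `xpack.notification.webhook.additional_token_enabled` is described as bypassing traffic filters generally; if the 8.7.0 limitation and the workaround apply to private connection policies as well, use "network security policies" here as the rest of the patch does, and if they really do not, say explicitly that private connections are unaffected rather than leaving it implied.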
@@ -103,18 +103,18 @@ Currently you can’t use SSO to login directly from {{ecloud}} into {{kib}} end
* Running an external {{kib}} in parallel to {{ecloud}}’s {{kib}} instances may cause errors, for example [`Unable to decrypt attribute`](../../../explore-analyze/alerts-cases/alerts/alerting-common-issues.md#rule-cannot-decrypt-api-key), due to a mismatched [`xpack.encryptedSavedObjects.encryptionKey`](kibana://reference/configuration-reference/security-settings.md#security-encrypted-saved-objects-settings) as {{ecloud}} does not [allow users to set](edit-stack-settings.md) nor expose this value. While workarounds are possible, this is not officially supported nor generally recommended.
-% ## APM Agent central configuration with PrivateLink or traffic filters [ec-restrictions-apm-traffic-filters]
+% ## APM Agent central configuration with network security policies [ec-restrictions-apm-traffic-filters]
% If you are using APM 7.9.0 or older:
-% * You cannot use [APM Agent central configuration](/solutions/observability/apm/apm-agent-central-configuration.md) if your deployment is secured by [traffic filters](../../security/traffic-filtering.md).
+% * You cannot use [APM Agent central configuration](/solutions/observability/apm/apm-agent-central-configuration.md) if your deployment is secured by [network security policies](../../security/traffic-filtering.md).
% * If you access your APM deployment over [PrivateLink](../../security/aws-privatelink-traffic-filters.md), to use APM Agent central configuration you need to allow access to the APM deployment over public internet.
-## Fleet with PrivateLink or traffic filters [ec-restrictions-fleet-traffic-filters]
+## Fleet with network security policies [ec-restrictions-fleet-traffic-filters]
-% * You cannot use Fleet 7.13.x if your deployment is secured by [traffic filters](../../security/traffic-filtering.md). Fleet 7.14.0 and later works with traffic filters (both Private Link and IP filters).
-* If you are using Fleet 8.12+, using a remote {{es}} output with a target cluster that has [traffic filters](../../security/traffic-filtering.md) enabled is not currently supported.
+% * You cannot use Fleet 7.13.x if your deployment is secured by [network security policies](../../security/traffic-filtering.md). Fleet 7.14.0 and later works with network security policies (both IP filters and private connection policies).
+* If you are using Fleet 8.12+, using a remote {{es}} output with a target cluster that has [network security policies](../../security/traffic-filtering.md) applied is not currently supported.
## Restoring a snapshot across deployments [ec-snapshot-restore-enterprise-search-kibana-across-deployments]
diff --git a/deploy-manage/deploy/elastic-cloud/tools-apis.md b/deploy-manage/deploy/elastic-cloud/tools-apis.md
index 916cb76d53..9368502fa9 100644
--- a/deploy-manage/deploy/elastic-cloud/tools-apis.md
+++ b/deploy-manage/deploy/elastic-cloud/tools-apis.md
@@ -30,7 +30,7 @@ The following REST APIs allow you to manage your {{ecloud}} organization, users,
| Area | API | Tasks |
| --- | --- | --- |
-| {{ecloud}} organization
{{ech}} deployments | [{{ecloud}} API](https://www.elastic.co/docs/api/doc/cloud/) | Manage your Cloud organization, members, costs, billing, and more.
Manage your hosted deployments and all of the resources associated with them, including scaling or autoscaling resources, and managing traffic filters, deployment extensions, remote clusters, and {{stack}} versions.
Refer to [{{ecloud}} RESTful API](cloud://reference/cloud-hosted/ec-api-restful.md) for usage information and examples. |
+| {{ecloud}} organization
{{ech}} deployments | [{{ecloud}} API](https://www.elastic.co/docs/api/doc/cloud/) | Manage your Cloud organization, members, costs, billing, and more.
Manage your hosted deployments and all of the resources associated with them, including scaling or autoscaling resources, and managing network security policies, deployment extensions, remote clusters, and {{stack}} versions.
Refer to [{{ecloud}} RESTful API](cloud://reference/cloud-hosted/ec-api-restful.md) for usage information and examples. |
| {{serverless-full}} projects | [{{serverless-full}} API](https://www.elastic.co/docs/api/doc/elastic-cloud-serverless) | Manage {{serverless-full}} projects. |
| {{ecloud}} services | [Service Status API](https://status.elastic.co/api/) | Programmatically ingest [service status](/deploy-manage/cloud-organization/service-status.md) updates. |
diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md
index 66e2724a8e..4b17c76394 100644
--- a/deploy-manage/remote-clusters/ec-enable-ccs.md
+++ b/deploy-manage/remote-clusters/ec-enable-ccs.md
@@ -52,21 +52,21 @@ The steps, information, and authentication method required to configure CCS and
* [From an ECK environment](ec-enable-ccs-for-eck.md)
-## Remote clusters and traffic filtering [ec-ccs-ccr-traffic-filtering]
+## Remote clusters and network security [ec-ccs-ccr-traffic-filtering]
::::{note}
-Traffic filtering isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
+[Network security](../security/traffic-filtering.md) isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
::::
-API key authentication for remote clusters cannot be used in combination with traffic filtering.
+API key authentication for remote clusters cannot be used in combination with network security.
-For remote clusters configured using TLS certificate authentication, [traffic filtering](../security/traffic-filtering.md) can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.
+For remote clusters configured using TLS certificate authentication, [network security policies](../security/traffic-filtering.md) can be applies to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.
-Traffic filtering for remote clusters supports 2 methods:
+Network security for remote clusters supports 2 methods:
* [Filtering by IP addresses and Classless Inter-Domain Routing (CIDR) masks](../security/ip-traffic-filtering.md)
-* Filtering by Organization or {{es}} cluster ID with a Remote cluster type filter. You can configure this type of filter from the **Features** > **Traffic filters** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page.
+* Filtering by Organization or {{es}} cluster ID with a **Remote cluster** private connection policy. You can configure this type of policy from the **Access and security** > **Network security** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page.
::::{note}
-When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection.
+When setting up network security for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection.
::::
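Review bot: grammar on the line "[network security policies](../security/traffic-filtering.md) can be applies to restrict access": should read "can be applied". The rest of the hunk keeps the `ec-ccs-ccr-traffic-filtering` anchor id on the renamed heading, which is the right call for inbound links; the new note text "[Network security](../security/traffic-filtering.md) isn't supported" also reads as if the feature as a whole is unsupported, so consider "Network security policies can't be applied to cross-cluster operations initiated from..." to keep the meaning of the original sentence.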
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
index e4bcc47851..27a084198c 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md
@@ -39,7 +39,7 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear
### Prerequisites and limitations [ec_prerequisites_and_limitations_3]
* The local and remote deployments must be on {{stack}} 8.14 or later.
-* API key authentication can’t be used in combination with traffic filters.
+* API key authentication can’t be used in combination with [network security](/deploy-manage/security/traffic-filtering.md).
* Contrary to the certificate security model, the API key security model does not require that both local and remote clusters trust each other.
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
index 0f3998ff7d..603e4ff756 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
@@ -14,7 +14,7 @@ products:
This section explains how to configure a deployment to connect remotely to clusters belonging to a different {{ecloud}} organization.
::::{note}
-If traffic filtering is enabled on the remote cluster, the remote cluster administrator must configure a traffic filter of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and traffic filtering](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-traffic-filtering).
+If network security policies are applied to the remote cluster, the remote cluster administrator must configure a network security private connection policy of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and traffic filtering](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-traffic-filtering).
::::
## Allow the remote connection [ec_allow_the_remote_connection_2]
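Review bot: the link text "Remote clusters and traffic filtering" is now stale, since this patch renames that heading in `ec-enable-ccs.md` to "Remote clusters and network security" (the `#ec-ccs-ccr-traffic-filtering` anchor is unchanged, so the link still resolves, only the label is wrong). The phrase "a network security private connection policy of type remote cluster" is also heavy; "a **Remote cluster** private connection policy" mirrors the wording the same patch introduces in `ec-enable-ccs.md`.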
diff --git a/deploy-manage/security.md b/deploy-manage/security.md
index 82827fd47f..6c33e73f24 100644
--- a/deploy-manage/security.md
+++ b/deploy-manage/security.md
@@ -18,6 +18,7 @@ products:
- id: cloud-kubernetes
- id: cloud-enterprise
- id: cloud-hosted
+ - id: cloud-serverless
---
# Security
diff --git a/deploy-manage/security/_snippets/associate-filter.md b/deploy-manage/security/_snippets/associate-filter.md
index 79acbdaede..4b30a99a4e 100644
--- a/deploy-manage/security/_snippets/associate-filter.md
+++ b/deploy-manage/security/_snippets/associate-filter.md
@@ -1,3 +1,8 @@
-1. Go to the deployment.
-2. On the **Security** page, under **Traffic filters** select **Apply filter**.
-3. Choose the filter you want to apply and select **Apply filter**.
\ No newline at end of file
+::::{tab-set}
+:group: hosted-serverless
+
+1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus.
+
+ On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.
+2. On the **Security** page, under **Network security**, select **Apply policies** > **{{policy-type}}**.
+3. Choose the policy you want to apply and select **Apply**.
\ No newline at end of file
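Review bot: the added `::::{tab-set}` directive is opened but never closed and contains no `:::{tab-item}` children, so the snippet will not render as tabs, and an unclosed directive can swallow the content of any page that includes this snippet. Either add the hosted and serverless tab items with the closing `::::`, or drop the wrapper until the serverless steps exist. `{{policy-type}}` is also a new substitution; every page that includes `associate-filter.md` must define it (for example as "IP filter" or "Private connection"), or the literal placeholder will render. Minor: the file still ends without a trailing newline.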
diff --git a/deploy-manage/security/_snippets/cluster-communication-network.md b/deploy-manage/security/_snippets/cluster-communication-network.md
index 7d16451e88..3cf287d6e2 100644
--- a/deploy-manage/security/_snippets/cluster-communication-network.md
+++ b/deploy-manage/security/_snippets/cluster-communication-network.md
@@ -3,5 +3,5 @@
* **The transport layer**: Used mainly for inter-node communications, and in certain cases for cluster to cluster communication.
* In self-managed {{es}} clusters, you can also [Configure {{kib}} and {{es}} to use mutual TLS](/deploy-manage/security/kibana-es-mutual-tls.md).
* [Enable cipher suites for stronger encryption](/deploy-manage/security/enabling-cipher-suites-for-stronger-encryption.md): The TLS and SSL protocols use a cipher suite that determines the strength of encryption used to protect the data. You may want to enable the use of additional cipher suites, so you can use different cipher suites for your TLS communications or communications with authentication providers.
-* [Restrict connections using traffic filtering](/deploy-manage/security/traffic-filtering.md): Traffic filtering allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or, in {{ech}} deployments, secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
+* [Secure your network using IP filtering and private connections](/deploy-manage/security/traffic-filtering.md): Network security allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or, in {{ech}} deployments, secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
* [Allow or deny {{ech}} IP ranges](/deploy-manage/security/elastic-cloud-static-ips.md): {{ecloud}} publishes a list of IP addresses used by its {{ech}} services for both incoming and outgoing traffic. Users can use these lists to configure their network firewalls as needed to allow or restrict traffic related to {{ech}} services.
\ No newline at end of file
diff --git a/deploy-manage/security/_snippets/cluster-comparison.md b/deploy-manage/security/_snippets/cluster-comparison.md
index b72ca09fb8..d4f3bf264a 100644
--- a/deploy-manage/security/_snippets/cluster-comparison.md
+++ b/deploy-manage/security/_snippets/cluster-comparison.md
@@ -19,8 +19,8 @@ Select your deployment type below to see what's available and how implementation
|------------------|------------|--------------|-------------|
| **Communication** | TLS (HTTP layer) | Fully managed | Automatically configured by Elastic |
| | TLS (Transport layer) | Fully managed | Automatically configured by Elastic |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
-| | Private link | Configurable | [Establish a secure VPC connection](/deploy-manage/security/private-link-traffic-filters.md) |
+| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
+| | Private connections and VPC filtering | Configurable | [Establish a secure VPC connection](/deploy-manage/security/private-link-traffic-filters.md) |
| | Kubernetes network policies | N/A | |
| **Data** | Encryption at rest | Managed | You can [bring your own encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md) |
| | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) |
@@ -36,8 +36,8 @@ Select your deployment type below to see what's available and how implementation
|------------------|------------|--------------|-------------|
| **Communication** | TLS (HTTP layer) | Fully managed | Automatically configured by Elastic |
| | TLS (Transport layer) | Fully managed | Automatically configured by Elastic |
-| **Network** | IP traffic filtering | N/A | |
-| | Private link | N/A | |
+| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
+| | Private connections and VPC filtering | N/A | |
| | Kubernetes network policies | N/A | |
| **Data** | Encryption at rest | Fully managed | Automatically encrypted by Elastic |
| | Secure settings | N/A | |
@@ -53,8 +53,8 @@ Select your deployment type below to see what's available and how implementation
|------------------|------------|--------------|-------------|
| **Communication** | TLS (HTTP layer) | Managed | You can [configure custom certificates](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md) |
| | TLS (Transport layer) | Fully managed | Automatically configured by Elastic |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
-| | Private link | N/A | |
+| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
+| | Private connections and VPC filtering | N/A | |
| | Kubernetes network policies | N/A | |
| **Data** | Encryption at rest | N/A | |
| | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) |
@@ -70,8 +70,8 @@ Select your deployment type below to see what's available and how implementation
|------------------|------------|--------------|-------------|
| **Communication** | TLS (HTTP layer) | Managed | [Multiple options](/deploy-manage/security/k8s-https-settings.md) for customization |
| | TLS (Transport layer) | Managed | [Multiple options](/deploy-manage/security/k8s-transport-settings.md) for customization |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) |
-| | Private link | N/A | |
+| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) |
+| | Private connections and VPC filtering | N/A | |
| | Kubernetes network policies | Configurable | [Apply network policies to your Pods](/deploy-manage/security/k8s-network-policies.md) |
| **Data** | Encryption at rest | N/A | |
| | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/k8s-secure-settings.md) |
@@ -88,8 +88,8 @@ Select your deployment type below to see what's available and how implementation
|------------------|------------|--------------|-------------|
| **Communication** | TLS (HTTP layer) | Configurable | Can be automatically or manually configured. See [Initial security setup](/deploy-manage/security/self-setup.md) |
| | TLS (Transport layer) | Configurable | Can be automatically or manually configured. See [Initial security setup](/deploy-manage/security/self-setup.md) |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) |
-| | Private link | N/A | |
+| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) |
+| | Private connections and VPC filtering | N/A | |
| | Kubernetes network policies | N/A | |
| **Data** | Encryption at rest | N/A | |
| | Keystore security | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) |
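Review bot: the rename from "IP traffic filtering" to "IP filtering" and from "Private link" to "Private connections and VPC filtering" is applied consistently across the four deployment-type tables, but this table's Data row is labelled "Keystore security" while the other three use "Secure settings" for the same link target; align the label while these tables are being touched. Also decide on one term for the endpoint filter: the tables say "VPC filtering" whereas the AWS PrivateLink page in this same change says "VCPE filters" and "VPCE filter" in different places.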
diff --git a/deploy-manage/security/_snippets/create-filter.md b/deploy-manage/security/_snippets/create-filter.md
index 72cfe87c62..e438ad8c12 100644
--- a/deploy-manage/security/_snippets/create-filter.md
+++ b/deploy-manage/security/_snippets/create-filter.md
@@ -1,4 +1,6 @@
+% NO LONGER USED
+
1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
-2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus.
-3. Under the **Features** tab, open the **Traffic filters** page.
-4. Select **Create filter**.
\ No newline at end of file
+2. From any deployment or project on the home page, select **Manage**.
+3. Under the **Features** tab, open the **Network security** page.
+ % From the left navigation menu, select **Access and security** > **Network security**.
\ No newline at end of file
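Review bot: the snippet is flagged `% NO LONGER USED` on its first line, yet the steps below are still rewritten; either delete the file (after grepping for any remaining `{include} _snippets/create-filter.md`) or leave the old text untouched, because editing dead content invites drift. If it is kept, step 3 ("Under the **Features** tab, open the **Network security** page") contradicts the new network-security-page.md snippet, which navigates via **Access and security** > **Network security**; the commented-out line that follows suggests the author already noticed. That `%` comment is also indented by one space inside the list, so check it is treated as a comment and not rendered as literal text.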
diff --git a/deploy-manage/security/_snippets/delete-ruleset.md b/deploy-manage/security/_snippets/delete-ruleset.md
index 3cf7899c99..6ba92aa028 100644
--- a/deploy-manage/security/_snippets/delete-ruleset.md
+++ b/deploy-manage/security/_snippets/delete-ruleset.md
@@ -1,8 +1 @@
-If you need to remove a rule set, you must first remove any associations with deployments.
-
-To delete a rule set with all its rules:
-
-1. [Remove any deployment associations](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#remove-filter-deployment).
-2. From the **Account** menu, select **Traffic filters**.
-3. Find the rule set you want to edit.
-4. Select the **Remove** icon. The icon is inactive if there are deployments assigned to the rule set.
\ No newline at end of file
+% no longer used
\ No newline at end of file
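Review bot: replacing the body with `% no longer used` leaves a stub the build still processes; delete the file and remove any remaining include of `_snippets/delete-ruleset.md` instead. Separately, the deleted text carried a real precondition (a rule set cannot be removed while deployments are still associated, and the **Remove** icon stays inactive until they are detached); confirm the new delete section for private connection policies, linked elsewhere in this change as `#ec-delete-traffic-filter-private-link-rule-set`, still states it, otherwise readers lose the explanation for a greyed-out control.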
diff --git a/deploy-manage/security/_snippets/eck-traffic-filtering.md b/deploy-manage/security/_snippets/eck-traffic-filtering.md
index cb7d47acd2..c43daaecaf 100644
--- a/deploy-manage/security/_snippets/eck-traffic-filtering.md
+++ b/deploy-manage/security/_snippets/eck-traffic-filtering.md
@@ -1,3 +1,3 @@
:::{tip}
-Elastic recommends that you use Kubernetes network policies over IP traffic filters for {{eck}}. This is because, in containerized environments like Kubernetes, IP addresses are usually dynamic, making network policies a more robust option.
+Elastic recommends that you use Kubernetes network policies over IP filters for {{eck}}. This is because, in containerized environments like Kubernetes, IP addresses are usually dynamic, making network policies a more robust option.
:::
\ No newline at end of file
diff --git a/deploy-manage/security/_snippets/find-endpoint.md b/deploy-manage/security/_snippets/find-endpoint.md
new file mode 100644
index 0000000000..e13325253f
--- /dev/null
+++ b/deploy-manage/security/_snippets/find-endpoint.md
@@ -0,0 +1,17 @@
+1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
+
+2. Under **Hosted deployments**, find your deployment.
+
+:::{tip}
+If you have many deployments, you can instead go to the **Hosted deployments** ({{ech}}) page. On that page, you can narrow your deployments by name, ID, or choose from several other filters.
+:::
+
+3. Select **Manage**.
+4. In the deployment overview, under **Applications**, find the application that you want to test.
+5. Click **Copy endpoint**. The value looks something like the following:
+
+```text subs=true
+https://my-deployment-d53192.es.{{example-default-dn}}
+```
+
+In this endpoint, `my-deployment-d53192` is an alias, and `es` is the product you want to access within your deployment.
\ No newline at end of file
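Review bot: the `:::{tip}` block sits unindented between list items 2 and 3, which terminates the ordered list, so items 3 to 5 start a second list (renumbered from 1 in most renderers) instead of continuing the first; indent the tip three spaces under item 2. Two portability problems for a shared snippet: `{{example-default-dn}}` is only defined in the `sub:` front matter of aws-privatelink-traffic-filters.md, so any other page that includes this snippet will fail to render the example unless it defines the same key; and step 4 says "the application that you want to test", which is wrong when the snippet is included from the "Access the deployment over a PrivateLink" section. A neutral "the application that you want to connect to" works for both.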
diff --git a/deploy-manage/security/_snippets/network-security-page.md b/deploy-manage/security/_snippets/network-security-page.md
new file mode 100644
index 0000000000..7a2c28c07b
--- /dev/null
+++ b/deploy-manage/security/_snippets/network-security-page.md
@@ -0,0 +1,3 @@
+1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
+2. From any deployment or project on the home page, select **Manage**.
+3. From the left navigation menu, select **Access and security** > **Network security**.
\ No newline at end of file
diff --git a/deploy-manage/security/_snippets/private-connection-fleet.md b/deploy-manage/security/_snippets/private-connection-fleet.md
new file mode 100644
index 0000000000..5596c6d907
--- /dev/null
+++ b/deploy-manage/security/_snippets/private-connection-fleet.md
@@ -0,0 +1,15 @@
+If you are using {{service-name}} together with Fleet, and enrolling the Elastic Agent with a PrivateLink URL, you need to configure Fleet Server to use and propagate the {{service-name}} URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of {{kib}}. Otherwise, Elastic Agent will reset to use a default address instead of the {{service-name}} URL.
+
+The URL needs to follow this pattern:
+
+```text
+https://{{fleet_component_ID_or_deployment_alias}}.fleet.{{private_hosted_zone_domain_name}}:443`
+```
+
+Similarly, the {{es}} host needs to be updated to propagate the PrivateLink URL. The {{es}} URL needs to follow this pattern:
+
+```text
+https://elasticsearch_cluster_ID_or_deployment_alias}}.es.{{private_hosted_zone_domain_name}}:443
+```
+
+The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` that are needed to enable this configuration in {{kib}} are not available in the {{kib}} settings in {{ecloud}}.
\ No newline at end of file
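Review bot: both URL patterns are malformed. The Fleet pattern ends with a stray backtick after `:443`, and the {{es}} pattern is missing its opening braces (`https://elasticsearch_cluster_ID_or_deployment_alias}}.es.`). Since the surrounding prose relies on `{{service-name}}` substitution, confirm the placeholders inside these fences are left literal by the build (the fences are `text`, not `text subs=true`, so they should be, but the removed note on the AWS page shows them collapsed to `https://.fleet.:443`, which is exactly what an expanded undefined substitution looks like). The snippet also hard-codes "PrivateLink URL" in the first and third paragraphs while parameterising the service name elsewhere, so it will read wrongly if reused for the GCP or Azure pages, and the last sentence drops the link to the {{ecloud}} stack settings page that the removed note carried.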
diff --git a/deploy-manage/security/_snippets/private-url-struct.md b/deploy-manage/security/_snippets/private-url-struct.md
new file mode 100644
index 0000000000..620b4989ef
--- /dev/null
+++ b/deploy-manage/security/_snippets/private-url-struct.md
@@ -0,0 +1,18 @@
+Use the following URL structure. This URL is built from endpoint information retrieved from your Elastic deployment and the private hosted zone domain name that you registered.
+
+ ```
+ https://{{alias}}.{{product}}.{{private_hosted_zone_domain_name}}
+ ```
+
+ For example:
+
+ ```text subs=true
+ https://my-deployment-d53192.es.{{example-phz-dn}}
+ ```
+
+
+:::{tip}
+You can use either 443 or 9243 as a port.
+
+You can also connect to the cluster using the {{es}} cluster ID, for example, https://6b111580caaa4a9e84b18ec7c600155e.{{example-phz-dn}}
+:::
\ No newline at end of file
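Review bot: the first code fence is indented by one space and has no language tag while the second is indented and tagged `text subs=true`; a leading space before the fence is tolerated by most parsers but is inconsistent with the rest of this change, and the untagged fence will not get the same styling. Remove the leading space on both fences and on "For example:", and tag the first as `text`. In the tip, the cluster-ID URL is bare rather than in backticks, unlike the alias example above it; wrap it in backticks so the two examples render alike and the placeholder domain is not auto-linked.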
diff --git a/deploy-manage/security/aws-privatelink-traffic-filters.md b/deploy-manage/security/aws-privatelink-traffic-filters.md
index f9fa308070..c0c55edafc 100644
--- a/deploy-manage/security/aws-privatelink-traffic-filters.md
+++ b/deploy-manage/security/aws-privatelink-traffic-filters.md
@@ -7,32 +7,39 @@ applies_to:
ess: ga
products:
- id: cloud-hosted
+navigation_title: AWS PrivateLink
+sub:
+ policy-type: "Private connection"
+ service-name: "AWS PrivateLink"
+ example-phz-dn: "vpce.us-east-1.aws.elastic-cloud.com"
+ example-default-dn: "us-east-1.aws.elastic-cloud.com"
---
-# AWS PrivateLink traffic filters
+# AWS PrivateLink private connections
-Traffic filtering to only AWS PrivateLink connections is one of the security layers available in {{ech}}. It allows you to limit how your deployments can be accessed.
+You can use AWS PrivateLink to establish a secure connection for your {{ecloud}} deployments to communicate with other AWS services. AWS routes the PrivateLink traffic within the AWS data center and never exposes it to the public internet.
-Refer to [](/deploy-manage/security/traffic-filtering.md) to learn more about traffic filtering in {{ech}}, and how traffic filter rules work.
+AWS PrivateLink connects your Virtual Private Cloud (VPC) to the AWS-hosted services that you use, treating them as if they were in your VPC. You can create and use VPC endpoints to securely access AWS-hosted services.
-AWS PrivateLink establishes a secure connection between two AWS Virtual Private Clouds (VPCs). The VPCs can belong to separate accounts, i.e. a service provider and its service consumers. AWS routes the PrivateLink traffic within the AWS data center and never exposes it to the public internet. In such a configuration, {{ecloud}} is the third-party service provider and the customers are service consumers.
+You can also optionally filter traffic to your deployments by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment to the VCPE specified in the policy, as well as any other policies applied to the deployment.
-PrivateLink is a connection between a VPC Endpoint and a PrivateLink Service.
-
-Read more about [Traffic Filtering](/deploy-manage/security/traffic-filtering.md) for the general concepts behind traffic filtering in {{ecloud}}.
+To learn how private connection policies impact your deployment, refer to [](/deploy-manage/security/network-security-policies.md).
+:::{tip}
+{{ech}} also supports [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource.
+:::
## Considerations
Before you begin, review the following considerations:
-### PrivateLink filtering and regions
+### Private connections and regions
-AWS PrivateLink filtering is supported only for AWS regions. Elastic does not yet support cross-region AWS PrivateLink connections. Your PrivateLink endpoint needs to be in the same region as your target deployments. Additional details can be found in the [AWS VPCE Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-limitations).
+Private connections over AWS PrivateLink are only supported only for AWS regions. Elastic does not yet support cross-region AWS PrivateLink connections. Your PrivateLink endpoint needs to be in the same region as your target deployments. Additional details can be found in the [AWS VPCE Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-limitations).
-AWS interface VPC endpoints are configured for one or more availability zones (AZ). In some regions, our VPC endpoint *service* is not present in all the possible AZs that a region offers. You can only choose AZs that are common on both sides. As the *names* of AZs (for example `us-east-1a`) differ between AWS accounts, the following list of AWS regions shows the *ID* (e.g. `use1-az4`) of each available AZ for the service.
+AWS interface virtual private connection (VPC) endpoints are configured for one or more availability zones (AZ). In some regions, our VPC endpoint service is not present in all the possible AZs that a region offers. You can only choose AZs that are common on both sides. As the names of AZs (for example `us-east-1a`) differ between AWS accounts, the following list of AWS regions shows the ID (e.g. `use1-az4`) of each available AZ for the service.
-Check [interface endpoint availability zone considerations](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-availability-zones) for more details.
+Refer to [interface endpoint availability zone considerations](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-availability-zones) for more details.
### Availability zones
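Review bot: terminology for the endpoint is inconsistent and partly wrong in this hunk. "virtual private connection endpoint (VCPE)" should be "VPC endpoint (VPCE)", and "AWS interface virtual private connection (VPC) endpoints" should be "AWS interface VPC endpoints", since VPC is already expanded as Virtual Private Cloud two paragraphs earlier and the UI label introduced later in this change is **VPCE filter**; standardise on VPCE throughout (the same typo recurs as "VCPE" and "VCP endpoint" in later hunks of this file). Also fix the doubled adverb in "are only supported only for AWS regions".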
@@ -40,7 +47,7 @@ Elastic [charges](/deploy-manage/cloud-organization/billing/cloud-hosted-deploym
On the customer VPC side, the inter-availability zone data transfer, within the same AWS region, towards AWS PrivateLink endpoints, [is free of charge](https://aws.amazon.com/about-aws/whats-new/2022/04/aws-data-transfer-price-reduction-privatelink-transit-gateway-client-vpn-services/). As a result, you do not incur charges for cross-AZ data transfer within your VPC when the target is the AWS Privatelink {{ecloud}} service endpoint. We recommend you set up the VPC endpoints in all supported {{ecloud}} AZs for a particular region for maximum traffic throughput and resiliency.
-If Elastic and your VPC overlap in two AZs or less, you can create subnets and VPC PrivateLink endpoints in your VPC within the same availability zones where Elastic PrivateLink service has presence.
+If Elastic and your VPC overlap in two AZs or less, you can create subnets and VPC PrivateLink endpoints in your VPC within the same availability zones where the Elastic PrivateLink service is present.
### Transport client
@@ -51,7 +58,7 @@ Transport client is not supported over PrivateLink connections.
PrivateLink Service is set up by Elastic in all supported AWS regions under the following service names:
::::{dropdown} AWS public regions
-| **Region** | **VPC Service Name** | **Private hosted zone domain name** | **AZ Names (AZ IDs)** |
+| Region | VPC service name | Private hosted zone domain name | AZ names (AZ IDs) |
| --- | --- | --- | --- |
| af-south-1 | `com.amazonaws.vpce.af-south-1.vpce-svc-0d3d7b74f60a6c32c` | `vpce.af-south-1.aws.elastic-cloud.com` | `af-south-1a` (`afs1-az1`), `af-south-1b` (`afs1-az2`), `af-south-1c` (`afs1-az3`) |
| ap-east-1 | `com.amazonaws.vpce.ap-east-1.vpce-svc-0f96fbfaf55558d5c` | `vpce.ap-east-1.aws.elastic-cloud.com` | `ap-east-1a` (`ape1-az1`), `ap-east-1b` (`ape1-az2`), `ap-east-1c` (`ape1-az3`) |
@@ -74,35 +81,44 @@ PrivateLink Service is set up by Elastic in all supported AWS regions under the
| us-east-2 | `com.amazonaws.vpce.us-east-2.vpce-svc-02d187d2849ffb478` | `vpce.us-east-2.aws.elastic-cloud.com` | `us-east-2a` (`use2-az1`), `us-east-2b` (`use2-az2`), `us-east-2a` (`use2-az3`) |
| us-west-1 | `com.amazonaws.vpce.us-west-1.vpce-svc-00def4a16a26cb1b4` | `vpce.us-west-1.aws.elastic-cloud.com` | `us-west-1a` (`usw1-az1`), `us-west-1b` (`usw1-az2`), `us-west-1c` (`usw1-az3`) |
| us-west-2 | `com.amazonaws.vpce.us-west-2.vpce-svc-0e69febae1fb91870` | `vpce.us-west-2.aws.elastic-cloud.com` | `us-west-2a` (`usw2-az2`), `us-west-2b` (`usw2-az1`), `us-west-2c` (`usw2-az3`) |
-
::::
::::{dropdown} GovCloud regions
-| **Region** | **VPC Service Name** | **Private hosted zone domain name** |
+| Region | VPC service name | Private hosted zone domain name |
| --- | --- | --- |
| us-gov-east-1 (GovCloud) | `com.amazonaws.vpce.us-gov-east-1.vpce-svc-0bba5ffa04f0cb26d` | `vpce.us-gov-east-1.aws.elastic-cloud.com` |
-
::::
+## Set up a private connection
-The process of setting up the PrivateLink connection to your clusters is split between AWS (e.g. by using AWS console) and {{ecloud}} UI. These are the high-level steps:
+The process of setting up a private connection with AWS PrivateLink is split between the AWS console and the {{ecloud}} UI. These are the high-level steps:
| AWS console | {{ecloud}} |
| --- | --- |
-| 1. Create a VPC endpoint using {{ecloud}} service name. | |
-| 2. Create a DNS record pointing to the VPC endpoint. | |
-| | 3. Create a PrivateLink rule set with your VPC endpoint ID. |
-| | 4. Associate the PrivateLink rule set with your deployments. |
-| | 5. Interact with your deployments over PrivateLink. |
+| 1. [Create a VPC endpoint using {{ecloud}} service name.](#ec-aws-vpc-dns) | |
+| 2. [Create a DNS record pointing to the VPC endpoint.](#ec-aws-vpc-dns) | |
+| | 3. **Optional**: [Create a private connection policy.](ec-add-vpc-elastic)
A private connection policy is required to filter traffic using the VCP endpoint ID. |
+| | 4. **Optional**: [Associate the private connection policy with deployments](#ec-associate-traffic-filter-private-link-rule-set). |
+| | 5. [Interact with your deployments over PrivateLink](#ec-access-the-deployment-over-private-link). |
+After you create your private connection policy, you can [edit](#ec-edit-traffic-filter-private-link-rule-set), [disconnect](#remove-filter-deployment), or [delete](#ec-delete-traffic-filter-private-link-rule-set) it.
-## Ensure your VPC is in all availability zones [ec-aws-vpc-overlapping-azs]
+:::{admonition} Private connection policies are optional
+Private connection policies are optional for AWS PrivateLink. After the VPC endpoint and DNS record are created, private connectivity is established.
-Ensure your VPC endpoint is in all availability zones supported by {{ecloud}} on the region for the VPC service.
+Creating a private connection policy and associating it with your deployments allows you to do the following:
-Ensuring that your VPC is in all supported {{ecloud}} availability zones for a particular region avoids potential for a traffic imbalance. That imbalance may saturate some coordinating nodes and underutilize others in the deployment, eventually impacting performance. Enabling all supported {{ecloud}} zones ensures that traffic is balanced optimally.
+* Record that you've established private connectivity between AWS and Elastic in the applicable region.
+* Filter traffic to your deployment using VCPE filters.
+:::
+
+
+### Before you begin [ec-aws-vpc-overlapping-azs]
+Before you begin, you should ensure your VPC endpoint is in all availability zones supported by {{ecloud}} on the region for the VPC service.
+
+Ensuring that your VPC is in all supported {{ecloud}} availability zones for a particular region avoids potential for a traffic imbalance. That imbalance may saturate some coordinating nodes and underutilize others in the deployment, eventually impacting performance. Enabling all supported {{ecloud}} zones ensures that traffic is balanced optimally.
You can find the zone name to zone ID mapping with AWS CLI:
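Review bot: the high-level steps table is broken. The link in step 3 is `(ec-add-vpc-elastic)` without the leading `#`, so it resolves to a relative page rather than the in-page anchor, and the cell text continues on a following line ("A private connection policy is required to filter traffic using the VCP endpoint ID.") with no leading `|`, which ends the table early in CommonMark/MyST. Keep the cell on one line (or move that sentence below the table), fix the anchor, and fix "VCP". The "Private connection policies are optional" admonition here is repeated almost verbatim under "Optional: Create a private connection policy" later in the file; keep one copy. Drive-by in the unchanged context: the `us-east-2` row lists `us-east-2a` for both `use2-az1` and `use2-az3`; check whether the second should be `us-east-2c`.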
@@ -119,77 +135,64 @@ $ aws ec2 describe-availability-zones --region us-east-1 | jq -c '.AvailabilityZ
The mapping will be different for your region. Our production VPC Service for `us-east-1` is located in `use1-az2`, `use1-az4`, `use1-az6`. We need to create the VPC Endpoint for the preceding mapping in at least one of `us-east-1e`, `us-east-1a`, `us-east-1b`.
-## Create your VPC endpoint and DNS entries in AWS [ec-aws-vpc-dns]
+### Create your VPC endpoint and DNS entries in AWS [ec-aws-vpc-dns]
1. Create a VPC endpoint in your VPC using the service name for your region.
- Follow the [AWS instructions](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint) for details on creating a VPC interface endpoint to an endpoint service.
+ Refer to the [AWS documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint) for details on creating a VPC interface endpoint to an endpoint service.
- Use [the service name for your region](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-private-link-service-names-aliases).
+ Use [the service name for your region](#ec-private-link-service-names-aliases).
:::{image} /deploy-manage/images/cloud-ec-private-link-service.png
:alt: PrivateLink
:screenshot:
:::
- The security group for the endpoint should at minimum allow for inbound connectivity from your instances CIDR range on ports 443 and 9243. Security groups for the instances should allow for outbound connectivity to the endpoint on ports 443 and 9243.
+ The security group for the endpoint should, at minimum, allow for inbound connectivity from your instances' CIDR range on ports 443 and 9243. Security groups for the instances should allow for outbound connectivity to the endpoint on ports 443 and 9243.
2. Create a DNS record.
- 1. Create a *Private hosted zone*. Consult *Private hosted zone domain name* in *PrivateLink service names and aliases* for the name of the zone. For example, in *us-east-1* use `vpce.us-east-1.aws.elastic-cloud.com` as the zone domain name. Don’t forget to associate the zone with your VPC.
+ 1. Create a Private hosted zone.
+
+ Refer to the **Private hosted zone domain name** column in the [PrivateLink service names and aliases](#ec-private-link-service-names-aliases) table for the name of the zone. For example, in `us-east-1`, use `vpce.us-east-1.aws.elastic-cloud.com` as the zone domain name.
+
+ Don’t forget to associate the zone with your VPC.
:::{image} /deploy-manage/images/cloud-ec-private-link-private-hosted-zone-example.png
:alt: Private hosted zone example
:screenshot:
:::
- 2. Then create a DNS CNAME alias pointing to the PrivateLink Endpoint. Add the record to a private DNS zone in your VPC. Use `*` as the record name, and the VPC endpoint DNS name as a value.
+ 2. Create a DNS CNAME alias pointing to the PrivateLink endpoint. Add the record to a private DNS zone in your VPC. Use `*` as the record name, and the VPC endpoint DNS name as a value.
- Follow the [AWS instructions](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html) for details on creating a CNAME record which points to your VPC endpoint DNS name.
+ Refer to the [AWS documentation](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html) for details on creating a CNAME record which points to your VPC endpoint DNS name.
:::{image} /deploy-manage/images/cloud-ec-private-link-cname.png
:alt: PrivateLink CNAME
:screenshot:
:::
-3. Test the connection.
-
- Find out the endpoint of your deployment. You can do that by selecting **Copy endpoint** in the Cloud UI. It looks something like:
-
- ```
- my-deployment-d53192.es.us-east-1.aws.found.io
- ```
+### Test the connection
- where `my-deployment-d53192` is an alias, and `es` is the product you want to access within your deployment.
-
- To access your {{es}} cluster over PrivateLink:
-
- * If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect.
- * Alternatively, use the following URL structure:
-
- ```
- https://{{alias}}.{product}.{{private_hosted_zone_domain_name}}
- ```
-
- For example:
-
- ```text
- https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com
- ```
+After you create your VPC endpoint and DNS entries, check that you are able to reach your cluster over PrivateLink.
+:::{include} _snippets/private-url-struct.md
+:::
- ::::{tip}
- You can use either 443, or 9243 as a port.
- ::::
+To test the connection:
+1. If needed, find the endpoint of an application in your deployment:
+
+ :::{include} _snippets/find-endpoint.md
+ :::
- You can test the AWS console part of the setup with a following curl (substitute the region and {{es}} ID with your cluster):
+2. Test the setup using the following cURL command. Make sure to replace the URL with your deployment's endpoint information and the private hosted zone domain name that you registered.
- Request:
+ **Request**
```sh
$ curl -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com
```
- Response:
+ **Response**
```sh
* Server certificate:
* subject: CN=*.us-east-1.aws.elastic-cloud.com
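Review bot: "Test the connection" now includes `_snippets/find-endpoint.md` inside list item 1 (indented three spaces), but that snippet itself contains a five-item ordered list and an unindented tip, so the nested numbering will restart and the outer list will break before step 2; either flatten the snippet to prose or make its indentation consistent with being nested. The include of `_snippets/private-url-struct.md` placed before "To test the connection:" duplicates the same include under "Access the deployment over a PrivateLink", so the reader sees the URL structure and port tip twice on one page. Minor: the lead-in says "cURL command" while the command and the rest of the docs use `curl`.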
@@ -199,21 +202,30 @@ The mapping will be different for your region. Our production VPC Service for `u
* Connection #0 to host my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com left intact
```
- The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, because you haven’t allowed the traffic over this PrivateLink connection yet.
+The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, because you haven’t allowed the traffic over this PrivateLink connection yet.
+% needs to be edited
+## Optional: Create a private connection policy [ec-add-vpc-elastic]
-## Add the private link rules to your deployments [ec-add-vpc-elastic]
+After you test your PrivateLink connection, you can create a private connection policy in {{ecloud}}.
-Follow these high-level steps to add private link rules to your deployments.
+Private connection policies are optional for AWS PrivateLink. After the VPC endpoint and DNS record are created, private connectivity is established.
-1. [Find your VPC endpoint ID](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-find-your-endpoint).
-2. [Create rules using the VPC endpoint](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-create-traffic-filter-private-link-rule-set).
-3. [Associate the VPC endpoint with your deployment](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set).
-4. [Access the deployment over a private link](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-access-the-deployment-over-private-link).
+Creating a private connection policy and associating it with your deployments allows you to do the following:
+* Record that you've established private connectivity between AWS and Elastic in the applicable region.
+* Filter traffic to your deployment using VCPE filters.
-### Find your VPC endpoint ID [ec-find-your-endpoint]
+Follow these high-level steps to add a private connection policy that can be associated with your deployments.
+
+1. Optional: [Find your VPC endpoint ID](#ec-find-your-endpoint).
+2. [Create rules using the VPC endpoint](#ec-create-traffic-filter-private-link-rule-set).
+3. [Associate the VPC endpoint with your deployment](#ec-associate-traffic-filter-private-link-rule-set).
+
+### Optional: Find your VPC endpoint ID [ec-find-your-endpoint]
+
+The VPC endpoint ID is only required if you want to filter traffic to your deployment using VCPE filters.
You can find your VPC endpoint ID in the AWS console:
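Review bot: the explanation of the test result no longer matches the new model. "The `403 Forbidden` is expected, because you haven't allowed the traffic over this PrivateLink connection yet" was accurate when a PrivateLink rule set was mandatory; this hunk states that private connectivity is established once the VPC endpoint and DNS record exist and that a policy is optional, so either the 403 still occurs for another reason (which should be stated) or an unauthenticated request would now return `401`, and the expected response needs re-verifying against a live deployment. The `% needs to be edited` marker is still in the file. The paragraph from "Private connection policies are optional" through "Filter traffic to your deployment using VCPE filters" repeats the admonition added in the previous hunk; and the step list marks only "Find your VPC endpoint ID" as optional while the later "Associate a policy with a deployment" heading is also marked Optional, so steps and headings should agree.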
@@ -222,86 +234,138 @@ You can find your VPC endpoint ID in the AWS console:
:screenshot:
:::
+### Create a new private connection policy [ec-create-traffic-filter-private-link-rule-set]
-### Create rules with the VPC endpoint [ec-create-traffic-filter-private-link-rule-set]
-
-Once you know your VPC endpoint ID you can create a private link traffic filter rule set.
+Create a new private connection policy.
-
-:::{include} _snippets/create-filter.md
+:::{include} _snippets/network-security-page.md
:::
-1. Select **Private link endpoint**.
-2. Create your rule set, providing a meaningful name and description.
-3. Select the region for the rule set.
-4. Enter your VPC endpoint ID.
-5. Select if this rule set should be automatically attached to new deployments.
+4. Select **Private connection**.
+3. Select the resource type that the private connection will be applied to. Currently, only hosted deployments are supported.
+10. Select the cloud provider and region for the private connection.
+
+ :::{tip}
+ Network security policies are bound to a single region, and can be assigned only to deployments in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to.
+ :::
+11. Under **Connectivity**, select **Privatelink**.
+12. Optional: Under **VPCE filter**, enter your VPC endpoint ID. You should only specify a VPC endpoint ID if you want to filter traffic to your deployment.
+
+ If you don't specify a VPCE filter, then the private connection policy acts only as a record that you've established private connectivity between AWS and Elastic in the applicable region.
+
+ :::{tip}
+ You can assign multiple policies to a single deployment. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`.
+
+ [Learn more about how network security policies affect your deployment](network-security-policies.md).
+ :::
- ::::{note}
- Each rule set is bound to a particular region and can be only assigned to deployments in the same region.
- ::::
+13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments. If you specified a VPCE filter, then after you associate the filter with a deployment, it starts filtering traffic.
+14. To automatically attach this private connection policy to new deployments, select **Apply by default**.
+15. Click **Create**.
+16. (Optional) You can [claim your VPC endpoint ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset.
-6. (Optional) You can [claim your VPC endpoint ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset.
+The next step is to [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment.
-The next step is to [associate the rule set](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployments.
+### Optional: Associate a policy with a deployment [ec-associate-traffic-filter-private-link-rule-set]
+You can associate a network security policy with your deployment from the policy's settings, or from your deployment's settings.
-### Associate a PrivateLink rule set with your deployment [ec-associate-traffic-filter-private-link-rule-set]
+If the policy contains a VCPE filter, then after you associate the policy with a deployment, it starts filtering traffic.
-To associate a private link rule set with your deployment:
+If the policy doesn't contain a VCPE filter, then the association can serve as a reminder that a VCP endpoint exists for the deployment's region.
+
+#### From a deployment
:::{include} _snippets/associate-filter.md
:::
-### Access the deployment over a PrivateLink [ec-access-the-deployment-over-private-link]
+#### From the policy settings
+
+:::{include} _snippets/network-security-page.md
+:::
+5. Find the policy you want to edit.
+6. Under **Apply to resources**, associate the policy with one or more deployments.
+7. Click **Update** to save your changes.
+
+## Access the deployment over a PrivateLink [ec-access-the-deployment-over-private-link]
-For traffic to connect with the deployment over a PrivateLink, the client making the request needs to be located within the VPC where you’ve created the VPC endpoint. You can also setup network traffic to flow through the originating VPC from somewhere else, such as another VPC or VPN from your corporate network. This assumes that the VPC endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions.
+For traffic to connect with the deployment over a PrivateLink, the client making the request needs to be located within the VPC where you’ve created the VPC endpoint. You can also set up network traffic to flow through the originating VPC from somewhere else, such as another VPC or VPN from your corporate network. This assumes that the VPC endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions.
::::{important}
Use the alias you’ve set up as CNAME DNS record to access your deployment.
::::
+:::{include} _snippets/private-url-struct.md
+:::
-If your deployment alias is `my-deployment-12ab9b` and it is located in `us-east-1` region you can access it at the following URL:
+To access the deployment:
-```
-https://my-deployment-12ab9b.es.vpce.us-east-1.aws.elastic-cloud.com
-```
+1. If needed, find the endpoint of an application in your deployment:
+
+ :::{include} _snippets/find-endpoint.md
+ :::
-Request:
-```sh
-$ curl -u 'username:password' -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com
-```
+2. Send a request:
-Response:
-```
-< HTTP/1.1 200 OK
-..
-```
+ **Request**
+ ```sh
+ $ curl -u 'username:password' -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com
+ ```
-::::{note}
-If you are using AWS PrivateLink together with Fleet, and enrolling the Elastic Agent with a PrivateLink URL, you need to configure Fleet Server to use and propagate the PrivateLink URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of {{kib}}. Otherwise, Elastic Agent will reset to use a default address instead of the PrivateLink URL. The URL needs to follow this pattern: `https://.fleet.:443`.
+ **Response**
+ ```
+ < HTTP/1.1 200 OK
+ ..
+ ```
-Similarly, the {{es}} host needs to be updated to propagate the Privatelink URL. The {{es}} URL needs to follow this pattern: `https://.es.:443`.
+### AWS PrivateLink and Fleet
-The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` that are needed to enable this configuration in {{kib}} are currently available on-prem only, and not in the [{{kib}} settings in {{ecloud}}](/deploy-manage/deploy/elastic-cloud/edit-stack-settings.md).
+:::{include} _snippets/private-connection-fleet.md
+:::
-::::
+## Manage policies
+After you create your private connection policy, you can edit it, remove it from your deployment, or delete it.
+### Edit a policy [ec-edit-traffic-filter-private-link-rule-set]
-## Edit a PrivateLink connection [ec-edit-traffic-filter-private-link-rule-set]
+You can edit a policy's name, description, VPC endpoint ID, and more.
-You can edit a rule set name or to change the VPC endpoint ID.
+:::{include} _snippets/network-security-page.md
+:::
+1. Find the policy you want to edit, then click the **Edit** icon.
+2. Click **Update** to save your changes.
-:::{include} _snippets/edit-ruleset.md
+:::{tip}
+You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page.
:::
-### Delete a PrivateLink rule set [ec-delete-traffic-filter-private-link-rule-set]
+### Remove a policy from your deployment [remove-filter-deployment]
+
+If you want to a specific policy from a deployment, or delete the policy, then you need to disconnect it from any associated deployments first. You can do this from the policy's settings, or from your deployment's settings. To remove an association through the UI:
-:::{include} _snippets/delete-ruleset.md
+#### From your deployment
+
+1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus.
+
+ On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.
+2. On the **Security** page, under **Network security**, find the IP filter policy that you want to disconnect.
+3. Under **Actions**, click the **Delete** icon.
+
+#### From the IP filter policy settings
+
+:::{include} _snippets/network-security-page.md
:::
+5. Find the policy you want to edit, then click the **Edit** icon.
+6. Under **Apply to resources**, click the `x` beside the resource that you want to disconnect.
+7. Click **Update** to save your changes.
+
+
+### Delete a policy [ec-delete-traffic-filter-private-link-rule-set]
+
+If you need to remove a policy, you must first remove any associations with deployments.
-### Remove a PrivateLink rule set association from your deployment [remove-filter-deployment]
+To delete a policy:
-:::{include} _snippets/remove-filter.md
+:::{include} _snippets/network-security-page.md
:::
+4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments associated with the policy.
\ No newline at end of file
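Review bot: In the "Remove a policy from your deployment" section, "If you want to a specific policy from a deployment" is missing its verb (presumably "remove"), and the steps still name the wrong policy type for this page: "find the IP filter policy that you want to disconnect" and "#### From the IP filter policy settings" should read "private connection policy" and "#### From the policy settings", matching the subheading used under "Associate a policy with a deployment". Two related points: "a VCP endpoint exists for the deployment's region" should be "VPC endpoint", and "The next step is to [associate the policy]" sits directly above a heading marked "Optional:", which reads as contradictory; pick one. The step numbering after the `_snippets/network-security-page.md` include is also inconsistent within this file (it continues at 5 under "From the policy settings" and "From the IP filter policy settings", at 1 under "Edit a policy", and at 4 under "Delete a policy"). Please confirm that `_snippets/private-connection-fleet.md` preserves the removed caveat that `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` are available on-prem only, and restore the trailing newline at end of file.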
diff --git a/deploy-manage/security/azure-private-link-traffic-filters.md b/deploy-manage/security/azure-private-link-traffic-filters.md
index f8331fb0b9..56fef91afa 100644
--- a/deploy-manage/security/azure-private-link-traffic-filters.md
+++ b/deploy-manage/security/azure-private-link-traffic-filters.md
@@ -7,30 +7,40 @@ applies_to:
ess: ga
products:
- id: cloud-hosted
+navigation_title: Azure Private Link
+sub:
+ policy-type: "Private connection"
+ service-name: "Azure Private Link"
+ example-phz-dn: "privatelink.eastus2.azure.elastic-cloud.com"
+ example-default-dn: "eastus2.azure.elastic-cloud.com"
---
# Azure Private Link traffic filters
-Traffic filtering to allow only Azure Private Link connections is one of the security layers available in {{ech}}. It allows you to limit how your deployments can be accessed.
+You can use Azure Private Link to establish a secure connection for your {{ecloud}} deployments to communicate with other Azure services. Azure routes the Private Link traffic within the Azure data center and never exposes it to the public internet.
-Refer to [](/deploy-manage/security/traffic-filtering.md) to learn more about traffic filtering in {{ech}}, and how traffic filter rules work.
+Azure Private Link establishes a secure connection between two Azure VNets. The VNets can belong to separate accounts, for example a service provider and their service consumers. Azure routes the Private Link traffic within the Azure data centers and never exposes it to the public internet. In such a configuration, {{ecloud}} is the third-party service provider and the customers are service consumers.
-::::{note}
-Azure Private Link filtering is supported only for Azure regions.
-::::
+Private Link is a connection between an Azure Private Endpoint and a Azure Private Link Service.
+Azure Private Link requires that you also filter traffic to your deployments by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment to the VCPE specified in the policy, as well as any other filters defined in policies applied to the deployment.
-Azure Private Link establishes a secure connection between two Azure VNets. The VNets can belong to separate accounts, for example a service provider and their service consumers. Azure routes the Private Link traffic within the Azure data centers and never exposes it to the public internet. In such a configuration, {{ecloud}} is the third-party service provider and the customers are service consumers.
+To learn how private connection policies impact your deployment, refer to [](/deploy-manage/security/network-security-policies.md).
-Private Link is a connection between an Azure Private Endpoint and a Azure Private Link Service.
+:::{tip}
+{{ech}} also supports [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource.
+:::
+## Considerations
+
+Azure Private Link filtering is supported only for Azure regions.
## Azure Private Link Service aliases [ec-private-link-azure-service-aliases]
Private Link Services are set up by Elastic in all supported Azure regions under the following aliases:
::::{dropdown} Azure public regions
-| **Region** | **Azure Private Link Service alias** | **Private hosted zone domain name** |
+| Region | Azure Private Link Service alias | Private hosted zone domain name |
| --- | --- | --- |
| australiaeast | australiaeast-prod-012-privatelink-service.a0cf0c1a-33ab-4528-81e7-9cb23608f94e.australiaeast.azure.privatelinkservice | privatelink.australiaeast.azure.elastic-cloud.com |
| centralus | centralus-prod-009-privatelink-service.49a041f7-2ad1-4bd2-9898-fba7f7a1ff77.centralus.azure.privatelinkservice | privatelink.centralus.azure.elastic-cloud.com |
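Review bot: The two new opening paragraphs repeat the same sentence almost verbatim ("Azure routes the Private Link traffic within the Azure data center and never exposes it to the public internet" appears in both); drop it from the first paragraph. Terminology: "a Azure Private Link Service" should be "an Azure Private Link Service", and the abbreviation introduced here, "virtual private connection endpoint (VCPE)", does not match the "VPCE filter" label used in the policy creation steps later in this file; settle on one expansion and spelling and use it throughout.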
@@ -51,35 +61,38 @@ Private Link Services are set up by Elastic in all supported Azure regions under
::::
+## Set up a private connection
-The process of setting up the Private link connection to your clusters is split between Azure (e.g. by using Azure portal), {{ecloud}} Support, and {{ecloud}} UI. These are the high-level steps:
+The process of setting up the private connection with Azure Private link is split between Azure (e.g. by using Azure portal), and the {{ecloud}} UI. These are the high-level steps:
-| Azure portal | {{ecloud}} UI |
+| Azure portal | {{ecloud}} |
| --- | --- |
-| 1. Create a private endpoint using {{ecloud}} service alias. | |
-| 2. Create a [DNS record pointing to the private endpoint](https://learn.microsoft.com/en-us/azure/dns/private-dns-privatednszone). | |
-| | 3. Create an Azure Private Link rule set with the private endpoint **Name** and **ID**. |
-| | 4. Associate the Azure Private Link rule set with your deployments. |
-| | 5. Interact with your deployments over Private Link. |
+| 1. [Create a private endpoint using {{ecloud}} service alias.](#ec-private-link-azure-dns) | |
+| 2. [Create a DNS record pointing to the private endpoint](#ec-private-link-azure-dns). | |
+| | 3. [Create a private connection policy.](#ec-azure-allow-traffic-from-link-id) |
+| | 4. [Associate the Azure Private Link rule set with your deployments](#ec-associate-traffic-filter-private-link-rule-set). |
+| | 5. [Interact with your deployments over Private Link.](#ec-azure-access-the-deployment-over-private-link) |
-## Create your private endpoint and DNS entries in Azure [ec-private-link-azure-dns]
+### Create your private endpoint and DNS entries in Azure [ec-private-link-azure-dns]
1. Create a private endpoint in your VNet using the alias for your region.
Follow the [Azure instructions](https://docs.microsoft.com/en-us/azure/private-link/create-private-endpoint-portal#create-a-private-endpoint) for details on creating a private endpoint to an endpoint service.
- Use [the service aliases for your region](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-private-link-azure-service-aliases). Select the "Connect to an Azure resource by resource ID or alias" option. For example for the region `eastus2` the service alias is `eastus2-prod-002-privatelink-service.64359fdd-7893-4215-9929-ece3287e1371.eastus2.azure.privatelinkservice`
+ Use [the service aliases for your region](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-private-link-azure-service-aliases). Select the **Connect to an Azure resource by resource ID or alias** option. For example for the region `eastus2` the service alias is `eastus2-prod-002-privatelink-service.64359fdd-7893-4215-9929-ece3287e1371.eastus2.azure.privatelinkservice`
::::{note}
- You will notice that the Private Link endpoint is in the `Awaiting Approval` state. We validate and approve the endpoints when you create the ruleset using the Private Link `resource name` and `resource ID`, as described in the next section [Add the Private Link rules to your deployments](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-allow-traffic-from-link-id).
+ The Private Link endpoint is created in the `Awaiting Approval` state. We validate and approve the endpoints when you create the private connection policy using the Private Link `resource ID`, as described in the next section [Create a private connection policy](#ec-azure-allow-traffic-from-link-id).
::::
2. Create a DNS record.
- 1. Create a *Private DNS Zone*. Get the private hosted zone domain name in *Azure Private Link Service Alias* for the name of the zone. For example, in `eastus2`, use `privatelink.eastus2.azure.elastic-cloud.com` as the zone domain name. Using this zone domain name is required to ensure certificate names match.
- 2. After creating the *Private DNS Zone*, associate the zone with your VNet by creating a [virtual network link](https://learn.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal).
- 3. Then create a DNS A record pointing to the private endpoint. Use `*` as the record name, `A` as the type, and put the private endpoint IP address as the record value.
+ 1. Create a private DNS zone.
+
+ Refer to the **Azure Private Link Service Alias** column in the [Azure Private Link Service aliases](#ec-private-link-azure-service-aliases) table for the name of the zone. For example, in `eastus2`, use `privatelink.eastus2.azure.elastic-cloud.com` as the zone domain name. Using this zone domain name is required to ensure certificate names match.
+ 2. After creating the private DNS zone, associate the zone with your VNet by creating a [virtual network link](https://learn.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal).
+ 3. Create a DNS A record pointing to the private endpoint. Use `*` as the record name, `A` as the type, and put the private endpoint IP address as the record value.
Follow the [Azure instructions](https://docs.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal#create-an-additional-dns-record) for details on creating an A record which points to your private endpoint IP address.
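Review bot: Step 2.1 of the DNS instructions points readers at the wrong table column: "Refer to the **Azure Private Link Service Alias** column ... for the name of the zone", but the zone name (for example `privatelink.eastus2.azure.elastic-cloud.com`) comes from the "Private hosted zone domain name" column, and the bolded name no longer matches the new header casing ("Azure Private Link Service alias"). Suggest "Refer to the **Private hosted zone domain name** column in the [Azure Private Link Service aliases](#ec-private-link-azure-service-aliases) table for the name of the zone." Minor: the high-level steps table still says "Associate the Azure Private Link rule set with your deployments" while the rest of the change renames rule sets to policies, the period sits inside the link text in some rows and outside in others, and "Azure Private link" in the intro sentence should be "Azure Private Link".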
@@ -89,23 +102,16 @@ The process of setting up the Private link connection to your clusters is split
-## Add the Private Link rules to your deployments [ec-azure-allow-traffic-from-link-id]
+## Create a private connection policy [ec-azure-allow-traffic-from-link-id]
-Follow these high-level steps to add Private Link rules to your deployments.
+After you create your private endpoint and DNS entries, you can create a private connection policy in {{ecloud}}.
-1. [Find your private endpoint resource name](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-find-your-resource-name).
-2. [Find your private endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-find-your-resource-id).
-3. [Create rules using the Private Link Endpoint Resource Name and Resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-create-traffic-filter-private-link-rule-set).
-4. [Associate the private endpoint with your deployment](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-associate-traffic-filter-private-link-rule-set).
-5. [Access the deployment over a Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-access-the-deployment-over-private-link).
-
-
-### Find your private endpoint resource name [ec-find-your-resource-name]
-
-1. Go to your Private Link Endpoint in the Azure Portal.
-2. Select **JSON View**.
-3. Copy the value of the top level **name** property.
+Follow these high-level steps to add a private connection policy that can be associated with your deployments.
+1. [Find your private endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-find-your-resource-id).
+2. [Create policies using the Private Link Endpoint resource ID](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-create-traffic-filter-private-link-rule-set).
+3. [Test the connection](#test-the-connection).
+4. [Associate the private endpoint with your deployment](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set).
### Find your private endpoint resource ID [ec-find-your-resource-id]
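Review bot: Heading level: "## Create a private connection policy" is promoted to level 2 while the preceding "Create your private endpoint and DNS entries in Azure" was demoted to level 3 under "## Set up a private connection"; since steps 3 to 5 of the high-level table belong to the same setup procedure, this section should probably be `###` as well, with its subsections one level deeper. Also, the new four-step list mixes full paths (`/deploy-manage/security/azure-private-link-traffic-filters.md#ec-find-your-resource-id`) with a bare anchor (`#test-the-connection`); the bare-anchor form used elsewhere in this change is sufficient for same-page links.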
@@ -114,85 +120,78 @@ Follow these high-level steps to add Private Link rules to your deployments.
3. Copy the value of the **properties.resourceGUID** property.
:::{image} /deploy-manage/images/cloud-ec-private-link-azure-json-view.png
-:alt: Private endpoint JSON View
+:alt: Private endpoint JSON view
:screenshot:
:::
:::{image} /deploy-manage/images/cloud-ec-private-link-azure-properties.png
-:alt: Private endpoint Properties
+:alt: Private endpoint properties
:screenshot:
:::
+% fix me
-### Create rules using the Private Link Endpoint Resource Name and Resource ID [ec-azure-create-traffic-filter-private-link-rule-set]
+### Create a policy using the Private Link Endpoint resource ID [ec-azure-create-traffic-filter-private-link-rule-set]
-When you have your private endpoint name and ID, you can create a Private Link traffic filter rule set.
+When you have your private endpoint ID, you can create a private connection policy.
::::{note}
-The Private Link connection will be approved automatically after the traffic filter is created.
+The Private Link connection will be approved automatically after the private connection policy is created.
::::
-1. From the **Account** menu, select **Traffic filters**.
-2. Select **Create filter**.
-3. Select **Private link endpoint**.
-4. Create your rule set, providing a meaningful name and description.
-5. Select the region for the rule set.
-6. Enter your Private Endpoint Resource Name and Resource ID.
-7. Select if this rule set should be automatically attached to new deployments.
-
- ::::{note}
- Each rule set is bound to a particular region and can be only assigned to deployments in the same region.
- ::::
-
-8. (Optional) You can [claim your Private Endpoint Resource Name and Resource ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset.
+:::{include} _snippets/network-security-page.md
+:::
+4. Select **Private connection**.
+5. Select the resource type that the private connection will be applied to. Currently, only hosted deployments are supported.
+6. Select the cloud provider and region for the private connection.
+
+ :::{tip}
+ Network security policies are bound to a single region, and can be assigned only to deployments in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to.
+ :::
+7. Under **Connectivity**, select **Privatelink**.
+8. Under **VPCE filter**, enter your Private Endpoint resource ID.
+
+
+ :::{tip}
+ You can assign multiple policies to a single deployment. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`.
+
+ [Learn more about how network security policies affect your deployment](network-security-policies.md).
+ :::
+
+9. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments. After you associate the filter with a deployment, it starts filtering traffic.
+10. To automatically attach this private connection policy to new deployments, select **Apply by default**.
+11. Click **Create**.
+12. (Optional) You can [claim your Private Endpoint resource ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a private connection policy.
Creating the filter approves the Private Link connection.
-Let’s test the connection:
+After the private link connection is approved, you can optionally [test the connection](#test-the-connection), and then [associate the policy](#ec-associate-traffic-filter-private-link-rule-set) with your deployment.
-1. Find out the {{es}} cluster ID of your deployment. You can do that by selecting **Copy cluster id** in the Cloud UI. It looks something like `9c794b7c08fa494b9990fa3f6f74c2f8`.
+### Test the connection
- ::::{tip}
- The {{es}} cluster ID is **different** from the deployment ID, custom alias endpoint, and Cloud ID values that feature prominently in the user console.
- ::::
-
-2. To access your {{es}} cluster over Private Link:
-
- * If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect.
-
- ```
- https://{{alias}}.{product}.{{private_hosted_zone_domain_name}}
- ```
-
- For example:
+After you create your private connection, you can check that you're able to reach a cluster over Private Link.
- ```text
- https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com
- ```
-
- * Alternatively, use the following URL structure:
-
- ```
- https://{{elasticsearch_cluster_ID}}.{private_hosted_zone_domain_name}:9243
- ```
+:::{include} _snippets/private-url-struct.md
+:::
- For example:
+To test the connection:
- ```text
- https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243
- ```
+1. If needed, find the endpoint of an application in your deployment:
+
+ :::{include} _snippets/find-endpoint.md
+ :::
-3. You can test the Azure portal part of the setup with the following command (substitute the region and {{es}} ID with your cluster):
+2. Test the setup using the following cURL command. Make sure to replace the URL with your deployment's endpoint information and the private hosted zone domain name that you registered.
```sh
- $ curl -v https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243
+ $ curl -v https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243
```
The output should look like this:
```sh
- * Rebuilt URL to: https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243/
+ * Rebuilt URL to: https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243/
* Trying 192.168.46.5... # note this IP address
..
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
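Review bot: A `% fix me` comment is left in the source just before "### Create a policy using the Private Link Endpoint resource ID"; resolve or remove it before merge. Terminology in the numbered steps drifts: "select **Privatelink**" vs "Private Link" elsewhere, "Under **VPCE filter**" vs the "VCPE" abbreviation defined at the top of the page, "After you associate the filter with a deployment" where the object is a policy, and "Optional:" (step 9) vs "(Optional)" (step 12). Please also confirm the example test URL `https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243`: the removed text used the custom-alias form without a port and only the cluster-ID form with `:9243`, so the port on the alias form should be checked against `_snippets/private-url-struct.md`. Minor: two blank lines precede the tip under step 8.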
@@ -207,35 +206,49 @@ Let’s test the connection:
The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, you haven’t associate the rule set with any deployment yet.
-4. In the event that the Private Link connection is not approved by {{ecloud}}, you’ll get an error message like the following. Double check that the filter you’ve created in the previous step uses the right resource name and GUID.
+In the event that the Private Link connection is not approved by {{ecloud}}, you’ll get an error message like the following. Double check that the filter you’ve created in the previous step uses the right resource ID.
- Request:
- ```sh
- $ curl -v https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243
- ```
+**Request**
+```sh
+$ curl -v https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243
+```
- Response:
- ```sh
- * Rebuilt URL to: https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243/
- * Trying 192.168.46.5...
- * connect to 192.168.46.5 port 9243 failed: No route to host
- * Failed to connect to 6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com port 9243: No route to host
- * Closing connection 0
- curl: (7) Failed to connect to 6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com port 9243: No route to host
- ```
+**Response**
+```sh
+* Rebuilt URL to: https:/my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243/
+* Trying 192.168.46.5...
+* connect to 192.168.46.5 port 9243 failed: No route to host
+* Failed to connect to my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com port 9243: No route to host
+* Closing connection 0
+curl: (7) Failed to connect to my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com port 9243: No route to host
+```
+
+
+The next step is to [associate the policy](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployment.
-The next step is to [associate the rule set](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployments.
+### Associate a policy with a deployment [ec-associate-traffic-filter-private-link-rule-set]
+% is this optional?
-### Associate a Private Link rule set with your deployment [ec-azure-associate-traffic-filter-private-link-rule-set]
+You can associate a network security policy with your deployment from the policy's settings, or from your deployment's settings.
-To associate a Private Link rule set with your deployment:
+After you associate the policy with a deployment, it starts filtering traffic.
+
+#### From a deployment
:::{include} _snippets/associate-filter.md
:::
-### Access the deployment over a Private Link [ec-azure-access-the-deployment-over-private-link]
+#### From the policy settings
+
+:::{include} _snippets/network-security-page.md
+:::
+5. Find the policy you want to edit.
+6. Under **Apply to resources**, associate the policy with one or more deployments.
+7. Click **Update** to save your changes.
+
+## Access the deployment over a Private Link [ec-azure-access-the-deployment-over-private-link]
For traffic to connect with the deployment over Azure Private Link, the client making the request needs to be located within the VNet where you’ve created the private endpoint. You can also setup network traffic to flow through the originating VNet from somewhere else, such as another VNet or a VPN from your corporate network. This assumes that the private endpoint and the DNS record are also available within that context. Check your service provider documentation for setup instructions.
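Review bot: The closing sentence "The next step is to [associate the policy](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set)" links into the AWS PrivateLink page from the Azure page; it should use the local anchor `#ec-associate-traffic-filter-private-link-rule-set`, as the "Test the connection" lead-in already does. The failure-case response output has a malformed URL, `https:/my-deployment-d53192...` (single slash), where the request above it uses `https://`. A `% is this optional?` comment is left under "### Associate a policy with a deployment"; the AWS page's equivalent heading in this same change says "Optional:", so the two pages should agree and the comment should go. Unchanged context lines nearby still carry the old wording: "you haven't associate the rule set with any deployment yet" (should be "associated the policy") and "Double check that the filter you've created" (policy), and "setup network traffic" in the Azure access section was not corrected to "set up" as the AWS equivalent was.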
@@ -243,67 +256,98 @@ For traffic to connect with the deployment over Azure Private Link, the client m
Use the alias you’ve set up as CNAME A record to access your deployment.
::::
+:::{include} _snippets/private-url-struct.md
+:::
-For example, if your {{es}} ID is `6b111580caaa4a9e84b18ec7c600155e` and it is located in `eastus2` region you can access it at the following URL:
-
-```text
-https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243
-```
+To access the deployment:
-Request:
-```sh
-$ curl -u 'username:password' -v https://6b111580caaa4a9e84b18ec7c600155e.privatelink.eastus2.azure.elastic-cloud.com:9243
-```
+1. If needed, find the endpoint of an application in your deployment:
+
+ :::{include} _snippets/find-endpoint.md
+ :::
-Response:
-```
-< HTTP/1.1 200 OK
-..
-```
+2. Send a request:
-::::{note}
-If you are using Azure Private Link together with Fleet, and enrolling the Elastic Agent with a Private Link URL, you need to configure Fleet Server to use and propagate the Private Link URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of {{kib}}. Otherwise, Elastic Agent will reset to use a default address instead of the Private Link URL. The URL needs to follow this pattern: `https://.fleet.:443`.
+ **Request**
+ ```sh
+ $ curl -u 'username:password' -v https://my-deployment-d53192.es.privatelink.eastus2.azure.elastic-cloud.com:9243
+ ```
-Similarly, the {{es}} host needs to be updated to propagate the Private Link URL. The {{es}} URL needs to follow this pattern: `https://.es.:443`.
+ **Response**
+ ```
+ < HTTP/1.1 200 OK
+ ..
+ ```
-::::
+### Azure Pivate Link and Fleet
+:::{include} _snippets/private-connection-fleet.md
+:::
+## Setting up an inter-region Private Link connection [ec-azure-inter-region-private-link]
-## Edit a Private Link connection [ec-azure-edit-traffic-filter-private-link-rule-set]
+Azure supports inter-region Private Link as described in the [Azure documentation](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview).
-You can edit a rule set name or to change the endpoint ID.
+This means your deployment on {{ecloud}} can be in a different region than the Private Link endpoints or the clients that consume the deployment endpoints.
-:::{include} _snippets/edit-ruleset.md
+:::{image} /deploy-manage/images/cloud-ce-azure-inter-region-pl.png
+:alt: Inter-region Private Link
+:screenshot:
:::
-### Delete a Private Link rule set [ec-azure-delete-traffic-filter-private-link-rule-set]
+1. Set up Private Link Endpoint in region 1 for a deployment hosted in region 2.
-:::{include} _snippets/delete-ruleset.md
-:::
+ 1. Create your Private Link Endpoint using the service alias for region 2 in the region 1 VNET (let’s call this VNET1).
+ 2. Create a Private Hosted Zone for region 2, and associate it with VNET1 similar to the step [Create a Private Link endpoint and DNS](#ec-private-link-azure-dns). Note that you are creating these resources in region 1, VNET1.
+
+2. [Create a private connection policy](#ec-azure-create-traffic-filter-private-link-rule-set) and [associate it](#ec-associate-traffic-filter-private-link-rule-set) with your deployment.
+
+ % what region should the policy be in?
+3. [Test the connection](#ec-azure-access-the-deployment-over-private-link) from a VM or client in region 1 to your Private Link endpoint, and it should be able to connect to your {{es}} cluster hosted in region 2.
+## Manage policies
-### Remove a Private Link rule set association from your deployment [remove-filter-deployment]
+After you create your private connection policy, you can edit it, remove it from your deployment, or delete it.
-:::{include} _snippets/remove-filter.md
+### Edit a policy [ec-azure-edit-traffic-filter-private-link-rule-set]
+
+You can edit a policy's name, description, VPC endpoint ID, and more.
+
+:::{include} _snippets/network-security-page.md
:::
+1. Find the policy you want to edit, then click the **Edit** icon.
+2. Click **Update** to save your changes.
+:::{tip}
+You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page.
+:::
-## Setting up an inter-region Private Link connection [ec-azure-inter-region-private-link]
+### Remove a policy from your deployment [remove-filter-deployment]
-Azure supports inter-region Private Link as described in the [Azure documentation](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview). "The Private Link resource can be deployed in a different region than the virtual network and private endpoint."
+If you want to a specific policy from a deployment, or delete the policy, then you need to disconnect it from any associated deployments first. You can do this from the policy's settings, or from your deployment's settings. To remove an association through the UI:
-This means your deployment on {{ecloud}} can be in a different region than the Private Link endpoints or the clients that consume the deployment endpoints.
+#### From your deployment
-:::{image} /deploy-manage/images/cloud-ce-azure-inter-region-pl.png
-:alt: Inter-region Private Link
-:screenshot:
+1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus.
+
+ On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.
+2. On the **Security** page, under **Network security**, find the IP filter policy that you want to disconnect.
+3. Under **Actions**, click the **Delete** icon.
+
+#### From the IP filter policy settings
+
+:::{include} _snippets/network-security-page.md
:::
+5. Find the policy you want to edit, then click the **Edit** icon.
+6. Under **Apply to resources**, click the `x` beside the resource that you want to disconnect.
+7. Click **Update** to save your changes.
-1. Set up Private Link Endpoint in region 1 for a deployment hosted in region 2.
+### Delete a policy [ec-azure-delete-traffic-filter-private-link-rule-set]
- 1. Create your Private Endpoint using the service alias for region 2 in the region 1 VNET (let’s call this VNET1).
- 2. Create a Private Hosted Zone for region 2, and associate it with VNET1 similar to the step [Create a Private Link endpoint and DNS](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-private-link-azure-dns). Note that you are creating these resources in region 1, VNET1.
+If you need to remove a policy, you must first remove any associations with deployments.
-2. [Create a traffic filter rule set](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-create-traffic-filter-private-link-rule-set) and [Associate the rule set](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) through the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body), just as you would for any deployment.
-3. [Test the connection](/deploy-manage/security/azure-private-link-traffic-filters.md#ec-azure-access-the-deployment-over-private-link) from a VM or client in region 1 to your Private Link endpoint, and it should be able to connect to your {{es}} cluster hosted in region 2.
+To delete a policy:
+
+:::{include} _snippets/network-security-page.md
+:::
+4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments associated with the policy.
\ No newline at end of file
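Review bot: "If you want to a specific policy from a deployment, or delete the policy" in the "Remove a policy from your deployment" intro is missing its verb; it should read "If you want to remove a specific policy from a deployment". Three more points in this hunk: the steps that follow each `:::{include} _snippets/network-security-page.md` start at 1, 5 and 4 respectively ("1. Find the policy you want to edit", "5. Find the policy you want to edit", "4. Find the policy you want to edit"), so at least two of the lists will render out of sequence with whatever steps the snippet contributes; the "From your deployment" steps say "find the IP filter policy that you want to disconnect" and the next heading is "From the IP filter policy settings", although this section lives on the Azure Private Link page (the removed heading anchor is `ec-azure-inter-region-private-link` and the delete anchor is `ec-azure-delete-traffic-filter-private-link-rule-set`), so "private connection policy" is presumably intended; and the delete step "Find the policy you want to edit, then click the **Delete** icon" should say "delete". Finally, the whole "Setting up an inter-region Private Link connection" section is removed with no replacement visible in this hunk; please confirm that content was moved elsewhere rather than dropped, since it documented a supported Azure configuration.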
diff --git a/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md b/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md
index bad82da343..178decb78f 100644
--- a/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md
+++ b/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md
@@ -8,18 +8,18 @@ products:
- id: cloud-hosted
---
-# Claim traffic filter link ID ownership through the API [ec-claim-traffic-filter-link-id-through-the-api]
+# Claim VCPE ID ownership [ec-claim-traffic-filter-link-id-through-the-api]
This example demonstrates how to use the {{ecloud}} RESTful API to claim different types of private link ID (AWS PrivateLink, Azure Private Link, and GCP Private Service Connect). We cover the following examples:
-* [Claim a traffic filter link id](#ec-claim-a-traffic-filter-link-id)
+* [Claim a VCP ID](#ec-claim-a-traffic-filter-link-id)
* [AWS PrivateLink](#ec-claim-aws-privatelink)
* [Azure Private Link](#ec-claim-azure-private-link)
* [GCP Private Service Connect](#ec-claim-gcp-private-service-connect)
-* [List claimed traffic filter link id](#ec-list-claimed-traffic-filter-link-id)
-* [Unclaim a traffic filter link id](#ec-unclaim-a-traffic-filter-link-id)
+* [List claimed VCP IDs](#ec-list-claimed-traffic-filter-link-id)
+* [Unclaim a VCP ID](#ec-unclaim-a-traffic-filter-link-id)
* [AWS PrivateLink](#ec-unclaim-aws-privatelink)
* [Azure Private Link](#ec-unclaim-azure-private-link)
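Review bot: the page title is changed to "Claim VCPE ID ownership", but the list entries added in the same hunk read "Claim a VCP ID", "List claimed VCP IDs" and "Unclaim a VCP ID", and the section headings below follow the "VCP ID" spelling; pick one abbreviation. Elsewhere in this patch the term is expanded as "virtual private connection endpoint (VCPE)" and the UI field is labelled "VPCE filter", so the abbreviation should be reconciled across the patch before merging. The unchanged intro sentence "claim different types of private link ID" could use the same term for consistency.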
@@ -27,7 +27,7 @@ This example demonstrates how to use the {{ecloud}} RESTful API to claim differe
-## Claim a traffic filter link id [ec-claim-a-traffic-filter-link-id]
+## Claim a VCP ID [ec-claim-a-traffic-filter-link-id]
### AWS PrivateLink [ec-claim-aws-privatelink]
@@ -79,7 +79,7 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/link-ids/_claim
```
-## List claimed traffic filter link id [ec-list-claimed-traffic-filter-link-id]
+## List claimed VCP IDs [ec-list-claimed-traffic-filter-link-id]
```sh
curl \
@@ -89,7 +89,7 @@ https://api.elastic-cloud.com/api/v1/deployments/traffic-filter/link-ids \
```
-## Unclaim a traffic filter link id [ec-unclaim-a-traffic-filter-link-id]
+## Unclaim a VCP ID [ec-unclaim-a-traffic-filter-link-id]
### AWS PrivateLink [ec-unclaim-aws-privatelink]
diff --git a/deploy-manage/security/ec-traffic-filtering-through-the-api.md b/deploy-manage/security/ec-traffic-filtering-through-the-api.md
index 27f5a69700..b6c900b8c7 100644
--- a/deploy-manage/security/ec-traffic-filtering-through-the-api.md
+++ b/deploy-manage/security/ec-traffic-filtering-through-the-api.md
@@ -9,11 +9,12 @@ applies_to:
products:
- id: cloud-hosted
- id: cloud-enterprise
+navigation_title: Through the API
---
-# Manage traffic filters through the API [ec-traffic-filtering-through-the-api]
+# Manage network security through the API [ec-traffic-filtering-through-the-api]
-This example demonstrates how to use the {{ecloud}} RESTful API or {{ece}} RESTful API or to manage different types of traffic filters. We cover the following examples:
+This example demonstrates how to use the {{ecloud}} RESTful API or {{ece}} RESTful API or to manage different types of network security rules and policies. We cover the following examples:
* [Create a traffic filter rule set](ec-traffic-filtering-through-the-api.md#ec-create-a-traffic-filter-rule-set)
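Review bot: the rewritten intro keeps the stray "or" from the old line: "{{ecloud}} RESTful API or {{ece}} RESTful API or to manage different types of network security rules and policies". Drop the second "or" while this line is being touched. Also, the heading now says "Manage network security through the API" but the first list item still reads "Create a traffic filter rule set"; if the remaining list items were not updated, the page will mix both vocabularies.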
diff --git a/deploy-manage/security/ece-filter-rules.md b/deploy-manage/security/ece-filter-rules.md
new file mode 100644
index 0000000000..a2cd4607fa
--- /dev/null
+++ b/deploy-manage/security/ece-filter-rules.md
@@ -0,0 +1,70 @@
+---
+navigation_title: How rules work in ECE
+applies_to:
+ deployment:
+ ece: ga
+---
+
+# Traffic filter rules in {{ece}}
+
+By default, in {{ece}}, all your deployments are accessible over the public internet. This assumes that your orchestrator's proxies are accessible.
+
+Filtering rules are created at the orchestrator level. Rules are grouped into rule sets, and then are associated with one or more deployments to take effect. After you associate at least one traffic filter with a deployment, traffic that does not match any filtering rules for the deployment is denied.
+
+Traffic filters apply to external traffic only. Internal traffic is managed by ECE. For example, {{kib}} can connect to {{es}}, as well as internal services which manage the deployment. Other deployments can’t connect to deployments protected by traffic filters.
+
+Traffic filters operate on the proxy. Requests rejected by the traffic filters are not forwarded to the deployment. The proxy responds to the client with `403 Forbidden`.
+
+## Logic
+
+Rule sets work as follows:
+
+- You can assign multiple rule sets to a single deployment. The rule sets can be of different types. In case of multiple rule sets, traffic can match ANY of them. If none of the rule sets match, the request is rejected with `403 Forbidden`.
+
+- Traffic filter rule sets, when associated with a deployment, will apply to all deployment endpoints, such as {{es}}, {{kib}}, APM Server, and others.
+
+- Any traffic filter rule set assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint*. The implication is that if you make a mistake putting in the traffic source (for example, specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the rule sets.
+
+- You can mark a rule set as *default*. It is automatically attached to all new deployments that you create in its region. You can detach default rule sets from deployments after they are created. Note that a *default* rule set is not automatically attached to existing deployments.
+
+## Restrictions
+
+- You can have a maximum of 512 rule sets per organization and 128 rules in each rule set.
+
+- Traffic filter rule sets are bound to a single region. The rule sets can be assigned only to deployments in the same region. If you want to associate a rule set with deployments in multiple regions, then you have to create the same rule set in all the regions you want to apply it to.
+
+- Domain-based filtering rules are not allowed for Cloud traffic filtering, because the original IP is hidden behind the proxy. Only IP-based filtering rules are allowed.
+
+## Review the rule sets associated with a deployment
+
+1. Log in to the [Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
+2. On the **Deployments** page, select your deployment.
+3. Select the **Security** tab on the left-hand side menu bar.
+
+Traffic filter rule sets are listed under **Traffic filters**.
+
+On this page, you can view and remove existing filters and attach new filters.
+
+## Identify default rule sets
+
+To identify which rule sets are automatically applied to new deployments in your account:
+
+1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
+
+2. From the **Platform** menu, select **Security**.
+
+3. Select each of the rule sets — **Include by default** is checked when this rule set is automatically applied to all new deployments in its region.
+
+## View rejected requests
+
+Requests rejected by traffic filter have status code `403 Forbidden` and one of the following in the response body:
+
+```json
+{"ok":false,"message":"Forbidden"}
+```
+
+```json
+{"ok":false,"message":"Forbidden due to traffic filtering. Please see the Elastic documentation on Traffic Filtering for more information."}
+```
+
+Additionally, traffic filter rejections are logged in ECE proxy logs as `status_reason: BLOCKED_BY_IP_FILTER`. Proxy logs also provide client IP in `client_ip` field.
\ No newline at end of file
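Review bot: "You can have a maximum of 512 rule sets per organization" does not fit ECE, where the same file says rules "are created at the orchestrator level" and the UI steps that follow have no organization concept; state the scope the limit actually applies to. Smaller points: "Domain-based filtering rules are not allowed for Cloud traffic filtering" reads as copied from the hosted page, so "Cloud" should be "ECE" or dropped; "Proxy logs also provide client IP in `client_ip` field" needs articles ("the client IP in the `client_ip` field"); and the two login steps link to the same page with different wording ("Log in to the Cloud UI" versus "Log into the Cloud UI"). The default-deny statement in the second paragraph, the two `403 Forbidden` response bodies and the `status_reason: BLOCKED_BY_IP_FILTER` log value are the parts an operator will search for, so keep them exactly as the proxy emits them.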
diff --git a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md
index f4c9a29903..495576dfa9 100644
--- a/deploy-manage/security/gcp-private-service-connect-traffic-filters.md
+++ b/deploy-manage/security/gcp-private-service-connect-traffic-filters.md
@@ -5,37 +5,45 @@ mapped_pages:
applies_to:
deployment:
ess: ga
+ serverless: ga
products:
- id: cloud-hosted
+navigation_title: GCP Private Service Connect
+sub:
+ policy-type: "Private connection"
+ service-name: "Private Service Connect"
+ example-phz-dn: "psc.asia-southeast1.gcp.elastic-cloud.com"
+ example-default-dn: "us-central1.gcp.cloud.es.io"
---
-# GCP Private Service Connect traffic filters
+# GCP Private Service Connect private connections
-Traffic filtering to allow only Private Service Connect connections is one of the security layers available in {{ecloud}}. It allows you to limit how your deployments can be accessed.
+You can use GCP Private Service Connect to establish a secure connection for your {{ecloud}} deployments to communicate with other GCP services. GCP routes the Private Link traffic within the GCP data center and never exposes it to the public internet.
-Refer to [](/deploy-manage/security/traffic-filtering.md) to learn more about traffic filtering in {{ech}}, and how traffic filter rules work.
+GCP Private Service Connect connects your Virtual Private Cloud (VPC) to the GCP-hosted services that you use, treating them as if they were in your VPC. You can create and use VPC endpoints to securely access GCP-hosted services.
-::::{note}
-Private Service Connect filtering is supported only for Google Cloud regions.
-::::
+You can also optionally filter traffic to your deployments by creating virtual private connection endpoint (VCPE) filters as part of your private connection policy in {{ecloud}}. This limits traffic to your deployment to the VCPE specified in the policy, as well as any other policies applied to the deployment.
+Private Link is a connection between a Private Service Connect Endpoint and a Service Attachment. [Learn more about using Private Service Connect on Google Cloud](https://cloud.google.com/vpc/docs/private-service-connect#benefits-services).
-Private Service Connect establishes a secure connection between two Google Cloud VPCs. The VPCs can belong to separate accounts, for example a service provider and their service consumers. Google Cloud routes the Private Service Connect traffic within the Google Cloud data centers and never exposes it to the public internet. In such a configuration, {{ecloud}} is the third-party service provider and the customers are service consumers.
+To learn how private connection policies impact your deployment, refer to [](/deploy-manage/security/network-security-policies.md).
-Private Link is a connection between a Private Service Connect Endpoint and a Service Attachment. [Learn more about using Private Service Connect on Google Cloud](https://cloud.google.com/vpc/docs/private-service-connect#benefits-services).
+:::{tip}
+{{ech}} also supports [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource.
+:::
-::::{tip}
-Private Service Connect connections are regional, your Private Service Connect Endpoint needs to live in the same region as your deployment. The Endpoint can be accessed from any region once you enable its [*Global Access*](https://cloud.google.com/vpc/docs/about-accessing-vpc-hosted-services-endpoints#global-access) feature.
-::::
+## Considerations
+* Private Service Connect filtering is supported only for Google Cloud regions.
+* Private Service Connect connections are regional. As a result, your Private Service Connect endpoint needs to be created in the same region as your deployment. The endpoint can be accessed from any region after you enable its [Global Access](https://cloud.google.com/vpc/docs/about-accessing-vpc-hosted-services-endpoints#global-access) feature.
## Private Service Connect URIs [ec-private-service-connect-uris]
Service Attachments are set up by Elastic in all supported GCP regions under the following URIs:
::::{dropdown} GCP public regions
-| **Region** | **Service Attachment URI** | **Private zone DNS name** |
+| Region | Service attachment URI | Private zone DNS name |
| --- | --- | --- |
| `asia-east1` | `projects/cloud-production-168820/regions/asia-east1/serviceAttachments/proxy-psc-production-asia-east1-v1-attachment` | `psc.asia-east1.gcp.elastic-cloud.com` |
| `asia-northeast1` | `projects/cloud-production-168820/regions/asia-northeast1/serviceAttachments/proxy-psc-production-asia-northeast1-v1-attachment` | `psc.asia-northeast1.gcp.cloud.es.io` |
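Review bot: the new opening sentence inverts the direction of the connection: "establish a secure connection for your {{ecloud}} deployments to communicate with other GCP services" describes deployments reaching out to GCP services, whereas the removed paragraph described {{ecloud}} as the service provider and the customer as the service consumer that reaches the deployment through a Private Service Connect endpoint. Reword it to say the connection lets clients in your VPC reach your deployments privately. Other points: the same sentence says "GCP routes the Private Link traffic", but the GCP product is Private Service Connect, and the only retained definition of the term is "Private Link is a connection between a Private Service Connect Endpoint and a Service Attachment", so either define it once up front or use "Private Service Connect" throughout; the third paragraph introduces "virtual private connection endpoint (VCPE) filters" while the setup steps later in this patch label the field "VPCE filter", so one spelling should be chosen; and `serverless: ga` is added to `applies_to` although the create-policy steps further down state "Currently, only hosted deployments are supported", so confirm the serverless applicability before merging.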
@@ -60,25 +68,36 @@ Service Attachments are set up by Elastic in all supported GCP regions under the
::::
+## Set up a private connection
-The process of setting up the Private link connection to your clusters is split between Google Cloud (e.g. by using Google Cloud console), and {{ecloud}} UI. These are the high-level steps:
+The process of setting up the Private link connection to your deployments is split between Google Cloud and the {{ecloud}} UI. These are the high-level steps:
-| Google Cloud console | {{ecloud}} UI |
+| Google Cloud console | {{ecloud}} |
| --- | --- |
-| 1. Create a Private Service Connect endpoint using {{ecloud}} Service Attachment URI. | |
-| 2. Create a DNS record pointing to the Private Service Connect endpoint. | |
-| | 3. Create a Private Service Connect rule set with the **PSC Connection ID**. |
-| | 4. Associate the Private Service Connect rule set with your deployments. |
-| | 5. Interact with your deployments over Private Service Connect. |
+| [1. Create a Private Service Connect endpoint using {{ecloud}} Service Attachment URI.](#ec-private-service-connect-enpoint-dns) | |
+| [2. Create a DNS record pointing to the Private Service Connect endpoint.](#ec-private-service-connect-enpoint-dns) | |
+| | [3. Optional: Create a private connection policy with the PSC Connection ID.](#ec-psc-create-traffic-filter-psc-rule-set) |
+| | [4. Optional: Associate the private connection policy with your deployments.](#ec-psc-associate-traffic-filter-psc-rule-set) |
+| | [5. Interact with your deployments over Private Service Connect.](#ec-psc-access-the-deployment-over-psc) |
+
+After you create your private connection policy, you can [edit](#ec-edit-traffic-filter-psc-rule-set), [disconnect](#remove-filter-deployment), or [delete](#ec-delete-traffic-filter-psc-rule-set) it.
+:::{admonition} Private connection policies are optional
+Private connection policies are optional for GCP Private Service Connect. After the Private Service Connect endpoint and DNS record are created, private connectivity is established.
-## Create your Private Service Connect endpoint and DNS entries in Google Cloud [ec-private-service-connect-enpoint-dns]
+Creating a private connection policy and associating it with your deployments allows you to do the following:
+
+* Record that you've established private connectivity between GCP and Elastic in the applicable region.
+* Filter traffic to your deployment using VCPE filters.
+:::
+
+### Create your Private Service Connect endpoint and DNS entries in Google Cloud [ec-private-service-connect-enpoint-dns]
1. Create a Private Service Connect endpoint in your VPC using the Service Attachment URI for your region.
Follow the [Google Cloud instructions](https://cloud.google.com/vpc/docs/configure-private-service-connect-services#create-endpoint) for details on creating a Private Service Connect endpoint to access Private Service Connect services.
- Use [the Service Attachment URI for your region](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#ec-private-service-connect-uris). Select the **Published service** option and enter the selected *Service Attachment URI* as the **Target service**. For example for the region `asia-southeast1` the Service Attachment URI is `projects/cloud-production-168820/regions/asia-southeast1/serviceAttachments/proxy-psc-production-asia-southeast1-v1-attachment`
+ Use [the Service Attachment URI for your region](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#ec-private-service-connect-uris). Select the **Published service** option and enter the selected Service Attachment URI as the **Target service**. For example, for the region `asia-southeast1` the Service Attachment URI is `projects/cloud-production-168820/regions/asia-southeast1/serviceAttachments/proxy-psc-production-asia-southeast1-v1-attachment`
::::{note}
you need to [reserve a static internal IP address](https://cloud.google.com/compute/docs/ip-addresses/reserve-static-internal-ip-address) in your VPC. The address is used by Private Service Connect endpoint.
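Review bot: the "After you create your private connection policy" line links to `#ec-edit-traffic-filter-psc-rule-set` and `#ec-delete-traffic-filter-psc-rule-set`, but the edit heading being replaced later in this patch carried the anchor `ec-psc-edit-traffic-filter-psc-rule-set`; renaming the anchor breaks any inbound links to the old id, so either keep the old anchor or add the new one alongside it. The "Private connection policies are optional" admonition in this hunk repeats, nearly verbatim, the paragraph and bullet list that open the "Optional: Create a private connection policy" section later in the file; keep it in one place. Minor: "The process of setting up the Private link connection" should be capitalised consistently with the rest of the page, and steps 1 and 2 of the table both link to the same `#ec-private-service-connect-enpoint-dns` anchor, which works but makes the second link redundant.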
@@ -89,55 +108,38 @@ The process of setting up the Private link connection to your clusters is split
2. Create a DNS record.
- 1. Create a *DNS Zone* of type **Private**. Set the **DNS name** to *Private zone DNS name* for your region. For example, in *asia-southeast1* use `psc.asia-southeast1.gcp.elastic-cloud.com` as the zone domain name. Make sure the zone is associated with your VPC.
- 2. Then create a DNS record set with an A record pointing to the Private Service Connect endpoint IP. Use `*` as the **DNS name**, `A` as the **Resource Record Type**, and put the Private Service Connect endpoint IP address as the record value.
+ 1. Create a DNS Zone of type **Private**.
+
+ Refer to the **Private zone DNS name** column in the [Private Service Connect URIs](#ec-private-service-connect-uris) table for the name of the zone. For example, in `asia-southeast1`, use `psc.asia-southeast1.gcp.elastic-cloud.com` as the zone domain name. Make sure the zone is associated with your VPC.
+ 2. Create a DNS record set with an A record pointing to the Private Service Connect endpoint IP. Use `*` as the **DNS name**, `A` as the **Resource record type**, and put the Private Service Connect endpoint IP address as the record value.
Follow the [Google Cloud instructions](https://cloud.google.com/dns/docs/records#adding_a_record) for details on creating an A record which points to your Private Service Connect endpoint IP address.
-3. Test the connection.
-
- Find out the {{es}} cluster ID of your deployment. You can do that by selecting **Copy cluster id** in the Cloud UI. It looks something like `9c794b7c08fa494b9990fa3f6f74c2f8`.
-
- ::::{tip}
- The {{es}} cluster ID is **different** from the deployment ID, custom alias endpoint, and Cloud ID values that feature prominently in the user console.
- ::::
-
+### Test the connection
- To access your {{es}} cluster over Private Link:
+After you create your Private Service Connect endpoint and DNS entries, verify that you are able to reach your cluster over Private Link.
- * If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect.
-
- ```
- https://{{alias}}.{product}.{{private_hosted_zone_domain_name}}
- ```
-
- For example:
-
- ```text
- https://my-deployment-d53192.es.psc.asia-southeast1.gcp.elastic-cloud.com
- ```
+ :::{include} _snippets/find-endpoint.md
+ :::
- * Alternatively, use the following URL structure:
+To test the connection:
- ```
- https://{{elasticsearch_cluster_ID}}.{private_hosted_zone_domain_name}:9243
- ```
+1. If needed, find the endpoint of an application in your deployment:
+
+ :::{include} _snippets/find-endpoint.md
+ :::
- For example:
+ 1. Access your cluster over Private Link:
- ```text
- https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243
- ```
-
-
- You can test the Google Cloud console part of the setup with the following command (substitute the region and {{es}} ID with your cluster):
+ * If you have a [custom endpoint alias](/deploy-manage/deploy/elastic-cloud/custom-endpoint-aliases.md) configured, you can use the custom endpoint URL to connect.
+ * Test the setup using the following cURL command. Make sure to replace the URL with your deployment's endpoint information and the private hosted zone domain name that you registered.
- Request:
+ **Request**
```sh
- $ curl -v https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243
+ $ curl -v https://my-deployment-d53192.es.psc.asia-southeast1.gcp.elastic-cloud.com:9243
```
- Response:
+ **Response**
```sh
..
* Trying 192.168.100.2...
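Review bot: the indented `:::{include} _snippets/find-endpoint.md` placed directly after the "verify that you are able to reach your cluster over Private Link" sentence duplicates the same include under step 1 of "To test the connection", and its indentation suggests a leftover from an earlier draft; remove the first copy. In the same list, "1. Access your cluster over Private Link:" is numbered 1 and indented as a child of step 1, so the rendered list will show two step 1s; it should be step 2 at the top level. The test command now uses the custom alias form with port 9243 (`https://my-deployment-d53192.es.psc.asia-southeast1.gcp.elastic-cloud.com:9243`), whereas the removed text gave the alias pattern without a port and reserved `:9243` for the cluster-ID form; confirm which is correct so readers who copy the command reach the endpoint. "Private Link" is again used for the GCP product in the "Test the connection" intro.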
@@ -147,108 +149,182 @@ The process of setting up the Private link connection to your clusters is split
{"ok":false,"message":"Forbidden"}
```
- Check the IP address `192.168.100.2`. it should be the same as the IP address assigned to your Private Service Connect endpoint.
+Check the IP address. it should be the same as the IP address assigned to your Private Service Connect endpoint.
- The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, you haven’t associated any deployment with the Private Service Connect endpoint yet.
+The connection is established, and a valid certificate is presented to the client. The `403 Forbidden` is expected, you haven’t associated any deployment with the Private Service Connect endpoint yet.
+% needs to be edited
+## Optional: Create a private connection policy [ec-private-service-connect-allow-from-psc-connection-id]
-## Add the Private Service Connect rules to your deployments [ec-private-service-connect-allow-from-psc-connection-id]
+After you test your Private Link connection, you can create a private connection policy in {{ecloud}}.
-Follow these high-level steps to add private link rules to your deployments.
+Private connection policies are optional for GCP Private Service Connect. After the Private Service Connect endpoint and DNS record are created, private connectivity is established.
-1. [Find your Private Service Connect connection ID](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#ec-find-your-psc-connection-id).
-2. [Create rules using the Private Service Connect endpoint connection ID](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#ec-psc-create-traffic-filter-psc-rule-set).
-3. [Associate the Private Service Connect endpoint with your deployment](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#ec-psc-associate-traffic-filter-psc-rule-set).
-4. [Access the deployment over the Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#ec-psc-access-the-deployment-over-psc).
+Creating a private connection policy and associating it with your deployments allows you to do the following:
+* Record that you've established private connectivity between GCP and Elastic in the applicable region.
+* Filter traffic to your deployment using VCPE filters.
-### Find your Private Service Connect connection ID [ec-find-your-psc-connection-id]
+Follow these high-level steps to add a private connection policy that can be associated with your deployments.
+
+1. Optional: [Find your Private Service Connect connection ID](#ec-find-your-psc-connection-id).
+2. [Create policies using the Private Service Connect endpoint connection ID](#ec-psc-create-traffic-filter-psc-rule-set).
+3. [Associate the Private Service Connect endpoint with your deployment](#ec-psc-associate-traffic-filter-psc-rule-set).
+
+### Optional: Find your Private Service Connect connection ID [ec-find-your-psc-connection-id]
+
+The PSC connection ID is only required if you want to filter traffic to your deployment using VCPE filters.
1. Go to your Private Service Connect endpoint in the Google Cloud console.
2. Copy the value of **PSC Connection ID**.
+### Create a new private connection policy [ec-psc-create-traffic-filter-psc-rule-set]
-### Create rules using the Private Service Connect endpoint connection ID [ec-psc-create-traffic-filter-psc-rule-set]
+Create a new private connection policy.
-When you have your Private Service Connect endpoint connection ID, you can create a traffic filter rule set.
-
-:::{include} _snippets/create-filter.md
+:::{include} _snippets/network-security-page.md
:::
-1. Select **Private Service Connect endpoint**.
-2. Create your rule set, providing a meaningful name and description.
-3. Select the region for the rule set.
-4. Enter your **PSC Connection ID**.
-5. Select if this rule set should be automatically attached to new deployments.
+4. Select **Private connection**.
+3. Select the resource type that the private connection will be applied to. Currently, only hosted deployments are supported.
+10. Select the cloud provider and region for the private connection.
+
+ :::{tip}
+ Network security policies are bound to a single region, and can be assigned only to deployments in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to.
+ :::
+11. Under **Connectivity**, select **Privatelink**.
+12. Optional: Under **VPCE filter**, enter your Private Service Connect endpoint connection ID. You should only specify a Private Service Connect endpoint connection ID if you want to filter traffic to your deployment.
+
+ If you don't specify a VPCE filter, then the private connection policy acts only as a record that you've established private connectivity between AWS and Elastic in the applicable region.
+
+ :::{tip}
+ You can assign multiple policies to a single deployment. The policies can be of different types. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`.
- ::::{note}
- Each rule set is bound to a particular region and can be only assigned to deployments in the same region.
- ::::
+ [Learn more about how network security policies affect your deployment](network-security-policies.md).
+ :::
-6. (Optional) You can [claim your PSC Connection ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a traffic filter ruleset.
+13. Optional: Under **Apply to resources**, associate the new private connection policy with one or more deployments. If you specified a VPCE filter, then after you associate the filter with a deployment, it starts filtering traffic.
+14. To automatically attach this private connection policy to new deployments, select **Apply by default**.
+15. Click **Create**.
+16. (Optional) You can [claim your Private Service Connect endpoint connection ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md), so that no other organization is able to use it in a private connection policy.
-The next step is to [associate the rule set](/deploy-manage/security/aws-privatelink-traffic-filters.md#ec-associate-traffic-filter-private-link-rule-set) with your deployments.
+The next step is to [associate the policy](#ec-psc-associate-traffic-filter-psc-rule-set) with your deployment.
+### Optional: Associate a policy with a deployment [ec-psc-associate-traffic-filter-psc-rule-set]
-### Associate the Private Service Connect endpoint with your deployment [ec-psc-associate-traffic-filter-psc-rule-set]
+You can associate a network security policy with your deployment from the policy's settings, or from your deployment's settings.
-To associate a private link rule set with your deployment:
+If the policy contains a VCPE filter, then after you associate the policy with a deployment, it starts filtering traffic.
+
+If the policy doesn't contain a VCPE filter, then the association can serve as a reminder that a Private Service Connect endpoint exists for the deployment's region.
+
+#### From a deployment
:::{include} _snippets/associate-filter.md
:::
-### Access the deployment over the Private Service Connect [ec-psc-access-the-deployment-over-psc]
+#### From the policy settings
+
+:::{include} _snippets/network-security-page.md
+:::
+5. Find the policy you want to edit.
+6. Under **Apply to resources**, associate the policy with one or more deployments.
+7. Click **Update** to save your changes.
-For traffic to connect with the deployment over Private Service Connect, the client making the request needs to be located within the VPC where you’ve created the Private Service Connect endpoint. You can also setup network traffic to flow through the originating VPC from somewhere else, such as another VPC or a VPN from your corporate network. This assumes that the Private Service Connect endpoint and the DNS record are also available within that context. Check your cloud service provider documentation for setup instructions.
+## Access the deployment over the Private Service Connect [ec-psc-access-the-deployment-over-psc]
+
+For traffic to connect with the deployment over Private Service Connect, the client making the request needs to be located within the VPC where you’ve created the Private Service Connect endpoint. You can also set up network traffic to flow through the originating VPC from somewhere else, such as another VPC or a VPN from your corporate network. This assumes that the Private Service Connect endpoint and the DNS record are also available within that context. Check your cloud service provider documentation for setup instructions.
::::{important}
Use the alias you’ve set up as CNAME A record to access your deployment.
::::
+:::{include} _snippets/private-url-struct.md
+:::
-For example, if your {{es}} ID is `6b111580caaa4a9e84b18ec7c600155e` and it is located in `asia-southeast1` region you can access it at the following URL:
+To access the deployment:
-```
-https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243
-```
+1. If needed, find the endpoint of an application in your deployment:
+
+ :::{include} _snippets/find-endpoint.md
+ :::
-Request:
-```sh
-$ curl -u 'username:password' -v https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.elastic-cloud.com:9243
-```
+2. Send a request:
-Response:
-```
-< HTTP/1.1 200 OK
-..
-```
+ **Request**
+ ```sh
+ $ curl -u 'username:password' -v https://my-deployment-d53192.es.psc.asia-southeast1.gcp.elastic-cloud.com:9243
+ ```
-::::{note}
-If you are using Private Service Connect together with Fleet, and enrolling the Elastic Agent with a Private Service Connect URL, you need to configure Fleet Server to use and propagate the Private Service Connect URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of {{kib}}. Otherwise, Elastic Agent will reset to use a default address instead of the Private Service Connect URL. The URL needs to follow this pattern: `https://.fleet.:443`.
+ **Response**
+ ```
+ < HTTP/1.1 200 OK
+ ..
+ ```
-Similarly, the {{es}} host needs to be updated to propagate the Private Service Connect URL. The {{es}} URL needs to follow this pattern: `https://.es.:443`.
+### GCP Private Service Connect and Fleet
-The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` that are needed to enable this configuration in {{kib}} are currently available on-prem only, and not in the [{{kib}} settings in {{ecloud}}](/deploy-manage/deploy/elastic-cloud/edit-stack-settings.md).
+:::{include} _snippets/private-connection-fleet.md
+:::
-::::
+## Manage policies
+After you create your private connection policy, you can edit it, remove it from your deployment, or delete it.
+### Edit a policy [ec-edit-traffic-filter-psc-rule-set]
-## Edit a Private Service Connect rule set [ec-psc-edit-traffic-filter-psc-rule-set]
+You can edit a policy's name, description, VPC endpoint ID, and more.
-You can edit a rule set name or to change the PSC connection ID.
+:::{include} _snippets/network-security-page.md
+:::
+1. Find the policy you want to edit, then click the **Edit** icon.
+2. Click **Update** to save your changes.
+
+:::{tip}
+You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page.
+:::
+
+
+### Remove a policy from your deployment [remove-filter-deployment]
+
+If you want to a specific policy from a deployment, or delete the policy, then you need to disconnect it from any associated deployments first. You can do this from the policy's settings, or from your deployment's settings. To remove an association through the UI:
-:::{include} _snippets/edit-ruleset.md
+#### From your deployment
+
+::::{tab-set}
+:group: hosted-serverless
+:::{tab-item} Serverless project
+:sync: serverless
+1. Find your project on the home page or on the **Serverless projects** page, then select **Manage** to access its settings menus.
+
+ On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.
+2. On the **Network security** page, find the IP filter policy that you want to disconnect.
+3. Under **Actions**, click the **Delete** icon.
:::
+:::{tab-item} Hosted deployment
+:sync: hosted
+1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus.
+ On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.
+2. On the **Security** page, under **Network security**, find the IP filter policy that you want to disconnect.
+3. Under **Actions**, click the **Delete** icon.
+:::
+::::
-### Delete a Private Service Connect rule set [ec-psc-delete-psc-rule-set]
+#### From the IP filter policy settings
-:::{include} _snippets/delete-ruleset.md
+:::{include} _snippets/network-security-page.md
:::
+5. Find the policy you want to edit, then click the **Edit** icon.
+6. Under **Apply to resources**, click the `x` beside the resource that you want to disconnect.
+7. Click **Update** to save your changes.
+
+### Delete a policy [ec-delete-traffic-filter-psc-rule-set]
+If you need to remove a policy, you must first remove any associations with deployments.
-### Remove a Private Service Connect rule set association from your deployment [remove-filter-deployment]
+To delete a policy:
-:::{include} _snippets/remove-filter.md
-:::
\ No newline at end of file
+:::{include} _snippets/network-security-page.md
+:::
+4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments associated with the policy.
\ No newline at end of file
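Review bot: the Serverless tab under "Remove a policy from your deployment" is copied from the Hosted tab and points at the wrong page and policy type: after `1. Find your project on the home page or on the **Serverless projects** page` the indented paragraph still says `On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters`, and both tabs then say `find the IP filter policy that you want to disconnect`, although this page manages Private Service Connect policies. Describe the Serverless projects page there (or drop the paragraph), say "private connection policy" in both tabs, and rename the heading `#### From the IP filter policy settings` to match. Also "If you want to a specific policy from a deployment" is missing the verb "remove"; the step numbering after the `network-security-page.md` include is inconsistent (it restarts at 1 under "Edit a policy", at 5 under "From the IP filter policy settings" and at 4 under "Delete a policy"), so pick the continuation that matches the number of steps in the include; and "Find the policy you want to edit, then click the **Delete** icon" under "Delete a policy" should say "delete". The unchanged important block "Use the alias you’ve set up as CNAME A record" should read "as a CNAME record", since a CNAME is a separate record type from an A record.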
diff --git a/deploy-manage/security/ip-filtering-cloud.md b/deploy-manage/security/ip-filtering-cloud.md
index 58c95240b6..efd20827bf 100644
--- a/deploy-manage/security/ip-filtering-cloud.md
+++ b/deploy-manage/security/ip-filtering-cloud.md
@@ -1,5 +1,5 @@
---
-navigation_title: In ECH or ECE
+navigation_title: In ECH or Serverless
mapped_pages:
- https://www.elastic.co/guide/en/cloud-enterprise/current/ece-traffic-filtering-ip.html
- https://www.elastic.co/guide/en/cloud/current/ec-traffic-filtering-ip.html
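Review bot: `mapped_pages` still lists `https://www.elastic.co/guide/en/cloud-enterprise/current/ece-traffic-filtering-ip.html`, but the new `ip-filtering-ece.md` added later in this patch maps the same legacy URL, so the redirect for that page is claimed by two documents. Drop the ECE entry here now that the navigation title is "In ECH or Serverless", and drop `ece: ga` from `applies_to` in the next hunk for the same reason.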
@@ -8,151 +8,135 @@ applies_to:
deployment:
ess: ga
ece: ga
+ serverless: ga
products:
- - id: cloud-enterprise
- id: cloud-hosted
+ - id: cloud-serverless
+sub:
+ policy-type: "IP filter"
---
-# Manage IP traffic filters in ECH or ECE
+# Manage IP traffic filters in ECH or Serverless
Traffic filtering, by IP address or CIDR block, is one of the security layers available in {{ece}} and {{ech}}. It allows you to limit how your deployments can be accessed.
There are types of filters are available for filtering by IP address or CIDR block:
* **Ingress or inbound IP filters**: These restrict access to your deployments from a set of IP addresses or CIDR blocks. These filters are available through the UI.
-* **Egress or outbound IP filters** (ECH only): These restrict the set of IP addresses or CIDR blocks accessible from your deployment. These might be used to restrict access to a certain region or service. This feature is in beta and is currently only available through the [Traffic Filtering API](/deploy-manage/security/ec-traffic-filtering-through-the-api.md).
+* **Egress or outbound IP filters**: These restrict the set of IP addresses or CIDR blocks accessible from your deployment. These might be used to restrict access to a certain region or service. This feature is in beta and is currently only available through the [Traffic Filtering API](/deploy-manage/security/ec-traffic-filtering-through-the-api.md).
-Follow the step described here to set up ingress or inbound IP filters through the {{ecloud}} Console or Cloud UI.
+Follow the step described here to set up ingress or inbound IP filters through the {{ecloud}} Console.
-To learn how traffic filter rules work together, refer to [traffic filter rules](/deploy-manage/security/traffic-filtering.md#traffic-filter-rules).
+To learn how IP filter policies work together, and alongside [private connection policies](private-link-traffic-filters.md), refer to [](/deploy-manage/security/network-security-policies.md).
To learn how to manage IP traffic filters using the Traffic Filtering API, refer to [](/deploy-manage/security/ec-traffic-filtering-through-the-api.md).
:::{note}
-To learn how to create IP traffic filters for self-managed clusters or {{eck}} deployments, refer to [](ip-filtering-basic.md).
-:::
-
-## Prerequisites
-```{applies_to}
-deployment:
- ece:
-```
-
-On {{ece}}, make sure your [load balancer](/deploy-manage/deploy/cloud-enterprise/ece-load-balancers.md) handles the `X-Forwarded-For` header appropriately for HTTP requests to prevent IP address spoofing. Make sure the proxy protocol v2 is enabled for HTTP and transport protocols (9243 and 9343).
-
-This step is not required in {{ech}}.
+To learn how to create IP filters for {{ece}} deployments, refer to [](ip-filtering-ece.md).
-## Apply an IP filter to a deployment
-
-To apply an IP filter to a deployment, you must first create a rule set at the organization or platform level, and then apply the rule set to your deployment.
+To learn how to create IP filters for self-managed clusters or {{eck}} deployments, refer to [](ip-filtering-basic.md).
+:::
-### Step 1: Create an IP filter rule set
+## Apply an IP filter to a deployment or project
-You can combine any rules into a set, so we recommend that you group rules according to what they allow, and make sure to label them accordingly. Since multiple sets can be applied to a deployment, you can be as granular in your sets as you feel is necessary.
+To apply an IP filter to a deployment or project, you must first create a rule set at the organization or platform level, and then apply the rule set to your deployment.
-To create a rule set:
+### Step 1: Create an IP filter policy
-1. Navigate to the traffic filters list:
+You can combine multiple IP address and CIDR block traffic sources into a single IP filter policy, so we recommend that you group sources according to what they allow, and make sure to label them accordingly. Because multiple sets can be applied to a deployment, you can be as granular in your policies as you feel is necessary.
- ::::{tab-set}
- :group: ech-ece
+To create an IP filter policy:
- :::{tab-item} {{ech}}
- :sync: ech
- 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
- 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus.
- 3. Under the **Features** tab, open the **Traffic filters** page.
- :::
- :::{tab-item} {{ece}}
- :sync: ece
- 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
- 2. From the **Platform** menu, select **Security**.
+:::{include} _snippets/network-security-page.md
+:::
+4. Select **Create** > **IP filter**.
+3. Select the resource type that the IP filter will be applied to: either hosted deployments or serverless projects.
+4. Select the cloud provider and region for the filter.
+
+ :::{tip}
+ Network security policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to.
:::
- ::::
-
-2. Select **Create filter**.
-3. Select **IP filtering rule set**.
-4. Create your rule set, providing a meaningful name and description.
-5. Select the region for the rule set.
-6. Select if this rule set should be automatically attached to new deployments.
+5. Add a meaningful name and description for the filter.
+6. Under **Access control**, select whether the filter should be applied to ingress or egress traffic. Currently, only ingress traffic filters are supported.
+7. Add one or more allowed sources using IPv4, or a range of addresses with CIDR.
::::{note}
- Each rule set is bound to a particular region and can be only assigned to deployments in the same region.
+ DNS names are not supported in network security policies.
::::
+8. Optional: Under **Apply to resources**, associate the new filter with one or more deployments or projects. After you associate the filter with a deployment or project, it starts filtering traffic.
+9. To automatically attach this IP filter policy to new deployments or projects, select **Apply by default**.
+10. Click **Create**.
-7. Add one or more rules using IPv4, or a range of addresses with CIDR.
-
- ::::{note}
- DNS names are not supported in rules.
- ::::
+### Step 2: Associate a policy with a deployment or project
-### Step 2: Associate an IP filter rule set with your deployment
+You can associate a network security policy with your deployment or project from the policy's settings, or from your deployment or project's settings. After you associate the policy with a deployment or project, it starts filtering traffic.
-After you’ve created the rule set, you’ll need to associate IP filter rules with your deployment:
+#### From a deployment or project
-1. Go to the deployment.
-2. On the **Security** page, under **Traffic filters**, select **Apply filter**.
-3. Choose the filter you want to apply and select **Apply filter**.
+:::{include} _snippets/associate-filter.md
+:::
-At this point, the traffic filter is active. You can remove or edit it at any time.
+#### From the policy settings
-## Remove an IP filter rule set association from your deployment [remove-filter-deployment]
+:::{include} _snippets/network-security-page.md
+:::
+5. Find the policy you want to edit.
+6. Under **Apply to resources**, associate the policy with one or more deployments or projects.
+7. Click **Update** to save your changes.
-If you want to remove any traffic restrictions from a deployment or delete a rule set, you’ll need to remove any rule set associations first. To remove an association through the UI:
+## Remove an IP filter policy from your deployment or project [remove-filter-deployment]
-1. Go to the deployment.
-2. On the **Security** page, under **Traffic filters** select **Remove**.
+If you want to a specific IP filter policy from a deployment or project, or delete the policy, you’ll need to disconnect it from any associated deployments or projects first. You can do this from the policy's settings, or from your deployment or project's settings. To remove an association through the UI:
-## Edit an IP filter rule set
+#### From your deployment or project
-You can edit a rule set name or change the allowed traffic sources using IPv4, or a range of addresses with CIDR.
+::::{tab-set}
+:group: hosted-serverless
+:::{tab-item} Serverless project
+:sync: serverless
+1. Find your project on the home page or on the **Serverless projects** page, then select **Manage** to access its settings menus.
-1. Navigate to the traffic filters list:
+ On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.
+2. On the **Network security** page, find the IP filter policy that you want to disconnect.
+3. Under **Actions**, click the **Delete** icon.
+:::
+:::{tab-item} Hosted deployment
+:sync: hosted
+1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus.
- ::::{tab-set}
- :group: ech-ece
+ On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.
+2. On the **Security** page, under **Network security**, find the IP filter policy that you want to disconnect.
+3. Under **Actions**, click the **Delete** icon.
+:::
+::::
- :::{tab-item} {{ech}}
- :sync: ech
- 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
- 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus.
- 3. Under the **Features** tab, open the **Traffic filters** page.
- :::
- :::{tab-item} {{ece}}
- :sync: ece
- 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
- 2. From the **Platform** menu, select **Security**.
- :::
- ::::
+#### From the IP filter policy settings
-2. Find the rule set you want to edit.
-5. Select the **Edit** icon.
+:::{include} _snippets/network-security-page.md
+:::
+5. Find the policy you want to edit, then click the **Edit** icon.
+6. Under **Apply to resources**, click the `x` beside the resource that you want to disconnect.
+7. Click **Update** to save your changes.
+## Edit an IP filter policy
-## Delete an IP filter rule set
+You can edit an IP filter policy's name or description, change the allowed traffic sources, and change the associated resources, and more.
-If you need to remove a rule set, you must first remove any associations with deployments.
+:::{include} _snippets/network-security-page.md
+:::
+4. Find the policy you want to edit, then click the **Edit** icon.
+5. Click **Update** to save your changes.
-To delete a rule set with all its rules:
+:::{tip}
+You can also edit network security policies from your deployment's **Security** page or your project's **Network security** page.
+:::
-1. [Remove any deployment associations](#remove-filter-deployment).
-1. Navigate to the traffic filters list:
+## Delete an IP filter policy
- ::::{tab-set}
- :group: ech-ece
+If you need to remove a policy, you must first remove any associations with deployments.
- :::{tab-item} {{ech}}
- :sync: ech
- 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
- 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus.
- 3. Under the **Features** tab, open the **Traffic filters** page.
- :::
- :::{tab-item} {{ece}}
- :sync: ece
- 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
- 2. From the **Platform** menu, select **Security**.
- :::
- ::::
+To delete a policy:
-3. Find the rule set you want to edit.
-4. Select the **Delete** icon. The icon is inactive if there are deployments assigned to the rule set.
\ No newline at end of file
+:::{include} _snippets/network-security-page.md
+:::
+4. Find the policy you want to edit, then click the **Delete** icon. The icon is inactive if there are deployments or projects associated with the policy.
\ No newline at end of file
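Review bot: the steps under "Step 1: Create an IP filter policy" are misnumbered and step 6 contradicts the bullet list above: after the `network-security-page.md` include the list runs `4. Select **Create** > **IP filter**.`, `3. Select the resource type that the IP filter will be applied to`, `4. Select the cloud provider and region for the filter.`, and step 6 says "Currently, only ingress traffic filters are supported" while the egress bullet still says egress filters are available in beta through the Traffic Filtering API. Renumber the steps to continue from the include and reword step 6 to say that the console supports ingress only (egress via the API), or fix the bullet. Further points in this hunk: `applies_to` keeps `ece: ga` although `cloud-enterprise` is removed from `products` and the ECE content moves to its own page; the unchanged intro still says "available in {{ece}} and {{ech}}" and "There are types of filters are available"; "If you want to a specific IP filter policy from a deployment or project" is missing "remove"; the Serverless tab of the remove section says `On the **Hosted deployments** page you can narrow your deployments`, copied from the Hosted tab; and the removal and deletion procedures say "Find the policy you want to edit" where "disconnect" and "delete" are meant. Since "(ECH only)" was removed from the egress bullet while the page now also applies to Serverless, confirm that egress filters are actually available for Serverless projects through the linked API.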
diff --git a/deploy-manage/security/ip-filtering-ece.md b/deploy-manage/security/ip-filtering-ece.md
new file mode 100644
index 0000000000..223b8a7099
--- /dev/null
+++ b/deploy-manage/security/ip-filtering-ece.md
@@ -0,0 +1,99 @@
+---
+navigation_title: In ECE
+mapped_pages:
+ - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-traffic-filtering-ip.html
+applies_to:
+ deployment:
+ ece: ga
+products:
+ - id: cloud-enterprise
+---
+
+# Manage IP filters in ECE
+
+Filtering by IP address or CIDR block is one of the security layers available in {{ece}}. It allows you to limit how your deployments can be accessed.
+
+You can only configure ingress or inbound IP filters**. These restrict access to your deployments from a set of IP addresses or CIDR blocks.
+
+Follow the step described here to set up ingress or inbound IP filters through the Cloud UI.
+
+To learn how traffic filter rules work together, refer to [](ece-filter-rules.md).
+
+To learn how to manage IP traffic filters using the Traffic Filtering API, refer to [](/deploy-manage/security/ec-traffic-filtering-through-the-api.md).
+
+:::{note}
+To learn how to create IP filters for {{ech}} deployments or {{serverless-full}} projects, refer to [](ip-filtering-cloud.md).
+
+To learn how to create IP filters for self-managed clusters or {{eck}} deployments, refer to [](ip-filtering-basic.md).
+:::
+
+## Prerequisites
+
+Make sure your [load balancer](/deploy-manage/deploy/cloud-enterprise/ece-load-balancers.md) handles the `X-Forwarded-For` header appropriately for HTTP requests to prevent IP address spoofing. Make sure the proxy protocol v2 is enabled for HTTP and transport protocols (9243 and 9343).
+
+## Apply an IP filter to a deployment
+
+To apply an IP filter to a deployment, you must first create a rule set at the organization or platform level, and then apply the rule set to your deployment.
+
+### Step 1: Create an IP filter rule set
+
+You can combine any rules into a set, so we recommend that you group rules according to what they allow, and make sure to label them accordingly. Since multiple sets can be applied to a deployment, you can be as granular in your sets as you feel is necessary.
+
+To create a rule set:
+
+1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
+2. From the **Platform** menu, select **Security**.
+3. Select **Create filter**.
+4. Select **IP filtering rule set**.
+5. Create your rule set, providing a meaningful name and description.
+6. Select the region for the rule set.
+7. Select if this rule set should be automatically attached to new deployments.
+
+ ::::{note}
+ Each rule set is bound to a particular region and can be only assigned to deployments in the same region.
+ ::::
+
+8. Add one or more rules using IPv4, or a range of addresses with CIDR.
+
+ ::::{note}
+ DNS names are not supported in rules.
+ ::::
+
+### Step 2: Associate an IP filter rule set with your deployment
+
+After you’ve created the rule set, you’ll need to associate IP filter rules with your deployment:
+
+1. Go to the deployment.
+2. On the **Security** page, under **Traffic filters**, select **Apply filter**.
+3. Choose the filter you want to apply and select **Apply filter**.
+
+At this point, the traffic filter is active. You can remove or edit it at any time.
+
+## Remove an IP filter rule set association from your deployment [remove-filter-deployment]
+
+If you want to remove any traffic restrictions from a deployment or delete a rule set, you’ll need to remove any rule set associations first. To remove an association through the UI:
+
+1. Go to the deployment.
+2. On the **Security** page, under **Traffic filters** select **Remove**.
+
+## Edit an IP filter rule set
+
+You can edit a rule set name or change the allowed traffic sources using IPv4, or a range of addresses with CIDR.
+
+1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
+2. From the **Platform** menu, select **Security**.
+2. Find the rule set you want to edit.
+3. Select the **Edit** icon.
+
+
+## Delete an IP filter rule set
+
+If you need to remove a rule set, you must first remove any associations with deployments.
+
+To delete a rule set with all its rules:
+
+1. [Remove any deployment associations](#remove-filter-deployment).
+2. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
+3. From the **Platform** menu, select **Security**.
+4. Find the rule set you want to edit.
+5. Select the **Delete** icon. The icon is inactive if there are deployments assigned to the rule set.
\ No newline at end of file
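Review bot: "You can only configure ingress or inbound IP filters**." has an unmatched bold marker (the opening `**` is missing), so the asterisks render literally; and the "Edit an IP filter rule set" steps are numbered `1. 2. 2. 3.` and should run 1 to 4. The `mapped_pages` entry `ece-traffic-filtering-ip.html` is also still listed by `ip-filtering-cloud.md` in this patch, so only one of the two pages should map it. The link `[](ece-filter-rules.md)` targets a file this patch does not add; confirm it exists, otherwise the build fails on the unresolved reference.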
diff --git a/deploy-manage/security/ip-traffic-filtering.md b/deploy-manage/security/ip-traffic-filtering.md
index 1c6c3bff69..90409e03cf 100644
--- a/deploy-manage/security/ip-traffic-filtering.md
+++ b/deploy-manage/security/ip-traffic-filtering.md
@@ -5,19 +5,38 @@ applies_to:
ece: ga
eck: ga
self: ga
- serverless: unavailable
+ serverless: ga
+navigation_title: "Add IP filters"
---
-# IP traffic filtering
+# IP filtering
This section covers traffic filtering by IP address or CIDR block.
-The way that you configure IP traffic filters depends on your deployment type:
+The way that you configure IP filters depends on your deployment type.
-* **In {{ece}} and {{ech}}**, traffic filter rules are created at the organization or platform level, and then applied at the deployment level. [Learn how to create, apply and manage these rules](/deploy-manage/security/ip-filtering-cloud.md).
+:::{tip}
+If you use {{ech}} or {{eck}}, then other [network security](/deploy-manage/security/traffic-filtering.md) methods are also available.
+:::
+
+## Serverless and ECH
+
+In {{serverless-full}} and {{ech}}, network security policies are created at the organization level, and then applied at the deployment level. Follow these guides to learn how to create, apply, and manage these policies using your preferred method:
+
+ * [In the {{ecloud}} console](/deploy-manage/security/ip-filtering-cloud.md)
+ * [Using the {{ecloud}} API](/deploy-manage/security/ec-traffic-filtering-through-the-api.md)
+
+To learn how multiple IP filter policies are processed, and how IP filters and [private connections](/deploy-manage/security/private-link-traffic-filters.md) work together in ECH, refer to [](/deploy-manage/security/network-security-policies.md).
+
+## ECE
+
+In {{ece}}, filter rules are created at the platform level, and then applied at the deployment level. Follow these guides to learn how to create, apply, and manage these policies using your preferred method:
+
+ * [In the Cloud UI](/deploy-manage/security/ip-filtering-ece.md)
+ * [Using the {{ecloud}} API](/deploy-manage/security/ec-traffic-filtering-through-the-api.md)
- To learn how multiple rules are processed, and how IP traffic filters and [private link traffic filters](/deploy-manage/security/private-link-traffic-filters.md) work together in ECH, refer to [Traffic filter rules](/deploy-manage/security/traffic-filtering.md#traffic-filter-rules).
+To learn how multiple rules are processed, refer to [](/deploy-manage/security/ece-filter-rules.md).
-* **In {{eck}} and self-managed clusters**, traffic filters are applied at the cluster level using `elasticsearch.yml`. [Learn how to configure traffic filtering at the cluster level](/deploy-manage/security/ip-filtering-basic.md).
+## ECK and self managed
-If you use {{ech}} or {{eck}}, then other [traffic filtering](/deploy-manage/security/traffic-filtering.md) methods are also available.
\ No newline at end of file
+In {{eck}} and self-managed clusters, traffic filters are applied at the cluster level using `elasticsearch.yml`. [Learn how to configure traffic filtering at the cluster level](/deploy-manage/security/ip-filtering-basic.md).
\ No newline at end of file
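Review bot: the "Serverless and ECH" paragraph says policies are "created at the organization level, and then applied at the deployment level", but for Serverless they are applied to projects, so say "deployment or project level". The ECE paragraph then says "manage these policies" although its first sentence calls them "filter rules" and the ECE page it links to uses "rule set"; keep one term. The tip "If you use {{ech}} or {{eck}}, then other [network security] methods are also available" links to the page this patch repurposes for ECH and Serverless private connections, so "{{eck}}" looks like it should be "{{serverless-full}}"; and the heading "ECK and self managed" should be hyphenated as "self-managed" to match "self-managed clusters" in the body.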
diff --git a/deploy-manage/security/network-security-policies.md b/deploy-manage/security/network-security-policies.md
new file mode 100644
index 0000000000..da27fbd34a
--- /dev/null
+++ b/deploy-manage/security/network-security-policies.md
@@ -0,0 +1,93 @@
+---
+navigation_title: How policies work in Cloud
+applies_to:
+ deployment:
+ ess: ga
+ serverless: ga
+---
+
+# Network security policies in {{ecloud}}
+
+By default, in {{ech}} and {{serverless-full}}, all your deployments are accessible over the public internet.
+
+Network security policies are created at the organization level, and then are associated with one or more resources, such as a deployment or project, to take effect. After you associate at least one policy with a resource, traffic that does not match the policy or any other policy associated with the resource is denied.
+
+Policies apply to external traffic only. Internal traffic is managed by the deployment or project. For example, in {{ech}}, {{kib}} can connect to {{es}}, as well as internal services which manage the deployment, Other deployments can’t connect to deployments protected by network security policies.
+
+Policies operate on the proxy. Requests rejected by the policies are not forwarded to the resource. The proxy responds to the client with `403 Forbidden`.
+
+## Logic
+
+- You can assign multiple policies to a single deployment or project. The policies can be of different types if applicable. In case of multiple policies, traffic can match any associated policy to be forwarded to the resource. If none of the policies match, the request is rejected with `403 Forbidden`.
+- Policies, when associated with a deployment or project, will apply to all endpoints, such as {{es}}, {{kib}}, APM Server, and others.
+- Any policy assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint*. The implication is that if you make a mistake putting in the traffic source (for example, if you specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the policies.
+- You can [mark a policy as default](#default-network-security-policies). Default policies are automatically attached to all new resources of the matching resource type that you create in its region.
+
+## Restrictions
+
+- You can have a maximum of 1024 policies per organization and 128 sources in each policy.
+- Policies must be created for a specific resource type. If you want to associate a policy to both hosted deployments and Serverless projects, then you have to create the same policy for each resource types.
+- Policies are bound to a single region, and can be assigned only to deployments or projects in the same region. If you want to associate a policy with resources in multiple regions, then you have to create the same policy in all the regions you want to apply it to.
+- Domain-based filtering rules are not allowed for network security policies, because the original IP is hidden behind the proxy. Only IP-based filtering rules are allowed.
+
+## Default network security policies
+
+You can mark a policy as default. Default policies are automatically attached to all new resources of the matching resource type that you create in its region.
+
+You can detach default policies from resources after they are created. Default policies are not automatically attached to existing resources.
+
+### Apply policies to new resources by default
+
+To automatically apply a network security policy to new resources by default new deployments or projects in your organization:
+
+1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
+2. From any deployment or project on the home page, select **Manage**.
+3. Under the **Features** tab, open the **Network security** page.
+4. Select **Create** to create a new policy, or select **Edit** to open an existing policy.
+5. Under **Apply to future resources by default**, select **Include by default**.
+
+### Identify default policies
+
+To identify which network security policies are automatically applied to new deployments or projects in your organization:
+
+1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
+2. From any deployment or project on the home page, select **Manage**.
+3. Under the **Features** tab, open the **Network security** page.
+4. Select each of the policies. **Include by default** is checked when a policy is automatically applied to all new deployments or projects in its region.
+
+## Review the policies associated with a resource
+
+To identify the network security policies that are applied to your deployment or project:
+
+::::{tab-set}
+:::{tab-item} Serverless
+1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
+2. On the **Serverless projects** page, select your project.
+3. Select the **Network security** tab on the left-hand side menu bar.
+
+Network security policies are listed on the page. From this page, you can view and remove existing policies and attach new policies.
+
+:::
+:::{tab-item} Hosted
+1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
+2. On the **Hosted deployments** page, select your deployment.
+3. Select the **Network security** tab on the left-hand side menu bar.
+4. Select the **Security** tab on the left-hand side menu bar.
+
+Network security policies are listed under **Network security**. From this section, you can view and remove existing policies and attach new policies.
+:::
+::::
+
+## View rejected requests
+
+Requests rejected by a network security policy have the status code `403 Forbidden` and one of the following in the response body:
+
+```json
+{"ok":false,"message":"Forbidden"}
+```
+
+```json
+{"ok":false,"message":"Forbidden due to traffic filtering. Please see the Elastic documentation on Traffic Filtering for more information."}
+```
+
+Additionally, network security policy rejections are logged in ECE proxy logs as `status_reason: BLOCKED_BY_IP_FILTER`. Proxy logs also provide client IP in `client_ip` field.
\ No newline at end of file
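Review bot: the Hosted tab under "Review the policies associated with a resource" lists two conflicting navigation steps, `3. Select the **Network security** tab on the left-hand side menu bar.` followed by `4. Select the **Security** tab on the left-hand side menu bar.`, while the text below says the policies are listed under **Network security** on the Security page; drop step 3 or merge it into step 4. The closing line "network security policy rejections are logged in ECE proxy logs as `status_reason: BLOCKED_BY_IP_FILTER`" does not belong on a page whose `applies_to` is `ess` and `serverless` only; either remove the ECE reference or say where ECH and Serverless users can observe rejections. The checkbox named here, "Under **Apply to future resources by default**, select **Include by default**", is called "**Apply by default**" in the ip-filtering-cloud.md steps in this same patch; use one label. Wording: "internal services which manage the deployment, Other deployments can’t connect" needs a period instead of the comma; "for each resource types" should be "type"; and "To automatically apply a network security policy to new resources by default new deployments or projects in your organization" repeats itself.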
diff --git a/deploy-manage/security/private-link-traffic-filters.md b/deploy-manage/security/private-link-traffic-filters.md
index 3dd010e189..fde876685f 100644
--- a/deploy-manage/security/private-link-traffic-filters.md
+++ b/deploy-manage/security/private-link-traffic-filters.md
@@ -2,11 +2,16 @@
applies_to:
deployment:
ess: ga
+ serverless: ga
+navigation_title: "Add private connections"
+products:
+ - id: cloud-hosted
+ - id: cloud-serverless
---
-# Private link traffic filters
+# Private connections
-In {{ech}}, you can allow traffic between {{es}} and other resources hosted by the same cloud provider using private link services.
+A private connection is a secure way for your {{ecloud}} deployments and projects to communicate with other cloud provider services over your cloud provider's private network. You can create a virtual private connection endpoint (VCPE) using your provider's private link service. You can also optionally filter traffic to your deployments and projects by creating ingress filters for your VCPE in {{ecloud}}.
Choose the relevant option for your cloud service provider:
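Review bot: the frontmatter now adds `serverless: ga` and the new intro says private connections are for your `deployments and projects`, but the network security table in traffic-filtering.md in this same PR still marks the private connections row as `{{ech}} only`; one of the two has to change so the availability claim is consistent. The intro also defines the abbreviation as `virtual private connection endpoint (VCPE)` while that same table row spells it `VPCE filtering`; settle on one spelling across the PR. Style: `You can also optionally filter traffic` reads better as `You can optionally filter traffic`.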
@@ -16,8 +21,14 @@ Choose the relevant option for your cloud service provider:
| Azure | [Azure Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md) |
| GCP | [GCP Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md) |
-After you set up your private link, you can [claim ownership of your filter link ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md) to prevent other organizations from using it in a traffic filter ruleset.
+After you set up your private connection, you can [claim ownership of your VCPE ID](/deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md) to prevent other organizations from using it.
+
+To learn how private connection policies work, how they affect your deployment, and how they interact with [IP filter policies](ip-filtering-cloud.md), refer to [](/deploy-manage/security/network-security-policies.md).
:::{tip}
-{{ech}} also supports [IP traffic filters](/deploy-manage/security/ip-filtering-cloud.md).
+{{ech}} and {{serverless-full}} also support [IP filters](/deploy-manage/security/ip-filtering-cloud.md). You can apply both IP filters and private connections to a single {{ecloud}} resource.
:::
+
+:::{note}
+Private connections were formerly referred to as PrivateLink filters.
+:::
\ No newline at end of file
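Review bot: the added note `Private connections were formerly referred to as PrivateLink filters.` does not use the name this page is renaming away from, `# Private link traffic filters` (the removed table row called them `Private link filters`); state the old name exactly so readers searching for it find the mapping, and avoid `PrivateLink`, which is AWS's product name rather than the Elastic feature name. The link text `claim ownership of your VCPE ID` still points at `claim-traffic-filter-link-id-ownership-through-api.md`; that is fine if the target was not renamed, but check that the target page's own title and wording were updated to the new term, since it is not touched in this diff.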
diff --git a/deploy-manage/security/secure-your-cluster-deployment.md b/deploy-manage/security/secure-your-cluster-deployment.md
index 39fd4d9382..f971825fb2 100644
--- a/deploy-manage/security/secure-your-cluster-deployment.md
+++ b/deploy-manage/security/secure-your-cluster-deployment.md
@@ -5,9 +5,10 @@ applies_to:
eck: all
ece: all
ess: all
+ serverless: all
---
-# Secure your cluster or deployment
+# Secure your cluster, deployment, or project
It's important to protect your {{es}} cluster and the data it contains. Implementing an in-depth defense strategy provides multiple layers of security to help safeguard your system.
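Review bot: the heading becomes `# Secure your cluster, deployment, or project` and `serverless: all` is added, but the unchanged first paragraph still reads `It's important to protect your {{es}} cluster and the data it contains.`; extend it to cover projects so the body matches the new scope, and check the rest of the page for other cluster-only phrasing that the title change now leaves behind.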
@@ -23,7 +24,7 @@ It's important to protect your {{es}} cluster and the data it contains. Implemen
You must secure [other {{stack}} components](/deploy-manage/security/secure-clients-integrations.md), as well as [client and integration communications](/deploy-manage/security/httprest-clients-security.md), separately.
:::
-You can configure the following aspects of your Elastic cluster or deployment to maintain and enhance security:
+You can configure the following aspects of your Elastic cluster, deployment, or project to maintain and enhance security:
## Initial security setup [manually-configure-security]
diff --git a/deploy-manage/security/traffic-filtering.md b/deploy-manage/security/traffic-filtering.md
index 56b3b33782..3de83c72e7 100644
--- a/deploy-manage/security/traffic-filtering.md
+++ b/deploy-manage/security/traffic-filtering.md
@@ -1,5 +1,5 @@
---
-navigation_title: Traffic filtering
+navigation_title: Network security
mapped_pages:
- https://www.elastic.co/guide/en/cloud-enterprise/current/ece-traffic-filtering-deployment-configuration.html
- https://www.elastic.co/guide/en/cloud/current/ec-traffic-filtering-deployment-configuration.html
@@ -10,116 +10,56 @@ applies_to:
ece: ga
eck: ga
self: ga
- serverless: unavailable
+ serverless: ga
products:
- id: cloud-enterprise
- id: cloud-hosted
+ - id: cloud-kubernetes
+ - id: elasticsearch
+ - id: cloud-serverless
---
-# Traffic filtering
+# Network security
-Traffic filtering allows you to limit how your deployments and clusters can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust.
+Network security allows you to control how your deployments and clusters can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust.
-## Traffic filtering methods
+:::{note}
+The network security feature was formerly referred to as traffic filtering.
-Depending on your deployment type you can use different mechanisms to restrict traffic.
+Network security policies were formerly referred to as traffic filtering rules.
+:::
+
+## Network security methods
+
+Depending on your deployment type you can use different mechanisms to control access.
::::{note}
-This section covers traffic filtering at the deployment level. If you need the IP addresses used by {{ech}} to configure them in your network firewalls, refer to [](./elastic-cloud-static-ips.md).
+This section covers network security at the deployment level. If you need the IP addresses used by {{ech}} to configure them in your network firewalls, refer to [](./elastic-cloud-static-ips.md).
You can also allow traffic to or from a [remote cluster](/deploy-manage/remote-clusters.md) for use with cross-cluster replication or search.
::::
| Filter type | Description | Applicable deployment types |
| --- | --- | --- |
-| [IP traffic filters](ip-traffic-filtering.md) | Filter traffic using IP addresses and Classless Inter-Domain Routing (CIDR) masks.
• [In ECH or ECE](/deploy-manage/security/ip-filtering-cloud.md)
• [In ECK or self-managed](/deploy-manage/security/ip-filtering-basic.md) | ECH, ECE, ECK, and self-managed clusters |
-| [Private link filters](/deploy-manage/security/private-link-traffic-filters.md) | Allow traffic between {{es}} and other resources hosted by the same cloud provider using private link services. Choose the relevant option for your region:
• AWS regions: [AWS PrivateLink](/deploy-manage/security/aws-privatelink-traffic-filters.md)
• Azure regions: [Azure Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md)
• GCP regions: [GCP Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md) | {{ech}} only |
+| [IP filters](ip-traffic-filtering.md) | Filter traffic from the public internet by allowlisting specific IP addresses and Classless Inter-Domain Routing (CIDR) masks.
• [In {{serverless-short}} or ECH](/deploy-manage/security/ip-filtering-cloud.md)
• [In ECE](/deploy-manage/security/ip-filtering-ece.md)
• [In ECK or self-managed](/deploy-manage/security/ip-filtering-basic.md) | {{serverless-short}}, ECH, ECE, ECK, and self-managed clusters |
+| [Private connections and VCPE filtering](/deploy-manage/security/private-link-traffic-filters.md) | Establish private connections between {{es}} and other resources hosted by the same cloud provider using private link services, and further secure these connections using VPCE filtering. Choose the relevant option for your region:
• AWS regions: [AWS PrivateLink](/deploy-manage/security/aws-privatelink-traffic-filters.md)
• Azure regions: [Azure Private Link](/deploy-manage/security/azure-private-link-traffic-filters.md)
• GCP regions: [GCP Private Service Connect](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md) | {{ech}} only |
| [Kubernetes network policies](/deploy-manage/security/k8s-network-policies.md) | Isolate pods by restricting incoming and outgoing network connections to a trusted set of sources and destinations. | {{eck}} only |
:::{include} _snippets/eck-traffic-filtering.md
:::
+## How security rules and policies work
-## Traffic filter rules in ECE and ECH [traffic-filter-rules]
-```{applies_to}
- deployment:
- ess:
- ece:
-```
-
-% could be refined further
-
-By default, in {{ece}} and {{ech}}, all your deployments are accessible over the public internet. In {{ece}}, this assumes that your orchestrator's proxies are accessible.
-
-Filtering *rules* are grouped into *rule sets*, which in turn are *associated* with one or more deployments to take effect. After you associate at least one traffic filter with a deployment, traffic that does not match any filtering rules for the deployment is denied.
-
-Traffic filters apply to external traffic only. Internal traffic is managed by ECE or ECH. For example, {{kib}} can connect to {{es}}, as well as internal services which manage the deployment. Other deployments can’t connect to deployments protected by traffic filters.
-
-Traffic filters operate on the proxy. Requests rejected by the traffic filters are not forwarded to the deployment. The proxy responds to the client with `403 Forbidden`.
-
-Domain-based filtering rules are not allowed for Cloud traffic filtering, because the original IP is hidden behind the proxy. Only IP-based filtering rules are allowed.
-
-Rule sets work as follows:
-
-- You can assign multiple rule sets to a single deployment. The rule sets can be of different types. In case of multiple rule sets, traffic can match ANY of them. If none of the rule sets match, the request is rejected with `403 Forbidden`.
-- Traffic filter rule sets are bound to a single region. The rule sets can be assigned only to deployments in the same region. If you want to associate a rule set with deployments in multiple regions, then you have to create the same rule set in all the regions you want to apply it to.
-- You can mark a rule set as *default*. It is automatically attached to all new deployments that you create in its region. You can detach default rule sets from deployments after they are created. Note that a *default* rule set is not automatically attached to existing deployments.
-- Traffic filter rule sets, when associated with a deployment, will apply to all deployment endpoints, such as {{es}}, {{kib}}, APM Server, and others.
-- Any traffic filter rule set assigned to a deployment overrides the default behavior of *allow all access over the public internet endpoint; deny all access over Private Link*. The implication is that if you make a mistake putting in the traffic source (for example, specified the wrong IP address) the deployment will be effectively locked down to any of your traffic. You can use the UI to adjust or remove the rule sets.
-
-:::{admonition} Rule limits
-In {{ech}}, you can have a maximum of 1024 rule sets per organization and 128 rules in each rule set.
-
-In {{ece}}, you can have a maximum of 512 rule sets per organization and 128 rules in each rule set.
-:::
-
-### Tips
-
-This section offers suggestions on how to manage and analyze the impact of your traffic filters in ECH and ECE.
-
-#### Review the rule sets associated with a deployment
-
-1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body) or [Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
-2. On the **Deployments** page, select your deployment.
-3. Select the **Security** tab on the left-hand side menu bar.
-
-Traffic filter rule sets are listed under **Traffic filters**.
-
-On this page, you can view and remove existing filters and attach new filters.
-
-#### Identify default rule sets
-To identify which rule sets are automatically applied to new deployments in your account:
-
-1. Navigate to the traffic filters list:
-
- ::::{tab-set}
- :group: ech-ece
-
- :::{tab-item} {{ech}}
- :sync: ech
- 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
- 2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus.
- 3. Under the **Features** tab, open the **Traffic filters** page.
- :::
- :::{tab-item} {{ece}}
- :sync: ece
- 4. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
- 5. From the **Platform** menu, select **Security**.
- :::
- ::::
-
-2. Select each of the rule sets — **Include by default** is checked when this rule set is automatically applied to all new deployments in its region.
-
-#### View rejected requests
+By default, in {{serverless-full}}, {{ech}}, and {{ece}}, all your deployments are accessible over the public internet. After you associate at least one IP filtering rule with an {{ece}} deployment, or one network security policy with an {{ecloud}} deployment or project, traffic that does not match any rules or policies for the deployment or project is denied.
-Requests rejected by traffic filter have status code `403 Forbidden` and one of the following in the response body:
+For details about how these rules and policies interact with your deployment or project, other rules or policies, and the internet, refer to the topic for your deployment type:
-```json
-{"ok":false,"message":"Forbidden"}
-```
+* [](network-security-policies.md)
+* [](ece-filter-rules.md)
-```json
-{"ok":false,"message":"Forbidden due to traffic filtering. Please see the Elastic documentation on Traffic Filtering for more information."}
-```
+:::{note}
+For details about how basic IP filters and Kubernetes network policies impact your cluster, refer to the guide for the feature:
-Additionally, traffic filter rejections are logged in ECE proxy logs as `status_reason: BLOCKED_BY_IP_FILTER`. Proxy logs also provide client IP in `client_ip` field.
\ No newline at end of file
+* [](/deploy-manage/security/ip-filtering-basic.md)
+* [](/deploy-manage/security/k8s-network-policies.md)
+:::
\ No newline at end of file
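Review bot: this hunk deletes several operational caveats without replacing them on this page: the default-behaviour statement (`allow all access over the public internet endpoint; deny all access over Private Link`) together with the lockout warning that a mistyped source IP leaves the deployment `effectively locked down to any of your traffic`, the statement that filters apply to external traffic only and that other deployments cannot connect to a filtered deployment, the explanation that domain-based rules are not allowed because the client IP is hidden behind the proxy, and the rule and rule-set limits. The replacement text only says to `refer to the topic for your deployment type` (network-security-policies.md and ece-filter-rules.md, both new in this PR); confirm each of those points landed in those pages, because the lockout and internal-traffic behaviour are exactly what users hit when a filter is misconfigured. Second, the private connections row says `further secure these connections using VPCE filtering` while every other occurrence in the PR uses `VCPE`; fix the transposition. Third, the table header `Filter type` no longer fits rows that include private connections and Kubernetes network policies; `Method` would match the `## Network security methods` heading.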
diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml
index b83bf1c72c..a178f4e6f1 100644
--- a/deploy-manage/toc.yml
+++ b/deploy-manage/toc.yml
@@ -485,11 +485,12 @@ toc:
- file: security/k8s-transport-settings.md
- file: security/traffic-filtering.md
children:
+ - file: security/network-security-policies.md
+ - file: security/ece-filter-rules.md
- file: security/ip-traffic-filtering.md
children:
- file: security/ip-filtering-cloud.md
- children:
- - file: security/ec-traffic-filtering-through-the-api.md
+ - file: security/ip-filtering-ece.md
- file: security/ip-filtering-basic.md
- file: security/private-link-traffic-filters.md
children:
@@ -497,6 +498,7 @@ toc:
- file: security/azure-private-link-traffic-filters.md
- file: security/gcp-private-service-connect-traffic-filters.md
- file: security/claim-traffic-filter-link-id-ownership-through-api.md
+ - file: security/ec-traffic-filtering-through-the-api.md
- file: security/k8s-network-policies.md
- file: security/elastic-cloud-static-ips.md
- file: security/kibana-session-management.md
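Review bot: `security/ec-traffic-filtering-through-the-api.md` is moved out from under `security/ip-filtering-cloud.md` and into the children of `security/private-link-traffic-filters.md`, after the claim-link-ID page. If that page still documents the traffic filtering API for IP rule sets as well as for private connection filters (the file name suggests the generic API), nesting it under private connections hides it from readers configuring IP filters; it would sit better directly under `security/traffic-filtering.md` next to the new `security/network-security-policies.md` and `security/ece-filter-rules.md` entries. If the page was narrowed to private connections, a rename would make the placement self-explanatory.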
diff --git a/deploy-manage/users-roles.md b/deploy-manage/users-roles.md
index 8cafcd3ecb..6e77b00ba5 100644
--- a/deploy-manage/users-roles.md
+++ b/deploy-manage/users-roles.md
@@ -22,7 +22,7 @@ The methods that you use to authenticate users and control access depends on the
::::{note}
Preventing unauthorized access is only one element of a complete security strategy. To secure your Elastic environment, you can also do the following:
-* Restrict the nodes and clients that can connect to the cluster using [traffic filters](/deploy-manage/security/traffic-filtering.md).
+* Restrict the nodes and clients that can connect to the cluster using [network security](/deploy-manage/security/traffic-filtering.md) controls.
* Take steps to maintain your data integrity and confidentiality by [encrypting HTTP and inter-node communications](/deploy-manage/security/secure-cluster-communications.md), as well as [encrypting your data at rest](/deploy-manage/security/data-security.md).
* Maintain an [audit trail](/deploy-manage/security/logging-configuration/security-event-audit-logging.md) for security-related events.
* Control access to dashboards and other saved objects in your UI using [{{kib}} spaces](/deploy-manage/manage-spaces.md).
diff --git a/solutions/observability/synthetics/traffic-filters.md b/solutions/observability/synthetics/traffic-filters.md
index 9be6d774ff..1a7f258891 100644
--- a/solutions/observability/synthetics/traffic-filters.md
+++ b/solutions/observability/synthetics/traffic-filters.md
@@ -3,19 +3,20 @@ mapped_pages:
- https://www.elastic.co/guide/en/observability/current/synthetics-traffic-filters.html
applies_to:
stack:
+ serverless:
products:
- id: observability
---
-# Use Synthetics with traffic filters [synthetics-traffic-filters]
+# Use Synthetics with network security [synthetics-traffic-filters]
-If you are setting up Synthetics for a deployment configured with [traffic filters](/deploy-manage/security/traffic-filtering.md), none of your results will be visible in the {{synthetics-app}} until permission to write the results to {{es}} is explicitly granted.
+If you are setting up Synthetics for a deployment configured with [network security](/deploy-manage/security/traffic-filtering.md), specifically IP filters or VCPE filters, none of your results will be visible in the {{synthetics-app}} until permission to write the results to {{es}} is explicitly granted.
-If you don’t configure the traffic filters, the tests will run, but in the UI it will appear like they are not running because the results cannot be written back to {{es}}.
+If you don’t configure additional IP filter policies, the tests will run, but in the UI it will appear like they are not running because the results cannot be written back to {{es}}.
## Obtain the IP address [_obtain_the_ip_address]
-The IP address or CIDR block of the hosts running the tests need to be configured in your [Traffic filters](/deploy-manage/security/ip-traffic-filtering.md) to allow inbound connection into your {{es}} instance to store the results.
+The IP address or CIDR block of the hosts running the tests need to be configured in your [IP filtering rules or policies](/deploy-manage/security/ip-traffic-filtering.md) to allow inbound connection into your {{es}} instance to store the results.
The IP addresses to be used depend on where the monitors are running, either on Elastic’s global managed testing infrastructure or {{private-location}}s.
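Review bot: the two rewritten sentences disagree about which controls are in scope: the first says `specifically IP filters or VCPE filters`, the second says `If you don’t configure additional IP filter policies`; the second should name both, and `policies` is the ECH/serverless term while ECE uses rules, which the later `IP filtering rules or policies` link text gets right. Grammar in the `+` line under `## Obtain the IP address`: `The IP address or CIDR block of the hosts running the tests need to be configured` should read `needs to be configured`, and `allow inbound connection` should be `allow inbound connections`.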
@@ -43,16 +44,14 @@ Note that as regions are added, this list will change. Similarly existing region
If you’re running tests from [{{private-location}}s](/solutions/observability/synthetics/monitor-resources-on-private-networks.md), you will have the {{agent}} installed on host machines that run the tests. You need to obtain the address ranges for these machines. This needs to be the IP address that the host is making the connection from into the {{es}} cluster. This *might not* be the IP address bound to the network interface of the host machine, but the proxy or other address based on your network configuration.
-## Add the traffic filter [_add_the_traffic_filter]
+## Add the IP filter [_add_the_traffic_filter]
-Once you know the CIDR blocks for your testing sources, add them to your {{es}} deployment. Find detailed instructions in the [IP traffic filters](/deploy-manage/security/ip-traffic-filtering.md) docs.
+Once you know the CIDR blocks for your testing sources, add them to your {{es}} deployment. Find detailed instructions in the [](/deploy-manage/security/ip-traffic-filtering.md) docs.
-For example, if you had a {{private-location}} running with a public CIDR block of `1.2.3.4/32` and were running tests from the `Europe - United Kingdom` region, you would first create a traffic filter with the following:
+For example, if you had a {{private-location}} running with a public CIDR block of `1.2.3.4/32` and were running tests from the `Europe - United Kingdom` region, you would first create an IP filter with the following sources:
-:::{image} /solutions/images/observability-synthetics-traffic-filters-create-filter.png
-:alt: Create a traffic filter in {{ecloud}}
-:screenshot:
-:::
+* `1.2.3.4/32`
+* `34.89.99.187/32`
-Once the traffic filter has been created, it needs to be assigned to the deployment from which you’re managing monitors from (the deployment containing the {{es}} cluster where your results need to go).
+In ECH, ECE, and Serverless, after the IP filter has been created, it needs to be associated with the deployment from which you’re managing monitors from (the deployment containing the {{es}} cluster where your results need to go).
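Review bot: replacing the screenshot with a literal source list is better for maintenance, but `34.89.99.187/32` now has to stay in sync with the `Europe - United Kingdom` entry in the region IP table earlier on this page; if that table changes, this example silently goes stale, so either say explicitly that the second entry is the UK region address from the table above or keep only the constructed `1.2.3.4/32`. Also, `associated with the deployment from which you’re managing monitors from` doubles `from`, and since the sentence now opens `In ECH, ECE, and Serverless`, it should say `deployment or project`, because serverless has projects rather than deployments.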
diff --git a/solutions/security/cloud/get-started-with-cspm-for-aws.md b/solutions/security/cloud/get-started-with-cspm-for-aws.md
index d85ed73000..dc7d9ede89 100644
--- a/solutions/security/cloud/get-started-with-cspm-for-aws.md
+++ b/solutions/security/cloud/get-started-with-cspm-for-aws.md
@@ -54,7 +54,7 @@ You can set up CSPM for AWS either by enrolling a single cloud account, or by en
8. Once you’ve selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes.
::::{admonition} Important
-Agentless deployment does not work if you are using [Traffic filtering](/deploy-manage/security/traffic-filtering.md).
+Agentless deployment does not work if you are using [network security policies](/deploy-manage/security/traffic-filtering.md).
::::
## Agent-based deployment [cspm-aws-agent-based]
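Review bot: replacing `Traffic filtering` with `network security policies` narrows the statement: `policies` is the ECH/serverless term introduced in this PR, while ECE still uses IP filtering rules, and the linked page covers both plus private connections. If agentless deployment is blocked by any inbound restriction, phrase it as `network security controls (IP filters or private connections)`; if it is blocked only by one kind, say which one so readers can keep the others. The same wording is used in the Azure and GCP hunks below, so fix all three together.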
diff --git a/solutions/security/cloud/get-started-with-cspm-for-azure.md b/solutions/security/cloud/get-started-with-cspm-for-azure.md
index 0bcb230c88..b7a7a083e2 100644
--- a/solutions/security/cloud/get-started-with-cspm-for-azure.md
+++ b/solutions/security/cloud/get-started-with-cspm-for-azure.md
@@ -45,7 +45,7 @@ You can set up CSPM for Azure by by enrolling an Azure organization (management
8. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes.
::::{admonition} Important
-Agentless deployment does not work if you are using [Traffic filtering](/deploy-manage/security/traffic-filtering.md).
+Agentless deployment does not work if you are using [network security policies](/deploy-manage/security/traffic-filtering.md).
::::
## Agent-based deployment [cspm-azure-agent-based]
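Review bot: the unchanged context line `You can set up CSPM for Azure by by enrolling an Azure organization` carries a doubled `by`; since this PR already touches the page, it is worth fixing here rather than leaving it for another pass. The agentless wording point raised on the AWS hunk applies to this hunk as well.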
diff --git a/solutions/security/cloud/get-started-with-cspm-for-gcp.md b/solutions/security/cloud/get-started-with-cspm-for-gcp.md
index 6f1194d5f3..22e498b979 100644
--- a/solutions/security/cloud/get-started-with-cspm-for-gcp.md
+++ b/solutions/security/cloud/get-started-with-cspm-for-gcp.md
@@ -45,7 +45,7 @@ You can set up CSPM for GCP either by enrolling a single project, or by enrollin
8. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes.
::::{admonition} Important
-Agentless deployment does not work if you are using [Traffic filtering](/deploy-manage/security/traffic-filtering.md).
+Agentless deployment does not work if you are using [network security policies](/deploy-manage/security/traffic-filtering.md).
::::
## Agent-based deployment [cspm-gcp-agent-based]