Access OpenSearch (VPC) Dashboard via Private Connection

August 17, 2024


In this article, I will demonstrate how I access my Amazon OpenSearch dashboard via a private network connection. Specifically, both the OpenSearch VPC endpoint and the OpenSearch domain, including the OpenSearch dashboard, are hosted in private subnets. An AWS access point sits in a separate VPC owned by a separate account, while most of the other AWS accounts run the application workloads of this web site.

Prior to today, the OpenSearch domain was in the public access network due to dependencies of other components of this site, which required the ES cluster to be publicly available. For example, one dependency comes from AppSync, a public-facing application which, with a default setup, requires its data source to be publicly accessible. Another example is my own access requirement to the ES or OpenSearch Service dashboard. Again, a publicly accessible dashboard is easy to set up and use.

As the chief architect of the tianzhui.cloud web site, I keep evolving its architecture to be more mature, secure, modernized, cost-optimized, etc.

Only recently did I migrate the OpenSearch domain from the public access network to the VPC network. Despite the change in network architecture, I would like to keep the user experience the same, or at least not changed in any way that has a negative impact. This means that the OpenSearch dashboard should still be accessible from my laptop. The only difference is that, this time, I will access the OpenSearch dashboard by reusing the existing private connection to the access point environment, in order to reach the OpenSearch domain in the VPC network.

To do so, I will leverage an OpenSearch Service-managed VPC endpoint, connecting the access point environment with the environment that the OpenSearch domain is in.

With an OpenSearch VPC endpoint, I can access my OpenSearch domain via a private connection. The OpenSearch VPC endpoint is powered by AWS PrivateLink. I can access the OpenSearch VPC domain as if it were in a private network, without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection dedicated to bridging the access point VPC and the VPC that OpenSearch is in. Instances in the access point VPC don't need public IP addresses to access OpenSearch.


Introduction


Access Amazon OpenSearch Service using an OpenSearch Service-managed VPC endpoint (AWS PrivateLink)

You can configure OpenSearch Service domains to expose additional endpoints running on public or private subnets within the same VPC, different VPC, or different AWS accounts. This enables you to add an additional layer of security to access your domains regardless of where they run, with no infrastructure to manage.

You establish this private connection by creating an OpenSearch Service-managed interface VPC endpoint, powered by AWS PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface VPC endpoint. These are service-managed network interfaces that serve as the entry point for traffic destined for OpenSearch Service. Standard AWS PrivateLink interface endpoint pricing applies for OpenSearch Service-managed VPC endpoints billed under AWS PrivateLink.

Considerations and limitations for OpenSearch Service

Before you set up an interface VPC endpoint for OpenSearch Service, review Considerations in the AWS PrivateLink Guide.

When using OpenSearch Service-managed VPC endpoints, consider the following (a few items cited from the AWS documentation):
  • You can only create interface VPC endpoints through the OpenSearch Service console or using the OpenSearch Service API. You cannot create interface VPC endpoints for OpenSearch Service using the Amazon VPC console.
  • OpenSearch Service-managed VPC endpoints aren't accessible from the internet. An OpenSearch Service-managed VPC endpoint is accessible only within the VPC where the endpoint is provisioned or any VPCs peered with the VPC where the endpoint is provisioned, as permitted by the route tables and security groups.
  • VPC endpoint policies are not supported for OpenSearch Service. You can associate a security group with the endpoint network interfaces to control traffic to OpenSearch Service through the interface VPC endpoint.


Architecture

The following diagram depicts how the OpenSearch domain in the VPC network is connected from my laptop.


Pricing

For the Oregon Region, the pricing per VPC endpoint per AZ is $0.01 per hour.
Data processing charges apply for the data volume processed through the VPC endpoint.


Deployment


Provide Access to an OpenSearch Domain

If the VPC that you want to access your domain is in another AWS account, you need to authorize it from the owner's account ([Leo:] the AWS account that owns the OpenSearch domain) before you can create an interface VPC endpoint.

To allow a VPC in another AWS account to access your domain
  1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/aos/home/.
  2. In the navigation pane, choose Domains and open the domain that you want to provide access to.
  3. Go to the VPC endpoints tab, which shows the accounts and corresponding VPCs that have access to your domain.
  4. Choose Authorize principal.
  5. Enter the AWS account ID of the account that will access your domain. This step authorizes the specified account to create VPC endpoints against the domain.
  6. Choose Authorize.




Create an interface VPC endpoint for a VPC domain

You can create an interface VPC endpoint for OpenSearch Service using either the OpenSearch Service console or the AWS Command Line Interface (AWS CLI).
To create an interface VPC endpoint for an OpenSearch Service domain
  1. Log in to the AWS account that will own the interface VPC endpoint.
  2. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/aos/home/.
  3. In the left navigation pane, choose VPC endpoints.
  4. Choose Create endpoint.
  5. Select whether to connect a domain in the current AWS account or another AWS account.
  6. Select the domain that you'll connect to with this endpoint. If the domain is in the current AWS account, use the dropdown to choose the domain. If the domain is in a different account, enter the ARN of the domain to connect to. To choose a domain in a different account, the owner needs to provide you access to the domain.
  7. For VPC, select the VPC from which you'll access OpenSearch Service.
  8. For Subnets, select one or more subnets from which you'll access OpenSearch Service.
  9. For Security groups, select the security groups to associate with the endpoint network interfaces. This is a critical step: it limits the ports, protocols, and sources of inbound traffic that you authorize into your endpoint. The security group rules must allow the resources that will use the VPC endpoint to communicate with the endpoint network interface.
  10. Choose Create endpoint. The endpoint should be active within 2-5 minutes.
  11. Copy the VPC endpoint FQDN, e.g., aos-<id>.<region>.es.amazonaws.com.
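The two console procedures above (authorizing the consumer account from the domain owner's account, then creating the endpoint from the consumer account and waiting for it to become active) can also be driven from the AWS CLI. The script below is an added example, not code from the original post. The account IDs, domain name, subnet and security group IDs are placeholders, and the two CLI profile names (one per account) are an assumption about how credentials are arranged.

```shell
#!/bin/sh
# Added example (not from the original post): drive the two procedures above
# from the AWS CLI. Every ID, name and profile below is a placeholder.
set -eu

REGION="${AOS_REGION:-us-west-2}"
DOMAIN_NAME="${AOS_DOMAIN_NAME:-my-domain}"                      # placeholder domain name
DOMAIN_OWNER_ACCOUNT="${AOS_DOMAIN_OWNER_ACCOUNT:-111122223333}" # placeholder: account owning the domain
CONSUMER_ACCOUNT="${AOS_CONSUMER_ACCOUNT:-444455556666}"         # placeholder: account owning the access point VPC
OWNER_PROFILE="${AOS_OWNER_PROFILE:-domain-owner}"               # assumed CLI profile for the owner account
CONSUMER_PROFILE="${AOS_CONSUMER_PROFILE:-access-point}"         # assumed CLI profile for the consumer account
SUBNET_IDS="${AOS_SUBNET_IDS:-subnet-aaaa1111 subnet-bbbb2222}"  # placeholder private subnets in the consumer VPC
SG_IDS="${AOS_SG_IDS:-sg-0123456789abcdef0}"                     # placeholder endpoint SG (inbound TCP 443 from clients)

# "a b c" -> ["a","b","c"]; POSIX sh has no arrays, so build the JSON by hand.
to_json_array() {
  out=""
  for item in $1; do
    out="${out:+$out,}\"$item\""
  done
  printf '[%s]' "$out"
}

# VpcOptions document for create-vpc-endpoint: subnets and security groups.
vpc_options_json() {
  printf '{"SubnetIds":%s,"SecurityGroupIds":%s}' \
    "$(to_json_array "$1")" "$(to_json_array "$2")"
}

# Service-managed endpoint hostnames have the form aos-<id>.<region>.es.amazonaws.com.
is_endpoint_fqdn() {
  case "$1" in
    aos-*.*.es.amazonaws.com) return 0 ;;
    *) return 1 ;;
  esac
}

dashboards_url() {
  printf 'https://%s/_dashboards\n' "$1"
}

# Step 1, run as the domain owner: the console's "Authorize principal".
authorize_consumer() {
  aws opensearch authorize-vpc-endpoint-access \
    --profile "$OWNER_PROFILE" --region "$REGION" \
    --domain-name "$DOMAIN_NAME" --account "$CONSUMER_ACCOUNT"
}

# Step 2, run as the consumer: create the endpoint against the owner's domain ARN.
# Prints the new endpoint ID.
create_endpoint() {
  aws opensearch create-vpc-endpoint \
    --profile "$CONSUMER_PROFILE" --region "$REGION" \
    --domain-arn "arn:aws:es:${REGION}:${DOMAIN_OWNER_ACCOUNT}:domain/${DOMAIN_NAME}" \
    --vpc-options "$(vpc_options_json "$SUBNET_IDS" "$SG_IDS")" \
    --query 'VpcEndpoint.VpcEndpointId' --output text
}

# Step 3: poll until the endpoint is ACTIVE (the post says 2-5 minutes); fail on CREATE_FAILED.
wait_active() {
  i=0
  while [ "$i" -lt 40 ]; do
    status="$(aws opensearch describe-vpc-endpoints \
      --profile "$CONSUMER_PROFILE" --region "$REGION" \
      --vpc-endpoint-ids "$1" --query 'VpcEndpoints[0].Status' --output text)"
    case "$status" in
      ACTIVE) return 0 ;;
      CREATE_FAILED) echo "endpoint $1 failed to create" >&2; return 1 ;;
    esac
    i=$((i + 1)); sleep 10
  done
  echo "timed out waiting for endpoint $1" >&2; return 1
}

# Step 4: read back the endpoint FQDN (the value the console shows after creation).
endpoint_fqdn() {
  aws opensearch describe-vpc-endpoints \
    --profile "$CONSUMER_PROFILE" --region "$REGION" \
    --vpc-endpoint-ids "$1" --query 'VpcEndpoints[0].Endpoint' --output text
}

main() {
  authorize_consumer >/dev/null
  id="$(create_endpoint)"
  wait_active "$id"
  fqdn="$(endpoint_fqdn "$id")"
  is_endpoint_fqdn "$fqdn" || { echo "unexpected endpoint name: $fqdn" >&2; return 1; }
  echo "Dashboards: $(dashboards_url "$fqdn")"
}

# Only talk to AWS when invoked as: sh aos-endpoint.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as sh aos-endpoint.sh run once the environment variables point at the real accounts. The owner-side call is idempotent, so re-running after a CREATE_FAILED only adds a new endpoint on the consumer side; the failed one still has to be deleted by hand.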

Configure Security Group Rules

In this scenario, security groups will be associated with both the OpenSearch VPC endpoint and the OpenSearch domain.

Security group for the OpenSearch VPC endpoint (inbound rules)
  Source              Protocol   Port
  IP range of client  TCP        443

Security group for the OpenSearch cluster (inbound rules)
  Source              Protocol   Port
  OpenSearch IPs      All        All

Access Policy

Configure the OpenSearch domain access policy. Note that this policy grants es:* on the domain to any principal ("AWS": "*"); for a VPC domain that is tolerable only because reachability is restricted to the endpoint's and the domain's security groups, so those inbound rules are the effective access control.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:<region>:111122223333:domain/<domain-name>/*"
    }
  ]
}

Validation

After the aforementioned steps are completed, we can validate the setup by accessing OpenSearch Dashboards using a URL of the following form:
https://aos-<id>.<region>.es.amazonaws.com/_dashboards
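Before opening the URL in a browser, it is worth confirming that the name resolves only to private addresses (as in the archived nslookup output at the end of this post, where the VPC resolver returns a 10.x address) and that TCP 443 reaches the endpoint. The script below is an added example, not from the original post; the FQDN is a placeholder, and it assumes a Linux client with glibc's getent and curl available.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the endpoint FQDN
# resolves only to private (RFC 1918) addresses and that Dashboards answers
# over that path. The FQDN is a placeholder.
set -eu

ENDPOINT_FQDN="${AOS_ENDPOINT_FQDN:-aos-0a1b2c3d.us-west-2.es.amazonaws.com}"  # placeholder

# Return 0 if $1 is an IPv4 address in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
  oldifs="$IFS"; IFS=.
  set -- $1            # split the dotted quad into positional parameters
  IFS="$oldifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  if [ "$1" -eq 10 ]; then return 0; fi
  if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
  if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
  return 1
}

# Addresses the local resolver returns for the FQDN (one per line). Inside the
# access point VPC this is the VPC resolver, 10.0.0.2 in the archived output.
resolve_ipv4() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Fail if the name resolves to nothing or to any non-private address: either
# case means traffic would not be taking the PrivateLink path.
check_private_resolution() {
  count=0
  for ip in $(resolve_ipv4 "$1"); do
    count=$((count + 1))
    if ! is_private_ipv4 "$ip"; then
      echo "$1 resolves to non-private address $ip" >&2
      return 1
    fi
  done
  [ "$count" -gt 0 ] || { echo "$1 did not resolve" >&2; return 1; }
  echo "$1 -> $count private address(es)"
}

# HTTP status from the Dashboards URL; 000 means no TCP/TLS connection at all,
# typically an endpoint security group without TCP 443 from the client range.
probe_dashboards() {
  code="$(curl -sS -o /dev/null -w '%{http_code}' --max-time 15 \
    "https://$1/_dashboards" 2>/dev/null)" || code="000"
  printf '%s\n' "${code:-000}"
}

main() {
  check_private_resolution "$ENDPOINT_FQDN"
  code="$(probe_dashboards "$ENDPOINT_FQDN")"
  echo "HTTP $code from https://$ENDPOINT_FQDN/_dashboards"
  [ "$code" != "000" ]
}

# Only touch the network when invoked as: sh aos-validate.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

A 2xx or 3xx status means the dashboard is reachable over the private path; a public address from the resolver means the client is not using the VPC resolver (for example, the private connection to the access point environment is down), and 000 points at the endpoint security group.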





References


Access AWS services through AWS PrivateLink

AWS PrivateLink Pricing


Archived

FQDN resolution:
$ nslookup
> vpc-test-vi***qa.us-west-2.es.amazonaws.com
Server:         10.0.0.2
Address:        10.0.0.2#53

Non-authoritative answer:
Name:   vpc-test-vi***qa.us-west-2.es.amazonaws.com
Address: 10.x.y.zzz


Category: data Tags: public
