Elasticsearch:[Notice] Network architecture adjustment

Changes and timeline

Changes

• In the new network architecture, Alibaba Cloud ES instances are deployed in a virtual private cloud (VPC) that belongs to an Alibaba Cloud service account. This prevents the ES instances from accessing resources in other network environments.

• In the old network architecture, Alibaba Cloud ES instances are deployed in your VPC, and their network access is not restricted.

Adjust time

In October 2020, Alibaba Cloud Elasticsearch adjusted its network architecture.

• Except for the China (Zhangjiakou) region and regions outside China, ES instances created before October 2020 use the old network architecture.

• Except for the China (Zhangjiakou) region and regions outside China, ES instances created in or after October 2020 use the new network architecture.

• The timeline for the network architecture adjustment in the China (Zhangjiakou) region and regions outside China is not yet determined.

  To check for network connectivity, contact Alibaba Cloud Elasticsearch technical support by .

Impact of adjustment

• Instances that use the new network architecture cannot communicate with instances that use the old network architecture. This affects operations such as cross-cluster reindexing, cross-cluster search, and cross-cluster replication (CCR).

• New network architecture

  • You can configure private connections for Elasticsearch clusters. This feature uses PrivateLink to connect the Elasticsearch service VPC to your VPC to resolve certain network connectivity issues. For more information, see Configure a private connection for an instance.

  • In the new network architecture, features such as X-Pack Watcher, reindex, Lightweight Directory Access Protocol (LDAP) authentication, and Active Directory (AD) authentication are limited. PrivateLink is the only solution. For more information, see the following topics:

    • Configure a DingTalk robot to receive X-Pack Watcher alerts

    • Reindex data across Alibaba Cloud ES clusters

    • Best practices for integrating X-Pack with LDAP authentication

    • Configure Active Directory identity authentication

  • The X-Pack Watcher feature of Alibaba Cloud Elasticsearch cannot communicate directly with the Internet. It must communicate through the private endpoint of the instance in a VPC environment. To enable Internet access, complete the following steps:

    • Configure a PrivateLink connection for the instance. For more information, see Configure a PrivateLink connection for an instance.

    • Associate an Elastic IP Address (EIP) with an Elastic Compute Service (ECS) instance or configure Source Network Address Translation (SNAT). For more information, see Associate an EIP or Configure SNAT.

• Old network architecture

  • The PrivateLink feature is not supported.

  • LDAP and AD authentication are supported only in single-zone deployments, not in multi-zone deployments.