Separating node-to-node and client traffic


Elasticsearch supports TCP transport profiles, which let a node bind to several ports and addresses. The Elasticsearch security features build on this to harden the cluster by separating node-to-node transport traffic from client transport traffic. This matters when the client transport traffic is not trusted and could be malicious: a client profile only accepts client-level requests, so a compromised or hostile transport client cannot issue the internal operations that nodes exchange among themselves. To separate the node-to-node traffic from the client traffic, add the following to elasticsearch.yml:

transport.profiles.client:
  port: 9500-9600
  xpack.security:
    type: client

client is the name of this example profile.

port is the port range that transport clients use to communicate with this cluster.

xpack.security.type: client categorizes the profile as a client profile. This adds security filters that deny requests for internal cluster operations (for example shard-level actions and ping requests) arriving on this profile.

If your environment supports it, an internal network can be used for node-to-node traffic and a public network for client traffic by adding the following to elasticsearch.yml:

transport.profiles.default.bind_host: 10.0.0.1
transport.profiles.client.bind_host: 1.1.1.1

transport.profiles.default.bind_host is the bind address on the network used for node-to-node communication.

transport.profiles.client.bind_host is the bind address on the network used for client communication.

If separate networks are not available, IP filtering can be enabled to limit which addresses may connect to each profile.

When TLS is enabled on the transport layer, a different set of certificates can also be used for the client profile by adding the following to elasticsearch.yml:

transport.profiles.client.xpack.security.ssl.truststore:
  path: /path/to/another/truststore
  password: x-pack-test-password

transport.profiles.client.xpack.security.ssl.keystore:
  path: /path/to/another/keystore
  password: x-pack-test-password

To change the default behavior, which requires a certificate from every transport client, set the following value in the elasticsearch.yml file:

transport.profiles.client.xpack.security.ssl.client_authentication: none

This setting keeps certificate authentication active for node-to-node traffic on the default profile but removes the requirement to distribute a signed certificate to each transport client. Transport clients connecting through the client profile still verify the node's certificate against their own truststore and are then authenticated by their user credentials rather than by a client certificate. Set client_authentication: none only on the client profile; setting it on the default profile would drop certificate authentication for node-to-node traffic as well. For more information, see Configuring the Transport Client to work with a Secured Cluster.
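The checks a practitioner would want to run over an elasticsearch.yml before trusting the separation above (a typed client profile, a distinct bind address or an IP filter, and client_authentication: none confined to the client profile) are collected in the following added example. It is not Elasticsearch code: it flattens the settings into dotted keys, since Elasticsearch accepts both nested and dotted forms, and audits them. The setting names are those used on this page; the IP-filter key prefixes and the two sample configurations are assumptions constructed for the example.

```python
"""Audit an elasticsearch.yml for the client/node-to-node separation above.

Added example, not Elasticsearch code. Setting names follow the page; the
IP-filter key prefixes and both sample configurations are assumptions.
"""
from __future__ import annotations

# Constructed weak sample: the client profile shares the default profile's
# bind address, no IP filter limits it, and certificate authentication has
# also been switched off on the default (node-to-node) profile.
SAMPLE_WEAK = """\
transport.profiles.default.bind_host: 10.0.0.1
transport.profiles.client:
  port: 9500-9600
  bind_host: 10.0.0.1
  xpack.security:
    type: client
    ssl.client_authentication: none
transport.profiles.default.xpack.security.ssl.client_authentication: none
"""

# Constructed hardened sample: separate network for the client profile, its
# own truststore, and client certificates waived only on that profile.
SAMPLE_HARDENED = """\
transport.profiles.default.bind_host: 10.0.0.1
transport.profiles.client:
  port: 9500-9600
  bind_host: 1.1.1.1
  xpack.security:
    type: client
    ssl:
      client_authentication: none
      truststore.path: /path/to/another/truststore
"""

PROFILES = "transport.profiles."


def parse_settings(text: str) -> dict[str, str]:
    """Flatten the YAML subset used by these settings into dotted keys.

    Handles 'key: value' scalars and 'key:' blocks nested by indentation.
    Lists, quoting, multi-line values and inline comments are out of scope.
    """
    flat: dict[str, str] = {}
    stack: list[tuple[int, str]] = []  # (indent, dotted prefix) of open blocks
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"not a key/value line: {raw!r}")
        while stack and stack[-1][0] >= indent:  # leave blocks we have exited
            stack.pop()
        full = (stack[-1][1] + "." if stack else "") + key.strip()
        if value.strip():
            flat[full] = value.strip()
        else:
            stack.append((indent, full))  # a block whose children follow
    return flat


def profile_names(settings: dict[str, str]) -> set[str]:
    """Names of all transport profiles; 'default' always exists."""
    names = {"default"}
    for key in settings:
        if key.startswith(PROFILES):
            names.add(key[len(PROFILES):].split(".", 1)[0])
    return names


def audit_transport_profiles(settings: dict[str, str]) -> list[tuple[str, str]]:
    """Return (level, message) findings; no 'warn' entries means the split holds."""
    findings: list[tuple[str, str]] = []
    clients = [p for p in profile_names(settings)
               if settings.get(f"{PROFILES}{p}.xpack.security.type") == "client"]
    if not clients:
        findings.append(("warn", "no profile has xpack.security.type: client; "
                         "client requests are accepted on the node-to-node profile"))
    # Assumed IP-filter key forms: global xpack.security.transport.filter.*
    # or per-profile transport.profiles.<name>.xpack.security.filter.*
    ip_filtered = any(k.startswith("xpack.security.transport.filter.")
                      or ".xpack.security.filter." in k for k in settings)
    default_bind = settings.get(f"{PROFILES}default.bind_host", "<unset>")
    for p in clients:
        # An unset bind_host inherits the default, so '<unset>' on both
        # sides counts as the same network.
        bind = settings.get(f"{PROFILES}{p}.bind_host", "<unset>")
        if bind == default_bind and not ip_filtered:
            findings.append(("warn", f"profile {p!r} binds to {bind} like the default "
                             "profile and no IP filter is configured; untrusted "
                             "clients can reach the node-to-node port"))
        if settings.get(f"{PROFILES}{p}.xpack.security.ssl.client_authentication") == "none":
            findings.append(("info", f"profile {p!r} waives client certificates; "
                             "transport clients authenticate with credentials only"))
    for key in (f"{PROFILES}default.xpack.security.ssl.client_authentication",
                "xpack.security.transport.ssl.client_authentication"):
        if settings.get(key) == "none":
            findings.append(("warn", f"{key} is 'none': node-to-node traffic no "
                             "longer requires certificate authentication"))
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"== {name} ==")
        for level, message in audit_transport_profiles(parse_settings(sample)):
            print(f"  [{level}] {message}")
```

Run against the weak sample it reports two warnings (shared bind address without an IP filter, and client_authentication: none on the default profile) plus one informational entry; the hardened sample yields only the informational note that the client profile relies on credentials instead of client certificates. Because the linter works on the flattened keys, the same checks apply whether an operator wrote the settings nested or dotted.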