A Cluster Is Unavailable Due to Improper Security Group Rules

Symptom

The cluster status is Unavailable.

Click the cluster name to go to the cluster details page. Choose Logs > Log Search. The following error message is displayed: "master not discovered or elected yet, an election requires at least 2 nodes with ids [xxx, xxx, xxx, ...], have discovered [xxx...] which is not a quorum".

Figure 1 Node error logs
Click to enlarge

Possible Causes

In the preceding error log, nodes in the cluster cannot communicate with each other and the cluster cannot select the active node. A possible cause is that the security group selected for the cluster does not enable the port 9300.

If the Elasticsearch cluster version is 7.6.2 or later, port 9300 is enabled on the subnet of user VPC by default. The security group selected for the cluster must enable the port 9300 in the subnet to ensure communication between nodes.

Procedure

On the Clusters page, click the name of the unavailable cluster. The cluster information page is displayed.
Click the Overview tab.
In the Network Information area, click the security group name. The security group details page is displayed.
On the Inbound Rules and Outbound Rules tabs, check whether there is a security group rule whose Action is Allow, Protocol & Port is TCP:9300, and Type is IPv4.
- If yes, contact technical support to locate the problem.
- If no, go to the next step.
Modify the cluster's security group to allow port 9300.
1. Click the Inbound Rules tab.
2. Click Add Rule. In the Add Inbound Rule dialog box, set Priority to 100, Action to Allow, Protocol & Port to Protocols/TCP (Custom) and 9300, Type to IPv4, and Source to the name of the current security group.
  Figure 2 Adding a security group rule
3. Click OK to enable port 9300.
4. Repeat the preceding steps to enable the port 9300 on the Outbound Rules tab page.
After the port 9300 is enabled for the security group, wait until the cluster becomes available.