Help Center/ Cloud Search Service/ FAQs/ Accessing CSS Clusters/ How Do I Use a NAT Gateway to Enable Public Network Access for an Elasticsearch/OpenSearch Cluster?
Updated on 2025-09-04 GMT+08:00

How Do I Use a NAT Gateway to Enable Public Network Access for an Elasticsearch/OpenSearch Cluster?

Perform the following operations:

1. Obtaining Cluster Information

2. Configuring a NAT Gateway

3. Modifying Security Group Rules for the Cluster

4. Accessing a Cluster over the Public Network

If your CSS clusters do not have the security mode enabled, do not allow public network access to them via the NAT gateway. Otherwise, your data will be exposed to the Internet.

Obtaining Cluster Information

  1. Log in to the CSS management console.
  2. In the navigation pane, choose Clusters > Elasticsearch or Clusters > OpenSearch.
  3. In the cluster list, click the name of the target cluster. The cluster information page is displayed.
  4. Click the Overview tab.
  5. In the Configuration area, obtain the cluster's Region, VPC, Current Subnet, and Private IPv4 Address.

Configuring a NAT Gateway

  1. Create a public NAT gateway to enable public network access for the current cluster.

    For details, see Buying a Public NAT Gateway. Table 1 describes the key parameters. Set other parameters based on service requirements.
    Table 1 Configuring a public NAT gateway

    Parameter

    Description

    Region

    Use the region of the Elasticsearch/OpenSearch cluster.

    VPC

    Use the VPC of the Elasticsearch/OpenSearch cluster.

    Subnet

    Use the subnet of the Elasticsearch/OpenSearch cluster.

  2. After a public NAT gateway is created, add DNAT rules to allow the cluster in your VPC to provide services accessible from the Internet.

    For details, see Adding a DNAT Rule. Table 2 describes the key parameters. Set other parameters based on service requirements.

    Table 2 Adding a DNAT rule

    Parameter

    Description

    Public IP Address Type

    Select EIP.

    Remember the configured IP address, which will be needed for accessing the cluster from the public network.

    Public Port

    A custom port can be configured.

    Remember the configured port, which will be needed for accessing the cluster from the public network.

    Private IP Address

    Enter the cluster's private IPv4 address obtained Obtaining Cluster Information.

    Private Port

    Enter 9200.

    If the cluster has multiple private IPv4 addresses, add multiple DNAT rules.

Modifying Security Group Rules for the Cluster

  1. Log in to the CSS management console.
  2. In the navigation pane, choose Clusters > Elasticsearch or Clusters > OpenSearch.
  3. In the cluster list, click the name of the target cluster. The cluster information page is displayed.
  4. Click the Overview tab.
  5. In the Configuration area, find Security Group, and click the security group name to go to the details page.
  6. Click the Inbound Rules tab.
  7. Click Add Rule to add an inbound rule to allow port 9200.
  8. Click OK.

Accessing a Cluster over the Public Network

Enter https://{IP}:{port} or http://{IP}:{port} in the browser address box to access the Elasticsearch or OpenSearch cluster.
  • IP and port are the EIP and port you set when you added DNAT rules.
  • If you have enabled Security Mode for the cluster, enter https://{IP}:{port} and then enter the username and password for the cluster.
  • If you have not enabled Security Mode for the cluster, enter http://{IP}:{port}.