How Do I Use a NAT Gateway to Enable Public Network Access for an Elasticsearch/OpenSearch Cluster?
Perform the following operations:
1. Obtaining Cluster Information
2. Configuring a NAT Gateway
3. Modifying Security Group Rules for the Cluster
4. Accessing a Cluster over the Public Network

If your CSS clusters do not have the security mode enabled, do not allow public network access to them via the NAT gateway. Otherwise, your data will be exposed to the Internet.
Obtaining Cluster Information
- Log in to the CSS management console.
- In the navigation pane, choose Clusters > Elasticsearch or Clusters > OpenSearch.
- In the cluster list, click the name of the target cluster. The cluster information page is displayed.
- Click the Overview tab.
- In the Configuration area, obtain the cluster's Region, VPC, Current Subnet, and Private IPv4 Address.
Configuring a NAT Gateway
- Create a public NAT gateway to enable public network access for the current cluster.
For details, see Buying a Public NAT Gateway. Table 1 describes the key parameters. Set other parameters based on service requirements.
- After a public NAT gateway is created, add DNAT rules to allow the cluster in your VPC to provide services accessible from the Internet.
For details, see Adding a DNAT Rule. Table 2 describes the key parameters. Set other parameters based on service requirements.
Table 2 Adding a DNAT rule (Parameter: Description)
- Public IP Address Type: Select EIP. Remember the configured IP address, which will be needed for accessing the cluster from the public network.
- Public Port: A custom port can be configured. Remember the configured port, which will be needed for accessing the cluster from the public network.
- Private IP Address: Enter the cluster's private IPv4 address obtained in Obtaining Cluster Information.
- Private Port: Enter 9200.
If the cluster has multiple private IPv4 addresses, add multiple DNAT rules.
Modifying Security Group Rules for the Cluster
- Log in to the CSS management console.
- In the navigation pane, choose Clusters > Elasticsearch or Clusters > OpenSearch.
- In the cluster list, click the name of the target cluster. The cluster information page is displayed.
- Click the Overview tab.
- In the Configuration area, find Security Group, and click the security group name to go to the details page.
- Click the Inbound Rules tab.
- Click Add Rule to add an inbound rule to allow port 9200.
- Click OK.
Accessing a Cluster over the Public Network
- IP and port are the EIP and port you set when you added DNAT rules.
- If you have enabled Security Mode for the cluster, enter https://{IP}:{port} and then enter the username and password for the cluster.
- If you have not enabled Security Mode for the cluster, enter http://{IP}:{port}.
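To confirm what an unauthenticated Internet client sees once the DNAT rule and security group rule are in place, the following added example (not part of the CSS documentation) probes the EIP and port without credentials. It assumes a security-mode cluster answers unauthenticated requests with HTTP 401, as Elasticsearch and OpenSearch security do; probe, assess and the result labels are names introduced here, and the address in the usage line is a placeholder.

```python
import http.client
import ssl
import urllib.error
import urllib.request


def probe(scheme, host, port, timeout=5.0):
    """Send one GET / with no credentials; return the HTTP status or None."""
    # Verification is off only so the status can be read from a cluster whose
    # certificate is not in the local trust store; no credentials are sent.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),  # connect directly, ignore proxies
        urllib.request.HTTPSHandler(context=ctx),
    )
    try:
        with opener.open(f"{scheme}://{host}:{port}/", timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # e.g. 401 when the cluster demands credentials
    except (urllib.error.URLError, http.client.HTTPException, OSError):
        return None  # refused, timed out, or wrong protocol on this port


def assess(host, port, timeout=5.0):
    """Classify what an anonymous Internet client sees on the DNAT endpoint."""
    http_status = probe("http", host, port, timeout)
    https_status = probe("https", host, port, timeout)
    if 200 in (http_status, https_status):
        return "EXPOSED"  # cluster answers without credentials
    if https_status == 401:
        return "AUTH_REQUIRED"  # expected result for a security-mode cluster
    if http_status == 401:
        return "AUTH_OVER_HTTP"  # credentials would cross the Internet in clear
    if http_status is None and https_status is None:
        return "UNREACHABLE"  # DNAT rule or security group is not passing traffic
    return "UNKNOWN"


if __name__ == "__main__":
    # Placeholder values: substitute the EIP and public port of your DNAT rule.
    print(assess("203.0.113.10", 9200))
```

A result of EXPOSED means the cluster is reachable without authentication and the DNAT rule should be removed until Security Mode is enabled.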