From 7b8d8b49396fe5ff7e9e9ada2faec37d7ccd262f Mon Sep 17 00:00:00 2001 From: David Raitzyk Date: Mon, 7 Jul 2025 17:11:57 -0400 Subject: [PATCH 1/3] remove line stating traffic filters cannot be used with API key (RCS 2.0) --- deploy-manage/remote-clusters/ec-enable-ccs.md | 2 -- deploy-manage/remote-clusters/ec-remote-cluster-ece.md | 1 - deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md | 3 +-- deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md | 1 - .../remote-clusters/ec-remote-cluster-self-managed.md | 3 +-- 5 files changed, 2 insertions(+), 8 deletions(-) diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md index 5d0d5be6f1..9888fdb719 100644 --- a/deploy-manage/remote-clusters/ec-enable-ccs.md +++ b/deploy-manage/remote-clusters/ec-enable-ccs.md @@ -58,8 +58,6 @@ The steps, information, and authentication method required to configure CCS and Traffic filtering isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment. :::: -API key authentication for remote clusters cannot be used in combination with traffic filtering. - For remote clusters configured using TLS certificate authentication, [traffic filtering](../security/traffic-filtering.md) can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication. Traffic filtering for remote clusters supports 2 methods: diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md index 0a8e981876..bcaeda22cd 100644 --- a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md +++ b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md 
@@ -39,7 +39,6 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Prerequisites and limitations [ec_prerequisites_and_limitations_3] * The local and remote deployments must be on {{stack}} 8.14 or later. -* API key authentication can’t be used in combination with traffic filters. * Contrary to the certificate security model, the API key security model does not require that both local and remote clusters trust each other. diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md index 4a4ee95798..67969591e2 100644 --- a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md +++ b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md @@ -42,7 +42,6 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Prerequisites and limitations [ec_prerequisites_and_limitations_2] * The local and remote deployments must be on {{stack}} 8.14 or later. -* API key authentication can’t be used in combination with traffic filters. * Contrary to the certificate security model, the API key security model does not require that both local and remote clusters trust each other. 
@@ -242,4 +241,4 @@ The response will include just the remote clusters from the same {{ecloud}} orga ## Configure roles and users [ec_configure_roles_and_users_2] -To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key). \ No newline at end of file +To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key). diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md b/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md index 9c99322932..3396727e52 100644 --- a/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md +++ b/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md @@ -42,7 +42,6 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Prerequisites and limitations [ec_prerequisites_and_limitations] * The local and remote deployments must be on {{stack}} 8.14 or later. -* API key authentication can’t be used in combination with traffic filters. * Contrary to the certificate security model, the API key security model does not require that both local and remote clusters trust each other. diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md b/deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md index a6172ca5f3..de6f336a8d 100644 --- a/deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md +++ b/deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md 
@@ -39,7 +39,6 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Prerequisites and limitations [ec_prerequisites_and_limitations_4] * The local and remote deployments must be on {{stack}} 8.14 or later. -* API key authentication can’t be used in combination with traffic filters. * Contrary to the certificate security model, the API key security model does not require that both local and remote clusters trust each other. @@ -326,4 +325,4 @@ The response will include just the remote clusters from the same {{ecloud}} orga ## Configure roles and users [ec_configure_roles_and_users_4] -To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key). \ No newline at end of file +To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key). From a5a1b358ce6b02268eba68844aac787b4439baf3 Mon Sep 17 00:00:00 2001 From: David Raitzyk Date: Mon, 7 Jul 2025 17:38:42 -0400 Subject: [PATCH 2/3] add traffic filter region TLS cert clarificatio --- deploy-manage/remote-clusters/ec-enable-ccs.md | 2 +- deploy-manage/remote-clusters/ece-enable-ccs.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md index 9888fdb719..e49e6603de 100644 --- a/deploy-manage/remote-clusters/ec-enable-ccs.md +++ b/deploy-manage/remote-clusters/ec-enable-ccs.md 
@@ -66,5 +66,5 @@ Traffic filtering for remote clusters supports 2 methods: * Filtering by Organization or {{es}} cluster ID with a Remote cluster type filter. You can configure this type of filter from the **Security** > **Traffic filters** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page. ::::{note} -When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. +When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections. :::: diff --git a/deploy-manage/remote-clusters/ece-enable-ccs.md b/deploy-manage/remote-clusters/ece-enable-ccs.md index e966138d60..de556be9f1 100644 --- a/deploy-manage/remote-clusters/ece-enable-ccs.md +++ b/deploy-manage/remote-clusters/ece-enable-ccs.md 
@@ -73,5 +73,5 @@ Traffic filtering for remote clusters supports 2 methods: * Filtering by Organization or {{es}} cluster ID with a Remote cluster type filter. You can configure this type of filter from the **Platform** > **Security** page of your environment or using the [{{ece}} API](https://www.elastic.co/docs/api/doc/cloud-enterprise) and apply it from each deployment’s **Security** page. ::::{note} -When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. +When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections. :::: From bf5eaacd42ec1dbad78288b95b350992c6c8872a Mon Sep 17 00:00:00 2001 From: David Raitzyk Date: Wed, 9 Jul 2025 13:18:45 -0400 Subject: [PATCH 3/3] Small modifications to wording based on PR feedback --- deploy-manage/remote-clusters/ec-enable-ccs.md | 2 +- deploy-manage/remote-clusters/ece-enable-ccs.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy-manage/remote-clusters/ec-enable-ccs.md b/deploy-manage/remote-clusters/ec-enable-ccs.md index e49e6603de..7802061d34 100644 --- a/deploy-manage/remote-clusters/ec-enable-ccs.md +++ b/deploy-manage/remote-clusters/ec-enable-ccs.md 
@@ -58,7 +58,7 @@ The steps, information, and authentication method required to configure CCS and Traffic filtering isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment. :::: -For remote clusters configured using TLS certificate authentication, [traffic filtering](../security/traffic-filtering.md) can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication. +You can enable [traffic filtering](../security/traffic-filtering.md) to restrict access to deployments used as a local or remote cluster, without impacting cross-cluster search or cross-cluster replication. Traffic filtering for remote clusters supports 2 methods: diff --git a/deploy-manage/remote-clusters/ece-enable-ccs.md b/deploy-manage/remote-clusters/ece-enable-ccs.md index de556be9f1..b99615b9fa 100644 --- a/deploy-manage/remote-clusters/ece-enable-ccs.md +++ b/deploy-manage/remote-clusters/ece-enable-ccs.md 
@@ -73,5 +73,5 @@ Traffic filtering for remote clusters supports 2 methods: * Filtering by Organization or {{es}} cluster ID with a Remote cluster type filter. You can configure this type of filter from the **Platform** > **Security** page of your environment or using the [{{ece}} API](https://www.elastic.co/docs/api/doc/cloud-enterprise) and apply it from each deployment’s **Security** page. ::::{note} -When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections. +When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections. This applies regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections. ::::
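Review bot: In [PATCH 1/3], the ec-enable-ccs.md hunk at -58,8 deletes the API key limitation but keeps the next sentence as unchanged context: "For remote clusters configured using TLS certificate authentication, [traffic filtering](../security/traffic-filtering.md) can be enabled ...". After this commit alone the page still reads as if traffic filtering applies only to the certificate model, and that sentence is not reworded until [PATCH 3/3]. Consider squashing the rewording into this commit so no intermediate revision carries the contradictory scope. The series only touches the note in ece-enable-ccs.md, so please also confirm that file has no equivalent "configured using TLS certificate authentication" lead-in left behind.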
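Review bot: In [PATCH 2/3], the sentence appended to the note in both ec-enable-ccs.md (-66,5) and ece-enable-ccs.md (-73,5) uses "TLS Certificates (deprecated)" with a capital C and plural, while the surrounding text in the same page uses "TLS certificate authentication"; "API key" is also left without a noun. Suggest matching the existing terminology, for example "This applies regardless of whether the remote connection uses API key authentication or TLS certificate authentication (deprecated)." Since this note is the only place these pages now say which authentication models work with traffic filters, the wording should be unambiguous about that.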
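Review bot: In [PATCH 3/3], the ece-enable-ccs.md hunk at -73,5 adds the new sentence without removing the old one, so the note now ends with "This is regardless of whether you are using API key or TLS Certificates (deprecated) ..." immediately followed by "This applies regardless of whether you are using API key or TLS Certificates (deprecated) ...". Drop the "This is regardless" sentence and keep only the reworded one. The same commit's ec-enable-ccs.md hunk (-58,7) changes only the intro sentence and leaves that file's note with the [PATCH 2/3] wording, so the two pages end up with different text for the same note; apply the same single-sentence wording there.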