Merged
6 changes: 2 additions & 4 deletions deploy-manage/remote-clusters/ec-enable-ccs.md
Expand Up @@ -58,15 +58,13 @@ The steps, information, and authentication method required to configure CCS and
Traffic filtering isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
::::

API key authentication for remote clusters cannot be used in combination with traffic filtering.

For remote clusters configured using TLS certificate authentication, [traffic filtering](../security/traffic-filtering.md) can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.
You can enable [traffic filtering](../security/traffic-filtering.md) to restrict access to deployments used as a local or remote cluster, without impacting cross-cluster search or cross-cluster replication.

Traffic filtering for remote clusters supports 2 methods:

* [Filtering by IP addresses and Classless Inter-Domain Routing (CIDR) masks](../security/ip-traffic-filtering.md)
* Filtering by Organization or {{es}} cluster ID with a Remote cluster type filter. You can configure this type of filter from the **Security** > **Traffic filters** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page.

::::{note}
When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection.
When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections.
Contributor

It may be helpful to mention which version of ECE deprecates the TLS certificate method (RCS 1.0) to provide better clarity for users.

Contributor Author

@dnraitzyk dnraitzyk Jul 7, 2025

I was mostly just adding that to clarify it's the same as the deprecation on the auth page. I didn't want to be too redundant since the source of truth page for that deprecation exists elsewhere as shown. Do you think I should add it in multiple places?
Screenshot 2025-07-07 at 6 05 49 PM

Contributor

I think it would be helpful to mention the deprecated version here or include a link to the relevant document, but I’ll defer to @elastic/admin-docs for their recommendation.

::::
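Review bot: The sentence added at the end of the note, "This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections.", has an unclear "This" and capitalizes "TLS Certificates" where the rest of the page writes "TLS certificate authentication". Consider "This applies whether remote connections authenticate with API keys or TLS certificates (deprecated)." and link "(deprecated)" to the page that documents the deprecation, so readers can find the affected versions. Because the rewritten opening sentence no longer names an authentication method, it would also help to say why the {{ece}} proxy needs the region certificate when the connection authenticates with an API key.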
1 change: 0 additions & 1 deletion deploy-manage/remote-clusters/ec-remote-cluster-ece.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,6 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear
### Prerequisites and limitations [ec_prerequisites_and_limitations_3]

* The local and remote deployments must be on {{stack}} 8.14 or later.
* API key authentication can’t be used in combination with traffic filters.
* Contrary to the certificate security model, the API key security model does not require that both local and remote clusters trust each other.


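Review bot: With the "can’t be used in combination with traffic filters" bullet gone, the remaining bullet says the API key model does not require the clusters to trust each other, while the traffic filtering note in ec-enable-ccs.md now requires uploading the local region’s TLS certificate to the {{ece}} proxy regardless of authentication method. Judging by its filename this page covers a remote {{ece}} deployment, so add a bullet or link here pointing to that requirement; otherwise a reader who follows only these prerequisites can apply a traffic filter and miss the certificate upload.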
Expand Up @@ -42,7 +42,6 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear
### Prerequisites and limitations [ec_prerequisites_and_limitations_2]

* The local and remote deployments must be on {{stack}} 8.14 or later.
* API key authentication can’t be used in combination with traffic filters.
* Contrary to the certificate security model, the API key security model does not require that both local and remote clusters trust each other.


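Review bot: Deleting this limitation leaves "{{stack}} 8.14 or later" as the only version statement in the list, which reads as if API key authentication has worked with traffic filters on every supported version. If the combination only works from a later release, state that version here instead of removing the bullet outright; if it holds for all of 8.14 and later, a short positive bullet linking to the traffic filtering section would tell readers who remember the old restriction that it has been lifted.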
Expand Down Expand Up @@ -239,4 +238,4 @@ The response will include just the remote clusters from the same {{ecloud}} orga

## Configure roles and users [ec_configure_roles_and_users_2]

To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key).
To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key).
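Review bot: The removed and added lines in this hunk read identically, so the change looks like trailing whitespace or an end-of-file newline and is unrelated to the traffic filtering update. Confirm it is intentional or drop it from the PR; the same applies to the @@ -321,4 +320,4 @@ hunk further down.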
Expand Up @@ -42,7 +42,6 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear
### Prerequisites and limitations [ec_prerequisites_and_limitations]

* The local and remote deployments must be on {{stack}} 8.14 or later.
* API key authentication can’t be used in combination with traffic filters.
* Contrary to the certificate security model, the API key security model does not require that both local and remote clusters trust each other.


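Review bot: The prerequisites list is maintained as four copies (ec_prerequisites_and_limitations and its _2, _3 and _4 variants), and each one needs this same one-line deletion. If the docs tooling allows it, move the shared bullets into one reusable snippet so that a security-relevant limitation like this one cannot be updated in some files and left stale in others.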
Expand Up @@ -39,7 +39,6 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear
### Prerequisites and limitations [ec_prerequisites_and_limitations_4]

* The local and remote deployments must be on {{stack}} 8.14 or later.
* API key authentication can’t be used in combination with traffic filters.
* Contrary to the certificate security model, the API key security model does not require that both local and remote clusters trust each other.


Expand Down Expand Up @@ -321,4 +320,4 @@ The response will include just the remote clusters from the same {{ecloud}} orga

## Configure roles and users [ec_configure_roles_and_users_4]

To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key).
To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key).
2 changes: 1 addition & 1 deletion deploy-manage/remote-clusters/ece-enable-ccs.md
Contributor

I cannot change it as it's not part of this PR, but the following should also be updated, as it explicitly mentions TLS cert authentication:

> For remote clusters configured using TLS certificate authentication, traffic filtering can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.

I'd suggest something similar to my previous comment.

Contributor Author

What did you mean here?

Contributor

@eedugon eedugon Jul 10, 2025

Sorry I'm late here @dnraitzyk. It wasn't important.
What I meant is that this PR removes the inconsistency of specifying that only TLS certificate authentication was supported for traffic filters + remote cluster, and we have left a paragraph that explicitly mentions TLS cert authentication:

> For remote clusters configured using TLS certificate authentication, traffic filtering can be enabled....

The "using TLS certificate authentication" should probably be removed because API keys are also supported.

Anyway it's not a big deal and we can change it in another PR :)

Expand Up @@ -73,5 +73,5 @@ Traffic filtering for remote clusters supports 2 methods:
* Filtering by Organization or {{es}} cluster ID with a Remote cluster type filter. You can configure this type of filter from the **Platform** > **Security** page of your environment or using the [{{ece}} API](https://www.elastic.co/docs/api/doc/cloud-enterprise) and apply it from each deployment’s **Security** page.

::::{note}
When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection.
When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections. This applies regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections.
::::
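Review bot: The added line ends with the same sentence twice, once as "This is regardless of whether ..." and once as "This applies regardless of whether ...". Keep only the "This applies" version, and use the same wording for the matching note in ec-enable-ccs.md so the two pages stay consistent.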