Skip to content

Serverless AWS PrivateLink support #5075

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
shainaraskas wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Serverless AWS PrivateLink support #5075

shainaraskas wants to merge 9 commits into from

Conversation

@shainaraskas
Copy link
Collaborator

@shainaraskas shainaraskas commented Feb 9, 2026
edited
Loading

Summary

Core changes

The rest are updating compatibility updates / wayfinding from the security > network security pages (see files changed)

Generative AI disclosure

  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?
  • Yes (ensuring consistent "deployments and projects" / mentions of private connectivity support across docset)
  • No
  1. If you answered "Yes" to the previous question, please specify the tool(s) and model(s) used (e.g., Google Gemini, OpenAI ChatGPT-4, etc.).

Tool(s) and model(s) used: cursor auto

Open questions

@github-actions
Copy link
Contributor

github-actions bot commented Feb 9, 2026
edited
Loading

✅ Vale Linting Results

No issues found on modified lines!

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@github-actions
Copy link
Contributor

github-actions bot commented Feb 9, 2026
edited
Loading

🔍 Preview links for changed docs

shainaraskas
shainaraskas commented Feb 9, 2026
View reviewed changes
deploy-manage/security/private-connectivity-aws.md
Comment on lines 165 to +167
The security group for the endpoint should, at minimum, allow for inbound connectivity from your instances' CIDR range on ports 443 and 9243. Security groups for the instances should allow for outbound connectivity to the endpoint on ports 443 and 9243.

<!--need to verify this for serverless-->
Copy link
Collaborator Author

@shainaraskas shainaraskas Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alxchalkias can anyone help to clarify what the requirement for the endpoint security group (inbound/outbound connectivity on the endpoint)?

Copy link
Contributor

@alxchalkias alxchalkias Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bobbybho or @igor-kupczynski can you confirm please?

@shainaraskas shainaraskas marked this pull request as ready for review February 9, 2026 21:48
@shainaraskas shainaraskas requested a review from a team as a code owner February 9, 2026 21:48
@alxchalkias
Copy link
Contributor

alxchalkias commented Feb 10, 2026

@shainaraskas to be confirmed with @bobbybho, but I think we need to add the "Serverless" badge to the claim ownership API doc page if this is supported to work with projects.

bobbybho
bobbybho reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

@bobbybho bobbybho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we also need to update the section "Create a DNS record" in https://www.elastic.co/docs/deploy-manage/security/private-connectivity-aws#ec-aws-vpc-dns. The sample screen capture is used for ECH, we should have a different screen capture (or a note) to show that the Host zone for serverless should be "private.us-east-1.aws.elastic.com"

deploy-manage/security/private-connectivity-aws.md Outdated
**Request**
```sh
$ curl -v https://my-deployment-d53192.es.vpce.us-east-1.aws.elastic-cloud.com -u {username}:{password}
$ curl -v https://my-resource-d53192.es.vpce.us-east-1.aws.elastic-cloud.com -u {username}:{password}
Copy link
Contributor

@bobbybho bobbybho Feb 10, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for serverless projects, the URL is

my-resource-d53192.es.private.us-east-1.aws.elastic.cloud

replace "vpce" with "private"

Copy link
Collaborator Author

@shainaraskas shainaraskas Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will those be updated in the product? that's data that I got from the QA environment

assuming yes, just double-checking

image

@shainaraskas
Copy link
Collaborator Author

shainaraskas commented Feb 10, 2026
edited
Loading

@bobbybho

The sample screen capture is used for ECH, we should have a different screen capture (or a note) to show that the Host zone for serverless should be "private.us-east-1.aws.elastic.com"

I think the screenshot is ok here because we're telling them to enter the PHZ domain name for their region. I've added a quick tip to warn people away from just assuming the name in the screenshot (and a couple of other places) applies to them:

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alxchalkias alxchalkias alxchalkias left review comments

@bobbybho bobbybho bobbybho left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@shainaraskas @alxchalkias @bobbybho