Connect to Elasticsearch clusters in a different Elastic Cloud on Kubernetes environment

These steps describe how to configure a remote cluster connection between Elasticsearch clusters handled by different Elastic Cloud on Kubernetes (ECK) operators.

After the connection is established, you’ll be able to run CCS queries from Elasticsearch or set up CCR.

Note about terminology

In the case of remote clusters, the Elasticsearch cluster or deployment initiating the connection and requests is often referred to as the local cluster, while the Elasticsearch cluster or deployment receiving the requests is referred to as the remote cluster.

In this scenario, most of the configuration must be performed manually, as Elastic Cloud on Kubernetes cannot orchestrate the setup across both clusters. For fully automated configuration between ECK-managed clusters, refer to Connect to Elasticsearch clusters in the same ECK environment.

For other remote cluster scenarios with ECK, refer to Remote clusters on ECK.

Allow the remote connection

Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps.

API key: For deployments based on Elastic Stack 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model uses a dedicated service endpoint, on port 9443 by default, and gives administrators fine-grained control over remote access. The API key is created on the remote cluster and defines the permissions available to all cross-cluster requests, while local user roles can further restrict, but not extend, those permissions.
TLS certificate (deprecated in Elastic Stack 9.0.0): This model uses mutual TLS authentication over the Elasticsearch transport interface for cross-cluster operations. User authentication is performed on the local cluster and a user's role names are passed to the remote cluster for authorization. Because a superuser on the local cluster automatically gains full read access to the remote cluster, this model is only suitable for clusters within the same security domain.

API key

Follow these steps to configure the API key security model for remote clusters. If you run into any issues, refer to Troubleshooting.

Prerequisites and limitations

The local and remote deployments must be on Elastic Stack 8.14 or later.
Unlike the certificate-based security model, the API key model does not require mutual trust between clusters; only the local cluster is required to trust the remote cluster's certificate.

Enable the remote cluster server interface on the remote ECK cluster

By default, the remote cluster server interface is not enabled on ECK-managed clusters. To use the API key–based security model for cross-cluster connections, you must first enable it on the remote Elasticsearch cluster by setting spec.remoteClusterServer.enabled: true:

		apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: <cluster-name>
  namespace: <namespace>
spec:
  version: 9.2.4
  remoteClusterServer:
    enabled: true
  nodeSets:
    - name: default
      count: 3
      ...
      ...
		
	

Note

Enabling the remote cluster server triggers a restart of the Elasticsearch cluster.

Configure external access to the remote cluster server interface

When the remote cluster server is enabled, ECK automatically creates a Kubernetes service named <cluster-name>-es-remote-cluster that exposes the server internally on port 9443.

To allow clusters running outside your Kubernetes environment to connect to this Elasticsearch cluster, you must expose this service externally. The way to expose this service depends on your ECK version.

You can customize how the remote cluster service is exposed by overriding its service specification directly under spec.remoteClusterServer.service in the Elasticsearch resource. By default, this service listens on port 9443.

		apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: <cluster-name>
  namespace: <namespace>
spec:
  version: 9.2.1
  remoteClusterServer:
    enabled: true
    service:
      spec:
        type: LoadBalancer
  nodeSets:
    - name: default
      count: 3
      ...
      ...
		
	

On cloud providers that support external load balancers, setting the type to LoadBalancer provisions a load balancer for your service. Alternatively, expose the service <cluster-name>-es-remote-cluster through one of the Kubernetes Ingress controllers that support TCP services.

You can't customize the service that ECK generates for the remote cluster interface, but you can create your own LoadBalancer service, Ingress object, or use another method available in your environment.

For example, for a cluster named quickstart, the following command creates a separate LoadBalancer service named quickstart-es-remote-cluster-lb, pointing to the ECK-managed service quickstart-es-remote-cluster:

		kubectl expose service quickstart-es-remote-cluster \
  --name=quickstart-es-remote-cluster-lb \
  --type=LoadBalancer \
  --port=9443 --target-port=9443
		
	

On cloud providers that support external load balancers, setting the type to LoadBalancer provisions a load balancer for your service. Alternatively, expose the service <cluster-name>-es-remote-cluster through one of the Kubernetes Ingress controllers that support TCP services.

Warning

If you change the service’s port to expose a different port externally, set targetPort explicitly to 9443, which is the default remote cluster server listening port. Otherwise, Kubernetes uses the same value for both fields, resulting in failed connections.

Retrieve the ECK-managed CA certificate of the remote cluster server

The certificate authority (CA) used by ECK to issue certificates for the remote cluster server interface is stored in the ca.crt key of the secret named <cluster_name>-es-transport-certs-public.

If the external connections reach the Elasticsearch Pods on port 9443 without any intermediate TLS termination, you need to retrieve this CA because it is required in the local cluster configuration to establish trust.

If TLS is terminated by any intermediate component and the certificate presented is not the ECK-managed one, use the CA associated with that component, or omit the CA entirely if it uses a publicly trusted certificate.

To save the transport CA certificate of a cluster named quickstart into a local file, run the following command:

		kubectl get secret quickstart-es-transport-certs-public \
-o go-template='{{index .data "ca.crt" | base64decode}}' > eck_transport_ca.crt

Important

ECK-managed CA certificates are automatically rotated after one year by default, but you can configure a different validity period. When the CA certificate is rotated, ensure that this CA is updated in all environments where it's used to preserve trust.

Create a cross-cluster API key on the remote cluster

On the remote cluster, use the Elasticsearch API or Kibana to create a cross-cluster API key. Configure it to include access to the indices you want to use for cross-cluster search or cross-cluster replication.
Copy the encoded key (encoded in the response) to a safe location. It is required for the local cluster configuration.

Configure the local deployment

The API key created previously is needed by the local cluster to authenticate with the corresponding set of permissions to the remote deployment or cluster. To enable this, add the API key to the local cluster's keystore.

The steps to follow depend on whether the certificate authority (CA) presented by the remote cluster server, proxy, or load-balancing infrastructure is publicly trusted or private.

Store the API key encoded value in a Secret

The following command creates a secret containing the encoded API key obtained earlier:
```
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: remote-api-keys
type: Opaque
stringData:
  cluster.remote.<remote-cluster-name>.credentials: <encoded value>
EOF
		
```
1. For the <remote-cluster-name>, enter the alias of your choice. This alias is used when connecting to the remote cluster. It must be lowercase and only contain letters, numbers, dashes, and underscores.

Configure the Elasticsearch resource

Update the Elasticsearch manifest to:

Load the API key from the previously created secret using secureSettings
Enable the remote cluster SSL client in the config section of each nodeSet

		apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: <local-cluster-name>
spec:
  version: 9.2.4
  secureSettings:
    - secretName: remote-api-keys
  nodeSets:
    - name: default
      count: 3
      config:
        xpack:
          security:
            remote_cluster_client:
              ssl:
                enabled: true
		
	

The secret name must match the secret created in the previous step.
Repeat this configuration for all nodeSets.

Store the API key encoded value in a Secret

The following command creates a secret containing the encoded API key obtained earlier:
```
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: remote-api-keys
type: Opaque
stringData:
  cluster.remote.<remote-cluster-name>.credentials: <encoded value>
EOF
		
```
1. For the <remote-cluster-name>, enter the alias of your choice. This alias is used when connecting to the remote cluster. It must be lowercase and only contain letters, numbers, dashes, and underscores.
Store the CA certificate in a ConfigMap or Secret

Store the CA certificate retrieved earlier in a ConfigMap or Secret. The following example creates a ConfigMap named remote-ca that stores the content of a local file (my-ca.crt) under the remote-cluster-ca.crt key:
```
kubectl create configmap remote-ca -n <namespace> --from-file=remote-cluster-ca.crt=my-ca.crt
		
```

Configure the Elasticsearch resource

Update the Elasticsearch manifest to:

Load the API key from the previously created secret using secureSettings
Mount the CA certificate from the previously created ConfigMap as a custom file in the Elasticsearch Pods
Enable and configure the remote cluster SSL client in the config section of each nodeSet

		apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: <local-cluster-name>
spec:
  version: 9.2.4
  secureSettings:
    - secretName: remote-api-keys
  nodeSets:
    - name: default
      count: 3
      config:
        xpack:
          security:
            remote_cluster_client:
              ssl:
                enabled: true
                certificate_authorities: [ "remote-certs/remote-cluster-ca.crt" ]
      podTemplate:
        spec:
          containers:
          - name: elasticsearch
            volumeMounts:
            - name: remote-ca
              mountPath: /usr/share/elasticsearch/config/remote-certs
          volumes:
          - name: remote-ca
            configMap:
              name: remote-ca
		
	

Repeat this configuration for all nodeSets.
The file name must match the key of the ConfigMap that contains the CA certificate.
Must match the name of the ConfigMap created previously.

TLS certificate (deprecated)

Follow these steps to configure the TLS certificate security model for remote clusters. If you run into any issues, refer to Troubleshooting.

Make sure both clusters trust each other's certificate authority

When using TLS certificate–based authentication, the first step is to establish mutual trust between the clusters at the transport layer. This requires exchanging and trusting each cluster's transport certificate authority (CA):

The transport CA of the remote cluster must be added as a trusted CA in the local cluster.
The local cluster’s transport CA must be added as a trusted CA in the remote cluster.

The following steps assume that the local and remote clusters are handled by different ECK installations.

Extract and save the transport CAs of both clusters:

ECK stores the CA used to issue certificates for the Elasticsearch transport layer in a secret named <cluster_name>-es-transport-certs-public.

For example, to save the transport CA certificate of a cluster named quickstart into a local file, run the following command:
```
kubectl get secret quickstart-es-transport-certs-public \
-o go-template='{{index .data "ca.crt" | base64decode}}' > quickstart_transport_ca.crt
		
```
Note

Beware of copying the source secret as-is into a different namespace. Refer to Copying secrets with Owner References for more information.

Note

CA certificates are automatically rotated after one year by default. You can configure this period. Make sure to keep the copy of the certificates secret up-to-date.
Configure the local cluster to trust the transport CA of the remote cluster:
1. In the Kubernetes cluster and namespace where the local cluster is running, create a config map with the CA certificate of the remote cluster you extracted previously:
```
kubectl create configmap remote-certs --from-file=ca.crt=<quickstart_transport_ca.crt>
		
```
  1. Substitute <quickstart_transport_ca.crt> with the name of the file you saved in the previous step.
2. Configure the Elasticsearch resource manifest to trust the previous config map through the spec.transport.tls.certificate_authorities setting:
```
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: <local-cluster-name>
spec:
  version: 9.2.4
  transport:
    tls:
      certificateAuthorities:
        configMapName: remote-certs
  nodeSets:
  - count: 3
    name: default
		
```
Repeat the previous step for the remote cluster to trust the CA of the local cluster.

Configure external access to the transport interface of the remote cluster

Expose the transport service (defaults to port 9300) of your ECK cluster to allow external Elasticsearch clusters to connect:

		apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: <remote-cluster-name>
spec:
  transport:
    service:
      spec:
        type: LoadBalancer
		
	

On cloud providers which support external load balancers, setting the type field to LoadBalancer provisions a load balancer for your service. Alternatively, expose the service <cluster-name>-es-transport through one of the Kubernetes Ingress controllers that support TCP services.

Note

If you change the service’s port to expose a different port externally, set targetPort explicitly to 9300, which is the default transport service listening port. Otherwise, Kubernetes uses the same value for both fields, resulting in failed connections.

Connect to the remote cluster

On the local cluster, use Kibana or the Elasticsearch API to add the remote ECK cluster with the following connection settings:

Remote address: Use the FQDN or IP address of the LoadBalancer service or alternative resource that you created to expose the remote cluster.
- For API key-based authentication, use the server interface address and port.
- For TLS certificate-based authentication, use the transport interface address and port.
If you haven't changed the external listening port of the kubernetes service, the port should be 9443 for API key-based authentication, or 9300 for TLS certificate-based authentication.
TLS server name: You can try leaving this field empty first. If the connection fails, and your environment is presenting the ECK-managed certificates during the TLS handshake, use <cluster-name>-es-remote-cluster.<namespace>.svc as the server name. For example, for a cluster named quickstart in the default namespace, use quickstart-es-remote-cluster.default.svc.

About connection modes

This guide uses the proxy connection mode, connecting to the remote cluster through the Kubernetes service abstraction.

If the remote cluster resides in the same Kubernetes cluster as the local cluster, and if the local cluster can reach the remote nodes’ publish addresses directly, you can use sniff mode instead. Refer to connection modes documentation for details on each mode and their connectivity requirements.

Using Kibana

To add a remote cluster in Kibana:

Go to the Remote Clusters management page in the navigation menu or use the global search field.
Select Add a remote cluster.
In Select connection type, choose the authentication mechanism you prepared earlier (API keys or Certificates), and click Next.
Set the Remote cluster name: This cluster alias is a unique identifier that represents the connection to the remote cluster and is used to distinguish local and remote indices.

When using API key authentication, this alias must match the Remote cluster name you configured when adding the API key.
In Connection mode, select Manually enter proxy address and server name to enable the proxy mode and fill in the following fields:
- Proxy address: Enter the endpoint of the remote cluster, including the hostname, FQDN, or IP address, and the port:
  
  Make sure you use the correct port for your authentication method:
  - API keys: Use the port configured in the remote cluster interface of the remote cluster (defaults to 9443).
  - TLS certificates: Use the Elasticsearch transport port (defaults to 9300).
  Starting with Kibana 9.2, this field also supports IPv6 addresses. When using an IPv6 address, enclose it in square brackets followed by the port number. For example: [2001:db8::1]:9443.
- Server name (optional): Specify a value if the TLS certificate presented by the remote cluster is signed for a different name than the remote address.
Click Next.
In Confirm setup, click Add remote cluster (you have already established trust in a previous step).

Using the Elasticsearch API

To add a remote cluster, use the cluster update settings API. Configure the following fields:

Remote cluster alias: When using API key authentication, the cluster alias must match the one you configured when adding the API key.
mode: proxy
proxy_address: Enter the endpoint of the remote cluster, including the hostname, FQDN, or IP address, and the port. Both IPv4 and IPv6 addresses are supported.

Make sure you use the correct port for your authentication method:
- API keys: Use the port configured in the remote cluster interface of the remote cluster (defaults to 9443).
- TLS Certificates: Use the Elasticsearch transport port (defaults to 9300).
When using an IPv6 address, enclose it in square brackets followed by the port number. For example: [2001:db8::1]:9443.
server_name: Specify a value if the certificate presented by the remote cluster is signed for a different name than the proxy_address.

This is an example of the API call to add or update a remote cluster:

		PUT /_cluster/settings
{
  "persistent": {
    "cluster": {
      "remote": {
        "alias-for-my-remote-cluster": {
          "mode":"proxy",
          "proxy_address": "<REMOTE_CLUSTER_ADDRESS>:9443",
          "server_name": "<REMOTE_CLUSTER_SERVER_NAME>"
        }
      }
    }
  }
}
		
	

Align the alias with the remote cluster name used when adding the API key.

For a full list of available client connection settings in proxy mode, refer to the remote cluster settings reference.

Verify remote cluster connection

From the local cluster, check the status of the connection to the remote cluster. If you encounter issues, refer to the Troubleshooting guide.

				GET _remote/info

In the response, verify that connected is true:

		{
  "<remote-alias>": {
    "connected": true,
    "mode": "proxy",
    "proxy_address": "<REMOTE_CLUSTER_ADDRESS>:9443",
    "server_name": "<REMOTE_CLUSTER_SERVER_NAME>",
    "num_proxy_sockets_connected": 18,
    "max_proxy_socket_connections": 18,
    "initial_connect_timeout": "30s",
    "skip_unavailable": true,
    "cluster_credentials": "::es_redacted::"
  }
}
		
	

Configure roles and users

If you're using the API key–based security model for cross-cluster replication or cross-cluster search, you can define user roles with remote indices privileges on the local cluster to further restrict the permissions granted by the API key. For more details, refer to Configure roles and users.