I have installed elastic search (version 8.2.3) and Kibana on an AWS EC2 instance that runs ubuntu. So elastic search runs on port 9200 and Kibana runs on port 5601.
To secure my EC2 instance access, in its security group I added the below Inbound rules.
| Type | Protocol | Port Range | Source |
|---|---|---|---|
| Custom TCP | TCP | 5601 | my IP address cidr |
| SSH | TCP | 22 | my IP address cidr |
| Custom TCP | TCP | 9200 | my IP address cidr |
| Custom TCP | TCP | 9200 | security group for an ECS service |
Therefore, I am able to access the elastic search server and Kibana dashboard from the browser running on my machine.
Now I created a spring-boot application to interact with elastic search. When I start my application locally using Intellij, I am able to create an index or get documents from an index.
But after creating a docker image of my application and then starting this application as an ECS service on AWS, I am always getting an exception for connection timeout. To resolve this I tried testing it by opening the access rules, and by providing access to all the incoming traffic on the EC2 instance.
This means I added an entry in the Inbound Rules. |Type | Protocol | Port Range | Source | |----------|----------|------------|------------------| |All traffic|All|All|0.0.0.0/0|
And everything worked, my service running on ECS is able to communicate with elastic search. But this is highly not recommended and I definitely do not want to proceed in this manner.
Can someone guide me on which Inbound rules should I add to the EC2 security group so that I can remove the All traffic rule?
My goal is to make the spring boot application communicate with the elastic search running in an EC2 instance.
Just for your hint, the spring boot application runs using AWS ECS Service with Fargate. This service is running in a private subnet. That is the reason I added the ECS service security group to the EC2 instance security group so that the ECS service is allowed to communicate with elastic search. But it did not work.
Thanks
CodePudding user response:
Your application is trying to connect to Elasticsearch using the EC2 instance's public IP address or public DNS name. That means the network request from your ECS service is exiting the VPC, going out to the Internet, and then back into the VPC. When that happens it is disassociated with the ECS service's security group ID, so the security group rule you have allowing traffic from the ECS service's security group ID no longer applies.
To fix this, change your application to use the private IP or private DNS name of the ECS instance when connecting to Elasticsearch from ECS.