AWS News Blog
Amazon Elasticsearch Service now supports VPC
September 8, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service. See details.
Starting today, you can connect to your Amazon Elasticsearch Service domains from within an Amazon VPC without the need for NAT instances or Internet gateways. VPC support for Amazon ES is easy to configure, reliable, and offers an extra layer of security. With VPC support, traffic between other services and Amazon ES stays entirely within the AWS network, isolated from the public Internet. You can manage network access using existing VPC security groups, and you can use AWS Identity and Access Management (IAM) policies for additional protection. VPC support for Amazon ES domains is available at no additional charge.
Getting Started
Creating an Amazon Elasticsearch Service domain in your VPC is easy. Follow all the steps you would normally follow to create your cluster and then select “VPC access”.
That’s it. There are no additional steps. You can now access your domain from within your VPC!
Things To Know
To support VPCs, Amazon ES places an endpoint into at least one subnet of your VPC. Amazon ES places an Elastic Network Interface (ENI) into the VPC for each data node in the cluster. Each ENI uses a private IP address from the IPv4 range of your subnet and receives a public DNS hostname. If you enable zone awareness, Amazon ES creates endpoints in two subnets in different availability zones, which provides greater data durability.
You need to set aside three times as many IP addresses as there are nodes in your cluster. You can divide that number by two if Zone Awareness is enabled. Ideally, you would create separate subnets just for Amazon ES.
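The sizing rule above can be checked against candidate subnets before you create the domain. The following is an added example, not code from the original post or from AWS. It assumes the halved figure applies to each of the two subnets (rounded up), that you supply the count of addresses already in use, and it relies on the fact that AWS reserves five addresses in every subnet; the function names and sample CIDRs are constructed for illustration.

```python
import ipaddress
import math

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def required_ips_per_subnet(node_count, zone_awareness):
    """Rule from the text: 3 x nodes, divided by two with zone awareness."""
    total = 3 * node_count
    # Assumption: with zone awareness the halved figure is needed in each of
    # the two subnets; odd results are rounded up.
    return math.ceil(total / 2) if zone_awareness else total


def check_subnets(node_count, zone_awareness, subnets):
    """subnets: list of (ipv4_cidr, addresses_already_in_use) tuples."""
    expected = 2 if zone_awareness else 1
    if len(subnets) != expected:
        raise ValueError(f"expected {expected} subnet(s), got {len(subnets)}")
    need = required_ips_per_subnet(node_count, zone_awareness)
    results = []
    for cidr, in_use in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4:
            raise ValueError(f"{cidr}: the ENIs use the subnet's IPv4 range")
        free = max(net.num_addresses - AWS_RESERVED_PER_SUBNET - in_use, 0)
        results.append(
            {"cidr": cidr, "needed": need, "free": free, "ok": free >= need}
        )
    return results


if __name__ == "__main__":
    # Constructed sample: 10 data nodes, zone awareness on, two subnets.
    sample = [("10.0.1.0/28", 0), ("10.0.2.0/27", 10)]
    for row in check_subnets(10, True, sample):
        print(row)
```
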
A few notes:
- Currently, you cannot move existing domains to a VPC or vice versa. To take advantage of VPC support, you must create a new domain and migrate your data.
- Currently, Amazon ES does not support Amazon Kinesis Firehose integration for domains inside a VPC.
To learn more, see the Amazon ES documentation.
– Randall