Access Amazon OpenSearch Service using an OpenSearch Service-managed VPC endpoint (Amazon PrivateLink) - Amazon OpenSearch Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Access Amazon OpenSearch Service using an OpenSearch Service-managed VPC endpoint (Amazon PrivateLink)

You can access an Amazon OpenSearch Service domain by setting up an OpenSearch Service-managed VPC endpoint (powered by Amazon PrivateLink). These endpoints create a private connection between your VPC and Amazon OpenSearch Service. You can access OpenSearch Service VPC domains as if they were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to access OpenSearch Service.

You can configure OpenSearch Service domains to expose additional endpoints running on public or private subnets within the same VPC, different VPC, or different Amazon Web Services accounts. This enables you to add an additional layer of security to access your domains regardless of where they run, with no infrastructure to manage. The following diagram illustrates OpenSearch Service-managed VPC endpoints within the same VPC:

You establish this private connection by creating an OpenSearch Service-managed interface VPC endpoint, powered by Amazon PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface VPC endpoint. These are service-managed network interfaces that serve as the entry point for traffic destined for OpenSearch Service. Standard Amazon PrivateLink interface endpoint pricing applies; OpenSearch Service-managed VPC endpoints are billed under Amazon PrivateLink.

You can create VPC endpoints for domains running all versions of OpenSearch and legacy Elasticsearch. For more information, see Access Amazon Web Services through Amazon PrivateLink in the Amazon PrivateLink Guide.

Considerations and limitations for OpenSearch Service

Before you set up an interface VPC endpoint for OpenSearch Service, review Considerations in the Amazon PrivateLink Guide.

When using OpenSearch Service-managed VPC endpoints, consider the following:

  • You can only use interface VPC endpoints to connect to VPC domains. Public domains aren't supported.

  • VPC endpoints can only connect to domains within the same Amazon Web Services Region.

  • HTTPS is the only supported protocol for VPC endpoints. HTTP is not allowed.

  • OpenSearch Service supports making calls to all of the supported OpenSearch API operations through an interface VPC endpoint.

  • You can configure a maximum of 50 endpoints per account, and a maximum of 10 endpoints per domain. A single domain can have a maximum of 10 authorized principals.

  • You currently can't use Amazon CloudFormation to create interface VPC endpoints.

  • You can only create interface VPC endpoints through the OpenSearch Service console or using the OpenSearch Service API. You can't create interface VPC endpoints for OpenSearch Service using the Amazon VPC console.

  • OpenSearch Service-managed VPC endpoints aren't accessible from the internet. An OpenSearch Service-managed VPC endpoint is accessible only within the VPC where the endpoint is provisioned or any VPCs peered with the VPC where the endpoint is provisioned, as permitted by the route tables and security groups.

  • VPC endpoint policies are not supported for OpenSearch Service, so you can't restrict callers or API operations at the endpoint itself. Associate a security group with the endpoint network interfaces to control which sources can send traffic to OpenSearch Service through the interface VPC endpoint; authorizing the requests themselves remains the job of the domain's access policy.

  • Your service-linked role must be in the same Amazon account that you use to create the VPC endpoint.

  • To create, update, and delete the OpenSearch Service VPC endpoint, you must have the following Amazon EC2 permissions in addition to your Amazon OpenSearch Service permissions:

    • ec2:CreateVpcEndpoint

    • ec2:DescribeVpcEndpoints

    • ec2:ModifyVpcEndpoint

    • ec2:DeleteVpcEndpoints

    • ec2:CreateTags

    • ec2:DescribeTags

    • ec2:DescribeSubnets

    • ec2:DescribeSecurityGroups

    • ec2:DescribeVpcs

Note

Currently, you can't limit VPC endpoint creation to OpenSearch Service: a principal granted ec2:CreateVpcEndpoint can create interface endpoints for any service, so grant these permissions only to the role that manages endpoints. We're working to make scoping possible in a future update.
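The permission list and the note above, expressed as the identity policy a practitioner would actually attach, together with a small review helper that lists which mutating grants remain unscoped. This is an added example, not code or a policy from the AWS documentation: the ec2: actions are the ones listed above, while the es: action names and their domain-level resource scoping are assumptions taken from the OpenSearch Service authorization reference, not from this page, and should be checked there before use. The domain ARN is a placeholder.

```python
"""Added example, not from the AWS page. Builds the identity policy for a role
that creates and manages OpenSearch Service-managed VPC endpoints and reports
which grants stay unscoped. The ec2: actions are the ones the page lists; the
es: actions and their domain-level scoping are assumed from the service
authorization reference and should be checked there."""
import json

# Listed on the page. Per the note, these cannot be limited to OpenSearch
# Service, so they necessarily apply to every VPC endpoint in the account.
EC2_ENDPOINT_ACTIONS = [
    "ec2:CreateVpcEndpoint", "ec2:DescribeVpcEndpoints", "ec2:ModifyVpcEndpoint",
    "ec2:DeleteVpcEndpoints", "ec2:CreateTags", "ec2:DescribeTags",
    "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs",
]
# Assumed (not on the page): OpenSearch Service actions that take a domain resource.
ES_DOMAIN_ACTIONS = [
    "es:CreateVpcEndpoint", "es:UpdateVpcEndpoint", "es:DeleteVpcEndpoint",
    "es:ListVpcEndpointsForDomain", "es:AuthorizeVpcEndpointAccess",
    "es:RevokeVpcEndpointAccess", "es:ListVpcEndpointAccess",
]
ES_LIST_ACTIONS = ["es:DescribeVpcEndpoints", "es:ListVpcEndpoints"]  # assumed, account-wide
MUTATING_EC2 = {"ec2:CreateVpcEndpoint", "ec2:ModifyVpcEndpoint", "ec2:DeleteVpcEndpoints"}


def endpoint_admin_policy(domain_arns):
    """Policy document: es: actions pinned to the named domains, ec2: actions on '*'."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OpenSearchEndpointsOnNamedDomains", "Effect": "Allow",
         "Action": ES_DOMAIN_ACTIONS, "Resource": list(domain_arns)},
        {"Sid": "OpenSearchEndpointListing", "Effect": "Allow",
         "Action": ES_LIST_ACTIONS, "Resource": "*"},
        {"Sid": "Ec2EndpointPlumbingCannotBeScoped", "Effect": "Allow",
         "Action": EC2_ENDPOINT_ACTIONS, "Resource": "*"},
    ]}


def unscoped_mutating_grants(policy):
    """Review helper: (Sid, action) pairs that allow a mutating EC2 endpoint action on
    every resource with no Condition. For the policy above that is exactly the set the
    note says cannot be narrowed today; anything beyond it in a real policy is a finding."""
    found = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "*" not in resources:
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        found += [(st.get("Sid"), a) for a in actions if a in MUTATING_EC2 or a in ("ec2:*", "*")]
    return found


if __name__ == "__main__":
    pol = endpoint_admin_policy(["arn:aws:es:us-east-1:111111111111:domain/logs-prod"])  # placeholder ARN
    print(json.dumps(pol, indent=2))
    print(unscoped_mutating_grants(pol))
```

The split into three statements is the point: the OpenSearch Service side can be pinned to specific domain ARNs, the EC2 side cannot, so the review helper will always report the three mutating ec2: actions for this policy, and the role carrying it should be the only one in the account that has them.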

Provide access to a domain

If the VPC that will access your domain is in another Amazon Web Services account, the domain owner must first authorize that account from the owner's account; only then can the other account create an interface VPC endpoint for the domain.

To allow a VPC in another Amazon Web Services account to access your domain
  1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/aos/home/.

  2. In the navigation pane, choose Domains and open the domain that you want to provide access to.

  3. Go to the VPC endpoints tab, which shows the accounts and corresponding VPCs that have access to your domain.

  4. Choose Authorize principal.

  5. Enter the Amazon Web Services account ID of the account that will access your domain. This step authorizes the specified account to create VPC endpoints against the domain.

  6. Choose Authorize.

Create an interface VPC endpoint for a VPC domain

You can create an interface VPC endpoint for OpenSearch Service using either the OpenSearch Service console or the Amazon Command Line Interface (Amazon CLI).

To create an interface VPC endpoint for an OpenSearch Service domain
  1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/aos/home/.

  2. In the left navigation pane, choose VPC endpoints.

  3. Choose Create endpoint.

  4. Select whether to connect a domain in the current Amazon Web Services account or another Amazon Web Services account.

  5. Select the domain that you want to connect to with this endpoint. If the domain is in the current Amazon Web Services account, use the dropdown to choose the domain. If the domain is in a different account, enter the Amazon Resource Name (ARN) of the domain to connect to. To choose a domain in a different account, the domain owner must first have authorized your account, as described in Provide access to a domain.

  6. For VPC, select the VPC from which you'll access OpenSearch Service.

  7. For Subnets, select one or more subnets from which you'll access OpenSearch Service.

  8. For Security groups, select the security groups to associate with the endpoint network interfaces. This is the critical step: the inbound rules of these security groups decide which sources, protocols, and ports can reach the endpoint, and because VPC endpoint policies aren't supported, they are the only network-level control on it. Allow inbound TCP port 443 (the endpoint accepts only HTTPS) from the security groups or CIDR ranges of the resources that will use the endpoint, and nothing broader.

  9. Choose Create endpoint. The endpoint should be active within 2-5 minutes.
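The two procedures above, Authorize principal on the domain owner's side and endpoint creation on the consumer's side, as they would be scripted against the OpenSearch Service and EC2 APIs rather than clicked through in the console. This is an added example, not code from the AWS documentation or from AWS: the client method names mirror the boto3 operations ListVpcEndpointAccess, AuthorizeVpcEndpointAccess, CreateVpcEndpoint, DescribeVpcEndpoints, CreateSecurityGroup and AuthorizeSecurityGroupIngress, but the Fake* classes are constructed stand-ins so the script runs offline, and the domain name, ARN, account IDs, VPC, subnet, security group and endpoint IDs and the endpoint hostname are placeholders.

```python
"""Added example, not code from the AWS page. The Fake* classes below stand in
for boto3.client("opensearch") and boto3.client("ec2"); every identifier is a
constructed placeholder. Pass real boto3 clients to the same functions to run
it against an account."""
import time

HTTPS_PORT = 443                # HTTPS is the only protocol the endpoint accepts
MAX_PRINCIPALS_PER_DOMAIN = 10  # documented limit on authorized principals per domain
FAILED = {"CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"}


def authorize_consumer_account(opensearch, domain_name, consumer_account):
    """Owner side (Authorize principal). True if newly granted, False if already present."""
    current = opensearch.list_vpc_endpoint_access(DomainName=domain_name)["AuthorizedPrincipalList"]
    if any(p["Principal"] == consumer_account for p in current):
        return False
    if len(current) >= MAX_PRINCIPALS_PER_DOMAIN:
        raise RuntimeError(f"{domain_name}: {len(current)} principals already authorized")
    opensearch.authorize_vpc_endpoint_access(DomainName=domain_name, Account=consumer_account)
    return True


def create_endpoint_security_group(ec2, vpc_id, client_sg_id, name="opensearch-vpce-sg"):
    """Consumer side. One ingress rule: TCP/443 from the client security group, no CIDR ranges."""
    sg_id = ec2.create_security_group(GroupName=name, VpcId=vpc_id,
                                      Description="OpenSearch Service-managed VPC endpoint ENIs")["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[{
        "IpProtocol": "tcp", "FromPort": HTTPS_PORT, "ToPort": HTTPS_PORT,
        "UserIdGroupPairs": [{"GroupId": client_sg_id}]}])
    return sg_id


def create_endpoint(opensearch, domain_arn, subnet_ids, sg_id, timeout_s=600, poll_s=15, sleep=time.sleep):
    """Consumer side. Creates the endpoint and polls DescribeVpcEndpoints until ACTIVE.
    Returns (vpc_endpoint_id, hostname); raises on a *_FAILED status, a describe error or timeout."""
    created = opensearch.create_vpc_endpoint(
        DomainArn=domain_arn, VpcOptions={"SubnetIds": list(subnet_ids), "SecurityGroupIds": [sg_id]})
    endpoint_id = created["VpcEndpoint"]["VpcEndpointId"]
    deadline = time.monotonic() + timeout_s
    while True:
        desc = opensearch.describe_vpc_endpoints(VpcEndpointIds=[endpoint_id])
        if desc.get("VpcEndpointErrors"):
            raise RuntimeError(f"{endpoint_id}: {desc['VpcEndpointErrors']}")
        ep = desc["VpcEndpoints"][0]
        if ep["Status"] == "ACTIVE":
            return endpoint_id, ep.get("Endpoint")
        if ep["Status"] in FAILED:
            raise RuntimeError(f"{endpoint_id} entered {ep['Status']}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{endpoint_id} still {ep['Status']} after {timeout_s}s")
        sleep(poll_s)


class FakeOpenSearch:  # constructed stand-in shaped like the real responses
    def __init__(self, account, owner=None):
        self.account, self.owner = account, owner  # owner=None means this client is the domain owner
        self.principals, self.create_calls, self.describes = [], [], 0
    def list_vpc_endpoint_access(self, DomainName):
        return {"AuthorizedPrincipalList": [{"PrincipalType": "AWS_ACCOUNT", "Principal": p} for p in self.principals]}
    def authorize_vpc_endpoint_access(self, DomainName, Account):
        self.principals.append(Account)
        return {"AuthorizedPrincipal": {"PrincipalType": "AWS_ACCOUNT", "Principal": Account}}
    def create_vpc_endpoint(self, DomainArn, VpcOptions):
        if self.owner is not None and self.account not in self.owner.principals:
            raise PermissionError(f"{self.account} is not authorized on {DomainArn}")  # cross-account gate
        self.create_calls.append((DomainArn, VpcOptions))
        return {"VpcEndpoint": {"VpcEndpointId": "aos-0123456789abcdef0", "Status": "CREATING"}}
    def describe_vpc_endpoints(self, VpcEndpointIds):
        self.describes += 1  # CREATING on the first two polls, ACTIVE from the third
        ep = {"VpcEndpointId": VpcEndpointIds[0], "Status": "ACTIVE" if self.describes >= 3 else "CREATING"}
        if ep["Status"] == "ACTIVE":
            ep["Endpoint"] = "vpce-EXAMPLE.vpce.us-east-1.es.amazonaws.com"  # constructed hostname
        return {"VpcEndpoints": [ep], "VpcEndpointErrors": []}


class FakeEc2:  # constructed stand-in
    def __init__(self):
        self.ingress = []
    def create_security_group(self, GroupName, Description, VpcId):
        return {"GroupId": "sg-0endpoint0000000"}
    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.ingress.extend((GroupId, p) for p in IpPermissions)
        return {"Return": True}


def demo():
    """Runs both sides against the fakes and returns what a caller would inspect."""
    owner, ec2 = FakeOpenSearch("111111111111"), FakeEc2()
    consumer = FakeOpenSearch("222222222222", owner=owner)
    domain_arn = "arn:aws:es:us-east-1:111111111111:domain/logs-prod"
    first = authorize_consumer_account(owner, "logs-prod", "222222222222")
    second = authorize_consumer_account(owner, "logs-prod", "222222222222")  # idempotent re-run
    sg_id = create_endpoint_security_group(ec2, "vpc-0example", "sg-0client0000000000")
    ep_id, host = create_endpoint(consumer, domain_arn, ["subnet-0a", "subnet-0b"], sg_id, sleep=lambda _: None)
    return {"granted": first, "again": second, "sg_id": sg_id, "ingress": ec2.ingress,
            "endpoint_id": ep_id, "hostname": host, "create_calls": consumer.create_calls}


if __name__ == "__main__":
    print(demo())
```

Run it as-is for the offline walk-through; to run it for real, replace the fakes with boto3.client("opensearch") for each account (the owner's credentials for the authorization, the consumer's for the endpoint) and boto3.client("ec2") in the consumer account. The security group rule is the part worth copying: a single ingress rule for TCP/443, sourced from the client workload's security group rather than a CIDR block, is the narrowest rule the endpoint's HTTPS-only surface needs, and the poll loop stops on the *_FAILED statuses instead of waiting out the timeout.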

Working with OpenSearch Service-managed VPC endpoints using the configuration API

Use the following API operations to create and manage OpenSearch Service-managed VPC endpoints.

Use the following API operations to manage endpoint access to VPC domains: