Restrictions and known problemsedit
When using Elasticsearch Add-On for Heroku, there are some limitations you should be aware of:
For limitations related to logging and monitoring, check the Restrictions and limitations section of the logging and monitoring page.
Occasionally, we also publish information about Known problems with our Elasticsearch Add-On for Heroku or the Elastic Stack.
To learn more about the features that are supported by Elasticsearch Add-On for Heroku, check Elastic Cloud Subscriptions.
Elasticsearch Add-On for Herokuedit
Not all features of our Elasticsearch Service are available to Heroku users. Specifically, you cannot create additional deployments or use different deployment templates.
Generally, if a feature is shown as available in the Elasticsearch Add-On for Heroku console, you can use it.
Securityedit
- File and LDAP realms cannot be used. The Native realm is enabled, but the realm configuration itself is fixed in Elastic Cloud. Alternatively, authentication protocols such as SAML, OpenID Connect, or Kerberos can be used.
- Client certificates, such as PKI certificates, are not supported.
Transport clientedit
- The transport client is not considered thread safe in a cloud environment. We recommend that you use the Java REST client instead. This restriction relates to the fact that your deployments hosted on Elasticsearch Add-On for Heroku are behind proxies, which prevent the transport client from communicating directly with Elasticsearch clusters.
- The transport client is not supported over private link connections. Use the Java REST client instead, or connect over the public internet.
- The transport client does not work with Elasticsearch clusters at version 7.6 and later that are hosted on Cloud. Transport client continues to work with Elasticsearch clusters at version 7.5 and earlier. Note that the transport client was deprecated with version 7.0 and will be removed with 8.0.
Elasticsearch and Kibana pluginsedit
- Kibana plugins are not supported.
- Elasticsearch plugins, are not enabled by default for security purposes. Please reach out to support if you would like to enable Elasticsearch plugins support on your account.
- Some Elasticsearch plugins do not apply to Elasticsearch Add-On for Heroku. For example, you won’t ever need to change discovery, as Elasticsearch Add-On for Heroku handles how nodes discover one another.
- In Elasticsearch 5.0 and later, site plugins are no longer supported. This change does not affect the site plugins Elasticsearch Add-On for Heroku might provide out of the box, such as Kopf or Head, since these site plugins are serviced by our proxies and not Elasticsearch itself.
- In Elasticsearch 5.0 and later, site plugins such as Kopf and Paramedic are no longer provided. We recommend that you use our cluster performance metrics, X-Pack monitoring features and Kibana’s (6.3+) Index Management UI if you want more detailed information or perform index management actions.
Private Link and SSO to Kibana URLsedit
Currently you can’t use SSO to login directly from Elastic Cloud into Kibana endpoints that are protected by Private Link traffic filters. However, you can still SSO into Private Link protected Kibana endpoints individually using the SAML or OIDC protocol from your own identity provider, just not through the Elastic Cloud console. Stack level authentication using the Elasticsearch username and password should also work with {kibana-id}.{vpce|privatelink|psc}.domain URLs.
Traffic filters and Watcher Webhooks / PDF report generationedit
You can’t set the Watcher webhook target to a deployment protected by traffic filters. This restriction also applies to generating PDFs using Watcher. Public webhooks such as Slack, PagerDuty, and email are not affected by this limitation. You can use the xpack.notification.webhook.additional_token_enabled configuration setting available in Elastic Stack versions 8.7.1 and later to bypass traffic filters.
APM Agent central configuration with PrivateLink or traffic filtersedit
If you are using APM 7.9.0 or older:
- You cannot use APM Agent central configuration if your deployment is secured by traffic filters.
- If you access your APM deployment over PrivateLink, to use APM Agent central configuration you need to allow access to the APM deployment over public internet.
Fleet with PrivateLink or traffic filtersedit
If you are using Fleet 7.13.x:
- You cannot use Fleet 7.13.x, if your deployment is secured by traffic filters. Fleet 7.14.0 and later works with traffic filters (both Private Link and IP filters).
Enterprise Search in Kibanaedit
Enterprise Search’s management interface in Kibana does not work with traffic filters with 8.3.1 and older, it will return an Insufficient permissions (403 Forbidden) error. In Kibana 8.3.2, 8.4.0 and higher, the Enterprise Search management interface works with traffic filters.
Restoring a snapshot across deploymentsedit
Kibana and Enterprise Search do not currently support restoring a snapshot of their indices across Elastic Cloud deployments.
Kibana uses encryption keys in various places, ranging from encrypting data in some areas of reporting, alerts, actions, connector tokens, ingest outputs used in Fleet and Synthetics monitoring to user sessions.
Enterprise Search uses encryption keys when storing content source synchronization credentials, API tokens and other sensitive information.
Currently, there is not a way to retrieve the values of Kibana and Enterprise Search encryption keys, or set them in the target deployment before restoring a snapshot. As a result, once a snapshot is restored, Kibana and Enterprise Search will not be able to decrypt the data required for some Kibana and Enterprise Search features to function properly in the target deployment.
If you have already restored a snapshot across deployments and now have broken Kibana saved objects or Enterprise Search features in the target deployment, you will have to recreate all broken configurations and objects, or create a new setup in the target deployment instead of using snapshot restore.
Known problemsedit
- There is a known problem affecting clusters with versions 7.7.0 and 7.7.1 due to a bug in Elasticsearch. Although rare, this bug can prevent you from running plans. If this occurs we recommend that you retry the plan, and if that fails please contact support to get your plan through. Because of this bug we recommend you to upgrade to version 7.8 and higher, where the problem has already been addressed.
- A known issue can prevent direct rolling upgrades from Elasticsearch version 5.6.10 to version 6.3.0. As a workaround, we have removed version 6.3.0 from the Elasticsearch Add-On for Heroku console for new cluster deployments and for upgrading existing ones. If you are affected by this issue, check Rolling upgrades from 5.6.x to 6.3.0 fails with "java.lang.IllegalStateException: commit doesn’t contain history uuid" in our Elastic Support Portal. If these steps do not work or you do not have access to the Support Portal, you can contact support@elastic.co.
Repository Analysis API is unavailable in Elastic Cloudedit
- The Elasticsearch Repository analysis API is not available in Elastic Cloud due to deployments defaulting to having operator privileges enabled that prevent non-operator privileged users from using it along with a number of other APIs.
Kibanaedit
Audit logging for Kibana must be enabled using the flattened format of the key/setting: xpack.security.audit.enabled: true. Using a nested yaml format will not take effect.