Cross-cluster search (CCS) allows you to configure multiple remote clusters across different locations and to enable federated search queries across all of the configured remote clusters.
Cross-cluster replication (CCR) allows you to replicate indices across multiple remote clusters regardless of where they’re located. This provides tremendous benefit in scenarios of disaster recovery or data locality.
These remote clusters could be:
- Another Elasticsearch cluster of your Elastic Cloud organization across any region or cloud provider (AWS, GCP, Azure…)
- An Elasticsearch cluster of another organization
- An Elasticsearch cluster in an Elastic Cloud Enterprise installation
- Any other self-managed Elasticsearch cluster
To use CCS or CCR, your deployments must meet the following criteria:
- To use CCS, local and remote clusters must be version 6.7.x or higher.
- To use CCR, local and remote clusters must be at version 6.8.9 or higher (in the 6.x branch), or 7.7.1 or higher (in the 7.x branch).
- Local and remote clusters must be in compatible versions. Review the Elasticsearch version compatibility table.
Add remote clustersedit
To add remote clusters, you can choose between two security models:
- API key based security model
- [beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. For deployments on version 8.10 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model offers administrators of both the local and the remote deployment fine-grained access controls. Add remote clusters using API key authentication.
- Certificate based security model
- Uses mutual TLS authentication for cross-cluster operations. User authentication is performed on the local cluster and a user’s role names are passed to the remote cluster. In this model, a superuser on the local deployment gains total read access to the remote deployment, so it is only suitable for deployments that are in the same security domain. Add remote clusters using TLS certificate authentication.