Set up Elasticsearch Service Privateedit

Elasticsearch Service Private gives you the ease of a hosted offering along with the benefits that come with having a dedicated environment to host your deployments. We provision a virtual private cloud (VPC) for you, that we manage for you, with an exclusive set of hosts. You can access your deployments from the public internet. Additionally, you can connect your VPC to the environment, ensuring that the traffic to the selected deployments stays within the same cloud provider and isn’t exposed to the public internet. All the deployments in the environment are available to you with consolidated billing, but you can still isolate teams or users and meter their usage separately.

Elasticsearch Service Private diagram

Elasticsearch Service Private entitles you to Platinum level support and features.

Looking for public Elasticsearch Service? Check it out with a 14-day free trial. You can also secure your deployment endpoints with AWS PrivateLink and Azure Private Link for public Elasticsearch Service.

To get started with Elasticsearch Service Private:

  1. Contact us to initiate the sign-up process.

    Our team will reach out to you to complete the registration process. You can help us help you by including these details:

    • Which region you would like us to use to provision your Elasticsearch Service Private environment. The region must be in the same region as your VPCs. This is due to an AWS limitation since Private Link is only supported within the same AWS region. If you need support for more than one region, make sure to specify all the regions that you need.
    • A general idea of how much capacity you expect to have in that environment. If you don’t have this information handy, we can work together to size your environment.
  2. When the environment is ready, we’ll send you the VPC Endpoint Service name for your Elasticsearch Service Private environment.
  3. You can restrict the access to your deployments to specific VPC endpoints, or IP address ranges from the Cloud UI with traffic filters.

See Traffic Filter article for the general concepts behind traffic filtering in Elasticsearch Service.

Creating a VPC endpointedit

  1. To access your dedicated environment, you’ll need to create a new VPC endpoint and associate it with your VPC, that must be in the same AWS regions as your Elasticsearch Service Private environment. This is due to an AWS limitation since AWS Private Link is only supported within the same region.

    1. From the AWS user console, select the relevant region and add a VPC endpoint to initiate a connection request. We auto-approve the connections requests, however you can restrict access to some or all your deployments to specific VPC endpoints with VPC endpoint traffic filters.
    2. When prompted to discover the service, choose Find service by name, enter the Elasticsearch Service Private Endpoint Service name provided by us, and enter the name and the click Verify.
  2. Select the VPC you want to use from the list of available VPCs in that region.
  3. You can select which availability zones you want to enable on the endpoint. For high availability, we recommend using 2 or more availability zones.
  4. Update the security group associated with the Private Link endpoint to permit outbound traffic to common Elasticsearch Service ports. For example, TCP on port 9243 and 9343, as well as any CIDR ranges for the servers that need access to Elasticsearch Service.
  5. Click Create endpoint.

You should now see that the new endpoint status is "Available." Save the DNS records as you will need them in the next step to configure a DNS record that resolves to those DNS names.

Configuring a DNS recordedit

  1. In the AWS user console, create a new Route 53 Hosted Zone.
  2. Use the as the domain name, select the type to be Private Hosted Zone for Amazon VPC, and associate with the the relevant VPC.
  3. Click on Create Record Set.
  4. Use * as the record name, choose CNAME - Canonical name as the type. This is where you will use the saved list of DNS records from the previous section. In the value field, enter the first DNS name that appears in the saved list of DNS names.
  5. Click Create.

Verifying Private Link connectionedit

Complete your setup by making sure you can access all the important parts of your environment.

  1. Log on to the Elasticsearch Service console with the URL and the credentials sent to you by Elastic. The URL looks like

    Access the API server at:

  2. You can create deployments as usual.

    Created deployments are accessible over the public internet by default until you associate traffic filters with the deployments.

    You can connect to the Elasticsearch cluster in your deployment with this endpoint format:

    The URL is also available on the deployment overview page, along with the endpoints for your other Elastic products.

From within your VPC, try to access the Elasticsearch endpoint, or any of the other components, and verify that you can successfully authenticate using the elastic user credentials for the deployment.