Restrictions and known problemsedit

When using Elasticsearch Service, there are some limitations you should be aware of:

Occasionally, we also publish information about Known problems with our Elasticsearch Service or the Elastic Stack.

To learn more about the features that are supported by Elasticsearch Service, see Elastic Cloud Subscriptions.

Elasticsearch Serviceedit

Not all features of our Elasticsearch Service are available to Heroku users. Specifically, you cannot create additional deployments or use different deployment templates.

Generally, if a feature is shown as available in the Elasticsearch Service Console, you can use it.


  • LDAP and Active Directory realms are not supported. Alternatively, authentication protocols such as SAML, OpenID Connect, or Kerberos can be used.
  • Client certificates, such as PKI certificates, are not supported.

Transport clientedit

  • The transport client is not considered thread safe in a cloud environment. We recommend that you use the Java REST client instead. This restriction relates to the fact that your deployments hosted on Elasticsearch Service are behind proxies, which prevent the transport client from communicating directly with Elasticsearch clusters.
  • The transport client is not supported over private link connections. Use the Java REST client instead, or connect over the public internet.
  • The transport client does not work with Elasticsearch clusters at version 7.6 and later that are hosted on Cloud. Transport client continues to work with Elasticsearch clusters at version 7.5 and earlier. Note that the transport client was deprecated with version 7.0 and will be removed with 8.0.

Elasticsearch and Kibana pluginsedit

  • Kibana plugins are not supported.
  • Elasticsearch plugins, are not enabled by default for security purposes. Please reach out to support if you would like to enable Elasticsearch plugins support on your account.
  • Some Elasticsearch plugins do not apply to Elasticsearch Service. For example, you won’t ever need to change discovery, as Elasticsearch Service handles how nodes discover one another.
  • In Elasticsearch 5.0 and later, site plugins are no longer supported. This change does not affect the site plugins Elasticsearch Service might provide out of the box, such as Kopf or Head, since these site plugins are serviced by our proxies and not Elasticsearch itself.
  • In Elasticsearch 5.0 and later, site plugins such as Kopf and Paramedic are no longer provided. We recommend that you use our cluster performance metrics, X-Pack monitoring features and Kibana’s (6.3+) Index Management UI if you want more detailed information or perform index management actions.


Changing the default throttle period is not possible. You can specify a throttle period per watch, however.

You cannot use your own SMTP server. All emails are sent through our servers, and the recipient must be whitelisted.

Private Link and SSO to Kibana URLsedit

Currently you cannot use SSO to login for Kibana endpoints that are protected by Private Link traffic filters. Authentication using the Elasticsearch username and password should work but only with {kibana-id}.{vpce|privatelink|psc}.domain URLs.

Traffic filters and Watcher Webhooksedit

You can’t set the Watcher webhook target to a deployment protected by traffic filters. Public webhooks such as Slack, PagerDuty, and email are not affected by this limitation.

APM Agent central configuration with PrivateLink or traffic filtersedit

If you are using APM 7.9.0 or older:

Fleet with PrivateLink or traffic filtersedit

If you are using Fleet 7.13.x:

  • You cannot use Fleet 7.13.x, if your deployment is secured by traffic filters. Fleet 7.14.0 and later works with traffic filters (both Private Link and IP filters).

Custom Endpoint URLs not compatible with PrivateLinkedit

  • If you are using the traffic filtering feature with PrivateLink, you must continue using the UUID to route to your applications. Custom endpoint URLs will not successfully route via PrivateLink.

Known problemsedit

  • There is a known problem affecting clusters with versions 7.7.0 and 7.7.1 due to a bug in Elasticsearch. Although rare, this bug can prevent you from running plans. If this occurs we recommend that you retry the plan, and if that fails please contact support to get your plan through. Because of this bug we recommend you to upgrade to version 7.8 and higher, where the problem has already been addressed.
  • A known issue can prevent direct rolling upgrades from Elasticsearch version 5.6.10 to version 6.3.0. As a workaround, we have removed version 6.3.0 from the Elasticsearch Service Console for new cluster deployments and for upgrading existing ones. If you are affected by this issue, see Rolling upgrades from 5.6.x to 6.3.0 fails with "java.lang.IllegalStateException: commit doesn’t contain history uuid" in our Elastic Support Portal. If these steps do not work or you do not have access to the Support Portal, you can contact