Monitor resources on private networks

To monitor resources on private networks you can either:

  • Allow Elastic’s global managed infrastructure to access your private endpoints.
  • Use Elastic Agent to create a Private Location.

Private Locations via Elastic Agent require only outbound connections from your network. Allowing Elastic’s global managed infrastructure to access a private endpoint requires inbound access, which poses an additional risk that you must assess.

Allow access to your private network

To give Elastic’s global managed infrastructure access to a private endpoint, use IP address filtering, HTTP authentication, or both.

To grant access via IP, use this list of egress IPs. The addresses and locations on this list may change, so automating updates to filtering rules is recommended. IP filtering alone will allow all users of Elastic’s global managed infrastructure to access your endpoints. If this is a concern, consider adding user/password authentication through a proxy like nginx.
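
One way to automate the filtering rules and combine them with proxy authentication, as an added example (not Elastic's code). The addresses are constructed documentation ranges, and the upstream URL, htpasswd path and minimum-prefix guard are assumptions.

```python
import ipaddress

# Constructed sample input: documentation ranges (RFC 5737 / RFC 3849), not
# Elastic's real egress addresses. Fetch the published list in your own job.
SAMPLE_EGRESS = ["192.0.2.10", "198.51.100.0/28", "2001:db8:10::/64", "192.0.2.10"]

# Assumption: any range broader than this is treated as a feed error.
MIN_PREFIX = {4: 24, 6: 48}


def parse_egress(entries):
    """Validate and de-duplicate egress entries; fail closed on anything odd."""
    nets = set()
    for raw in entries:
        net = ipaddress.ip_network(raw.strip(), strict=True)  # ValueError on junk
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"refusing overly broad range: {net}")
        nets.add(net)
    if not nets:
        raise ValueError("empty egress list; keep the existing rules")
    # IPv4 and IPv6 networks cannot be compared directly, so sort with a key.
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def render_location(entries, upstream, htpasswd="/etc/nginx/monitor.htpasswd"):
    """Render an nginx location that requires BOTH an allowed IP and basic auth."""
    lines = ["location / {", "    satisfy all;"]
    lines += [f"    allow {net};" for net in parse_egress(entries)]
    lines += [
        "    deny all;",
        '    auth_basic "synthetic monitors";',
        f"    auth_basic_user_file {htpasswd};",
        f"    proxy_pass {upstream};",
        "}",
    ]
    return "\n".join(lines) + "\n"


def needs_reload(new_conf, current_conf):
    """True only when the rendered rules differ from what nginx already has."""
    return new_conf != current_conf


if __name__ == "__main__":
    print(render_location(SAMPLE_EGRESS, "http://127.0.0.1:8080"))
```

Because validation raises before anything is rendered, a malformed or empty list leaves the previously deployed rules in place.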

Monitor via a private agent

This is only relevant to monitors created using the Uptime app or project monitors.

This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

Private locations allow you to run monitors from your own premises. Before running a monitor on a private location, you’ll need to:

Private locations running through Elastic Agent must have a direct connection to Elasticsearch. Do not configure any ingest pipelines or output via Logstash, as this will prevent Synthetics from working properly and is not supported.

Set up Fleet Server and Elastic Agent

Start by setting up Fleet Server and Elastic Agent:

  • Set up Fleet Server: If you are using Elastic Cloud, Fleet Server will already be provided and you can skip this step. To learn more, refer to Fleet.
  • Create an agent policy: For more information on agent policies and creating them, refer to Elastic Agent policy.

A private location should be set up against an agent policy that runs on a single Elastic Agent. Do not run the same agent policy on multiple agents being used for private locations, as you may end up with duplicate or missing tests. Private locations do not currently load balance tests across multiple Elastic Agents.

Any private location can only run two tests simultaneously. As a result, if more than two tests are assigned to a particular private location, there may be a small delay before they run.

Connect to the Elastic Stack

After setting up Fleet, you’ll connect Fleet to the Elastic Stack and enroll an Elastic Agent in Fleet.

Elastic provides Docker images that you can use to run Fleet and an Elastic Agent more easily. For monitors running on private locations, you must use the elastic-agent-complete Docker image to create a self-hosted Elastic Agent node. The standard Elastic Cloud or self-hosted Elastic Agent will not work.

To pull the Docker image, run:

docker pull docker.elastic.co/beats/elastic-agent-complete:8.6.2

Then enroll and run an Elastic Agent. You’ll need an enrollment token and the URL of the Fleet Server. You can use the default enrollment token for your policy or create new policies and enrollment tokens as needed.

For more information on running Elastic Agent with Docker, refer to Run Elastic Agent in a container.

docker run \
  --env FLEET_ENROLL=1 \
  --env FLEET_URL={fleet-server-host-url} \
  --env FLEET_ENROLLMENT_TOKEN={enrollment-token} \
  --cap-add=NET_RAW \
  --cap-add=SETUID \
  --rm docker.elastic.co/beats/elastic-agent-complete:8.6.2

The elastic-agent-complete Docker image requires additional capabilities to operate correctly. Ensure NET_RAW and SETUID are enabled on the container.

You may need to set other environment variables. Learn how in the Elastic Agent environment variables guide.

Add a private location

When the Elastic Agent is running, you can add a new private location in Kibana:

  1. Go to Observability → Uptime.
  2. Click Monitor Management.
  3. Click Private locations.
  4. Click Add location.
  5. Give your new location a unique Location name and select the Agent policy you created above.
  6. Click Save.

Next steps

Now you can add monitors to your private location in the Uptime app or using the Elastic Synthetics library’s push method.

You can run the same monitor both from Elastic’s global managed infrastructure and your private locations to compare results.