WARNING: Version 5.5 of the Elastic Stack has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Elasticsearch has the feature of so called TCP transport profiles
that allows it to bind to several ports and addresses. X-Pack security extends on this
functionality to enhance the security of the cluster by enabling the separation
of node-to-node transport traffic from client transport traffic. This is important
if the client transport traffic is not trusted and could potentially be malicious.
To separate the node-to-node traffic from the client traffic, add the following
The port range that will be used by transport clients to communicate with this cluster
Categorizes the profile as a
If supported by your environment, an internal network can be used for node-to-node
traffic and public network can be used for client traffic by adding the following
The bind address for the network that will be used for node-to-node communication
The bind address for the network used for client communication
If separate networks are not available, then IP Filtering can be enabled to limit access to the profiles.
The TCP transport profiles also allow for enabling SSL on a per profile basis.
This is useful if you have a secured network for the node-to-node communication,
but the client is on an unsecured network. To enable SSL on a client profile when
SSL is disabled for node-to-node communication, add the following to
This enables SSL on the client profile. The default value for this setting
is the value of
When using SSL for transport, a different set of certificates can also be used
for the client traffic by adding the following to
transport.profiles.client.xpack.security.ssl.truststore: path: /path/to/another/truststore password: changeme transport.profiles.client.xpack.security.ssl.keystore: path: /path/to/another/keystore password: changeme
To change the default behavior that requires certificates for transport clients,
set the following value in the
This setting keeps certificate authentication active for node-to-node traffic, but removes the requirement to distribute a signed certificate to transport clients. Please see the Transport Client section.