Remote clusters with Elastic Cloud Enterprise

ECE

You can configure an Elastic Cloud Enterprise deployment to remotely access or (be accessed by) a cluster from:

Another deployment of your ECE installation
A deployment running on a different ECE installation
An Elastic Cloud Hosted deployment
A deployment running on an Elastic Cloud on Kubernetes installation
A self-managed installation

Prerequisites

To use CCS or CCR, your environment must meet the following criteria:

The local and remote clusters must run on compatible versions of Elasticsearch. Review the version compatibility table.

Any node can communicate with another node on the same major version. For example, 9.0 can talk to any 9.x node.
Version compatibility is symmetric, meaning that if 7.16 can communicate with 8.0, 8.0 can also communicate with 7.16. The following table depicts version compatibility between local and remote nodes.


	Local cluster
Remote cluster	5.0–5.5	5.6	6.0–6.6	6.7	6.8	7.0	7.1–7.16	7.17	8.0–9.0
5.0–5.5
5.6
6.0–6.6
6.7
6.8
7.0
7.1–7.16
7.17
8.0–9.0

Important

Elastic only supports cross-cluster search on a subset of these configurations. See Supported cross-cluster search configurations.

Proxies must answer TCP requests on the port 9400. Check the prerequisites for the ports that must permit outbound or inbound traffic.
Load balancers must pass-through TCP requests on port 9400. Check the configuration details.
If your deployment was created before ECE version 2.9.0, the Remote clusters page in Kibana must be enabled manually from the Security page of your deployment, by selecting Enable CCR under Trust management.

Note

System deployments cannot be used as remote clusters or have remote clusters.

Set up remote clusters with Elastic Cloud Enterprise

The steps, information, and authentication method required to configure CCS and CCR can vary depending on where the clusters you want to use as remote are hosted.

Connect remotely to other clusters from your Elastic Cloud Enterprise deployments
Use clusters from your Elastic Cloud Enterprise deployments as remote

Remote clusters and traffic filtering

Note

Traffic filtering isn’t supported for cross-cluster operations initiated from an Elastic Cloud Enterprise environment to a remote Elastic Cloud Hosted deployment.

For remote clusters configured using TLS certificate authentication, traffic filtering can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.

Traffic filtering for remote clusters supports 2 methods:

Filtering by IP addresses and Classless Inter-Domain Routing (CIDR) masks
Filtering by Organization or Elasticsearch cluster ID with a Remote cluster type filter. You can configure this type of filter from the Platform > Security page of your environment or using the Elastic Cloud Enterprise API and apply it from each deployment’s Security page.

Note

When setting up traffic filters for a remote connection to an Elastic Cloud Enterprise environment, you also need to upload the region’s TLS certificate of the local cluster to the Elastic Cloud Enterprise environment’s proxy. You can find that region’s TLS certificate in the Security page of any deployment of the environment initiating the remote connection.