Connecting to brokered Elasticsearch service instances
For compliance purposes, brokered Elasticsearch service instances may only be accessed from within the cloud.gov environment. Additionally, in order to connect to these instances, AWS requires the use of signed HTTP headers. If you plan to connect to your Elasticsearch instance from your local environment frequently, this can present challenges.
Some things to consider:
- The brokered Elasticsearch instances are not well suited for running your own logging stack (if that’s what you are trying to do), and are designed to be used for data storage in conjunction with an application running on cloud.gov.
- If you need to capture or analyze log data from your application, some better options include using the cloud.gov logging dashboard, or setting up a log drain to offload platform logs to an external logging tool or platform.
If you do need to directly interact with your cloud.gov Elasticsearch instance, you can configure and deploy a basic proxy application similar to the example that can be found here: https://github.com/cloud-gov/aws-elasticsearch-auth-proxy (please note the documented security considerations).