Restricting connections with IP filtering

You can apply IP filtering to application clients, node clients, or transport clients, in addition to other nodes that are attempting to join the cluster.

If a node’s IP address is on the blacklist, the Elasticsearch security features allow the connection to Elasticsearch but it is be dropped immediately and no requests are processed.

The Elasticsearch security features contain an access control feature that allows or rejects hosts, domains, or subnets. If the operator privileges feature is enabled, only operator users can update these settings.

You configure IP filtering by specifying the xpack.security.transport.filter.allow and xpack.security.transport.filter.deny settings in elasticsearch.yml. Allow rules take precedence over the deny rules.

xpack.security.transport.filter.allow: "192.168.0.1"
xpack.security.transport.filter.deny: "192.168.0.0/24"

The _all keyword can be used to deny all connections that are not explicitly allowed.

xpack.security.transport.filter.allow: [ "192.168.0.1", "192.168.0.2", "192.168.0.3", "192.168.0.4" ]
xpack.security.transport.filter.deny: _all

IP filtering configuration also support IPv6 addresses.

xpack.security.transport.filter.allow: "2001:0db8:1234::/48"
xpack.security.transport.filter.deny: "1234:0db8:85a3:0000:0000:8a2e:0370:7334"

You can also filter by hostnames when DNS lookups are available.

xpack.security.transport.filter.allow: localhost
xpack.security.transport.filter.deny: '*.google.com'

Disabling IP filtering can slightly improve performance under some conditions. To disable IP filtering entirely, set the value of the xpack.security.transport.filter.enabled setting in the elasticsearch.yml configuration file to false.

xpack.security.transport.filter.enabled: false

You can also disable IP filtering for the transport protocol but enable it for HTTP only.

xpack.security.transport.filter.enabled: false
xpack.security.http.filter.enabled: true

TCP transport profiles enable Elasticsearch to bind on multiple hosts. The Elasticsearch security features enable you to apply different IP filtering on different profiles.

xpack.security.transport.filter.allow: 172.16.0.0/24
xpack.security.transport.filter.deny: _all
transport.profiles.client.xpack.security.filter.allow: 192.168.0.0/24
transport.profiles.client.xpack.security.filter.deny: _all

You may want to have different IP filtering for the transport and HTTP protocols.

xpack.security.transport.filter.allow: localhost
xpack.security.transport.filter.deny: '*.google.com'
xpack.security.http.filter.allow: 172.16.0.0/16
xpack.security.http.filter.deny: _all

In case of running in an environment with highly dynamic IP addresses like cloud based hosting, it is very hard to know the IP addresses upfront when provisioning a machine. Instead of changing the configuration file and restarting the node, you can use the Cluster Update Settings API. For example:

response = client.cluster.put_settings(
  body: {
    persistent: {
      "xpack.security.transport.filter.allow": '172.16.0.0/24'
    }
  }
)
puts response

PUT /_cluster/settings
{
  "persistent" : {
    "xpack.security.transport.filter.allow" : "172.16.0.0/24"
  }
}

You can also dynamically disable filtering completely:

response = client.cluster.put_settings(
  body: {
    persistent: {
      "xpack.security.transport.filter.enabled": false
    }
  }
)
puts response

PUT /_cluster/settings
{
  "persistent" : {
    "xpack.security.transport.filter.enabled" : false
  }
}