I mean this question as a discussion. I'm looking for some rationale to pick the approach to use to authenticate access and encrypt traffic to and from our Elasticsearch cluster on AWS.
I've come across 3 methods:
- NGINX on every node - to manage SSL and provide auth
- Shield + SSL encryption set up on every node according to Elastic.co recommendations.
- Auth on every node (Shield or third-party) + SSL encryption using an Elastic Load Balancer (ELB). So, all client requests to the ES cluster go through the ELB.
The third method is interesting because it means there's one node to set up SSL encryption and the certificate on. Methods 1 and 2 require separate setup on every new node.
However, from my experience, it is hard to connect the Java Client API (which works off custom TCP) to the ES Instance through an ELB.
What is the precedent here? Also, what considerations could I be missing?
On the basis of Google search results, Method 3 seems to be the rarest. Method 1 seems to be somewhat popular.