Access proxy
By default, an Amazon OpenSearch Service domain within VPC cannot be accessed from the internet. Centralized Logging with OpenSearch creates a highly available NGINX cluster
This section covers the following:
Create a proxy
You can create the NGINX-based proxy using the Centralized Logging with OpenSearch console or by deploying a standalone CloudFormation stack.
Prerequisites
- Make sure an Amazon OpenSearch Service domain within VPC is available.
- The domain associated SSL certificate is created or uploaded in AWS Certificate Manager (ACM).
- Make sure you have the EC2 private key (.pem) file.
(Option 1) Using the Centralized Logging with OpenSearch console
- Log in to the Centralized Logging with OpenSearch console.
- In the navigation pane, under Domains, choose OpenSearch domains.
- Select the domain from the table.
- Under General configuration, choose Enable at the Access Proxy label.
  Note: Once the access proxy is enabled, a link to the access proxy will be available.
- On the Create access proxy page, choose the Proxy Instance Type and Proxy Instance Number.
- Under Public access proxy, select at least 2 subnets for Public Subnets. You can choose 2 public subnets named CLVPC/DefaultVPC/publicSubnetX, which are created by Centralized Logging with OpenSearch by default.
- Choose a Security Group of the Application Load Balancer in Public Security Group. You can choose a security group named ProxySecurityGroup, which is created by Centralized Logging with OpenSearch by default.
- Choose the NGINX Instance Key Name.
- Enter the Domain Name.
- Choose Load Balancer SSL Certificate associated with the domain name.
- Choose Create.
(Option 2) Using the CloudFormation stack
This automated AWS CloudFormation template deploys the Centralized Logging with OpenSearch - NGINX access proxy solution in the AWS Cloud.
- Log in to the AWS Management Console and select the button to launch the AWS CloudFormation template. You can also download the template as a starting point for your own implementation.
- To launch the stack in a different AWS Region, use the Region selector in the console navigation bar.
- On the Create stack page, verify that the correct template URL shows in the Amazon S3 URL text box and choose Next.
- On the Specify stack details page, assign a name to your stack.
- Under Parameters, review the parameters for the template and modify them as necessary. This solution uses the following parameters.
Parameter | Default | Description |
---|---|---|
VPCId | <Requires input> | The VPC to deploy the NGINX proxy resources, for example, vpc-bef13dc7. |
PublicSubnetIds | <Requires input> | The public subnets where Elastic Load Balancing is deployed. You must select at least two public subnets, for example, subnet-12345abc,subnet-54321cba. |
ELBSecurityGroupId | <Requires input> | The security group being associated with the Elastic Load Balancing, for example, sg-123456. |
ELBDomain | <Requires input> | The custom domain name of the Elastic Load Balancing, for example, dashboard.example.com. |
ELBDomainCertificateArn | <Requires input> | The SSL certificate ARN associated with the ELBDomain. The certificate must be created from ACM. |
PrivateSubnetIds | <Requires input> | The private subnets where NGINX instances are deployed. You must select at least two private subnets, for example, subnet-12345abc,subnet-54321cba. |
NginxSecurityGroupId | <Requires input> | The security group associated with the NGINX instances. The security group must allow access from Elastic Load Balancing security group. |
KeyName | <Requires input> | The PEM key name of the NGINX instances. |
EngineType | OpenSearch | The engine type of the OpenSearch. Select OpenSearch. |
Endpoint | <Requires input> | The OpenSearch endpoint, for example, vpc-your_opensearch_domain_name-xcvgw6uu2o6zafsiefxubwuohe.us-east-1.es.amazonaws.com. |
CognitoEndpoint | Optional input | The Amazon Cognito User Pool endpoint URL of the OpenSearch domain, for example, mydomain.auth.us-east-1.amazoncognito.com. Leave empty if your OpenSearch domain is not authenticated through Amazon Cognito User Pool. |
- Choose Next.
- On the Configure stack options page, choose Next.
- On the Review and create page, review and confirm the settings. Check the box acknowledging that the template creates IAM resources.
- Choose Submit to deploy the stack.
You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 15 minutes.
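A pre-flight check of the stack parameters before launch, as an added example that is not part of the solution's own code. It enforces the constraints stated in the parameter table (two subnets per tier, an ACM certificate ARN, NGINX security group ingress from the load balancer's group) on a security group dictionary in the shape EC2 DescribeSecurityGroups returns. The rule that the NGINX group must not be open to 0.0.0.0/0 or ::/0 is this example's own assumption, as are the function names and the constructed sample values.

```python
import re

# Parameter names come from the table above; the checks are this example's own.
ACM_ARN = re.compile(r"^arn:aws[a-z-]*:acm:[a-z0-9-]+:\d{12}:certificate/.+$")
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def sg_sources(group):
    """Return (source security group ids, source CIDRs) over all ingress rules."""
    sg_ids, cidrs = set(), set()
    for perm in group.get("IpPermissions", []):
        sg_ids |= {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
        cidrs |= {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    return sg_ids, cidrs

def preflight(params, nginx_group):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    for key in ("PublicSubnetIds", "PrivateSubnetIds"):
        subnets = {s.strip() for s in params.get(key, "").split(",") if s.strip()}
        if len(subnets) < 2:
            problems.append(f"{key}: need at least two distinct subnets")
    if not ACM_ARN.match(params.get("ELBDomainCertificateArn", "")):
        problems.append("ELBDomainCertificateArn: not an ACM certificate ARN")
    sg_ids, cidrs = sg_sources(nginx_group)
    if params.get("ELBSecurityGroupId") not in sg_ids:
        problems.append("NginxSecurityGroupId: no ingress from ELBSecurityGroupId")
    if cidrs & OPEN_CIDRS:
        problems.append("NginxSecurityGroupId: ingress open to the internet")
    return problems

# Constructed sample input: ids, account number, ARN and port are made up.
SAMPLE_PARAMS = {
    "PublicSubnetIds": "subnet-12345abc,subnet-54321cba",
    "PrivateSubnetIds": "subnet-12345abc",
    "ELBSecurityGroupId": "sg-123456",
    "NginxSecurityGroupId": "sg-654321",
    "ELBDomainCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE",
}
SAMPLE_NGINX_GROUP = {
    "GroupId": "sg-654321",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_PARAMS, SAMPLE_NGINX_GROUP):
        print("FAIL", problem)
```

The constructed sample fails three checks: a single private subnet, no ingress rule sourced from the load balancer's security group, and a rule open to 0.0.0.0/0.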
Recommended Proxy Configuration
The following table provides a list of recommended proxy configuration examples for different numbers of concurrent users. You can create a proxy according to your own use cases.
Number of Concurrent Users | Proxy Instance Type | Number of Proxy Instances |
---|---|---|
4 | t3.nano | 1 |
6 | t3.micro | 1 |
8 | t3.nano | 2 |
10 | t3.small | 1 |
12 | t3.micro | 2 |
20 | t3.small | 2 |
25 | t3.large | 1 |
50+ | t3.large | 2 |
Create an associated DNS record
After provisioning the proxy infrastructure, you must create an associated DNS record in your DNS resolver. The following steps show how to find the Application Load Balancer domain, and then create a CNAME record pointing to this domain.
- Log in to the Centralized Logging with OpenSearch console.
- In the navigation pane, under Domains, choose OpenSearch domains.
- Select the domain from the table.
- Choose the Access Proxy tab. You can see the Load Balancer Domain, which is the Application Load Balancer domain.
- Go to the DNS resolver, create a CNAME record pointing to this domain. If your domain is managed by Amazon Route 53, refer to Creating records by using the Amazon Route 53 console.
Access Amazon OpenSearch Service via proxy
After the DNS record takes effect, you can access the Amazon OpenSearch Service built-in dashboard from anywhere via proxy. You can enter the domain of the proxy in your browser, or choose the Link button under Access Proxy in the General Configuration section.
Delete a Proxy
- Log in to the Centralized Logging with OpenSearch console.
- In the navigation pane, under Domains, choose OpenSearch domains.
- Select the domain from the table.
- Choose the Access Proxy tab.
- Choose Delete.
- On the confirmation prompt, choose Delete.