Tags: elasticsearch, network-programming, google-cloud-platform, elastic-cloud

Mismatched IP address with Private Service Connect, Google Cloud Platform and Elastic Cloud


I am setting up a GCP private service connect with Elastic Cloud and I have followed the instructions from this page:

  1. https://www.elastic.co/guide/en/cloud/current/ec-traffic-filtering-psc.html

So I have set up Private Service Connect at GCP and created a DNS zone with an A record pointing to the same IP address as the one given by the Private Service Connect endpoint. I have created a traffic filter in Elastic Cloud with the same PSC ID that was generated at GCP, and after that I added this traffic filter to the security settings of one of the Elasticsearch deployments.

In the documentation I have linked above, Elastic mentions the following part:

To access your Elasticsearch cluster over Private Link, use the following URL structure: https://{elasticsearch_cluster_ID}.{private_hosted_zone_domain_name}:9243

For example:

https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.cloud.es.io:9243

You can test the Google Cloud console part of the setup with the following command (substitute the region and Elasticsearch ID with your cluster):

$ curl -v https://6b111580caaa4a9e84b18ec7c600155e.psc.asia-southeast1.gcp.cloud.es.io:9243
..
*   Trying 192.168.100.2...
..
< HTTP/2 403
..
{"ok":false,"message":"Forbidden"}

Check the IP address 192.168.100.2; it should be the same as the IP address assigned to your Private Service Connect endpoint.

The connection is established, and a valid certificate is presented to the client. The 403 Forbidden is expected, you haven’t associated any deployment with the Private Service Connect endpoint yet.

I have done this part and I am getting a similar message to the curl response above. However, the IP address in the curl response in my terminal is different: it is not the same as the IP address assigned to my Private Service Connect endpoint.

I am not able to share screenshots of the configuration, as they contain either the PSC ID or IP addresses that I am not allowed to share outside of the company. But the configuration is exactly the same as described in the tutorial I linked above.

Any idea what could be the cause of this mismatch? Or has someone else had a similar issue?


Solution

  • Most probably the issue is with the DNS record. You can verify it with the cloud shell command:

    gcloud dns record-sets list --zone=<your-dns-zone-name>
    

    Confirm that you have a record pointing to your Private Service Connect endpoint IP address:

    NAME: *.psc.us-east1.gcp.elastic-cloud.com.
    TYPE: A
    TTL: 300
    DATA: <endpoint-ip-address>
    

    Make sure you have the correct Private Zone DNS name for your region.
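An added check, as example code that is not part of the answer above and not from Elastic or Google: a small Python script that parses the vertical `KEY: value` layout of `gcloud dns record-sets list` shown in the answer, confirms that the wildcard A record for the private zone points at the PSC endpoint IP, and then compares what the cluster hostname actually resolves to (the address curl prints in its `Trying ...` line) against that same IP, which is exactly the mismatch the question describes. The zone domain, hostname and IP values below are constructed placeholders, and the `gcloud` output is a constructed sample in the layout the answer shows; the real zone domain for a region has to be taken from the Elastic documentation.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample of `gcloud dns record-sets list --zone=...` output in the
# vertical "KEY: value" layout the answer shows. Not output from any real zone.
# It contains the correct wildcard record for us-east1 plus a stale record for
# a different region, the kind of leftover that produces a wrong address.
SAMPLE_RECORD_SETS = """\
NAME: psc.us-east1.gcp.elastic-cloud.com.
TYPE: NS
TTL: 21600
DATA: ns-private.example.invalid.

NAME: *.psc.us-east1.gcp.elastic-cloud.com.
TYPE: A
TTL: 300
DATA: 10.20.30.40

NAME: *.psc.asia-southeast1.gcp.elastic-cloud.com.
TYPE: A
TTL: 300
DATA: 10.20.30.99
"""


def parse_record_sets(text: str) -> List[Dict[str, str]]:
    """Split the vertical gcloud listing into one dict per record set.

    Records are separated by blank lines; each line is "KEY: value". Only the
    first colon is treated as the separator so IPv6 data survives intact.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().upper()] = value.strip()
    if current:
        records.append(current)
    return records


def find_wildcard_a_record(records: List[Dict[str, str]], zone_domain: str) -> Optional[Dict[str, str]]:
    """Return the '*.<zone>.' A record, or None if the zone has no such record."""
    wanted = "*." + zone_domain.rstrip(".") + "."
    for rec in records:
        if rec.get("TYPE") == "A" and rec.get("NAME") == wanted:
            return rec
    return None


def check_psc_record(listing: str, zone_domain: str, endpoint_ip: str) -> List[str]:
    """Return a list of problems with the DNS side of the setup (empty = looks right)."""
    problems: List[str] = []
    rec = find_wildcard_a_record(parse_record_sets(listing), zone_domain)
    if rec is None:
        problems.append("no wildcard A record for *." + zone_domain.rstrip("."))
        return problems
    if rec.get("DATA") != endpoint_ip:
        problems.append("A record points to %s, expected %s" % (rec.get("DATA"), endpoint_ip))
    return problems


def check_resolution(hostname: str, endpoint_ip: str,
                     resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Resolve the cluster hostname the way curl would and compare with the PSC IP.

    `resolve` is injectable so the check can be exercised without network access;
    by default it uses the system resolver, i.e. the same path curl takes.
    """
    return resolve(hostname) == endpoint_ip


if __name__ == "__main__":
    zone = "psc.us-east1.gcp.elastic-cloud.com"   # placeholder zone domain
    psc_ip = "10.20.30.40"                        # placeholder PSC endpoint IP
    for problem in check_psc_record(SAMPLE_RECORD_SETS, zone, psc_ip) or ["DNS record OK"]:
        print(problem)
    # Against a real deployment the hostname would be <cluster-id>.<zone>; the
    # placeholder below will not resolve, so the lookup is wrapped.
    try:
        print("resolves to PSC IP:", check_resolution("cluster-id." + zone, psc_ip))
    except socket.gaierror as err:
        print("hostname did not resolve:", err)
```

Run it from the same VPC (or Cloud Shell attached to it) after pasting the real `gcloud dns record-sets list` output into `SAMPLE_RECORD_SETS` and setting the zone domain and endpoint IP for your region. Two outcomes matter: if `check_psc_record` reports a problem, the zone is missing or mis-pointed, which is the answer's diagnosis; if the record is correct but `check_resolution` is still false, the client is not resolving through that private zone at all (wrong region zone name, the zone not attached to the VPC the client sits in, or a public answer for the same name winning), so the fix is on the resolver side rather than in the record.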