OpenSearch/docs/en/security/securing-communications/separating-node-client-traf...

[[separating-node-client-traffic]]
=== Separating node-to-node and client traffic

Elasticsearch has the feature of so called {ref}/modules-transport.html#_tcp_transport_profiles[TCP transport profiles]
that allows it to bind to several ports and addresses. {security} extends on this
functionality to enhance the security of the cluster by enabling the separation
of node-to-node transport traffic from client transport traffic. This is important
if the client transport traffic is not trusted and could potentially be malicious.
To separate the node-to-node traffic from the client traffic, add the following
to `elasticsearch.yml`:

[source, yaml]
--------------------------------------------------
transport.profiles.client: <1>
  port: 9500-9600 <2>
  shield:
    type: client <3>
--------------------------------------------------
<1> `client` is the name of this example profile
<2> The port range that will be used by transport clients to communicate with
    this cluster
<3> Categorizes the profile as a `client`. This accounts for additional security
    filters by denying request attempts on for internal cluster operations
    (e.g shard level actions and ping requests) from this profile.

If supported by your environment, an internal network can be used for node-to-node
traffic and public network can be used for client traffic by adding the following
to `elasticsearch.yml`:

[source, yaml]
--------------------------------------------------
transport.profiles.default.bind_host: 10.0.0.1 <1>
transport.profiles.client.bind_host: 1.1.1.1 <2>
--------------------------------------------------
<1> The bind address for the network that will be used for node-to-node communication
<2> The bind address for the network used for client communication

If separate networks are not available, then <<ip-filtering, IP Filtering>> can
be enabled to limit access to the profiles.

The TCP transport profiles also allow for enabling SSL on a per profile basis.
This is useful if you have a secured network for the node-to-node communication,
but the client is on an unsecured network. To enable SSL on a client profile when
SSL is disabled for node-to-node communication, add the following to
`elasticsearch.yml`:

[source, yaml]
--------------------------------------------------
transport.profiles.client.xpack.security.ssl.enabled: true <1>
--------------------------------------------------
<1> This enables SSL on the client profile. The default value for this setting
    is the value of `xpack.security.transport.ssl.enabled`.

When using SSL for transport, a different set of certificates can also be used
for the client traffic by adding the following to `elasticsearch.yml`:

[source, yaml]
--------------------------------------------------
transport.profiles.client.xpack.security.ssl.truststore:
  path: /path/to/another/truststore
  password: changeme

transport.profiles.client.xpack.security.ssl.keystore:
  path: /path/to/another/keystore
  password: changeme
--------------------------------------------------

To change the default behavior that requires certificates for transport clients,
set the following value in the `elasticsearch.yml` file:

[source, yaml]
--------------------------------------------------
transport.profiles.client.xpack.security.ssl.client_authentication: no
--------------------------------------------------

This setting keeps certificate authentication active for node-to-node traffic,
but removes the requirement to distribute a signed certificate to transport
clients. Please see the <<transport-client, Transport Client>> section.
[DOCS] Migrated security topics from x-pack repo to x-pack-elasticsearch. Original commit: elastic/x-pack-elasticsearch@e54aa1fd0a2f0e60013d7e427329e4408fa578fe 2017-04-06 21:29:29 -04:00			`[[separating-node-client-traffic]]`
			`=== Separating node-to-node and client traffic`

			`Elasticsearch has the feature of so called {ref}/modules-transport.html#_tcp_transport_profiles[TCP transport profiles]`
			`that allows it to bind to several ports and addresses. {security} extends on this`
			`functionality to enhance the security of the cluster by enabling the separation`
			`of node-to-node transport traffic from client transport traffic. This is important`
			`if the client transport traffic is not trusted and could potentially be malicious.`
			`To separate the node-to-node traffic from the client traffic, add the following`
			to `elasticsearch.yml`:

			`[source, yaml]`
			`--------------------------------------------------`
			`transport.profiles.client: <1>`
			`port: 9500-9600 <2>`
			`shield:`
			`type: client <3>`
			`--------------------------------------------------`
			<1> `client` is the name of this example profile
			`<2> The port range that will be used by transport clients to communicate with`
			`this cluster`
			<3> Categorizes the profile as a `client`. This accounts for additional security
			`filters by denying request attempts on for internal cluster operations`
			`(e.g shard level actions and ping requests) from this profile.`

			`If supported by your environment, an internal network can be used for node-to-node`
			`traffic and public network can be used for client traffic by adding the following`
			to `elasticsearch.yml`:

			`[source, yaml]`
			`--------------------------------------------------`
			`transport.profiles.default.bind_host: 10.0.0.1 <1>`
			`transport.profiles.client.bind_host: 1.1.1.1 <2>`
			`--------------------------------------------------`
			`<1> The bind address for the network that will be used for node-to-node communication`
			`<2> The bind address for the network used for client communication`

			`If separate networks are not available, then <<ip-filtering, IP Filtering>> can`
			`be enabled to limit access to the profiles.`

			`The TCP transport profiles also allow for enabling SSL on a per profile basis.`
			`This is useful if you have a secured network for the node-to-node communication,`
			`but the client is on an unsecured network. To enable SSL on a client profile when`
			`SSL is disabled for node-to-node communication, add the following to`
			`elasticsearch.yml`:

			`[source, yaml]`
			`--------------------------------------------------`
			`transport.profiles.client.xpack.security.ssl.enabled: true <1>`
			`--------------------------------------------------`
			`<1> This enables SSL on the client profile. The default value for this setting`
			is the value of `xpack.security.transport.ssl.enabled`.

			`When using SSL for transport, a different set of certificates can also be used`
			for the client traffic by adding the following to `elasticsearch.yml`:

			`[source, yaml]`
			`--------------------------------------------------`
			`transport.profiles.client.xpack.security.ssl.truststore:`
			`path: /path/to/another/truststore`
			`password: changeme`

			`transport.profiles.client.xpack.security.ssl.keystore:`
			`path: /path/to/another/keystore`
			`password: changeme`
			`--------------------------------------------------`

			`To change the default behavior that requires certificates for transport clients,`
			set the following value in the `elasticsearch.yml` file:

			`[source, yaml]`
			`--------------------------------------------------`
			`transport.profiles.client.xpack.security.ssl.client_authentication: no`
			`--------------------------------------------------`

			`This setting keeps certificate authentication active for node-to-node traffic,`
			`but removes the requirement to distribute a signed certificate to transport`
			`clients. Please see the <<transport-client, Transport Client>> section.`