VPC Endpoint Service

The VPC endpoint service allows you to access the cluster through a private domain name. When the VPC endpoint service is enabled, the system creates a VPC endpoint for you by default. To create a VPC endpoint, you must have the required permissions. For details, see .


The public IP address access and VPC endpoint service share a load balancer. If you have configured a public access whitelist, public and private IP addresses that access the cluster through VPCEP are restricted because the public IP address access shares the load balancer with the VPC endpoint service. In this case, you need to add IP address to the public access whitelist to allow traffic through VPCEP.

Enabling the VPC Endpoint Service

  1. Log in to the CSS management console.

  2. On the Create Cluster page, set Advanced Settings to Custom. Enable the VPC endpoint service.

    • Private Domain Name Creation: If you enable this function, the system automatically creates a private domain name for you, which you can use to access the cluster.

    • VPC Endpoint Service Whitelist: You can add an authorized account ID to the VPC endpoint service whitelist. Then you can access the cluster using the domain name or the node IP address.

      Click image1 to add multiple accounts. You can also click Delete in the Operation column to delete accounts.


    • If the authorization account ID is set to *, all users are allowed to access the cluster.

    • You can view authorized account IDs on the My Credentials page.

    • After the VPC endpoint service is enabled for a cluster, you will be billed per use. For more information, see .

Managing VPC Endpoint Service

You can enable the VPC endpoint service while creating a cluster, and also enable it by performing the following steps after cluster creation.

  1. Log in to the CSS management console.

  2. On the Clusters page, click the name of the target cluster.

  3. Click the VPC Endpoint Service tab, and turn on the button next to VPC Endpoint Service.

    image2 indicates disabling the VPC endpoint service and image3 indicates enabling the VPC endpoint service.

    In the displayed dialog box, you can determine whether to enable the private domain name. After a private domain name is created, you can access the cluster using the private domain name.


  4. Click Yes to enable the VPC endpoint service.

  5. (Optional) Click Update next to VPC Endpoint Service Whitelist to update the existing whitelist.

  6. Manage connections of the VPC endpoint.

    The VPC Endpoint Service page displays all VPC endpoints connected to the current VPC endpoint service. You can accept or reject the connection with these endpoints. If you reject the connection with a VPC endpoint, you cannot access the cluster through the private domain name generated by the VPC endpoint.

Accessing the Cluster Using the Private Domain Name or Node IP Address

  1. Obtain the private domain name or node IP address.

    • Current user

      Log in to the CSS console, click the target cluster name and go to the Basic Information page. Click the VPC Endpoint Service tab and view the private domain name.

    • Other users

      If you have applied for the VPC endpoint service, log in to the and click the target ID to go to the Summary page and view the private domain name.

  2. Run the cURL command to execute the API or call the API by using a program before accessing the cluster. For details about Elasticsearch operations and APIs, see the Elasticsearch Reference.

    The ECS must meet the following requirements:

    • Sufficient disk space is allocated for the ECS.

    • The ECS and the cluster must be in the same VPC. After enabling the VPC endpoint service, you can access the cluster from the ECS even when the cluster is not in the same VPC as the ECS.

    • The security group of the ECS must be the same as that of the cluster.

      If this requirement is not met, modify the ECS security group or configure the inbound and outbound rules of the ECS security group to allow the ECS security group to be accessed by all security groups of the cluster. For details, see Configuring Security Group Rules.

    • Configure security group rule settings of the target CSS cluster. Set Protocol to TCP and Port Range to 9200 or a port range including port 9200 for both the outbound and inbound directions.

    • If the cluster does not have the security mode enabled, run the following command:

      curl 'http://vpcep-7439f7f6-2c66-47d4-b5f3-790db4204b8d.region01.xxxx.com:9200/_cat/indices'
    • If the cluster you access has the security mode enabled, access the cluster using HTTPS and add the username, password and -u to the cURL command.