How do I set up an OpenSearch Serverless collection with an Amazon VPC endpoint and access the collection's dashboard?
I want to set up an Amazon OpenSearch Serverless collection with an Amazon Virtual Private Cloud (Amazon VPC) endpoint and access the collection's dashboard.
Short description
To create a private connection between your Amazon VPC and your OpenSearch Serverless collection, complete the following tasks:
- Set up a VPC with a VPC endpoint.
- Configure network and data access policies.
- Grant IAM permissions.
To access OpenSearch Dashboards, connect from within the same VPC and authenticate with IAM or SAML.
Resolution
Create an Amazon VPC, subnet, and related resources
To create an Amazon VPC and associated resources, complete the following steps:
- Open the Amazon VPC console.
- Create an Amazon VPC.
Note: For DNS Settings, select Enable DNS resolution and Enable DNS hostnames. The VPC endpoint requires both DNS settings to resolve correctly.
- (Optional) If your Amazon Elastic Compute Cloud (Amazon EC2) instance requires internet access for IAM-based Dashboards authentication, then add internet access to a subnet. The VPC endpoint doesn't require this to function.
- In your Amazon VPC, create a subnet.
- (Optional) If you created an internet gateway in step 3, then add a route for 0.0.0.0/0 to the internet gateway.
Note: Add this route in the route table associated with your subnet.
- Create a security group for your Amazon VPC.
- Add an inbound rule to your security group. Allow HTTPS on port 443 from the CIDR range or security groups of resources that need access to the collection.
Important: For production environments, restrict inbound rules to only the IP addresses or security groups that require access. Avoid using 0.0.0.0/0. For more information, see Data plane access through AWS PrivateLink.
Create an OpenSearch Serverless collection
Complete the following steps:
- Open the OpenSearch Service console.
- In the navigation pane, under Serverless, choose Collections, and then choose Create collection.
- For Collection name, enter a name for your collection.
- (Optional) For Description, enter a description for your collection.
- For Collection type, choose your collection type.
- For Collection creation method, choose Standard create.
Note: Use this method to configure encryption, network, and data access policies during the collection creation workflow.
- Under Network access settings, for Access type, choose Private (recommended).
- Choose VPC endpoints for access, and then choose your VPC endpoint or enter your VPC endpoint ID.
Note: When you create the collection with VPC access through the console, the console automatically creates a network policy. This policy grants your VPC endpoint access to the collection. If you use the AWS CLI or API to create collections, then you must create a network policy separately.
- Under Configure data access, choose Create as a new data access policy.
- For Access policy name, enter a name for your data access policy.
- Use the Visual editor or JSON to define rules that grant permissions to the roles, users, or groups that need access to your collection. For more information, see Creating data access policies.
- Choose Create collection.
Note: If you use the AWS CLI or API to create collections, then you must also create an encryption policy. The resource pattern must match your collection name before you call CreateCollection. The console handles this automatically during the Standard create workflow.
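If you create the collection with the AWS CLI rather than the console, the encryption, network, and data access policies that the notes above mention must exist first. The script below is an added example, not part of the original article or of AWS's own tooling; the collection name, VPC endpoint ID, and principal ARN are assumed placeholders that you replace with your own values.

```shell
#!/bin/sh
# Added example, not from the original article. Creates the three policies the console
# would create for you in the Standard create workflow, then the collection itself.
set -eu

COLLECTION="${COLLECTION:-demo-logs}"                       # assumed collection name
VPCE_ID="${VPCE_ID:-vpce-0123456789abcdef0}"                # placeholder VPC endpoint ID
PRINCIPAL="${PRINCIPAL:-arn:aws:iam::111122223333:role/DashboardsRole}"  # placeholder

# Encryption policy: its resource pattern must match the collection name,
# otherwise CreateCollection fails. Uses the AWS owned key.
encryption_policy() {
  printf '{"Rules":[{"ResourceType":"collection","Resource":["collection/%s"]}],"AWSOwnedKey":true}' "$1"
}

# Network policy: no public access; both the collection endpoint and Dashboards
# are reachable only through the listed VPC endpoint.
network_policy() {
  printf '[{"Description":"VPC endpoint only","Rules":[{"ResourceType":"collection","Resource":["collection/%s"]},{"ResourceType":"dashboard","Resource":["collection/%s"]}],"AllowFromPublic":false,"SourceVPCEs":["%s"]}]' "$1" "$1" "$2"
}

# Data access policy: lets one principal describe the collection and read/write documents
# in its indexes. The same principal also needs the IAM permissions from the next section.
data_access_policy() {
  printf '[{"Rules":[{"ResourceType":"collection","Resource":["collection/%s"],"Permission":["aoss:DescribeCollectionItems"]},{"ResourceType":"index","Resource":["index/%s/*"],"Permission":["aoss:ReadDocument","aoss:WriteDocument"]}],"Principal":["%s"]}]' "$1" "$1" "$2"
}

# Collection and policy names: 3-32 chars, lowercase letters, digits and hyphens, starting with a letter.
valid_name() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{2,31}$'
}

valid_name "$COLLECTION" || { echo "invalid collection name: $COLLECTION" >&2; exit 1; }

if [ "${APPLY:-0}" = "1" ]; then
  # Policies first, collection last; the CLI does not register the VPC endpoint for you.
  aws opensearchserverless create-security-policy --name "${COLLECTION}-enc" --type encryption \
    --policy "$(encryption_policy "$COLLECTION")"
  aws opensearchserverless create-security-policy --name "${COLLECTION}-net" --type network \
    --policy "$(network_policy "$COLLECTION" "$VPCE_ID")"
  aws opensearchserverless create-access-policy --name "${COLLECTION}-data" --type data \
    --policy "$(data_access_policy "$COLLECTION" "$PRINCIPAL")"
  aws opensearchserverless create-collection --name "$COLLECTION" --type SEARCH
else
  # Dry run (default): print the documents so they can be reviewed before APPLY=1.
  printf 'encryption: %s\n' "$(encryption_policy "$COLLECTION")"
  printf 'network:    %s\n' "$(network_policy "$COLLECTION" "$VPCE_ID")"
  printf 'data:       %s\n' "$(data_access_policy "$COLLECTION" "$PRINCIPAL")"
fi
```

Run it once as-is to review the generated policy documents, then with APPLY=1 to create the policies and the collection.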
Grant IAM permissions
You must grant IAM permissions to the same principals that you specified in your collection's data access policy. Only IAM or SAML identities can access OpenSearch Dashboards.
The following sample policy lists the required permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenSearchServerlessAPIAccess",
      "Effect": "Allow",
      "Action": "aoss:APIAccessAll",
      "Resource": "arn:aws:aoss:REGION:ACCOUNT-ID:collection/COLLECTION-ID"
    },
    {
      "Sid": "OpenSearchServerlessDashboardAccess",
      "Effect": "Allow",
      "Action": "aoss:DashboardsAccessAll",
      "Resource": "arn:aws:aoss:REGION:ACCOUNT-ID:dashboards/default"
    }
  ]
}
Note: Replace REGION with your AWS Region, ACCOUNT-ID with your AWS account ID, and COLLECTION-ID with your collection ID.
You can also grant permissions for specific actions related to OpenSearch Dashboards. For more information, see Identity-based policy examples for OpenSearch Serverless.
If you use SAML authentication for OpenSearch Serverless, then use your existing identity provider for single sign-on (SSO) access to OpenSearch endpoints.
Access the collection's dashboard
To access the collection's dashboard, you must create an EC2 instance in your Amazon VPC.
Complete the following steps:
- Create an EC2 instance in the same Amazon VPC that you used to create the endpoint for your collection.
- Open the Amazon VPC console.
- In the navigation pane, choose Security Groups.
- Choose the security group associated with your VPC endpoint.
- Choose the Actions dropdown list, and then choose Edit inbound rules.
- Choose Add rule.
- For Type, choose HTTPS.
- For Source, enter the security group ID attached to your Amazon EC2 instance.
- Choose Save rules.
- In your instance, open a browser. Based on your authentication type, take the following actions:
For IAM authentication, sign in to the AWS Management Console as your IAM identity. Then, open the Amazon OpenSearch Service console, choose your collection, and then choose the Dashboards URL.
For SAML authentication, open the collection's OpenSearch Dashboards URL directly. Your browser redirects you to your identity provider for authentication.
Use alternative access methods
To access OpenSearch Dashboards without opening a browser on an EC2 instance, use one of the following methods:
- AWS Systems Manager Session Manager port forwarding: Forward port 443 from an EC2 instance in the VPC to your local machine. Then, access Dashboards in your local browser. For more information, see Starting a session (port forwarding).
- AWS Client VPN: Create a Client VPN endpoint associated with your VPC to access Dashboards directly from your workstation.
- AWS Direct Connect or Site-to-Site VPN: If your on-premises network connects to the VPC, then access Dashboards directly. You need a DNS resolver that can resolve the VPC endpoint's private hosted zone. For more information, see Forwarding inbound DNS queries to your VPCs.
Note: If you're on-premises, outside of your VPC, then your on-premises DNS resolver can't resolve the OpenSearch Serverless VPC endpoint's private name directly. Route 53 Resolver provides an inbound endpoint option that lets your on-premises network forward those DNS queries to your VPC.
Related information
Access Amazon OpenSearch Serverless collections using a VPC endpoint
Data access policies versus IAM policies
How do I troubleshoot OpenSearch Serverless Dashboards access errors?
This article was reviewed and updated on 2026-05-29.