How do I set up an OpenSearch Serverless collection with an Amazon VPC endpoint and access the collection's dashboard?

4 minute read

I want to set up an Amazon OpenSearch Serverless collection with an Amazon Virtual Private Cloud (Amazon VPC) endpoint and access the collection's dashboard.

Short description

To create a private connection between your Amazon VPC and your OpenSearch Serverless collection, set up an Amazon VPC with network access to your collection.

To view and manage your data, access OpenSearch Dashboards based on your authentication type.

Resolution

Set up an OpenSearch Serverless collection with Amazon VPC network access

To create an OpenSearch Serverless collection with Amazon VPC network access, complete the following steps.

Create an Amazon VPC, subnet, and related resources

To create an Amazon VPC and associated resources, complete the following steps:

Open the Amazon VPC console.
Create an Amazon VPC. Use the following settings:
For DNS Settings, select Enable DNS resolutionInfo and Enable DNS hostnamesInfo.
Create an internet gateway, and then attach it to your Amazon VPC.
In your Amazon VPC, create a subnet.
In the route table that's associated with your subnet, add a route for all traffic (0.0.0.0/0) to go through your internet gateway.
Create a security group for your Amazon VPC.
Add an ingress rule to your security group that allows all inbound traffic (0.0.0.0/0).
Note: To allow only certain IP addresses or resources in your Amazon VPC, modify the inbound rules for your use case.

Create OpenSearch Serverless collection with an Amazon VPC endpoint

To create an OpenSearch Serverless collection, complete the following steps:

Open the Amazon OpenSearch console, and then choose Collections.
Choose Create collection.
Enter your Collection name, Description, and Collection type.
For Security, choose Standard Create.
For Network access settings, choose VPC (recommended).
Choose Create VPC endpoints, and then choose your Amazon VPC, subnet, and security group.
Under Resource type, select Enable access to OpenSearch endpoint and OpenSearch Dashboards.
Choose Next.
In Configure data access, grant permission to roles, users, and groups who can access the OpenSearch Serverless collection. For more information, see Creating data access policies (console).
Choose Next, and then provide a Name for your data access policy.
Review your configuration, and then choose Submit.

Grant IAM permissions

You must grant additional AWS Identity and Access Management (IAM) permissions to the principals that you granted permissions to in your collection's data access policy. The principals require these permissions to access the data plane APIs and OpenSearch Dashboards. Only IAM or SAML identities can access OpenSearch Dashboards.

The following sample policy lists the required permissions:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "aoss:APIAccessAll",
        "Resource": "arn:aws:aoss:region:account-id:collection/collection-id"
    },
    {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": "aoss:DashboardsAccessAll",
        "Resource": "arn:aws:aoss:region:account-id:dashboards/default"
    }
    ]
}

You can also grant permissions for specific actions that are related to OpenSearch Dashboards. For more information, see Identity-based policy examples for OpenSearch Serverless.

If you use SAML authentication for OpenSearch Serverless, then you can use your existing identity provider for single sign-on (SSO) access to OpenSearch endpoints.

Access the collection's dashboard

To access the collection's dashboard, complete the following steps to create an Amazon Elastic Compute Cloud (Amazon EC2) instance in your Amazon VPC:

Create an EC2 instance in the same Amazon VPC that you used to create the endpoint for your collection.
In the AWS Management Console, navigate to VPC, and then choose Security Groups.
In the inbound rule of the security group that's associated with the endpoint, allow the security group that's attached to your Amazon EC2 instance.
Launch the EC2 instance.
In the instance, open a browser. Then, complete the following steps depending on your authentication type:
For IAM authentication, sign in to the AWS Management Console as your IAM identity. Then, choose OpenSearch Dashboards URL from the Amazon OpenSearch console.
-or-
For SAML authentication, open the OpenSearch endpoint to be redirected to provide your authentication details.

Related information

Access Amazon OpenSearch Serverless collections using a VPC endpoint

Access Amazon OpenSearch Serverless using an interface endpoint (AWS PrivateLink)

Data access policies versus IAM policies

Topics

Analytics Database

Relevant content

Cannot create Serverless Collection
Cookie
asked 8 months ago
401 AuthenticationException when trying to call API endpoints of OpenSearch Serverless collection from within a VPC
Accepted Answer
maodag
asked a year ago
Zero-ETL OpenSearch Serverless Collection Endpoint hosts
pabs
asked 4 months ago
Getting a 401 when trying to access OpenSearch serverless dashboard
flyingalphaunicorn
asked a year ago
Is it possible to allow a VPC in one AWS account to access an opensearch serverless collection in a different AWS account?
rePost-User-2237608
asked a year ago
How can I use an SSH tunnel to access OpenSearch Dashboards from outside of a VPC with Amazon Cognito authentication?
AWS OFFICIALUpdated a year ago
How do I use an NGINX proxy to access OpenSearch Dashboards from outside a VPC that's using Amazon Cognito authentication?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot connectivity issues between an interface Amazon VPC endpoint and an endpoint service?
AWS OFFICIALUpdated 6 months ago
How can I set up a private network connection between a file gateway and Amazon S3?
AWS OFFICIALUpdated 2 years ago
Secure way to set up IPsec VPN between IBM Cloud and an AWS-managed VPN endpoint with static routing
EXPERT
Vinay Gugueoth
published 6 months ago