How to create a private Amazon OpenSearch Serverless collection in shared VPC subnets

2 minute read
Content level: Intermediate

If you are working in an account where your VPC subnets are shared from another account, you will need to follow the steps outlined in this article in order to be able to create a private OpenSearch Serverless collection in your account.

Solution Diagram


Instructions

The instructions assume you already created and shared the VPC subnets using Resource Access Manager (RAM) from the Network Account to the Workload Account.

In the Network Account

  1. Create a security group with an inbound rule that allows HTTPS (TCP 443) inbound traffic from the IP address ranges expected to communicate with the OpenSearch service (e.g., the entire VPC CIDR). Note: you cannot use the default security group with its default configuration because it allows inbound traffic only from resources that have the same security group associated with them, and this security group cannot be assigned to resources in the shared account. See more details in the Security groups section in the following link.

Create security group

  2. From the Amazon OpenSearch Service console create a VPC endpoint. Select the VPC and subnets being shared with the Workload Account and the security group created in the previous step.

Create VPC endpoint

  3. Wait for the VPC endpoint status to become active and copy the Endpoint ID to your clipboard (you will need it in a later step).

Copy VPC endpoint ID

In the Workload Account

  1. From the Amazon OpenSearch Service console create a new Serverless Collection.

Create Serverless Collection

  2. In the Configure collection settings dialog under the Security section select Standard create.

Security

  3. In the Configure collection settings dialog under Network access settings -> Access type select Private (recommended), select the VPC endpoints for access checkbox and fill in VPCe id = <VPC_ENDPOINT_ID> with the value you copied earlier. Note: the value will not auto-populate because the endpoint was not created within this account.

Network access settings

  4. Fill in the other parameters as needed and submit the Serverless collection creation.
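The same two-account procedure, driven from the AWS CLI instead of the console, as an added example that is not part of the original article. It assumes two CLI profiles (`network-account` and `workload-account`), and every VPC, subnet, CIDR and collection name shown is a placeholder to replace with your own values; the AWS calls only execute when `RUN_AWS=1` is set, so the policy documents can be inspected first.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Placeholders: the profiles,
# VPC/subnet IDs, CIDR and collection name below are assumed values.
set -eu

NETWORK_PROFILE="${NETWORK_PROFILE:-network-account}"    # CLI profile, Network Account
WORKLOAD_PROFILE="${WORKLOAD_PROFILE:-workload-account}" # CLI profile, Workload Account
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"                # shared VPC (placeholder)
SUBNET_IDS="${SUBNET_IDS:-subnet-0aaa subnet-0bbb}"      # shared subnets (placeholders)
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"                      # callers allowed to reach the endpoint
COLLECTION="${COLLECTION:-shared-subnet-collection}"     # collection name (placeholder)

# Network policy document: no public access, reachable only through one VPC endpoint.
# Kept as a pure function so the JSON can be reviewed before anything is created.
build_network_policy() {
  collection="$1"; vpce_id="$2"
  printf '[{"Rules":[{"ResourceType":"collection","Resource":["collection/%s"]},{"ResourceType":"dashboard","Resource":["collection/%s"]}],"AllowFromPublic":false,"SourceVPCEs":["%s"]}]' \
    "$collection" "$collection" "$vpce_id"
}

# Encryption policy with the AWS-owned key; a collection cannot be created without one.
build_encryption_policy() {
  collection="$1"
  printf '{"Rules":[{"ResourceType":"collection","Resource":["collection/%s"]}],"AWSOwnedKey":true}' \
    "$collection"
}

# Network Account: security group allowing HTTPS from the VPC CIDR (not the default
# SG's self-referencing rule), then the OpenSearch Serverless VPC endpoint in the
# shared subnets. Waits for ACTIVE and prints the endpoint ID.
create_endpoint_in_network_account() {
  status=""
  sg_id=$(aws ec2 create-security-group --profile "$NETWORK_PROFILE" \
    --group-name aoss-vpce-sg --description "HTTPS to OpenSearch Serverless endpoint" \
    --vpc-id "$VPC_ID" --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --profile "$NETWORK_PROFILE" \
    --group-id "$sg_id" --protocol tcp --port 443 --cidr "$VPC_CIDR" >/dev/null
  # SUBNET_IDS is intentionally unquoted so each subnet becomes its own argument.
  vpce_id=$(aws opensearchserverless create-vpc-endpoint --profile "$NETWORK_PROFILE" \
    --name aoss-shared-vpce --vpc-id "$VPC_ID" --subnet-ids $SUBNET_IDS \
    --security-group-ids "$sg_id" \
    --query createVpcEndpointDetail.id --output text)
  until [ "$status" = "ACTIVE" ]; do
    sleep 15
    status=$(aws opensearchserverless batch-get-vpc-endpoint --profile "$NETWORK_PROFILE" \
      --ids "$vpce_id" --query 'vpcEndpointDetails[0].status' --output text)
  done
  echo "$vpce_id"
}

# Workload Account: encryption policy, then a network policy that pins access to the
# foreign endpoint ID (which the console cannot auto-populate), then the collection.
create_collection_in_workload_account() {
  vpce_id="$1"
  aws opensearchserverless create-security-policy --profile "$WORKLOAD_PROFILE" \
    --name "${COLLECTION}-enc" --type encryption \
    --policy "$(build_encryption_policy "$COLLECTION")" >/dev/null
  aws opensearchserverless create-security-policy --profile "$WORKLOAD_PROFILE" \
    --name "${COLLECTION}-net" --type network \
    --policy "$(build_network_policy "$COLLECTION" "$vpce_id")" >/dev/null
  aws opensearchserverless create-collection --profile "$WORKLOAD_PROFILE" \
    --name "$COLLECTION" --type SEARCH \
    --query createCollectionDetail.id --output text
}

# Only touch AWS when explicitly asked: RUN_AWS=1 ./create-private-aoss.sh
if [ "${RUN_AWS:-0}" = "1" ]; then
  VPCE_ID=$(create_endpoint_in_network_account)
  create_collection_in_workload_account "$VPCE_ID"
fi
```

The network policy's `SourceVPCEs` entry is what the console's "VPCe id" field maps to; because the endpoint belongs to the Network Account, it has to be supplied as a literal ID rather than chosen from a list, in the CLI as in the console.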

Congratulations! You now have a private Amazon OpenSearch Serverless collection running in a shared subnet.

This article was co-authored with Victor Feinman, Sr. Solutions Architect at AWS