My Amazon OpenSearch Service cluster is in a virtual private cloud (VPC). I want to access the OpenSearch Dashboards endpoint from outside the VPC.
Resolution
To access OpenSearch Dashboards from outside the VPC, use an SSH tunnel, an NGINX reverse proxy, or AWS Site-to-Site VPN. All three options put the client's traffic onto the VPC; the security groups on the domain still decide what that traffic is allowed to reach.
Use an SSH tunnel
An SSH tunnel carries the Dashboards traffic inside an encrypted SSH session, so the only port that must be reachable from the client is the SSH port (22). However, an SSH tunnel requires a client-side configuration and a bastion host in the VPC that can reach the domain endpoint on port 443.
For more information, see How can I use an SSH tunnel to access OpenSearch Dashboards from outside of a VPC with Amazon Cognito authentication?
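The following script is an added example, not code from the AWS article it links to. It opens the tunnel from a workstation through a bastion EC2 instance in the VPC and handles the detail that trips up most people with Amazon Cognito authentication: after login, Cognito redirects the browser to https://<domain endpoint>/_dashboards, so the tunnel has to listen on local port 443 and the domain hostname has to resolve to 127.0.0.1 on the workstation. The domain endpoint, bastion address and key path are placeholders.

```shell
#!/bin/sh
# Added example (not from the AWS article): SSH tunnel to a VPC-only
# OpenSearch Dashboards endpoint. All names below are placeholders.
DOMAIN_ENDPOINT=${DOMAIN_ENDPOINT:-vpc-my-domain-abc123.us-east-1.es.amazonaws.com}
BASTION=${BASTION:-ec2-user@203.0.113.10}   # EC2 host in the VPC; its SG allows 22 from you,
SSH_KEY=${SSH_KEY:-$HOME/.ssh/bastion.pem}  # and the domain's SG allows 443 from the bastion.

# The tunnel listens on local port 443 and the domain hostname must resolve to
# 127.0.0.1: Cognito's post-login redirect goes to https://<DOMAIN_ENDPOINT>/_dashboards
# and that URL has to land on the tunnel, not on the (unreachable) VPC address.
# tunnel_command DOMAIN_ENDPOINT BASTION SSH_KEY -> prints the ssh command line
tunnel_command() {
  printf 'ssh -i %s -N -L 127.0.0.1:443:%s:443 %s\n' "$3" "$1" "$2"
}

# hosts_line HOSTNAME -> the /etc/hosts entry that points the domain at the tunnel
hosts_line() { printf '127.0.0.1 %s\n' "$1"; }

# ensure_hosts_entry HOSTS_FILE HOSTNAME: append the mapping once (idempotent).
ensure_hosts_entry() {
  grep -Fxq "$(hosts_line "$2")" "$1" 2>/dev/null && return 0
  hosts_line "$2" >> "$1"
}

open_tunnel() {
  # Binding 127.0.0.1:443 and editing /etc/hosts both need root: run with sudo.
  ensure_hosts_entry /etc/hosts "$DOMAIN_ENDPOINT"
  echo "Running: $(tunnel_command "$DOMAIN_ENDPOINT" "$BASTION" "$SSH_KEY")"
  # -N: no remote command; -L: local 443 -> domain:443 through the bastion.
  # While this runs, browse to https://$DOMAIN_ENDPOINT/_dashboards.
  ssh -i "$SSH_KEY" -N -L "127.0.0.1:443:$DOMAIN_ENDPOINT:443" "$BASTION"
}

# Nothing connects anywhere unless explicitly requested.
if [ "${OPENSEARCH_TUNNEL:-0}" = 1 ]; then open_tunnel; fi
```

Run it as `sudo OPENSEARCH_TUNNEL=1 DOMAIN_ENDPOINT=... BASTION=... SSH_KEY=... sh tunnel.sh`. Remove the /etc/hosts entry when you are done, otherwise the hostname keeps resolving to your own machine.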
Use an NGINX proxy
An NGINX proxy requires only a server-side configuration, and clients connect over standard HTTP (port 80) or HTTPS (port 443). However, an NGINX proxy requires a proxy server in the VPC, and the connection's security depends entirely on how you configure that server: the proxy is what the internet sees, so terminate TLS on it and restrict which source addresses can reach it.
For more information, see How do I use an NGINX proxy to access OpenSearch Dashboards from outside a VPC that's using Amazon Cognito authentication?
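The following script is an added example, not the configuration from the AWS article it links to. It generates an NGINX server block that terminates TLS, allows only one operator CIDR, proxies /_dashboards to the VPC domain endpoint, and also proxies the Amazon Cognito hosted-UI paths while rewriting Cognito's redirects and cookies back to the proxy hostname, so the login round trip never leaves the proxy. The weak variant to avoid is a plain `listen 80;` with no allow/deny rules, which exposes a cleartext, unrestricted path to Dashboards. The hostnames, CIDR, certificate paths and the hosted-UI path pattern are assumptions.

```shell
#!/bin/sh
# Added example (not from the AWS article): generate and sanity-check an NGINX
# reverse-proxy config for OpenSearch Dashboards with Cognito authentication.
# write_nginx_conf PROXY_HOST DOMAIN_ENDPOINT COGNITO_HOST ALLOWED_CIDR OUT_FILE
write_nginx_conf() {
  proxy_host=$1 domain_endpoint=$2 cognito_host=$3 allowed_cidr=$4 out_file=$5
  # Unquoted heredoc: ${shell_vars} are substituted, \$nginx_vars stay literal.
  cat > "$out_file" <<EOF
# Generated for ${proxy_host} (constructed example values).
server {
    listen 443 ssl;
    server_name ${proxy_host};

    ssl_certificate     /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only the operators' network may reach the proxy at all.
    allow ${allowed_cidr};
    deny  all;

    # Amazon-provided VPC DNS; short TTL so the domain's IPs can change.
    resolver 169.254.169.253 ipv6=off valid=5s;
    set \$domain_endpoint ${domain_endpoint};
    set \$cognito_host ${cognito_host};

    rewrite ^/\$ https://\$host/_dashboards redirect;

    location ^~ /_dashboards {
        proxy_pass https://\$domain_endpoint;
        # Rewrite cookies and bodies so the browser keeps using the proxy hostname.
        proxy_cookie_domain \$domain_endpoint \$host;
        proxy_set_header Accept-Encoding "";
        sub_filter_types *;
        sub_filter \$domain_endpoint \$host;
        sub_filter_once off;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    # Cognito hosted-UI paths (assumed pattern): proxy them too, and rewrite
    # Cognito's redirects back to this host so the login flow stays on the proxy.
    location ~ \/(log|sign|fav|forgot|change|saml|oauth2|confirm) {
        proxy_pass https://\$cognito_host;
        proxy_redirect https://\$cognito_host https://\$host;
        proxy_cookie_domain \$cognito_host \$host;
    }
}
EOF
}

# conf_is_restricted FILE: passes only if TLS is on, a deny-all rule exists,
# and no cleartext listener was left in. Run this before reloading nginx.
conf_is_restricted() {
  grep -Fq 'listen 443 ssl;' "$1" \
    && grep -Fq 'deny  all;' "$1" \
    && ! grep -Eq '^[[:space:]]*listen[[:space:]]+80' "$1"
}

# Nothing touches /etc/nginx unless explicitly requested.
if [ "${NGINX_APPLY:-0}" = 1 ]; then
  out=/etc/nginx/conf.d/dashboards.conf
  write_nginx_conf "$PROXY_HOST" "$DOMAIN_ENDPOINT" "$COGNITO_HOST" "$ALLOWED_CIDR" "$out"
  conf_is_restricted "$out" && nginx -t && nginx -s reload
fi
```

The proxy server's own security group should mirror the `allow` rule (443 from the operator CIDR only), and the domain's security group should allow 443 from the proxy's security group rather than from 0.0.0.0/0.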
(Optional) If you turned on fine-grained access control, then add an Amazon Cognito authenticated role
If you turned on fine-grained access control for your OpenSearch Service cluster, then Amazon Cognito users might receive a missing role error when they open OpenSearch Dashboards. The error means that the Amazon Cognito authenticated IAM role isn't mapped to any OpenSearch role, so the user has no permissions.
To resolve the missing role error, complete the following steps:
- Open the OpenSearch Service console.
- In the navigation pane, under Managed clusters, choose Domains.
- Choose Actions, and then choose Edit security configurations.
- Choose Set IAM ARN as your master user.
- For IAM ARN, enter the Amazon Cognito authenticated AWS Identity and Access Management (IAM) role's Amazon Resource Name (ARN).
- Choose Submit.
For existing domains that already have fine-grained access control and a working OpenSearch Dashboards login, you can instead map the Amazon Cognito authenticated IAM role's ARN as a backend role of an OpenSearch role. Mapping it to all_access grants every Amazon Cognito user full administrative access; for regular users, map the ARN to a role that has only the permissions they need. Amazon Cognito users aren't internal users (the internal user database is a separate authentication backend), so the mapping is made on the role, not on an internal user.
Complete the following steps:
- Open the OpenSearch Service console.
- In the navigation pane, under Managed clusters, choose Domains, and then choose your domain.
- Open the OpenSearch Dashboards URL for the domain, and then log in.
- In OpenSearch Dashboards, choose Security, and then choose Roles.
- Select all_access, or select the role that you want the Amazon Cognito users to have.
- Choose Manage mapping.
- For Backend roles, enter the Amazon Cognito authenticated IAM role's ARN, and then choose Map.
- Back in the OpenSearch Service console, edit the domain's security configuration, and then turn on Amazon Cognito authentication with the user pool and identity pool that your Amazon Cognito authenticated IAM role belongs to.
Note: This setting causes a blue/green deployment.
- Access OpenSearch Dashboards through an NGINX proxy, or use AWS VPN, as described in this article.
For more information about fine-grained access control, see Tutorial: Configure a domain with an IAM master user and Amazon Cognito authentication.
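The following script is an added example, not code from the AWS article or tutorial; it performs the same two fixes with the AWS CLI and the OpenSearch Security REST API instead of the console. The domain name, region, endpoint, pool IDs and role ARNs are placeholders. It assumes the Security API is reached from inside the VPC (bastion, tunnel or proxy), that the caller's credentials belong to the current master user, and a curl new enough to sign requests with --aws-sigv4.

```shell
#!/bin/sh
# Added example (not from the AWS article): fix the "missing role" error with
# the AWS CLI and the Security REST API. All values below are placeholders.
DOMAIN=${DOMAIN:-my-domain}
REGION=${REGION:-us-east-1}
DOMAIN_ENDPOINT=${DOMAIN_ENDPOINT:-vpc-my-domain-abc123.us-east-1.es.amazonaws.com}
COGNITO_AUTH_ROLE_ARN=${COGNITO_AUTH_ROLE_ARN:-arn:aws:iam::123456789012:role/Cognito_MyPool_Auth_Role}
# Service role that lets OpenSearch Service configure Cognito; NOT the authenticated role.
COGNITO_SERVICE_ROLE_ARN=${COGNITO_SERVICE_ROLE_ARN:-arn:aws:iam::123456789012:role/CognitoAccessForAmazonOpenSearch}
USER_POOL_ID=${USER_POOL_ID:-us-east-1_EXAMPLE}
IDENTITY_POOL_ID=${IDENTITY_POOL_ID:-us-east-1:11111111-2222-3333-4444-555555555555}

# Backend roles match on the IAM *role* ARN. A user ARN, or the identity pool's
# unauthenticated role, would be accepted by the API and then never match anyone.
validate_role_arn() {
  printf '%s\n' "$1" | grep -Eq '^arn:aws(-[a-z-]+)?:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# rolesmapping_body NEW_ARN [EXISTING_BACKEND_ROLE ...]
# PUT replaces the whole mapping, so pass the backend roles that are already
# mapped to keep them. Duplicates are dropped, so re-running is safe.
rolesmapping_body() {
  new_role=$1; shift
  list=""
  for r in "$@" "$new_role"; do
    case ",$list," in *",\"$r\","*) continue ;; esac
    list="${list:+$list,}\"$r\""
  done
  printf '{"backend_roles":[%s],"hosts":[],"users":[]}\n' "$list"
}

# New domain, "missing role": make the Cognito authenticated role the master user.
set_master_user() {
  aws opensearch update-domain-config --domain-name "$DOMAIN" \
    --advanced-security-options "MasterUserOptions={MasterUserARN=$COGNITO_AUTH_ROLE_ARN}"
}

# Existing domain: add the role's ARN as a backend role of all_access (or of a
# less privileged role; change the last path segment). SigV4 by the master user.
map_backend_role() {
  url="https://$DOMAIN_ENDPOINT/_plugins/_security/api/rolesmapping/all_access"
  auth="--aws-sigv4 aws:amz:$REGION:es --user $AWS_ACCESS_KEY_ID:$AWS_SECRET_ACCESS_KEY"
  tok="x-amz-security-token: ${AWS_SESSION_TOKEN:-}"
  # Minimal extraction of the current backend_roles list (use jq if you have it).
  existing=$(curl -sf $auth -H "$tok" "$url" \
    | sed -n 's/.*"backend_roles":\[\([^]]*\)\].*/\1/p' | tr -d '"' | tr ',' ' ')
  rolesmapping_body "$COGNITO_AUTH_ROLE_ARN" $existing \
    | curl -sf $auth -H "$tok" -H 'Content-Type: application/json' \
           -X PUT "$url" --data-binary @-
}

# Turn on Cognito authentication for Dashboards and wait out the blue/green deployment.
enable_cognito() {
  aws opensearch update-domain-config --domain-name "$DOMAIN" \
    --cognito-options "Enabled=true,UserPoolId=$USER_POOL_ID,IdentityPoolId=$IDENTITY_POOL_ID,RoleArn=$COGNITO_SERVICE_ROLE_ARN"
  while [ "$(aws opensearch describe-domain --domain-name "$DOMAIN" \
               --query 'DomainStatus.Processing' --output text)" = "True" ]; do
    sleep 30
  done
}

# Nothing runs against AWS unless an action is named explicitly.
case "${OPENSEARCH_ACTION:-}" in
  master-user)    validate_role_arn "$COGNITO_AUTH_ROLE_ARN" && set_master_user ;;
  map-role)       validate_role_arn "$COGNITO_AUTH_ROLE_ARN" && map_backend_role ;;
  enable-cognito) enable_cognito ;;
esac
```

Run one step at a time, for example `OPENSEARCH_ACTION=map-role sh fix-role.sh`, then `OPENSEARCH_ACTION=enable-cognito sh fix-role.sh`. Because the PUT replaces the mapping, check the GET output first if other teams already map backend roles to all_access.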
Use Site-to-Site VPN
A Site-to-Site VPN creates an encrypted IPsec connection between your on-premises network and your VPC, so clients on that network reach the domain endpoint as if they were inside the VPC, with no proxy host to maintain. However, a Site-to-Site VPN connection requires the VPN setup on the AWS side (virtual private gateway or transit gateway) and a customer gateway device on your side that you configure. A client-side configuration on each workstation is not needed; the VPN is transparent to clients on the connected network.
Note: To allow or restrict access to resources, modify the VPC network configuration and the security groups that are associated with the OpenSearch Service domain. For more information, see Testing VPC domains.
Related information
How do I troubleshoot Amazon Cognito authentication issues with OpenSearch Dashboards?
Configuring Amazon Cognito authentication for OpenSearch Dashboards
Why did I get a "User: anonymous is not authorized" error when I tried to access my OpenSearch Service cluster?