
Network sec: rebrand and new cloud UX, IP filters in serverless #1785


Open
wants to merge 53 commits into
base: main


@shainaraskas shainaraskas commented Jun 18, 2025

This PR updates the core pages related to traffic filtering to reflect the new ux (issue: https://github.com/elastic/platform-docs-team/issues/682)

This is PR 1 of 2 or 3. The first PR will capture the core changes needed to ship the feature. Subsequent PRs will update references to traffic filters other places in the docs, do any necessary API reference cleanup, etc.

Followup PRs to merge right after:

any order after:

todo:

Summary

  • rebranded traffic filters feature area to network security
  • added IP filter support for serverless
  • rebranded privatelink filters as private connectivity / private connections
  • rebranded rules to policies
  • rebranded remote cluster traffic filters to remote cluster private connection policies
  • repositioned private connection policies to disconnect allowing traffic over PrivateLink from filtering traffic to deployments to specific VPCEs
  • split elastic cloud policy logic into its own page
  • split ECE traffic filter instructions and logic into its own page
  • updated all procedures impacted by ux changes
  • moved an API-centric page that applied to both IP filters and private connections higher in the nav for visibility + added serverless API procedures

This PR is pretty big, so you can use the links below to review it

Key changes

Network security and network security policies

| Page (preview link) | Changes | Related files |
| --- | --- | --- |
| Network security | Rebranded the "umbrella" of features as network security, added IP filter support for serverless, rebranded PrivateLink filters as private connections<br>Pulled policy/rule logic out of this page and into dedicated pages for Elastic Cloud and ECE | deploy-manage/security/traffic-filtering.md |
| Network security policies in Elastic Cloud | NEW PAGE split from the ECE version. Rebrand, slight reorganization for readability, changed flows impacted by UX changes, added serverless flows | deploy-manage/security/network-security-policies.md |
| Manage network security through the API | Rebrand for changed terms (provided a mapping due to unchanged endpoints), brought up a level so it would apply to both IP filters and private connections, added serverless examples based on the API design | deploy-manage/security/ec-traffic-filtering-through-the-api.md |

IP filters

| Page (preview link) | Changes | Related files |
| --- | --- | --- |
| IP filtering | Scoped to serverless, linked to new split docs for Elastic Cloud / ECE, some organizational headings to support | deploy-manage/security/ip-traffic-filtering.md |
| Manage IP filters in ECH or Serverless | Scoped to ECH and serverless, removed ECE info to another doc<br>Rebranded as "IP filter network security policies"<br>Updated all flows impacted by UX changes | deploy-manage/security/ip-filtering-cloud.md<br>snippet: wayfinding to network security page |

Private connections

| Page (preview link) | Changes | Related files |
| --- | --- | --- |
| Private connections (overview) | Rebranded private link filters to private connections<br>repositioned them as a connectivity strategy with VCPE filtering optional for everything but Azure | deploy-manage/security/private-link-traffic-filters.md |
| AWS PrivateLink private connections | Updated with new UX flows, clarified connection between private connection + VPCE filtering, split processes repeated across CSPs into snippets, readability + flow improvements, fixed testing examples to account for the "allow traffic over private link by default" change<br>used deployment aliases to test/connect privatelink for consistency | deploy-manage/security/aws-privatelink-traffic-filters.md<br>snippets: wayfinding to network security page, associate filter, private url structure, find endpoint, fleet |
| Azure Private Link private connections | Updated with new UX flows, clarified connection between private connection + VPCE filtering, split processes repeated across CSPs into snippets, readability + flow improvements, fixed testing examples to account for the "allow traffic over private link by default" change<br>used deployment aliases to test/connect privatelink for consistency | deploy-manage/security/azure-private-link-traffic-filters.md<br>snippets: wayfinding to network security page, associate filter, private url structure, find endpoint, fleet |
| GCP Private Service Connect private connections | Updated with new UX flows, clarified connection between private connection + VPCE filtering, split processes repeated across CSPs into snippets, readability + flow improvements, fixed testing examples to account for the "allow traffic over private link by default" change<br>used deployment aliases to test/connect privatelink for consistency | deploy-manage/security/gcp-private-service-connect-traffic-filters.md<br>snippets: wayfinding to network security page, associate filter, private url structure, find endpoint, fleet |

Remote clusters

| Page (preview link) | Changes | Related files |
| --- | --- | --- |
| Remote clusters with Elastic Cloud Hosted<br>Access deployments of another Elastic Cloud organization | remote cluster traffic filters are now remote cluster private connection policies | deploy-manage/remote-clusters/ec-enable-ccs.md<br>deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md |

Secondary changes

todo: serverless reference doc URL

| Page (preview link) | Changes | Related files |
| --- | --- | --- |
| Deploy and manage > Security (overview) | Scoped to serverless (this is the first configurable security feature)<br>Updated references to traffic filters to "network security" or "IP filtering and private connections" as needed, added IP filtering to the list of security features for serverless | deploy-manage/security.md<br>deploy-manage/_snippets/ecloud-security.md<br>snippets: security in elastic cloud, features for cluster communication and network security, feature comparison |
| Secure your cluster, deployment, or project | Scoped to serverless, updated references to traffic filters to "network security" or "IP filtering and private connections" as needed, added IP filtering to the list of security features for serverless | deploy-manage/security/secure-your-cluster-deployment.md<br>snippets: features for cluster communication and network security, feature comparison |
| Compare Elastic Cloud Hosted and Serverless | Added public IP filtering as a serverless feature | deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md |
| Manage IP filters in ECE | NEW PAGE split from the cloud (ECH/serverless) version. instructions remain the same, references to ECH/serverless removed | deploy-manage/security/ip-filtering-ece.md |
| Traffic filter rules in Elastic Cloud Enterprise | NEW PAGE split from the cloud (ECH/serverless) version. information and instructions remain the same, references to ECH/serverless removed. slight organizational improvements to break out logic info from restrictions | deploy-manage/security/ece-filter-rules.md |
| Claim VCPE ID ownership | Rebrand away from traffic filter link ID to VCPE ID | deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md |

Open questions

  • Is the umbrella term for private connection filters "VCPE filtering" (e.g. "add a private connection, then filter traffic to your deployment using VCPE filters")? Will this term be used for GCP?

    ANSWER: It's "VPC filtering"

  • For Azure, is associating a private connection policy with a deployment required, or optional?

    ANSWER: technically optional but strongly recommended

  • For Azure inter-region private links, what region should the associated policy be created in?

SR TODO

  • VCPE filter(ing) -> VCP filter(ing)
  • azure policy association is optional but should be done so you can track your secured resources
  • new "look up secured resources" procedure
  • terminology consistency assessment
  • more visibility to azure inter-region private links

@shainaraskas shainaraskas changed the title from "Network security: rebrand and new elastic cloud UX" to "Network sec: rebrand and new cloud UX, IP filters in serverless" on Jun 18, 2025

shainaraskas commented Jul 4, 2025

language update @alxchalkias

| Concept | Term | Explanation |
| --- | --- | --- |
| All policies | Network security policies | Only used to refer to overall management and interaction of both types of policies |
| IP filter policies | IP filters | for brevity. not "IP filter policies" or "IP filter network security policies". Added "these are a type of network security policy" in some key places<br>very occasionally specified "IP filter policies" to differentiate IP address sources from the modular "policy" item (in terms of how granular an IP filter policy can be) |
| Private connections | Private connections | This is the CSP config side of private connectivity, and the E2E config of a private connection (from CSP config to policy application). Not used to refer specifically to a private connection policy ever. |
| policies for private connections | Private connection policies | Chosen to distinguish between the establishment of the private connection (VPC) on the CSP vs. the creation of the policy on the Elastic Cloud side. Never "private connection network security policies". also added context that private connection policies are a type of network security policy in key places |

for consistency, we have to use this for remote cluster private connection policies as well

could consider changing IP filters to "IP filter policies" for consistency


github-actions bot commented Jul 4, 2025

⚠️ Markdown file changes detected

The following 5 Markdown files were removed in this PR:

  • deploy-manage/security/aws-privatelink-traffic-filters.md
  • deploy-manage/security/azure-private-link-traffic-filters.md
  • deploy-manage/security/ec-traffic-filtering-through-the-api.md
  • deploy-manage/security/gcp-private-service-connect-traffic-filters.md
  • deploy-manage/security/ip-traffic-filtering.md

The following Markdown file was renamed in this PR:

  • deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md → deploy-manage/security/claim-private-connection-api.md

Action Required

We currently do not have an easy way to implement redirects for removed or renamed files. If possible, please:

  • Keep files whenever possible and hide them from the TOC by using hidden
  • Add a notice at the top of the file indicating that the page has moved with a link to the new location
  • Ensure you've updated redirects.yml accordingly if files must be removed or renamed

Thank you!

@shainaraskas

@bobbybho @igor-kupczynski @cargious this is ready for a dev review. I think your attention is best focused on these pages:

  1. Manage IP filters in ECH or Serverless: I've added serverless API calls here that could use validation
  2. CSP-specific guides, probably one of AWS or GCP and then definitely Azure

the PR overview points out the files related to these changes for ease of review.

feel free to review any other bits of this PR and provide feedback in whatever way is easiest.

Successfully merging this pull request may close these issues.

[Website]: IP traffic filtering doc including examples for Virtual private links