Accessing Kibana and Elasticsearch using Private Endpoint

In a private Elastic Stack deployment, service endpoints are not exposed to the public internet. Access to Elasticsearch, Kibana, Fleet and related services is available only through private networking and approved routes.

To connect to the deployment, users must create an Azure Private Endpoint that connects to the Private Link Service automatically created during Elastic Stack deployment.

If you need additional information about your deployment (such as deployment name, region, or subscription), you can obtain it from one of the following locations:

Create a Private Endpoint

Follow the steps below to create a Private Endpoint.

  1. Open the Azure Portal:
    https://portal.azure.com

  2. Sign in using your Azure account.

  3. Navigate to Network Foundation.

  4. In the left navigation pane, select
    Private Link → Private Endpoints.

  5. Click Create Private Endpoint.

  6. In the Basics tab, provide the following information:

     - Subscription
     - Resource group
     - Name for the Private Endpoint
     - Region (should typically match your deployment region)

  7. Under Connection method, select
    Connect to an Azure resource by resource ID or alias.

  8. Provide the Private Link Service resource ID in the following format:

    /subscriptions/{subscriptionID}/resourceGroups/mc_{deploymentName}-aks_{deploymentRegion}_node-rg/providers/Microsoft.Network/privateLinkServices/ElasticStack{DeploymentNameWithFirstLetterAsCapital}Svc

    Example:

    /subscriptions/xxxx/resourceGroups/mc-elastic-aks-westus2_node-rg/providers/Microsoft.Network/privateLinkServices/ElasticStackExampleSvc

  9. Continue through the wizard and provide the required networking configuration such as the virtual network and subnet where the Private Endpoint will be created.

  10. Review the configuration and click Create.

Private Endpoint approval

Approval behavior depends on where the Private Endpoint is created.

Same subscription

If the Private Endpoint is created in the same subscription as the Elastic Stack deployment, the connection will be automatically approved.

Different subscription

If the Private Endpoint is created in a different subscription, the connection must be manually approved.

To approve the request:

  1. Open the Azure Portal.
  2. Navigate to Network Foundation → Private Link → Pending Connections.
  3. Locate the pending connection for the Elastic Stack deployment.
  4. Approve the connection request.

Once approved, the Private Endpoint will establish connectivity to the Elastic Stack services through the private network.
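
The portal procedure and the approval check above, scripted with the Azure CLI as an added example (not part of the original page or the deployment's own tooling). The resource ID follows the format template given in the procedure; the input validation rules, the connection name and the request message are assumptions, and every value passed in is a placeholder.

```shell
#!/bin/sh
# Added example. Function names and validation rules are assumptions.

# Build the Private Link Service resource ID from the page's format template.
# Args: subscription ID, deployment name, deployment region.
pls_resource_id() {
    pls_sub="$1"; pls_name="$2"; pls_region="$3"
    # Validate each part so a stray "/" or space cannot silently point the
    # endpoint at a different resource (rules assumed, not from the page).
    printf '%s' "$pls_sub" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || return 1
    printf '%s' "$pls_name" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*$' || return 1
    printf '%s' "$pls_region" | grep -Eq '^[a-z0-9]+$' || return 1
    # {DeploymentNameWithFirstLetterAsCapital}
    pls_first=$(printf '%s' "$pls_name" | cut -c1 | tr '[:lower:]' '[:upper:]')
    pls_rest=$(printf '%s' "$pls_name" | cut -c2-)
    printf '/subscriptions/%s/resourceGroups/mc_%s-aks_%s_node-rg/providers/Microsoft.Network/privateLinkServices/ElasticStack%s%sSvc\n' \
        "$pls_sub" "$pls_name" "$pls_region" "$pls_first" "$pls_rest"
}

# Create the Private Endpoint by resource ID (the "Connect to an Azure
# resource by resource ID or alias" method).
# Args: endpoint resource group, endpoint name, region, VNet, subnet, PLS ID.
create_private_endpoint() {
    az network private-endpoint create \
        --resource-group "$1" --name "$2" --location "$3" \
        --vnet-name "$4" --subnet "$5" \
        --private-connection-resource-id "$6" \
        --connection-name "$2-conn" \
        --manual-request true \
        --request-message "Elastic Stack access for $2"
}

# Print the connection state (Approved, Pending or Rejected). A cross-
# subscription endpoint stays Pending until the request is approved.
# Args: endpoint resource group, endpoint name.
connection_status() {
    az network private-endpoint show --resource-group "$1" --name "$2" \
        --query 'manualPrivateLinkServiceConnections[0].privateLinkServiceConnectionState.status' \
        --output tsv
}

# Constructed sample values: print the ID that would be pasted into the wizard.
pls_resource_id 00000000-0000-0000-0000-000000000000 example westus2
```

Run `connection_status` after `create_private_endpoint` and treat anything other than `Approved` as "no connectivity yet" before pointing clients at the endpoint.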