Centralized and Distributed Network Connectivity for Amazon OpenSearch Serverless: Part 1

Amazon OpenSearch Serverless simplifies the management of OpenSearch clusters by providing a fully managed, serverless option. This architecture is crucial when you need secure access to multiple OpenSearch Serverless collections from both on-premises environments and various AWS accounts.

This article discusses two connectivity patterns that can help organizations achieve secure access while addressing key challenges:

Key Challenges

  • Managing multiple OpenSearch Serverless collections centrally.
  • Ensuring secure access from various accounts and on-premises environments.

Architecture Overview

The proposed architecture separates responsibilities among different teams. The central networking account manages Route 53 Profiles for DNS propagation, while the OpenSearch Serverless account maintains control over its VPC endpoint and private hosted zones (PHZs). This split lets application owners manage their DNS configuration and their collections independently of the networking team.

Connectivity Management

A single VPC endpoint can handle multiple collections, simplifying the infrastructure and reducing costs. The networking team oversees connectivity, while application teams manage their OpenSearch collections and data access policies. This architecture supports connectivity from on-premises networks via AWS Direct Connect or AWS Site-to-Site VPN.

Understanding DNS Resolution

Before diving deeper, it's essential to understand OpenSearch Serverless interface VPC endpoint DNS resolution. When an endpoint is created, AWS provisions four private hosted zones, which work together to resolve collection endpoints to private IP addresses.
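A practical check that follows from this: if the conditional forwarding or the Profile association is wrong, a collection endpoint still resolves, but to the public service address instead of the VPC endpoint's private IPs, and traffic silently leaves the Direct Connect or VPN path. The script below is an added example, not code from the article or from AWS; the collection hostname and the central AOSS VPC CIDR are constructed placeholders, and the check simply compares whatever the local resolver returns against the CIDRs you expect the interface endpoint to live in.

```python
import ipaddress
import socket
from typing import Dict, Iterable, List

# Constructed sample values (not from the article): a hypothetical collection
# endpoint and the CIDR of the central AOSS VPC that hosts the shared interface
# endpoint. Replace both with your own values before running against real DNS.
SAMPLE_COLLECTION_HOST = "abc123example.us-east-1.aoss.amazonaws.com"
CENTRAL_AOSS_VPC_CIDRS = ["10.20.0.0/16"]


def classify_addresses(addresses: Iterable[str], private_cidrs: Iterable[str]) -> Dict[str, List[str]]:
    """Split resolved addresses into those inside the expected VPC endpoint CIDRs
    and those outside. Any address outside the expected CIDRs means the resolver
    did not answer from the private hosted zones attached to the endpoint."""
    nets = [ipaddress.ip_network(c) for c in private_cidrs]
    result: Dict[str, List[str]] = {"private": [], "unexpected": []}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        bucket = "private" if any(ip in n for n in nets) else "unexpected"
        result[bucket].append(addr)
    return result


def resolves_privately(addresses: Iterable[str], private_cidrs: Iterable[str]) -> bool:
    """True only when every answer is a private endpoint IP and at least one exists.
    A mix of private and public answers is treated as a failure, because a client
    may pick the public one."""
    verdict = classify_addresses(addresses, private_cidrs)
    return bool(verdict["private"]) and not verdict["unexpected"]


def resolve_host(host: str, port: int = 443) -> List[str]:
    """Resolve through the system resolver. Run from on-premises this exercises the
    conditional forwarder to the Route 53 Resolver inbound endpoint; run inside a
    spoke VPC it exercises the shared Profile."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    try:
        answers = resolve_host(SAMPLE_COLLECTION_HOST)
    except socket.gaierror as exc:
        raise SystemExit(f"resolution failed for {SAMPLE_COLLECTION_HOST}: {exc}")
    print(classify_addresses(answers, CENTRAL_AOSS_VPC_CIDRS))
    print("private path OK" if resolves_privately(answers, CENTRAL_AOSS_VPC_CIDRS) else "NOT private")
```

Scheduling this from an on-premises host and from one VPC per spoke account gives a cheap continuous check that DNS changes in the central account have not broken the private path.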

Architecture Components

The architecture consists of three main components:

  • Route 53 Profiles: Created in the central networking account and shared with the OpenSearch Serverless account.
  • Central AOSS VPC: Contains the interface VPC endpoint for OpenSearch Serverless.
  • On-Premises DNS Resolver: Configured for conditional forwarding to the Route 53 Resolver Inbound Endpoint.

Multi-Account Access

For access from multiple AWS accounts, compute resources in spoke account VPCs can connect to OpenSearch Serverless collections through a shared interface VPC endpoint. This allows for seamless DNS resolution and data routing without the need for additional VPC endpoints or manual configurations.

Permissions Management

When sharing Route 53 Profiles, the central networking account must create a custom managed permission in AWS RAM to allow the OpenSearch Serverless account to associate its VPC endpoint and PHZs with the shared Profiles.
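The security-relevant detail of that share is the action set in the custom managed permission: the OpenSearch Serverless account only needs to attach and detach its own resources, not to reshape the Profile. The following is an added example, not the article's or AWS's own code. A RAM custom managed permission is a policy template in which RAM supplies `Principal` and `Resource` itself, so the template carries only `Effect`, `Action` and optionally `Condition`; the specific `route53profiles:` action names listed here are this example's assumption about what resource association requires and should be checked against the Route 53 Profiles API reference before use.

```python
import json
from typing import Dict, List

# Assumed minimal action set for a sharee that attaches its VPC endpoint and PHZs
# to a shared Profile (assumption of this example; verify against the API docs).
PROFILE_RESOURCE_ASSOCIATION_ACTIONS = [
    "route53profiles:GetProfile",
    "route53profiles:ListProfileResourceAssociations",
    "route53profiles:AssociateResourceToProfile",
    "route53profiles:DisassociateResourceFromProfile",
    "route53profiles:UpdateProfileResourceAssociation",
]


def build_policy_template(actions: List[str]) -> Dict[str, object]:
    """Build the RAM policy template. Principal and Resource are deliberately
    absent: RAM injects them for the shared Profile when the share is accepted."""
    return {"Effect": "Allow", "Action": sorted(set(actions))}


def check_least_privilege(template: Dict[str, object], allowlist: List[str]) -> List[str]:
    """Return review findings for a template; an empty list means it passes.
    Flags wildcard actions, actions for other services, actions outside the
    allowlist, and keys that RAM would reject or that widen the grant."""
    findings: List[str] = []
    if template.get("Effect") != "Allow":
        findings.append("Effect must be Allow")
    for key in template:
        if key not in ("Effect", "Action", "Condition"):
            findings.append(f"unexpected key {key}: RAM supplies Principal and Resource")
    actions = template.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    for action in actions:
        if "*" in action:
            findings.append(f"wildcard action {action}")
        elif not action.startswith("route53profiles:"):
            findings.append(f"action outside the Profiles service: {action}")
        elif action not in allowlist:
            findings.append(f"action not in allowlist: {action}")
    return findings


def render_template(template: Dict[str, object]) -> str:
    """JSON as passed to `aws ram create-permission --policy-template file://...`
    with `--resource-type route53profiles:profile` (CLI usage is an assumption)."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    tmpl = build_policy_template(PROFILE_RESOURCE_ASSOCIATION_ACTIONS)
    problems = check_least_privilege(tmpl, PROFILE_RESOURCE_ASSOCIATION_ACTIONS)
    print(render_template(tmpl))
    print("findings:", problems or "none")
```

Running the checker in the pipeline that creates the permission turns the "no wildcards, no profile-level actions for the sharee" rule into something a reviewer can see fail rather than a convention.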

Conclusion

This article outlined how to provide secure access to OpenSearch Serverless collections from both on-premises and distributed AWS accounts using a centralized VPC endpoint and Route 53 Profiles. This architecture streamlines network infrastructure and DNS management, making it suitable for organizations with centralized OpenSearch Serverless management.

In Part 2, we will examine how to adapt this architecture for distributed ownership, where individual business units manage their own collections while still leveraging centralized connectivity.