hakuna

Reputation: 6701

Access Elastic Search internet endpoint only from my VPC/Subnets

I have an internet Elasticsearch endpoint. I want to access it only from within my 2 VPCs, specifically from my EC2 instances only. Here is the policy I am trying with my VPC CIDR block IPs, but I am unable to access the endpoint from my EC2 instances. My EC2 instances are in private subnets, accessing the internet through a NAT Gateway. Here is my access policy, which is not working:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:1XXXXXXXXXXX:domain/my-elasticsearch/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "xx.xx.xx.xx/24",
            "xx.xx.xx.xx/24"
          ]
        }
      }
    }
  ]
}

I have also tried something like this to allow access only from the IAM role assigned to my EC2 instances, but that didn't work either:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXXXXXXXXXX:role/MyEC2Role"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-east-1:XXXXXXXXXXX:domain/my-elasticsearch/*"
    }
  ]
}

What am I doing wrong? Or is there a better way to restrict access?

Upvotes: 0

Views: 465

Answers (1)

Harshdev

Reputation: 79

Since you have a public AWS Elasticsearch cluster, allowing your EC2 instances from a private subnet with private IPs won't work. Try adding the public IP of the NAT Gateway in the access policy of your AWS ES cluster and see if that works. Also, if you are using IAM-based access policies, make sure all the requests to AWS ES are signed as described here: https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-an-easy-way-to-send-aws-sigv4-signed-requests/

Upvotes: 1
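The following is an added example, not code from the question or the answer, that makes the point above concrete: a public Elasticsearch endpoint only ever sees the address on the packet that reaches it, which for an instance in a private subnet is the NAT Gateway's Elastic IP, so an `aws:SourceIp` condition listing the VPC's private CIDRs can never match. The script builds the access policy both ways, evaluates the `IpAddress` condition for a given observed source address, and lints a policy for private CIDRs that cannot match at an internet endpoint. The account id, CIDRs and Elastic IPs are constructed placeholders; the NAT IPs are listed as /32 entries rather than a /24 because a /24 would also admit unrelated addresses in the same block. It does not cover SigV4 request signing, which is what the second (IAM-principal) policy in the question needs in addition to the policy itself.

```python
"""Evaluate an Amazon Elasticsearch access policy's aws:SourceIp condition
the way a public endpoint does, and flag CIDRs that can never match there.
Added example; all addresses and the account id are constructed placeholders."""
import ipaddress
import json

# Constructed placeholders, not values from the question.
DOMAIN_ARN = "arn:aws:es:us-east-1:111111111111:domain/my-elasticsearch/*"
VPC_CIDRS = ["10.0.0.0/24", "10.1.0.0/24"]          # private CIDRs of the two VPCs
NAT_EIPS = ["203.0.113.10/32", "203.0.113.11/32"]   # the NAT Gateways' Elastic IPs, one per VPC

# Address space that is never the source of a packet arriving at an internet
# endpoint: RFC 1918 plus the 100.64/10 range AWS also allows for VPC CIDRs.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def build_source_ip_policy(domain_arn, allowed_cidrs):
    """Return a domain access policy allowing anonymous requests from the CIDRs.
    Note that Principal "*" plus an IP condition admits anything that egresses
    through those addresses, i.e. every instance behind that NAT Gateway, not
    only the instances you had in mind."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:*",
            "Resource": domain_arn,
            "Condition": {"IpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
        }],
    }


def _source_ip_cidrs(statement):
    """The aws:SourceIp values of one statement, always as a list."""
    cidrs = statement.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
    return [cidrs] if isinstance(cidrs, str) else list(cidrs)


def is_allowed(policy, seen_source_ip):
    """True if an anonymous request whose source address the endpoint sees as
    `seen_source_ip` matches an Allow statement.  Behind a NAT Gateway that
    address is the NAT's Elastic IP, never the instance's private address."""
    ip = ipaddress.ip_address(seen_source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(ip in ipaddress.ip_network(c, strict=False) for c in _source_ip_cidrs(stmt)):
            return True
    return False


def unmatchable_cidrs(policy):
    """CIDRs in aws:SourceIp conditions that lie entirely inside non-routable
    space and therefore can never match at a public endpoint."""
    out = []
    for stmt in policy["Statement"]:
        for c in _source_ip_cidrs(stmt):
            net = ipaddress.ip_network(c, strict=False)
            if any(net.version == p.version and net.subnet_of(p) for p in _NON_ROUTABLE):
                out.append(c)
    return out


if __name__ == "__main__":
    original = build_source_ip_policy(DOMAIN_ARN, VPC_CIDRS)   # what the question tried
    corrected = build_source_ip_policy(DOMAIN_ARN, NAT_EIPS)   # what the answer suggests
    print("CIDRs that can never match:", unmatchable_cidrs(original))
    print("NAT EIP allowed by original policy:", is_allowed(original, "203.0.113.10"))
    print("NAT EIP allowed by corrected policy:", is_allowed(corrected, "203.0.113.10"))
    print(json.dumps(corrected, indent=2))
```

Running it shows the original policy rejecting the NAT's public address while the corrected one accepts it; `unmatchable_cidrs` is the check to run before applying any source-IP policy to a public domain. If the goal is really "these instances only" rather than "anything behind this NAT", the IP condition should be combined with a signed request from the instance role, as the answer notes.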
