From f988f547aee2991d4d257addca27dc9e0f47ade7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Sun, 9 Nov 2025 11:28:06 +0100 Subject: [PATCH 1/2] Revise TCP port requirements for ECE remote clusters Updated TCP port requirements for ECE proxies and load balancers based on the selected security model. --- deploy-manage/remote-clusters/ece-enable-ccs.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/deploy-manage/remote-clusters/ece-enable-ccs.md b/deploy-manage/remote-clusters/ece-enable-ccs.md index 79c7b8214e..b0c592e362 100644 --- a/deploy-manage/remote-clusters/ece-enable-ccs.md +++ b/deploy-manage/remote-clusters/ece-enable-ccs.md 
@@ -32,8 +32,18 @@ To use CCS or CCR, your environment must meet the following criteria: :::{include} _snippets/remote-cluster-certificate-compatibility.md ::: -* Proxies must answer TCP requests on the port 9400. Check the [prerequisites for the ports that must permit outbound or inbound traffic](../deploy/cloud-enterprise/ece-networking-prereq.md). -* Load balancers must pass-through TCP requests on port 9400. Check the [configuration details](../deploy/cloud-enterprise/ece-load-balancers.md). +* ECE proxies must answer TCP requests on the port used by the selected [security model](./security-models.md): + * `9400` when using TLS certificate–based authentication (deprecated). + * `9443` when using API key–based authentication. + + For details, refer to the [remote cluster security models](../path/to/security-models.md) documentation and [ECE networking prerequisites](../deploy/cloud-enterprise/ece-networking-prereq.md). + +* Load balancers must pass through TCP requests on the port that corresponds to the security model: + * `9400` for TLS certificate–based authentication (deprecated). + * `9443` for API key–based authentication. + + For configuration details, refer to the [ECE load balancer requirements](../deploy/cloud-enterprise/ece-load-balancers.md). + * If your deployment was created before ECE version `2.9.0`, the Remote clusters page in {{kib}} must be enabled manually from the **Security** page of your deployment, by selecting **Enable CCR** under **Trust management**. ::::{note} 
@@ -62,4 +72,4 @@ The steps, information, and authentication method required to configure CCS and ## Remote clusters and network security [ece-ccs-ccr-network-security] -If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security). \ No newline at end of file +If you have [network security policies](/deploy-manage/security/network-security-policies.md) applied to the remote cluster, you might need to take extra steps on the remote side to allow traffic from the local cluster. Some remote cluster configurations have limited compatibility with network security. To learn more, refer to [Remote clusters and network security](/deploy-manage/remote-clusters.md#network-security). From 57d2dfa5e3f7ec0cd9e7d4480d7fb0932e9f1073 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Mon, 10 Nov 2025 10:54:08 +0100 Subject: [PATCH 2/2] Update deploy-manage/remote-clusters/ece-enable-ccs.md --- deploy-manage/remote-clusters/ece-enable-ccs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/remote-clusters/ece-enable-ccs.md b/deploy-manage/remote-clusters/ece-enable-ccs.md index b0c592e362..f3b11217d6 100644 --- a/deploy-manage/remote-clusters/ece-enable-ccs.md +++ b/deploy-manage/remote-clusters/ece-enable-ccs.md 
@@ -36,7 +36,7 @@ To use CCS or CCR, your environment must meet the following criteria: * `9400` when using TLS certificate–based authentication (deprecated). * `9443` when using API key–based authentication. - For details, refer to the [remote cluster security models](../path/to/security-models.md) documentation and [ECE networking prerequisites](../deploy/cloud-enterprise/ece-networking-prereq.md). + For details, refer to the [remote cluster security models](./security-models.md) documentation and [ECE networking prerequisites](/deploy-manage/deploy/cloud-enterprise/ece-networking-prereq.md). * Load balancers must pass through TCP requests on the port that corresponds to the security model: * `9400` for TLS certificate–based authentication (deprecated).
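Review bot: In PATCH 1/2, hunk `@@ -32,8 +32,18 @@`, the added "For details" line under the ECE proxies bullet links to `../path/to/security-models.md`, which reads as a placeholder path and will not resolve. The intro line of the same bullet already uses `./security-models.md`, so use that target here as well. The two new bullets also phrase the same port list differently ("when using" in the proxies bullet, "for" in the load balancers bullet), and only the proxies bullet links the security model. Aligning the wording and adding the link to the load balancers bullet would make it clearer that the port to pass through is the one for the selected model.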
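Review bot: In PATCH 2/2, hunk `@@ -36,7 +36,7 @@`, the corrected line mixes link styles in one sentence: `./security-models.md` is relative while `/deploy-manage/deploy/cloud-enterprise/ece-networking-prereq.md` is root-absolute, and the load balancers bullet from PATCH 1/2 still uses the relative form `../deploy/cloud-enterprise/ece-load-balancers.md`. Pick one style for the links touched by this series. The bullet's intro line already links `[security model](./security-models.md)`, so the second link to the same page in this line could be dropped. The subject "Update deploy-manage/remote-clusters/ece-enable-ccs.md" does not say what changed; naming the link fix in the subject would help anyone reading the history.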