elastic · shainaraskas · Jun 6, 2025 · Jun 9, 2025 · Jun 14, 2025 · Jun 14, 2025
@@ -1,7 +1,9 @@
 {{ecloud}} has built-in security. For example, HTTPS communications between {{ecloud}} and the internet, as well as inter-node communications, are secured automatically, and cluster data is encrypted at rest.
 
+In both {{ech}} amd {{serverless-full}}, you can also configure [IP filtering network security policies](/deploy-manage/security/ip-filtering-cloud.md) to prevent unauthorized access to your deployments and projects.
+
 In {{ech}}, you can augment these security features in the following ways:
-* Configure [traffic filtering](/deploy-manage/security/traffic-filtering.md) to prevent unauthorized access to your deployments.
+* [Configure private connectivity and apply VCPE filtering](/deploy-manage/security/traffic-filtering.md) to establish a secure connection for your {{ecloud}} deployments to communicate with other cloud services, and restrict traffic to deployments based on those private connections.
 * Encrypt your deployment with a [customer-managed encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md).
 * [Secure your settings](/deploy-manage/security/secure-settings.md) using {{es}} and {{kib}} keystores.
 * Use the list of [{{ecloud}} static IPs](/deploy-manage/security/elastic-cloud-static-ips.md) to allow or restrict communications in your infrastructure.

@@ -67,7 +67,7 @@ This table compares the core platform capabilities between {{ech}} deployments a
 | **Deployment monitoring** | AutoOps or monitoring cluster | Managed | Monitoring is handled by Elastic |
 | **Hardware configuration** | Limited control | Managed | Hardware choices are managed by Elastic |
 | **High availability** | ✅ | ✅ | Automatic resilience |
-| **Network security** | Public IP traffic filtering, private connectivity (VPCs, PrivateLink) | **Planned** | - Traffic filtering anticipated in a future release <br>- Private connectivity options anticipated in a future release |
+| **Network security** | Public IP filtering, private connectivity (VPCs, PrivateLink) | Public IP filtering | Private connectivity options anticipated in a future release |
 | **Node management** | User-controlled | Managed | No node configuration access by design |
 | **Snapshot/restore** | ✅ | **Planned** | User-initiated snapshots are anticipated in a future release |
 

@@ -52,21 +52,21 @@ The steps, information, and authentication method required to configure CCS and
     * [From an ECK environment](ec-enable-ccs-for-eck.md)
 
 
-## Remote clusters and traffic filtering [ec-ccs-ccr-traffic-filtering]
+## Remote clusters and network security [ec-ccs-ccr-traffic-filtering]
 
 ::::{note}
-Traffic filtering isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
+[Network security](../security/traffic-filtering.md) isn’t supported for cross-cluster operations initiated from an {{ece}} environment to a remote {{ech}} deployment.
 ::::
 
-API key authentication for remote clusters cannot be used in combination with traffic filtering.
+API key authentication for remote clusters cannot be used in combination with network security.
-API key authentication for remote clusters cannot be used in combination with network security.
+API key authentication for remote clusters cannot be used in combination with network security policies.
-API key authentication for remote clusters cannot be used in combination with network security.
+API key authentication for remote clusters cannot be used in combination with network security policies.
 
-For remote clusters configured using TLS certificate authentication, [traffic filtering](../security/traffic-filtering.md) can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.
+For remote clusters configured using TLS certificate authentication, [network security policies](../security/traffic-filtering.md) can be applies to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.
-For remote clusters configured using TLS certificate authentication, [network security policies](../security/traffic-filtering.md) can be applies to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.
+For remote clusters configured using TLS certificate authentication, [network security policies](../security/traffic-filtering.md) can be applied to restrict access to deployments that are used as a local or remote cluster without any impact on cross-cluster search or cross-cluster replication.
-For remote clusters configured using TLS certificate authentication, [network security policies](../security/traffic-filtering.md) can be applies to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.
+For remote clusters configured using TLS certificate authentication, [network security policies](../security/traffic-filtering.md) can be applied to restrict access to deployments that are used as a local or remote cluster without any impact on cross-cluster search or cross-cluster replication.
 
-Traffic filtering for remote clusters supports 2 methods:
+Network security for remote clusters supports 2 methods:
 
 * [Filtering by IP addresses and Classless Inter-Domain Routing (CIDR) masks](../security/ip-traffic-filtering.md)
-* Filtering by Organization or {{es}} cluster ID with a Remote cluster type filter. You can configure this type of filter from the **Features** > **Traffic filters** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page.
+* Filtering by Organization or {{es}} cluster ID with a **Remote cluster** private connection policy. You can configure this type of policy from the **Access and security** > **Network security** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page.
-* Filtering by Organization or {{es}} cluster ID with a **Remote cluster** private connection policy. You can configure this type of policy from the **Access and security** > **Network security** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page.
+* Filtering by Organization or {{es}} cluster ID with a **Remote cluster** private connection. You can configure this type of policy from the **Access and security** > **Network security** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page.
-* Filtering by Organization or {{es}} cluster ID with a **Remote cluster** private connection policy. You can configure this type of policy from the **Access and security** > **Network security** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page.
+* Filtering by Organization or {{es}} cluster ID with a **Remote cluster** private connection. You can configure this type of policy from the **Access and security** > **Network security** page of your organization or using the [{{ecloud}} RESTful API](https://www.elastic.co/docs/api/doc/cloud) and apply it from each deployment’s **Security** page.
 
 ::::{note}
-When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection.
+When setting up network security for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection.
 ::::
@@ -14,7 +14,7 @@ products:
 This section explains how to configure a deployment to connect remotely to clusters belonging to a different {{ecloud}} organization.
 
 ::::{note}
-If traffic filtering is enabled on the remote cluster, the remote cluster administrator must configure a traffic filter of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and traffic filtering](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-traffic-filtering).
+If network security policies are applied to the remote cluster, the remote cluster administrator must configure a network security private connection policy of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and traffic filtering](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-traffic-filtering).
-If network security policies are applied to the remote cluster, the remote cluster administrator must configure a network security private connection policy of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and traffic filtering](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-traffic-filtering).
+If network security policies are applied to the remote cluster, the remote cluster administrator must configure a private connection of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and traffic filtering](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-traffic-filtering).
-If network security policies are applied to the remote cluster, the remote cluster administrator must configure a network security private connection policy of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and traffic filtering](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-traffic-filtering).
+If network security policies are applied to the remote cluster, the remote cluster administrator must configure a private connection of type remote cluster, using either the organization ID or the Elasticsearch cluster ID as the filtering criteria. For detailed instructions, refer to [Remote clusters and traffic filtering](/deploy-manage/remote-clusters/ec-enable-ccs.md#ec-ccs-ccr-traffic-filtering).
 ::::
 
 ## Allow the remote connection [ec_allow_the_remote_connection_2]

@@ -18,6 +18,7 @@ products:
   - id: cloud-kubernetes
   - id: cloud-enterprise
   - id: cloud-hosted
+  - id: cloud-serverless
 ---
 
 # Security

@@ -1,3 +1,5 @@
-1. Go to the deployment.
-2. On the **Security** page, under **Traffic filters** select **Apply filter**.
-3. Choose the filter you want to apply and select **Apply filter**.
+1. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus.
+
+   On the **Hosted deployments** page, you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list.
+2. On the **Security** page, under **Network security**, select **Apply policies** > **{{policy-type}}**.
+3. Choose the policy you want to apply and select **Apply**.
@@ -3,5 +3,5 @@
   * **The transport layer**: Used mainly for inter-node communications, and in certain cases for cluster to cluster communication.
   * In self-managed {{es}} clusters, you can also [Configure {{kib}} and {{es}} to use mutual TLS](/deploy-manage/security/kibana-es-mutual-tls.md).
 * [Enable cipher suites for stronger encryption](/deploy-manage/security/enabling-cipher-suites-for-stronger-encryption.md): The TLS and SSL protocols use a cipher suite that determines the strength of encryption used to protect the data. You may want to enable the use of additional cipher suites, so you can use different cipher suites for your TLS communications or communications with authentication providers.
-* [Restrict connections using traffic filtering](/deploy-manage/security/traffic-filtering.md): Traffic filtering allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or, in {{ech}} deployments, secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
+* [Secure your network using IP filtering and private connectivity](/deploy-manage/security/traffic-filtering.md): Network security allows you to limit how your deployments can be accessed. Add another layer of security to your installation and deployments by restricting inbound traffic to only the sources that you trust. Restrict access based on IP addresses or CIDR ranges, or, in {{ech}} deployments, secure connectivity through AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
 * [Allow or deny {{ech}} IP ranges](/deploy-manage/security/elastic-cloud-static-ips.md): {{ecloud}} publishes a list of IP addresses used by its {{ech}} services for both incoming and outgoing traffic. Users can use these lists to configure their network firewalls as needed to allow or restrict traffic related to {{ech}} services.
@@ -19,8 +19,8 @@ Select your deployment type below to see what's available and how implementation
 |------------------|------------|--------------|-------------|
 | **Communication** | TLS (HTTP layer) | Fully managed | Automatically configured by Elastic |
 | | TLS (Transport layer) | Fully managed | Automatically configured by Elastic |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
-| | Private link | Configurable | [Establish a secure VPC connection](/deploy-manage/security/private-link-traffic-filters.md) |
+| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
+| | Private connectivity and VPC filtering | Configurable | [Establish a secure VPC connection](/deploy-manage/security/private-link-traffic-filters.md) |
 | | Kubernetes network policies | N/A |  |
 | **Data** | Encryption at rest | Managed | You can [bring your own encryption key](/deploy-manage/security/encrypt-deployment-with-customer-managed-encryption-key.md) |
 | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) |
@@ -36,8 +36,8 @@ Select your deployment type below to see what's available and how implementation
 |------------------|------------|--------------|-------------|
 | **Communication** | TLS (HTTP layer) | Fully managed | Automatically configured by Elastic |
 | | TLS (Transport layer) | Fully managed | Automatically configured by Elastic |
-| **Network** | IP traffic filtering | N/A | |
-| | Private link | N/A |  |
+| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
+| | Private connectivity and VPC filtering | N/A |  |
 | | Kubernetes network policies | N/A |  |
 | **Data** | Encryption at rest | Fully managed | Automatically encrypted by Elastic |
 | | Secure settings | N/A |  |
@@ -53,8 +53,8 @@ Select your deployment type below to see what's available and how implementation
 |------------------|------------|--------------|-------------|
 | **Communication** | TLS (HTTP layer) | Managed | You can [configure custom certificates](/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md) |
 | | TLS (Transport layer) | Fully managed | Automatically configured by Elastic |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
-| | Private link | N/A |  |
+| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-cloud.md) |
+| | Private connectivity and VPC filtering | N/A |  |
 | | Kubernetes network policies | N/A |  |
 | **Data** | Encryption at rest | N/A |  |
 | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) |
@@ -70,8 +70,8 @@ Select your deployment type below to see what's available and how implementation
 |------------------|------------|--------------|-------------|
 | **Communication** | TLS (HTTP layer) | Managed | [Multiple options](/deploy-manage/security/k8s-https-settings.md) for customization |
 | | TLS (Transport layer) | Managed | [Multiple options](/deploy-manage/security/k8s-transport-settings.md) for customization |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) |
-| | Private link | N/A |  |
+| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) |
+| | Private connectivity and VPC filtering | N/A |  |
 | | Kubernetes network policies | Configurable | [Apply network policies to your Pods](/deploy-manage/security/k8s-network-policies.md) |
 | **Data** | Encryption at rest | N/A |  |
 | | Secure settings | Configurable | [Configure secure settings](/deploy-manage/security/k8s-secure-settings.md) |
@@ -88,8 +88,8 @@ Select your deployment type below to see what's available and how implementation
 |------------------|------------|--------------|-------------|
 | **Communication** | TLS (HTTP layer) | Configurable | Can be automatically or manually configured. See [Initial security setup](/deploy-manage/security/self-setup.md) |
 | | TLS (Transport layer) | Configurable | Can be automatically or manually configured. See [Initial security setup](/deploy-manage/security/self-setup.md) |
-| **Network** | IP traffic filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) |
-| | Private link | N/A |  |
+| **Network** | IP filtering | Configurable | [Configure IP-based access restrictions](/deploy-manage/security/ip-filtering-basic.md) |
+| | Private connectivity and VPC filtering | N/A |  |
 | | Kubernetes network policies | N/A |  |
 | **Data** | Encryption at rest | N/A |  |
 | | Keystore security | Configurable | [Configure secure settings](/deploy-manage/security/secure-settings.md) |

@@ -1,4 +1 @@
-1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
-2. Find your deployment on the home page or on the **Hosted deployments** page, then select **Manage** to access its settings menus.
-3. Under the **Features** tab, open the **Traffic filters** page.
-4. Select **Create filter**.
+% no longer used
@@ -1,8 +1 @@
-If you need to remove a rule set, you must first remove any associations with deployments.
-
-To delete a rule set with all its rules:
-
-1. [Remove any deployment associations](/deploy-manage/security/gcp-private-service-connect-traffic-filters.md#remove-filter-deployment).
-2. From the **Account** menu, select **Traffic filters**.
-3. Find the rule set you want to edit.
-4. Select the **Remove** icon. The icon is inactive if there are deployments assigned to the rule set.
+% no longer used
@@ -1,3 +1,3 @@
 :::{tip}
-Elastic recommends that you use Kubernetes network policies over IP traffic filters for {{eck}}. This is because, in containerized environments like Kubernetes, IP addresses are usually dynamic, making network policies a more robust option.
+Elastic recommends that you use Kubernetes network policies over IP filters for {{eck}}. This is because, in containerized environments like Kubernetes, IP addresses are usually dynamic, making network policies a more robust option.
 :::
@@ -1,3 +1 @@
-1. From the **Account** menu, select **Traffic filters**.
-2. Find the rule set you want to edit.
-3. Select the **Edit** icon.
+% no longer used
@@ -0,0 +1,17 @@
+1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
+
+2. Under **Hosted deployments**, find your deployment.
+
+:::{tip}
+If you have many deployments, you can instead go to the **Hosted deployments** ({{ech}}) page. On that page, you can narrow your deployments by name, ID, or choose from several other filters.
+:::
+
+3. Select **Manage**.
+4. In the deployment overview, under **Applications**, find the application that you want to test.
+5. Click **Copy endpoint**. The value looks something like the following:
+
+```text subs=true
+https://my-deployment-d53192.es.{{example-default-dn}}
+```
+
+In this endpoint, `my-deployment-d53192` is an alias, and `es` is the product you want to access within your deployment.
@@ -0,0 +1,3 @@
+1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
+2. From any deployment or project on the home page, select **Manage**.
+3. From the left navigation menu, select **Access and security** > **Network security**. 
@@ -0,0 +1,15 @@
+If you are using {{service-name}} together with Fleet, and enrolling the Elastic Agent with a PrivateLink URL, you need to configure Fleet Server to use and propagate the {{service-name}} URL by updating the **Fleet Server hosts** field in the **Fleet settings** section of {{kib}}. Otherwise, Elastic Agent will reset to use a default address instead of the {{service-name}} URL. 
+
+The URL needs to follow this pattern: 
+
+```text
+https://{{fleet_component_ID_or_deployment_alias}}.fleet.{{private_hosted_zone_domain_name}}:443`
+```
+
+Similarly, the {{es}} host needs to be updated to propagate the PrivateLink URL. The {{es}} URL needs to follow this pattern: 
+
+```text
+https://elasticsearch_cluster_ID_or_deployment_alias}}.es.{{private_hosted_zone_domain_name}}:443
+```
+
+The settings `xpack.fleet.agents.fleet_server.hosts` and `xpack.fleet.outputs` that are needed to enable this configuration in {{kib}} are not available in the {{kib}} settings in {{ecloud}}.
@@ -0,0 +1,18 @@
+Use the following URL structure. This URL is built from endpoint information retrieved from your Elastic deployment and the private hosted zone domain name that you registered.
+
+  ```
+  https://{{alias}}.{{product}}.{{private_hosted_zone_domain_name}}
+  ```
+
+  For example:
+
+  ```text subs=true
+  https://my-deployment-d53192.es.{{example-phz-dn}}
+  ```
+
+
+:::{tip}
+You can use either 443 or 9243 as a port.
+
+You can also connect to the cluster using the {{es}} cluster ID, for example, https://6b111580caaa4a9e84b18ec7c600155e.{{example-phz-dn}}
+:::
@@ -1,4 +1 @@
-If you want to remove any traffic restrictions from a deployment or delete a rule set, you’ll need to remove any rule set associations first. To remove an association through the UI:
-
-1. Go to the deployment.
-2. On the **Security** page, under **Traffic filters** select **Remove**.
+% no longer used