Network sec: rebrand and new cloud UX, IP filters in serverless

[shainaraskas]

This PR updates the core pages related to traffic filtering to reflect the new ux (issue: https://github.com/elastic/platform-docs-team/issues/682)

This is PR 1 of 2 or 3 many. The first PR will capture the core changes needed to ship the feature. Subsequent PRs will update references to traffic filters other places in the docs, do any necessary API reference cleanup, etc.

Followup PRs to merge right after:

• traffic filters > network security: file renames and xlinks #2047

any order after:

• [doc] rebranding traffic filters to network security policies in ECH ecctl#735
• https://github.com/elastic/cloud/pull/143306
• [doc] Rename traffic filters to network security elasticsearch#130651
• [doc] Rebrand privatelink traffic filters to private connectivity elastic-serverless-forwarder#922

independent (ship anytime after the feature is released):

• https://github.com/elastic/cloud/pull/143427

Summary

• rebranded traffic filters feature area to network security
• added IP filter support for serverless
• rebranded privatelink filters as private connectivity / private connections
• rebranded rules to policies
• rebranded remote cluster traffic filters to remote cluster private connection policies
• repositioned private connection policies to disconnect allowing traffic over PrivateLink from filtering traffic to deployments to specific VPCEs
• split elastic cloud policy logic into its own page
• split ECE traffic filter instructions and logic into its own page
• updated all procedures impacted by ux changes
• moved an API-centric page that applied to both IP filters and private connections higher in the nav for visibility + added serverless API procedures

This PR is pretty big, so you can use the links below to review it

Key changes

Network security and network security policies

Page (preview link)	Changes	Related files
Network security	Rebranded the "umbrella" of features as network security, added IP filter support for serverless, rebranded PrivateLink filters as private connections Pulled policy/rule logic out of this page and into dedicated pages for Elastic Cloud and ECE	deploy-manage/security/traffic-filtering.md
Network security policies in Elastic Cloud	NEW PAGE split from the ECE version. Rebrand, slight reorganization for readability, changed flows impacted by UX changes, added serverless flows	deploy-manage/security/network-security-policies.md
Manage network security through the API	Rebrand for changed terms (provided a mapping due to unchanged endpoints), brought up a level so it would apply to both IP filters and private connections, added serverless examples based on the API design	deploy-manage/security/ec-traffic-filtering-through-the-api.md

IP filters

Page (preview link)	Changes	Related files
IP filtering	Scoped to serverless, linked to new split docs for Elastic Cloud / ECE, some organizational headings to support	deploy-manage/security/ip-traffic-filtering.md
Manage IP filters in ECH or Serverless	Scoped to ECH and serverless, removed ECE info to another doc Rebranded as "IP filter network security policies" Updated all flows impacted by UX changes	deploy-manage/security/ip-filtering-cloud.md snippet: wayfinding to network security page

Private connections

Page (preview link)	Changes	Related files
Private connections (overview)	Rebranded private link filters to private connections repositioned them as a connectivity strategy with VCPE filtering optional for everything but Azure	deploy-manage/security/private-link-traffic-filters.md
AWS PrivateLink private connections	Updated with new UX flows, clarified connection between private connection + VPCE filtering, split processes repeated across CSPs into snippets, readability + flow improvements, fixed testing examples to account for the "allow traffic over private link by default" change used deployment aliases to test/connect privatelink for consistency	deploy-manage/security/aws-privatelink-traffic-filters.md snippets: wayfinding to network security page, associate filter, private url structure, find endpoint, fleet
Azure Private Link private connections	Updated with new UX flows, clarified connection between private connection + VPCE filtering, split processes repeated across CSPs into snippets, readability + flow improvements, fixed testing examples to account for the "allow traffic over private link by default" change used deployment aliases to test/connect privatelink for consistency	deploy-manage/security/azure-private-link-traffic-filters.md snippets: wayfinding to network security page, associate filter, private url structure, find endpoint, fleet
GCP Private Service Connect private connections	Updated with new UX flows, clarified connection between private connection + VPCE filtering, split processes repeated across CSPs into snippets, readability + flow improvements, fixed testing examples to account for the "allow traffic over private link by default" change used deployment aliases to test/connect privatelink for consistency	deploy-manage/security/gcp-private-service-connect-traffic-filters.md snippets: wayfinding to network security page, associate filter, private url structure, find endpoint, fleet

Remote clusters

Page (preview link)	Changes	Related files
Remote clusters with Elastic Cloud Hosted Access deployments of another Elastic Cloud organization	remote cluster traffic filters are now remote cluster private conenction policies	deploy-manage/remote-clusters/ec-enable-ccs.md deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md

Secondary changes

todo: serverless reference doc URL

Page (preview link)	Changes	Related files
Deploy and manage > Security (overview)	Scoped to serverless (this is the first configurable security feature) Updated references to traffic filters to "network security" or "IP filtering and private connections" as needed, added IP filtering to the list of security features for serverless	deploy-manage/security.md deploy-manage/_snippets/ecloud-security.md snippets: security in elastic cloud, features for cluster communication and network security, feature comparison
Secure your cluster, deployment, or project	Scoped to serverless, updated references to traffic filters to "network security" or "IP filtering and private connections" as needed, added IP filtering to the list of security features for serverless	deploy-manage/security/secure-your-cluster-deployment.md snippets: features for cluster communication and network security, feature comparison
Compare Elastic Cloud Hosted and Serverless	Added public IP filtering as a serverless feature	deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md
Manage IP filters in ECE	NEW PAGE split from the cloud (ECH/serverless) version. instructions remain the same, references to ECH/serverless removed	deploy-manage/security/ip-filtering-ece.md
Traffic filter rules in Elastic Cloud Enterprise	NEW PAGE split from the cloud (ECH/serverless) version. information and instructions remain the same, references to ECH/serverless removed. slight organizational improvements to break out logic info from restrictions	deploy-manage/security/ece-filter-rules.md
Claim VCPE ID ownership	Rebrand away from traffic filter link ID to VCPE ID	deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md

Open questions

• Is the umbrella term for private connection filters "VCPE filtering" (e.g. "add a private connection, then filter traffic to your deployment using VCPE filters")? Will this term be used for GCP?

  ANSWER: It's "VPC filtering"

• For Azure, is associating a private connection policy with a deployment required, or optional?

  ANSWER: technically optional but strongly recommended

• For Azure inter-region private links, what region should the associated policy be created in?

  ANSWER: same region as the deployment

SR TODO

• VCPE filter(ing) -> VCP filter(ing)
• azure policy association is optional but should be done so you can track your secured resources
• new "look up secured resources" procedure
• terminology consistency assessment
• [ ] more visibility to azure inter-region private links

[github-actions]

🔍 Preview links for changed docs:

• deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md
• deploy-manage/remote-clusters/ec-enable-ccs.md
• deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md
• deploy-manage/security.md
• deploy-manage/security/aws-privatelink-traffic-filters.md
• deploy-manage/security/azure-private-link-traffic-filters.md
• deploy-manage/security/claim-traffic-filter-link-id-ownership-through-api.md
• deploy-manage/security/ec-traffic-filtering-through-the-api.md
• deploy-manage/security/ece-filter-rules.md
• deploy-manage/security/gcp-private-service-connect-traffic-filters.md
• deploy-manage/security/ip-filtering-cloud.md
• deploy-manage/security/ip-filtering-ece.md
• deploy-manage/security/ip-traffic-filtering.md
• deploy-manage/security/network-security-policies.md
• deploy-manage/security/private-link-traffic-filters.md
• deploy-manage/security/secure-your-cluster-deployment.md
• deploy-manage/security/traffic-filtering.md

🔔 The preview site may take up to 3 minutes to finish building. These links will become live once it completes.

[igor-kupczynski]

Amazing work @shainaraskas to me it improves clarity as the terminology changes make sense. The reorganization also LGTM. With the minor fixes, it provides excellent documentation update.

[eedugon]

Amazing improvements here!! I love the new structure!

I have added some comments for your review, feel free to ignore any of them.

In general the majority of my comments are about:

• You have used multiple times by default all your deployments are accessible over the internet to mean that all access is allowed, or is accessible without restrictions. The first statement is in my opinion not accurate or doesn't add any value (this is explained more in other comments).

• When dealing with IP filters the terms IP filters, traffic filters and even the usage of the word rules feel a bit randomly used, and could be misleading.

Most probably I'm missing background in some of my comments, so feel free to correct me!

[eedugon]

Thanks a lot for the updates, the content feels smoother and clearer now!

I've shared some concerns about the API doc, as I got completely stucked understanding it.

Hoping it will help!

[eedugon]

Considering network security is a wide topic, should we include in the introduction a link to TLS encryption / HTTPS in case the reader is interested on that topic more than filtering traffic?

[eedugon]

We mention only inbound traffic in that introductory sentence. I think it's all right because the majority of features are to control inbound traffic, but we also control outbound traffic in some use cases (ECH, k8s network policies, not sure if in self-managed).

Not sure if it's worthy to mention both in this intro or just keep inbound. FYI :)

[eedugon]

In this doc I have some mixed feelings.

The repetition multiple times of IP filter policy or IP filtering rule set feels a bit weird, first of all because I don't understand or perceive the differences (if there are), and because in the API examples that's not clear either (you explain very well that the API hasn't implemented conceptual differences, though, which helps).

I try to understand this with the terminology table, but IP filter policy doesn't appear in the table...

What's the reason to have this so many times? To me it would feel better to leave one term always, even if in one of the products the same feature is named in a different way. Otherwise just explain it at the beginning and use one term.

Reading the or so many times makes me wonder.... are both the same? what do the writer wants to transmit with this?

[eedugon]

Update: after having learned by reading multiple times I see that the terms are equivalent.

• I think we just need to explain at the beginning of the page that a policy consists of multiple rules, and in ECE and the API examples these policies are still called rule sets.
• Also each rule relates with a source IP address or CIDR range, and they referred as the sources in the API.

Then in the text of the page we can probably rely on policies term only, as it's the newer term. Or keeping both, but with a clear note at the beginning of the page that clarifies that IP filter policy and IP filtering rule set mean the same from logical entity point of view.

[eedugon]

I think this section is a great idea but I have to say something.... I didn't understand it at first sight, and after spending time on it there are still unclear parts to me :(

Maybe we can discuss that in private, and as soon as I get a better view maybe I can propose something specific.

The note we have in the new landing page might help here to understand this better. It says:

• The network security feature was formerly referred to as traffic filtering.
• Network security policies were formerly referred to as traffic filter rules.

With that in mind, the exact terms used in this table don't match, which doesn't help.

I think some extra narrative + the table would be ideal here, or even use only narrative with the most important messages (I'm sharing here some examples).

It feels that users need to learn this, which isn't included in the page:

A policy consists of multiple rules (that's why it's called also a rule set), and each rule is associated with an IP address (that's why individual rules are referred as IP filter sources).

^^ Not sure if my understanding is totally accurate there.

Maybe after something like that we can describe the table to understand better the API examples.