Open b2ronn opened 11 months ago
This seems specific to pf-host-agent and not Elastic Agent, or maybe HAProxy, @SeanHeelan might have an idea or know where to route this issue.
With the Google Private Service Connect filter activated, I can't use the collection-agent endpoint that generates the kibana/agent. and through *profiling.psc.europe-west3.gcp.cloud.es.io:443 endpoint it is not possible to connect.
Interesting. So from within the client VPC, the endpoint should be visible at profiling.psc.europe-west3.gcp.cloud.es.io:443
, right?
Looking at the pf-host-agent command line:
pf-host-agent -project-id=1 \
-tags='cloud_region:europe-west3;env:staging' \
-secret-token=TOKEN \
-collection-agent=profiling.domain.com:443 -v
The -collection-agent
parameter should likely point to the domain profiling.psc...
?
from the instructions
https://www.elastic.co/guide/en/cloud/current/ec-traffic-filtering-psc.html when enabling Google Private Service Connect filtering, we must use the endpoints at https://{alias}.{product}.{private_hosted_zone_domain_name}
.
Also, to use own domain for Elastic Cloud, we also need to configure a reverse proxy, as explained in https://www.elastic.co/guide/en/cloud/current/ec-regional-deployment-aliases.html#ec_setting_up_a_proxy.
and we use our domain profiling.domain.com
to access <alias>.profiling.psc.europe-west3.gcp.cloud.es.io
However, when it comes to profiling, it is challenging to route traffic when using a reverse proxy along with Google Private Service Connect.
do you have any news/recommendations?
Digging into the docs, will reply shortly.
do you have any news/recommendations?
Did you manage to resolve this? Facing a similar problem
Since October 2023 new versions of the Elastic stack, including Universal Profiling, were released. Recently we also improved error handling when dealing with proxies. This is included with the 8.13 release. Please check out it out.
In our Elastic Cloud cluster, we use traffic filtering through Google Private Service Connect. We also have HAProxy configured on our side to use our domain names(apm.domain.com/kibana.domain.com/elastic.domain.com/fleet.domain.com/profiling.domain.com) for accessing services. Elasticsearch, Kibana, and Fleet are available and working Elasticsearch backend
the Universal profiling HAProxy backend configuration
trying to run pf-host-agen
However, all attempts to enable Universal Profiling through HAProxy fail to connect the binary agent to the collector. I receive such an error:
and in the responses, I see the following message:
Without Google Private Service Connect, and the agents were able to connect and send events.