When your OpenSearch domains or serverless collections reside inside a VPC, the OpenSearch UI application needs explicit authorization to reach them through VPC endpoints. Without this configuration, the application cannot connect to your data sources.
VPC Access
Why VPC access matters
OpenSearch domains deployed in a VPC are not accessible from the public internet. The OpenSearch UI service runs as a managed AWS service outside your VPC, so it needs a pathway to communicate with VPC-based resources. This is accomplished by:
- Authorizing the OpenSearch UI service to create an interface VPC endpoint
- Ensuring security groups allow traffic from the service
- Configuring network policies (for serverless collections)
Authorizing access for managed domains
For OpenSearch managed domains in a VPC, use the authorize-vpc-endpoint-access API to grant the OpenSearch UI service permission to connect:
```bash
aws opensearch authorize-vpc-endpoint-access \
  --domain-name my-vpc-domain \
  --service application.opensearchservice.amazonaws.com \
  --region us-east-1
```
To verify the authorization:
```bash
aws opensearch list-vpc-endpoint-access \
  --domain-name my-vpc-domain \
  --region us-east-1
```
The response should include application.opensearchservice.amazonaws.com in the list of authorized services.
Revoking access
If you need to remove the authorization:
```bash
aws opensearch revoke-vpc-endpoint-access \
  --domain-name my-vpc-domain \
  --service application.opensearchservice.amazonaws.com \
  --region us-east-1
```
Revoking access disconnects the OpenSearch UI application from the domain. Any workspaces using this domain as a data source will lose connectivity.
Authorizing access for serverless collections
Serverless collections use network policies instead of VPC endpoint authorization. Create a network policy that allows the OpenSearch UI service:
```json
[
  {
    "Description": "Allow OpenSearch UI service access to collection",
    "Rules": [
      {
        "ResourceType": "collection",
        "Resource": ["collection/my-collection"]
      }
    ],
    "SourceServices": [
      "application.opensearchservice.amazonaws.com"
    ],
    "AllowFromPublic": false
  }
]
```
Apply the policy using the CLI:
```bash
aws opensearchserverless create-security-policy \
  --type network \
  --region us-east-1 \
  --name opensearch-ui-network-access \
  --policy file://network-policy.json
```
If a network policy already exists for the collection, update it to include the SourceServices entry:
```bash
aws opensearchserverless update-security-policy \
  --type network \
  --region us-east-1 \
  --name existing-policy-name \
  --policy-version "MTY3..." \
  --policy file://updated-network-policy.json
```
Security group configuration
The security group attached to your VPC domain must allow inbound traffic from the OpenSearch UI service. The service connects through the VPC endpoint, so the traffic originates from the endpoint's network interface.
Recommended security group rules
| Direction | Protocol | Port Range | Source/Destination | Purpose |
|---|---|---|---|---|
| Inbound | TCP | 443 | VPC CIDR block | HTTPS from VPC endpoint |
| Inbound | TCP | 443 | Security group self-reference | Endpoint-to-domain communication |
| Outbound | All | All | 0.0.0.0/0 | Allow responses |
The OpenSearch UI service communicates over HTTPS (port 443). You do not need to open port 9200 or any other port.
Verifying security group settings
- Open the VPC console
- Navigate to Security Groups
- Find the security group attached to your OpenSearch domain
- Confirm that inbound rules allow TCP 443 from the VPC CIDR or the endpoint's security group
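The check above can be scripted against the security group as returned by describe-security-groups. The following is an added example, not code from the OpenSearch documentation: it uses a constructed security group in that response shape and reports whether TCP 443 is reachable from the VPC CIDR or via self-reference, plus any rule that is wider than the table above recommends (internet-wide sources, ports other than 443).

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (group id and CIDRs are made up). The second rule is deliberately too wide.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}

def _covers_port(perm, port):
    """True if this inbound rule permits the given TCP port ("-1" means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_domain_sg(sg, vpc_cidr):
    """Return (allows_443, findings).

    allows_443 is True when some inbound rule permits TCP 443 from a CIDR that
    contains the VPC CIDR or from the security group itself (self-reference),
    which is what the VPC endpoint's network interface needs. findings lists
    rules broader than that (IPv4 rules only in this example)."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    allows_443, findings = False, []
    for perm in sg.get("IpPermissions", []):
        label = f"{perm.get('IpProtocol')} {perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}"
        sources = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
        self_ref = any(p.get("GroupId") == sg["GroupId"] for p in perm.get("UserIdGroupPairs", []))
        from_vpc = any(n.version == vpc_net.version and vpc_net.subnet_of(n) for n in sources)
        if _covers_port(perm, 443) and (self_ref or from_vpc):
            allows_443 = True
        if any(n.prefixlen == 0 for n in sources):
            findings.append(f"{label}: open to the internet; the UI reaches the domain through "
                            "the VPC endpoint, so restrict the source to the VPC CIDR or the endpoint's group")
        if perm.get("IpProtocol") == "-1" or perm.get("FromPort") != 443 or perm.get("ToPort") != 443:
            findings.append(f"{label}: exposes ports other than 443; the service only uses HTTPS")
    return allows_443, findings

if __name__ == "__main__":
    ok, issues = audit_domain_sg(SAMPLE_SG, "10.0.0.0/16")
    print("TCP 443 reachable from VPC:", ok)
    for issue in issues:
        print(" -", issue)
```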
Setting up VPC access via the console
- Open the Amazon OpenSearch Service console
- Select your VPC-based domain
- Navigate to the Security tab
- Under VPC endpoint access, click Authorize
- Select application.opensearchservice.amazonaws.com as the service
- Click Authorize access
After authorization, associate the domain with your OpenSearch UI application as you would any other data source.
End-to-end setup checklist
Use this checklist to ensure all VPC access components are configured:
- Domain is in Active state
- authorize-vpc-endpoint-access has been called for the domain
- Security group allows inbound TCP 443
- Domain access policy permits the OpenSearch UI service principal
- Domain is associated with the application via update-application
- (Serverless only) Network policy includes the SourceServices entry
Accessing the OpenSearch UI from within a VPC
The OpenSearch UI application URL is publicly reachable by default, so users do not need to be inside the VPC (for example, connected through a VPN or bastion host) to open the UI.
The VPC configuration only affects the backend connection between the OpenSearch UI service and your data sources. The UI itself is served over the public internet, protected by authentication (IAM or SAML).
Troubleshooting
"Unable to connect to data source" after association
- Verify the VPC endpoint authorization is in place: `aws opensearch list-vpc-endpoint-access --domain-name my-vpc-domain`
- Check that the domain's security group allows inbound TCP 443
- Confirm the domain access policy includes the OpenSearch UI service
Domain appears but shows "Unhealthy" status
- The VPC endpoint may still be provisioning — wait 5-10 minutes after authorization
- The security group may be blocking traffic — verify inbound rules
- The domain itself may be in a degraded state — check the domain health in the console
"Access denied" when authorizing VPC endpoint
Your IAM principal needs these permissions:
```json
{
  "Effect": "Allow",
  "Action": [
    "es:AuthorizeVpcEndpointAccess",
    "es:ListVpcEndpointAccess",
    "es:RevokeVpcEndpointAccess"
  ],
  "Resource": "arn:aws:es:us-east-1:123456789012:domain/my-vpc-domain"
}
```
Serverless collection not reachable
- Verify the network policy is applied and active
- Ensure the policy includes the correct collection name
- Check that SourceServices contains application.opensearchservice.amazonaws.com
- Confirm the data access policy grants the application's IAM role read permissions
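The two policy checks above (correct collection name, SourceServices entry) and the "update an existing policy" step from the serverless section can be done on the policy document itself before it is sent with update-security-policy. The following is an added example, not code from the OpenSearch documentation: it works on a constructed network policy of the documented shape, reports whether the UI service is allowed for a collection, and returns an updated copy that adds the service to the statement already covering the collection endpoint (keeping AllowFromPublic as it was) or appends a new statement like the one shown earlier. Wildcard matching of Resource entries with fnmatch is an assumption about how "collection/*" patterns apply.

```python
import copy
import fnmatch

UI_SERVICE = "application.opensearchservice.amazonaws.com"

# Constructed example of an existing network policy (IDs are made up): dashboards are
# public, the collection endpoint is reachable only from one VPC endpoint, and no
# SourceServices entry exists yet, so the OpenSearch UI cannot reach the collection.
EXISTING_POLICY = [
    {"Description": "Dashboards from the internet",
     "Rules": [{"ResourceType": "dashboard", "Resource": ["collection/my-collection"]}],
     "AllowFromPublic": True},
    {"Description": "Collection endpoint, VPC only",
     "Rules": [{"ResourceType": "collection", "Resource": ["collection/my-collection"]}],
     "AllowFromPublic": False,
     "SourceVPCEs": ["vpce-0123456789abcdef0"]},
]

def _covers_collection(statement, collection):
    """True if a collection-type rule in this statement names the collection (wildcards allowed)."""
    target = f"collection/{collection}"
    for rule in statement.get("Rules", []):
        if rule.get("ResourceType") != "collection":
            continue
        if any(fnmatch.fnmatchcase(target, pat) for pat in rule.get("Resource", [])):
            return True
    return False

def ui_can_reach(policy, collection):
    """True when a statement covering the collection endpoint lists the UI service."""
    return any(_covers_collection(s, collection) and UI_SERVICE in s.get("SourceServices", [])
               for s in policy)

def ensure_ui_access(policy, collection):
    """Return a copy of the policy in which the UI service is allowed for the collection.
    The input is not modified and AllowFromPublic is never widened."""
    updated = copy.deepcopy(policy)
    for statement in updated:
        if _covers_collection(statement, collection):
            services = statement.setdefault("SourceServices", [])
            if UI_SERVICE not in services:
                services.append(UI_SERVICE)
            return updated
    updated.append({
        "Description": "Allow OpenSearch UI service access to collection",
        "Rules": [{"ResourceType": "collection", "Resource": [f"collection/{collection}"]}],
        "SourceServices": [UI_SERVICE],
        "AllowFromPublic": False,
    })
    return updated
```

Write the returned document to a file and pass it as --policy, together with the current --policy-version, to update-security-policy.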
Connection works intermittently
- Security group rules may have been modified — re-check inbound rules
- The domain may be undergoing a configuration change — wait for it to complete
- Check CloudWatch metrics for the domain to identify any resource constraints