Skill

cloud-network-security

Manages Elastic Cloud Serverless network security: create, update, delete IP filters and AWS PrivateLink VPC filters. Use for restricting network access or private connectivity.

Python

AWS

security

infrastructure

Install

npx claudepluginhub elastic/agent-skills --plugin elastic-security

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Manage network security policies for Elastic Cloud Serverless projects: IP filters to allowlist specific IPs or CIDRs,

Supporting Assets

references/api-reference.mdscripts/cloud_network_security.py

SKILL.md

Similar Skills

github-deep-research

2 files

Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.

bytedance-deer-flow-1

63.9k

surprise-me

Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.

bytedance-deer-flow-1

63.9k

image-generation

2 files

Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.

bytedance-deer-flow-1

63.9k

Stats

Stars383

Forks27

Last CommitApr 3, 2026

Actions

View Source View Plugin View on GitHub View README

Cloud Network Security

Manage network security policies for Elastic Cloud Serverless projects: IP filters to allowlist specific IPs or CIDRs, and VPC filters (AWS PrivateLink) to restrict traffic to specific VPC endpoints.

Prerequisite: This skill assumes the cloud-setup skill has already run — EC_API_KEY is set in the environment and the organization context is established. If EC_API_KEY is missing, instruct the agent to invoke cloud-setup first. Do NOT prompt the user for an API key directly.

For project creation and day-2 operations (including associating filters with projects), see cloud-create-project and cloud-manage-project. For identity and access management (users, roles, API keys), see cloud-access-management.

For detailed API endpoints and request schemas, see references/api-reference.md.

Terminology

This skill uses network security as the umbrella term, aligned with the Elastic Cloud UI direction. The underlying API uses traffic filters — you will see traffic-filters in endpoint paths and traffic_filters in JSON fields. When a user or agent says "traffic filter," they mean the same thing as "network security policy." The two filter types are IP filters (type ip) and VPC filters (type vpce).

Jobs to Be Done

Create an IP filter to restrict ingress to specific IPs or CIDR blocks
Create a VPC filter (AWS PrivateLink) to restrict traffic to specific VPC endpoint IDs
List, inspect, update, and delete network security policies
Look up PrivateLink region metadata (service names, domain names, availability zones)
Associate or disassociate filters with Serverless projects (delegates to cloud-manage-project)
Audit the current network security posture for an organization

Prerequisites and permissions

Item	Description
EC_API_KEY	Cloud API key (set by cloud-setup). Required for all operations.
Region	Filters are region-scoped. The user must specify the target region when creating filters.
Project IDs	Required only when associating filters with projects (handled by cloud-manage-project).

Run python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters to verify that EC_API_KEY is valid before proceeding with any operation.

Operation-level permissions

The following permissions are required for common network security operations in Elastic Cloud Serverless.

Operation	Required permission
List filters / get metadata	Any organization member
Create / update / delete filters	Organization owner (`organization-admin`)
Associate filters with projects	Organization owner or project Admin

This skill does not perform a separate role pre-check. Attempt the requested operation and let the API enforce authorization. If the API returns an authorization error (for example, 403 Forbidden), stop and ask the user to verify the provided API key permissions.

Manual setup fallback (when cloud-setup is unavailable)

If this skill is installed standalone and cloud-setup is not available, instruct the user to configure Cloud environment variables manually before running commands. Never ask the user to paste API keys in chat.

Variable	Required	Description
`EC_API_KEY`	Yes	Elastic Cloud API key (see permissions table above for required roles by operation).
`EC_BASE_URL`	No	Cloud API base URL (default: `https://api.elastic-cloud.com`).

Note: If EC_API_KEY is missing, or the user does not have a Cloud API key yet, direct the user to generate one at Elastic Cloud API keys, then configure it locally using the steps below.

Preferred method (agent-friendly): create a .env file in the project root:

EC_API_KEY=your-api-key
EC_BASE_URL=https://api.elastic-cloud.com

All cloud/* scripts auto-load .env from the working directory.

Alternative: export directly in the terminal:

export EC_API_KEY="<your-cloud-api-key>"
export EC_BASE_URL="https://api.elastic-cloud.com"

Terminal exports may not be visible to sandboxed agents running in separate shell sessions, so prefer .env when using an agent.

Decomposing Network Security Requests

When the user describes a network security need in natural language (for example, "restrict my search project to our office IP"), break the request into discrete tasks before executing.

Step 1 — Identify the components

Component	Question to answer
Filter type	IP filter (public IPs/CIDRs) or VPC filter (AWS PrivateLink endpoint)?
Region	Which AWS region are the target projects in?
Rules	What source IPs, CIDRs, or VPC endpoint IDs should be allowed?
Scope	Apply to all new projects by default, or specific projects only?
Projects	Which existing projects should this filter be associated with?

Step 2 — Check existing state

Before creating a new filter, check what already exists:

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region us-east-1

Filter hygiene: If an existing filter already covers the same source rules for the same purpose, reuse it instead of creating a duplicate. Filters are region-scoped and can be associated with multiple projects, so a single filter with the right rules serves many projects. Two filters with identical source rules are fine when they serve different purposes (for example, different teams managing their own policies), but creating a second filter for the same purpose is unnecessary.

Step 3 — Create the filter

Run the appropriate command from skills/cloud/network-security/scripts/cloud_network_security.py.

Step 4 — Associate with projects

Filter association is managed using the project PATCH endpoint. Use cloud-manage-project to associate or disassociate filters:

PATCH /api/v1/serverless/projects/{type}/{id}
Body: { "traffic_filters": [{ "id": "filter-id-1" }, { "id": "filter-id-2" }] }

When updating associations, provide the complete list of filter IDs. Any filter not included in the list is disassociated from the project.

Step 5 — Verify

After execution, list filters again or GET the project to confirm the change took effect.

IP Filters versus VPC Filters

Aspect	IP Filter (`ip`)	VPC Filter (`vpce`)
Purpose	Allowlist public IP addresses or CIDR blocks	Restrict traffic to specific AWS VPC endpoint IDs
Use case	Office IPs, CI/CD runners, partner access	Private connectivity without public internet exposure
Source format	IP address or CIDR (for example, `203.0.113.0/24`)	AWS VPC endpoint ID (for example, `vpce-0abc123def456`)
Network path	Public internet	AWS PrivateLink (private, never leaves AWS network)
Prerequisite	None	VPC endpoint and DNS record created in AWS console first

Key concept: Private connectivity in AWS is accepted by default in Elastic Cloud. Creating a VPC filter is only needed to restrict traffic to specific VPC endpoint IDs. If you only need private connectivity (without filtering), create the VPC endpoint and DNS record in AWS — no filter is needed on the Elastic Cloud side.

Examples

Allowlist an office IP range

Prompt: "Only allow traffic from our office network 203.0.113.0/24 to projects in us-east-1."

python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
  --name "Office IP allowlist" \
  --type ip \
  --region us-east-1 \
  --rules '[{"source": "203.0.113.0/24", "description": "Office network"}]'

Then associate the filter with specific projects using cloud-manage-project.

Restrict traffic to a VPC endpoint

Prompt: "Lock down my observability project to only accept traffic from our VPC endpoint."

python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
  --name "Production VPC" \
  --type vpce \
  --region us-east-1 \
  --rules '[{"source": "vpce-0abc123def456", "description": "Production VPC endpoint"}]'

List all filters in a region

Prompt: "Show me all network security policies in eu-west-1."

python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region eu-west-1

Update a filter to add a new IP

Prompt: "Add the VPN IP 198.51.100.5 to our existing office filter."

python3 skills/cloud/network-security/scripts/cloud_network_security.py get-filter --filter-id tf-12345
# Review current rules, then update with the complete rule set:
python3 skills/cloud/network-security/scripts/cloud_network_security.py update-filter \
  --filter-id tf-12345 \
  --body '{"rules": [{"source": "203.0.113.0/24", "description": "Office network"}, {"source": "198.51.100.5", "description": "VPN"}]}'

Look up PrivateLink metadata for a region

Prompt: "What PrivateLink service name do I need for us-east-1?"

python3 skills/cloud/network-security/scripts/cloud_network_security.py get-metadata --region us-east-1

Delete an unused filter

Prompt: "Remove the old staging IP filter."

python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890 --dry-run
# Review what would be deleted, then confirm:
python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890

Guidelines

If EC_API_KEY is not set, do not prompt the user — instruct the agent to invoke cloud-setup first.
Always confirm destructive actions (delete filter) with the user before executing.
Filters are region-scoped: a filter created in us-east-1 can only be associated with projects in that region.
Filter hygiene — reuse, scope, and clean up:
- Before creating a filter, always run list-filters and check whether an existing filter for the same purpose already has the required source rules. Filters can be associated with multiple projects, so one filter with the right rules is better than duplicates.
- Duplicate filters means filters for the same purpose with identical source rules — not merely overlapping IPs. Two filters covering different project groups with the same CIDR are legitimate.
- Review unused filters periodically. If a filter is no longer associated with any project, prompt the user to delete it to reduce clutter.
Updating rules replaces the entire rule set. When adding a rule using PATCH, include all existing rules plus the new one. Omitting an existing rule removes it.
Deleting a filter fails if it is still associated with a project. Disassociate first using cloud-manage-project (PATCH the project with the filter removed from the traffic_filters list), then delete.
include_by_default automatically associates the filter with all new projects in the region. Use with caution — it affects every future project.
For project association and disassociation, delegate to the cloud-manage-project skill. This skill manages filter definitions only.
For identity and access management (users, roles, API keys), see cloud-access-management.
For Elasticsearch-level security (native users, role mappings, DLS/FLS), see elasticsearch-authz.