elastic · shainaraskas · Mar 21, 2025 · Mar 21, 2025 · Mar 21, 2025 · Mar 21, 2025
@@ -10,7 +10,6 @@ mapped_urls:
   - https://www.elastic.co/guide/en/cloud-enterprise/current/ece-securing-ece.html
   - https://www.elastic.co/guide/en/cloud-heroku/current/ech-security.html
   - https://www.elastic.co/guide/en/kibana/current/using-kibana-with-security.html
-  - https://www.elastic.co/guide/en/elasticsearch/reference/current/security-limitations.html
   - https://www.elastic.co/guide/en/elasticsearch/reference/current/es-security-principles.html
   - https://www.elastic.co/guide/en/cloud/current/ec-faq-technical.html
 ---
@@ -25,26 +24,14 @@ mapped_urls:
 
 % Note that the encryption happens at the file system level.
 
+% We do provide [static IP ranges](../../../deploy-manage/security/elastic-cloud-static-ips.md), but they should be used with caution as noted in the documentation. IP addresses assigned to cloud resources can change without notice. This could be initiated by cloud providers with no knowledge to us. For this reason, we generally do not recommend that you use firewall rules to allow or restrict certain IP ranges. If you do wish to secure communication for deployment endpoints on {{ech}}, please use [Private Link](../../../deploy-manage/security/traffic-filtering.md). However, in situations where using Private Link services do not meet requirements (for example, secure traffic **from** Elastic Cloud), static IP ranges can be used.
+
 % What needs to be done: Refine
 
 % GitHub issue: https://github.com/elastic/docs-projects/issues/346
 
 % Scope notes: this is just communication security - link to users + roles, spaces, monitoring, ++
 
-% Use migrated content from existing pages that map to this page:
-
-% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md
-%      Notes: redirect only
-% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md
-% - [ ] ./raw-migrated-files/kibana/kibana/xpack-security.md
-% - [ ] ./raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md
-% - [ ] ./raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md
-% - [ ] ./raw-migrated-files/cloud/cloud-heroku/ech-security.md
-% - [ ] ./raw-migrated-files/kibana/kibana/using-kibana-with-security.md
-% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md
-% - [ ] ./raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md
-% - [ ] ./raw-migrated-files/cloud/cloud/ec-faq-technical.md
-
 $$$field-document-limitations$$$
 
 $$$alias-limitations$$$
@@ -59,18 +46,6 @@ $$$maintaining-audit-trail$$$
 **This page is a work in progress.** 
 :::
 
-% The documentation team is working to combine content pulled from the following pages:
-
-% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md)
-% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md)
-% * [/raw-migrated-files/kibana/kibana/xpack-security.md](/raw-migrated-files/kibana/kibana/xpack-security.md)
-% * [/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md](/raw-migrated-files/cloud-on-k8s/cloud-on-k8s/k8s-securing-stack.md)
-% * [/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md](/raw-migrated-files/cloud/cloud-enterprise/ece-securing-ece.md)
-% * [/raw-migrated-files/cloud/cloud-heroku/ech-security.md](/raw-migrated-files/cloud/cloud-heroku/ech-security.md)
-% * [/raw-migrated-files/kibana/kibana/using-kibana-with-security.md](/raw-migrated-files/kibana/kibana/using-kibana-with-security.md)
-% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/security-limitations.md)
-% * [/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md](/raw-migrated-files/elasticsearch/elasticsearch-reference/es-security-principles.md)
-% * [/raw-migrated-files/cloud/cloud/ec-faq-technical.md](/raw-migrated-files/cloud/cloud/ec-faq-technical.md)
 
 # Security
 

@@ -1,5 +1,7 @@
 ---
-navigation_title: "Limitations"
+mapped_pages:
+- https://www.elastic.co/guide/en/elasticsearch/reference/current/security-limitations.html
+navigation_title: Limitations
 ---
 
 # Security limitations [security-limitations]
@@ -23,7 +25,7 @@ Multi get and multi term vectors API throw IndexNotFoundException when trying to
 
 ## Filtered index aliases [_filtered_index_aliases]
 
-Aliases containing filters are not a secure way to restrict access to individual documents, due to the limitations described in [Index and field names can be leaked when using aliases](../../../deploy-manage/security.md#alias-limitations). The {{stack-security-features}} provide a secure way to restrict access to documents through the [document-level security](../../../deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md) feature.
+Aliases containing filters are not a secure way to restrict access to individual documents, due to the limitations described in [Index and field names can be leaked when using aliases](/deploy-manage/security.md#alias-limitations). The {{stack-security-features}} provide a secure way to restrict access to documents through the [document-level security](/deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md) feature.
 
 
 ## Field and document level security limitations [field-document-limitations]
@@ -40,7 +42,7 @@ Until this limitation is addressed, avoid index and field names that contain con
 
 ## LDAP realm [_ldap_realm]
 
-The [LDAP Realm](../../../deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md) does not currently support the discovery of nested LDAP Groups. For example, if a user is a member of `group_1` and `group_1` is a member of `group_2`, only `group_1` will be discovered. However, the [Active Directory Realm](../../../deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md) **does** support transitive group membership.
+The [LDAP Realm](/deploy-manage/users-roles/cluster-or-deployment-auth/ldap.md) does not currently support the discovery of nested LDAP Groups. For example, if a user is a member of `group_1` and `group_1` is a member of `group_2`, only `group_1` will be discovered. However, the [Active Directory Realm](/deploy-manage/users-roles/cluster-or-deployment-auth/active-directory.md) **does** support transitive group membership.
 
 
 ## Resource sharing check for users and API keys [can-access-resources-check]
@@ -49,5 +51,4 @@ The result of [async search](https://www.elastic.co/docs/api/doc/elasticsearch/o
 
 * Two different realms can have the same name on different nodes. This is not a recommended way to configure realms, therefore the resource sharing check does not attempt to detect this inconsistency.
 * Realms can be renamed. This can cause inconsistency for the resource sharing check when you submit an async search or scroll then rename the realm and try to retrieve the results. Hence, changing realm names should be handled with care since it can cause complications for more than just the resource sharing check.
-* The username is dynamically computed for realms backed by certain external authentication providers. For example, the username can be derived from part of the DN in an LDAP realm. It is in theory possible that two distinct users from the external system get mapped to the same username. Our recommendation is to avoid this situation in the first place. Hence, the resource sharing check does not account for this potential discrepancy.
-
+* The username is dynamically computed for realms backed by certain external authentication providers. For example, the username can be derived from part of the DN in an LDAP realm. It is in theory possible that two distinct users from the external system get mapped to the same username. Our recommendation is to avoid this situation in the first place. Hence, the resource sharing check does not account for this potential discrepancy.
@@ -504,6 +504,7 @@ toc:
       - file: security/secure-clients-integrations.md
         children:
           - file: security/httprest-clients-security.md
+      - file: security/limitations.md
   - file: users-roles.md
     children:
       - file: users-roles/cloud-organization.md