cloud-network-security▌
elastic/agent-skills · updated Apr 8, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Manage network security policies for Elastic Cloud Serverless projects: IP filters to allowlist specific IPs or CIDRs,
- ›and VPC filters (AWS PrivateLink) to restrict traffic to specific VPC endpoints.
Cloud Network Security
Manage network security policies for Elastic Cloud Serverless projects: IP filters to allowlist specific IPs or CIDRs, and VPC filters (AWS PrivateLink) to restrict traffic to specific VPC endpoints.
Prerequisite: This skill assumes the cloud-setup skill has already run —
EC_API_KEYis set in the environment and the organization context is established. IfEC_API_KEYis missing, instruct the agent to invoke cloud-setup first. Do NOT prompt the user for an API key directly.
For project creation and day-2 operations (including associating filters with projects), see cloud-create-project and cloud-manage-project. For identity and access management (users, roles, API keys), see cloud-access-management.
For detailed API endpoints and request schemas, see references/api-reference.md.
Terminology
This skill uses network security as the umbrella term, aligned with the Elastic Cloud UI direction. The underlying
API uses traffic filters — you will see traffic-filters in endpoint paths and traffic_filters in JSON fields.
When a user or agent says "traffic filter," they mean the same thing as "network security policy." The two filter types
are IP filters (type ip) and VPC filters (type vpce).
Jobs to Be Done
- Create an IP filter to restrict ingress to specific IPs or CIDR blocks
- Create a VPC filter (AWS PrivateLink) to restrict traffic to specific VPC endpoint IDs
- List, inspect, update, and delete network security policies
- Look up PrivateLink region metadata (service names, domain names, availability zones)
- Associate or disassociate filters with Serverless projects (delegates to cloud-manage-project)
- Audit the current network security posture for an organization
Prerequisites and permissions
| Item | Description |
|---|---|
| EC_API_KEY | Cloud API key (set by cloud-setup). Required for all operations. |
| Region | Filters are region-scoped. The user must specify the target region when creating filters. |
| Project IDs | Required only when associating filters with projects (handled by cloud-manage-project). |
Run python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters to verify that EC_API_KEY
is valid before proceeding with any operation.
Operation-level permissions
The following permissions are required for common network security operations in Elastic Cloud Serverless.
| Operation | Required permission |
|---|---|
| List filters / get metadata | Any organization member |
| Create / update / delete filters | Organization owner (organization-admin) |
| Associate filters with projects | Organization owner or project Admin |
This skill does not perform a separate role pre-check. Attempt the requested operation and let the API enforce
authorization. If the API returns an authorization error (for example, 403 Forbidden), stop and ask the user to verify
the provided API key permissions.
Manual setup fallback (when cloud-setup is unavailable)
If this skill is installed standalone and cloud-setup is not available, instruct the user to configure Cloud
environment variables manually before running commands. Never ask the user to paste API keys in chat.
| Variable | Required | Description |
|---|---|---|
EC_API_KEY |
Yes | Elastic Cloud API key (see permissions table above for required roles by operation). |
EC_BASE_URL |
No | Cloud API base URL (default: https://api.elastic-cloud.com). |
Note: If
EC_API_KEYis missing, or the user does not have a Cloud API key yet, direct the user to generate one at Elastic Cloud API keys, then configure it locally using the steps below.
Preferred method (agent-friendly): create a .env file in the project root:
EC_API_KEY=your-api-key
EC_BASE_URL=https://api.elastic-cloud.com
All cloud/* scripts auto-load .env from the working directory.
Alternative: export directly in the terminal:
export EC_API_KEY="<your-cloud-api-key>"
export EC_BASE_URL="https://api.elastic-cloud.com"
Terminal exports may not be visible to sandboxed agents running in separate shell sessions, so prefer .env when using
an agent.
Decomposing Network Security Requests
When the user describes a network security need in natural language (for example, "restrict my search project to our office IP"), break the request into discrete tasks before executing.
Step 1 — Identify the components
| Component | Question to answer |
|---|---|
| Filter type | IP filter (public IPs/CIDRs) or VPC filter (AWS PrivateLink endpoint)? |
| Region | Which AWS region are the target projects in? |
| Rules | What source IPs, CIDRs, or VPC endpoint IDs should be allowed? |
| Scope | Apply to all new projects by default, or specific projects only? |
| Projects | Which existing projects should this filter be associated with? |
Step 2 — Check existing state
Before creating a new filter, check what already exists:
python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region us-east-1
Filter hygiene: If an existing filter already covers the same source rules for the same purpose, reuse it instead of creating a duplicate. Filters are region-scoped and can be associated with multiple projects, so a single filter with the right rules serves many projects. Two filters with identical source rules are fine when they serve different purposes (for example, different teams managing their own policies), but creating a second filter for the same purpose is unnecessary.
Step 3 — Create the filter
Run the appropriate command from skills/cloud/network-security/scripts/cloud_network_security.py.
Step 4 — Associate with projects
Filter association is managed using the project PATCH endpoint. Use cloud-manage-project to associate or disassociate filters:
PATCH /api/v1/serverless/projects/{type}/{id}
Body: { "traffic_filters": [{ "id": "filter-id-1" }, { "id": "filter-id-2" }] }
When updating associations, provide the complete list of filter IDs. Any filter not included in the list is disassociated from the project.
Step 5 — Verify
After execution, list filters again or GET the project to confirm the change took effect.
IP Filters versus VPC Filters
| Aspect | IP Filter (ip) |
VPC Filter (vpce) |
|---|---|---|
| Purpose | Allowlist public IP addresses or CIDR blocks | Restrict traffic to specific AWS VPC endpoint IDs |
| Use case | Office IPs, CI/CD runners, partner access | Private connectivity without public internet exposure |
| Source format | IP address or CIDR (for example, 203.0.113.0/24) |
AWS VPC endpoint ID (for example, vpce-0abc123def456) |
| Network path | Public internet | AWS PrivateLink (private, never leaves AWS network) |
| Prerequisite | None | VPC endpoint and DNS record created in AWS console first |
Key concept: Private connectivity in AWS is accepted by default in Elastic Cloud. Creating a VPC filter is only needed to restrict traffic to specific VPC endpoint IDs. If you only need private connectivity (without filtering), create the VPC endpoint and DNS record in AWS — no filter is needed on the Elastic Cloud side.
Examples
Allowlist an office IP range
Prompt: "Only allow traffic from our office network 203.0.113.0/24 to projects in us-east-1."
python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
--name "Office IP allowlist" \
--type ip \
--region us-east-1 \
--rules '[{"source": "203.0.113.0/24", "description": "Office network"}]'
Then associate the filter with specific projects using cloud-manage-project.
Restrict traffic to a VPC endpoint
Prompt: "Lock down my observability project to only accept traffic from our VPC endpoint."
python3 skills/cloud/network-security/scripts/cloud_network_security.py create-filter \
--name "Production VPC" \
--type vpce \
--region us-east-1 \
--rules '[{"source": "vpce-0abc123def456", "description": "Production VPC endpoint"}]'
List all filters in a region
Prompt: "Show me all network security policies in eu-west-1."
python3 skills/cloud/network-security/scripts/cloud_network_security.py list-filters --region eu-west-1
Update a filter to add a new IP
Prompt: "Add the VPN IP 198.51.100.5 to our existing office filter."
python3 skills/cloud/network-security/scripts/cloud_network_security.py get-filter --filter-id tf-12345
# Review current rules, then update with the complete rule set:
python3 skills/cloud/network-security/scripts/cloud_network_security.py update-filter \
--filter-id tf-12345 \
--body '{"rules": [{"source": "203.0.113.0/24", "description": "Office network"}, {"source": "198.51.100.5", "description": "VPN"}]}'
Look up PrivateLink metadata for a region
Prompt: "What PrivateLink service name do I need for us-east-1?"
python3 skills/cloud/network-security/scripts/cloud_network_security.py get-metadata --region us-east-1
Delete an unused filter
Prompt: "Remove the old staging IP filter."
python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890 --dry-run
# Review what would be deleted, then confirm:
python3 skills/cloud/network-security/scripts/cloud_network_security.py delete-filter --filter-id tf-67890
Guidelines
- If
EC_API_KEYis not set, do not prompt the user — instruct the agent to invoke cloud-setup first. - Always confirm destructive actions (delete filter) with the user before executing.
- Filters are region-scoped: a filter created in
us-east-1can only be associated with projects in that region. - Filter hygiene — reuse, scope, and clean up:
- Before creating a filter, always run
list-filtersand check whether an existing filter for the same purpose already has the required source rules. Filters can be associated with multiple projects, so one filter with the right rules is better than duplicates. - Duplicate filters means filters for the same purpose with identical source rules — not merely overlapping IPs. Two filters covering different project groups with the same CIDR are legitimate.
- Review unused filters periodically. If a filter is no longer associated with any project, prompt the user to delete it to reduce clutter.
- Before creating a filter, always run
- Updating rules replaces the entire rule set. When adding a rule using PATCH, include all existing rules plus the new one. Omitting an existing rule removes it.
- Deleting a filter fails if it is still associated with a project. Disassociate first using
cloud-manage-project (PATCH the project with the filter removed from the
traffic_filterslist), then delete. include_by_defaultautomatically associates the filter with all new projects in the region. Use with caution — it affects every future project.- For project association and disassociation, delegate to the cloud-manage-project skill. This skill manages filter definitions only.
- For identity and access management (users, roles, API keys), see cloud-access-management.
- For Elasticsearch-level security (native users, role mappings, DLS/FLS), see elasticsearch-authz.
How to use cloud-network-security on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add cloud-network-security
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches cloud-network-security from GitHub repository elastic/agent-skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate cloud-network-security. Access the skill through slash commands (e.g., /cloud-network-security) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.6★★★★★64 reviews- ★★★★★Ganesh Mohane· Dec 28, 2024
I recommend cloud-network-security for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Noah Kim· Dec 24, 2024
cloud-network-security has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Lucas Flores· Dec 16, 2024
We added cloud-network-security from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Mateo Nasser· Dec 12, 2024
cloud-network-security is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Mia Thomas· Dec 12, 2024
cloud-network-security fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Sakshi Patil· Nov 19, 2024
Solid pick for teams standardizing on skills: cloud-network-security is focused, and the summary matches what you get after install.
- ★★★★★Maya Liu· Nov 15, 2024
cloud-network-security reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Mia Taylor· Nov 7, 2024
cloud-network-security fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
- ★★★★★Valentina Agarwal· Nov 3, 2024
Keeps context tight: cloud-network-security is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Lucas Lopez· Nov 3, 2024
We added cloud-network-security from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
showing 1-10 of 64