Cluster and node definitions for Search Guard licensing

Definition of a Production cluster

We follow the Elasticsearch definition of a node/cluster, which you can find here.


A cluster consists of one or more nodes which share the same cluster name. Each cluster has a single master node which is chosen automatically by the cluster and which can be replaced if the current master node fails.


A node is a running instance of Elasticsearch which belongs to a cluster. Multiple nodes can be started on a single server for testing purposes, but usually you should have one node per server. At startup, a node will use unicast to discover an existing cluster with the same cluster name and will try to join that cluster.

A failover cluster does not count as a regular production cluster. License fees for HA clusters depend on whether they are operated as cold- or hot-standby systems. For cold-standby, we usually do not charge extra. For hot-standby systems, we charge 50% of the regular license. While hot-standby clusters are, strictly speaking, not really production clusters, we argue that they are part of the production infrastructure nonetheless.

A production cluster is therefore defined as a single cluster that is used for business benefit. In other words, if the cluster:

1. Has production datasets (unless used in dev/test/staging clusters; see below). Production datasets are real-world data regularly collected by running the business, as opposed to sample and test data.

2. Is put in operation for its intended use by end users to provide business benefit.

3. Is accessible by external stakeholders (customers, suppliers, etc.).

4. Is used to make business and/or IT decisions (e.g. log analytics, enterprise search).

5. Is used in any other way to run the business.

Clusters that are not used for business benefit are those that allow the production clusters to function more efficiently, including dev/test/staging clusters. These clusters are typically not accessible by end users.