To access the Kibana service over the Internet or an internal network, you must add the IP address of your host to the related IP address whitelist of Kibana. This topic describes how to configure a public or private IP address whitelist for Kibana.

Prerequisites

An Alibaba Cloud Elasticsearch cluster is created. For more information, see Create an Alibaba Cloud Elasticsearch cluster.

Go to the Kibana access configuration page

  1. Log on to the Elasticsearch console.
  2. In the left-side navigation pane, click Elasticsearch Clusters.
  3. Navigate to the desired cluster.
    1. In the top navigation bar, select a resource group and a region.
    2. In the left-side navigation pane, click Elasticsearch Clusters. On the Elasticsearch Clusters page, find the desired cluster and click its ID.
  4. In the left-side navigation pane, click Data Visualization.
  5. In the Kibana section of the page that appears, click Edit Configuration.
    You can then view the Network Access Configuration section on the Kibana Configuration page.
  6. In the Network Access Configuration section, perform the following operations:
    Network Access Configuration
    • Configure a public IP address whitelist for Kibana
      Add the public IP address of your host to the public IP address whitelist of Kibana. Then, you can use this host to log on to the Kibana console. By default, 127.0.0.1,::1 is added to the whitelist. This indicates that requests from all IPv4 and IPv6 addresses are denied.
      Notice After the public IP address whitelist is configured, you can access Kibana over the Internet. You can use the Kibana console to access only services in virtual private clouds (VPCs). You cannot use the Kibana console to access Internet services such as Baidu Maps and AMAP.
    • Configure a private IP address whitelist for Kibana

      Add the private IP address of your host to the private IP address whitelist of Kibana. Then, you can use this host to log on to the Kibana console. You can configure the private IP address whitelist only after you enable the Private Network Access feature. This feature is disabled by default.

Configure a public IP address whitelist for Kibana

  1. In the Network Access Configuration section of the Kibana Configuration page, check whether Public Network Access is turned on (indicated by the color green).
    Notice
    • Public Network Access is turned on by default.
    • If Public Network Access is turned off, the entry point for access to Kibana over the Internet is not displayed in the Kibana section of the Data Visualization page. In this case, you cannot log on to the Kibana console over the Internet.
    • Turning on Public Network Access can trigger changes on the Server Load Balancer (SLB) instance that is connected to Kibana but does not trigger changes on the Elasticsearch cluster. Therefore, this operation does not affect the Elasticsearch cluster.
    • If yes, go to the next step.
    • If no, click Public Network Access to turn it on.
  2. Click Update on the right side of Kibana Whitelist.
  3. Enter the IP address that you want to add in the text box.

    You can enter IP addresses or CIDR blocks. Enter IP addresses in the 192.168.0.1 format and CIDR blocks in the 192.168.0.0/24 format. Separate multiple IP addresses or CIDR blocks with commas (,). You can enter 127.0.0.1 to deny requests from all IPv4 addresses or enter 0.0.0.0/0 to allow requests from all IPv4 addresses.

    If your Elasticsearch cluster is deployed in the China (Hangzhou) region, you can enter IPv6 addresses or CIDR blocks. Enter IPv6 addresses in the 2401:b180:1000:24::5 format and CIDR blocks in the 2401:b180:1000::/48 format. You can enter ::1 to deny requests from all IPv6 addresses or enter ::/0 to allow requests from all IPv6 addresses.

    Warning The default setting is 0.0.0.0/0,::/0, which indicates that requests from all public IP addresses are allowed. This may cause security risks.
  4. Click OK.

Configure a private IP address whitelist for Kibana

  1. In the Network Access Configuration section of the Kibana Configuration page, check whether Private Network Access is turned on (indicated by the color green).
    Notice
    • Private Network Access is turned off (indicated by the color gray) by default.
    • If Private Network Access is turned on, the entry point for access to Kibana over an internal network is displayed in the Kibana section of the Data Visualization page. In this case, you can log on to the Kibana console over an internal network.
    • Turning on Private Network Access can trigger changes on the SLB instance that is connected to Kibana but does not trigger changes on the Elasticsearch cluster. Therefore, this operation does not affect the Elasticsearch cluster.
    • If yes, go to the next step.
    • If no, click Private Network Access to turn it on.
  2. Click Update on the right side of Private Network Whitelist.
  3. Enter the IP address that you want to add in the text box.
    You can enter IP addresses or CIDR blocks. Enter IP addresses in the 192.168.0.1 format and CIDR blocks in the 192.168.0.0/24 format. Separate multiple IP addresses or CIDR blocks with commas (,). You can enter 127.0.0.1 to deny requests from all IPv4 addresses or enter 0.0.0.0/0 to allow requests from all IPv4 addresses.
  4. Click OK.