All Products
Search
Document Center

Elasticsearch:Configure a public or private IP address whitelist for Kibana

Last Updated:Feb 27, 2024

Before you access the Kibana service over the Internet or a virtual private cloud (VPC), you need to add the IP address of your device to a public or private IP address whitelist of Kibana.

Prerequisites

Your Elasticsearch cluster is in a normal state.

Configure a public IP address whitelist for Kibana

You can control access to Kibana over the Internet by directly managing IP addresses in whitelists for Kibana.

  1. Log on to the Alibaba Cloud Elasticsearch console.
  2. In the left-side navigation pane, click Elasticsearch Clusters.
  3. Navigate to the desired cluster.
    1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
    2. On the Elasticsearch Clusters page, find the cluster and click its ID.
  4. In the left-side navigation pane of the page that appears, choose Configuration and Management > Data Visualization.

  5. In the Kibana section of the page that appears, click Modify Configuration.

  6. In the Network Access Configuration section of the page that appears, click Modify on the right side of Public IP Address Whitelist.

    Note
    • If the Public Network Access switch is turned off, you must turn on the switch first.

    • If the external port of the Elasticsearch cluster is port 443, you are not allowed to turn off the Public Network Access switch.

  7. In the Modify Public IP Address Whitelist panel, click Add IP Address Whitelist, or click Configure on the right side of the name of the desired whitelist.

    Note

    After an IP address whitelist is created, the name of the IP address whitelist cannot be changed.

  8. In the dialog box that appears, add the IP address of your device to the whitelist.

    We recommend that you obtain the IP address of your device based on the instructions provided in the following table.

    Scenario

    IP address to be obtained

    Method to obtain the IP address

    Access to Kibana from an on-premises machine

    Public IP address of the on-premises machine

    Note

    If your on-premises machine is connected to a home network or to a LAN of an office, you must add the IP address of the Internet egress to the whitelist.

    Visit www.cip.cc by using a browser on the on-premises machine or run the curl cip.cc command on the machine.

    Access to Kibana from a client

    Public IP address of the client

    For example, you want to use an Elastic Compute Service (ECS) instance that resides in a different VPC from Kibana to access Kibana over the Internet. In this case, you need to obtain the public IP address of the ECS instance.

    The following operations provide an example on how to obtain the public IP address of an ECS instance:

    1. Log on to the ECS console.

    2. In the left-side navigation pane, click Instances.

    3. In the top navigation bar, select the region where the ECS instance resides.

    4. On the Instances page, find the ECS instance and view the private or public IP address of the ECS instance.

    When you configure an IP address whitelist, you must follow the following rules:

    • You can specify IP addresses or CIDR blocks, such as 192.168.0.1 or 192.168.0.0/24, in a whitelist.

    • You can specify up to 300 IP addresses or CIDR blocks in a whitelist. Separate multiple IP addresses or CIDR blocks with commas (,).

    • You can specify 127.0.0.1 to prohibit access from all IPv4 addresses or specify 0.0.0.0/0 to allow access from all IPv4 addresses. For security purposes, we recommend that you do not specify 0.0.0.0/0 in a whitelist.

    • Access from public IPv6 addresses are supported only in the China (Hangzhou) region, and you can configure public IPv6 address whitelists in this region. For example, you can specify 2401:b180:1000:24::5 or 2401:b180:1000::/48 in a whitelist.

      Note
      • In a whitelist, you can specify ::1 to deny requests from all IPv6 addresses or specify ::/0 to allow requests from all IPv6 addresses. For security purposes, we recommend that you do not specify ::/0.

      • For clusters of some versions, you are not allowed to specify ::/0 in a whitelist. You can check whether you can perform this configuration in the console.

  9. Click OK.

  10. (Optional) Click the image.png icon in the upper-right corner of the panel to return to the Kibana Configuration page. Then, in the Network Access Configuration section, view the public IP address whitelist that you configured for Kibana.

    If some IP addresses that you specified are not displayed, you can move the pointer over the IP addresses that are displayed to view all the specified IP addresses. If the IP addresses you specified appear in the whitelist, the whitelist configuration is successful.

    Kibana公网访问权限

Configure a private IP address whitelist for Kibana

By default, Private Network Access is turned off. Before you configure a private IP address whitelist, you must turn on Private Network Access.

Port 5601 is used for access to Kibana over the Internet

After you turn on Private Network Access, you can configure a private IP address whitelist for Kibana by referring to the operations in Configure a public IP address whitelist for Kibana.

Note

If you want to use a client, such as an ECS instance, to access Kibana over a VPC, you must add the private IP address of the client to a private IP address whitelist for Kibana.

Port 443 is used for access to Kibana over the Internet

After you turn on Private Network Access, you can use PrivateLink to establish a private connection between your VPC and Kibana. You can control access to Kibana over VPCs by managing IP addresses specified in security group rules.

Note

The fees for PrivateLink endpoints used by Elasticsearch are included in the bills of Elasticsearch. For more information about PrivateLink, see What is PrivateLink?

  1. Log on to the Alibaba Cloud Elasticsearch console.
  2. In the left-side navigation pane, click Elasticsearch Clusters.
  3. Navigate to the desired cluster.
    1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
    2. On the Elasticsearch Clusters page, find the cluster and click its ID.
  4. In the left-side navigation pane of the page that appears, choose Configuration and Management > Data Visualization.

  5. In the Kibana section of the page that appears, click Modify Configuration.

  6. In the Network Access Configuration section of the page that appears, turn on Private Network Access.

  7. In the Enable Private Network Access for Kibana panel, configure an endpoint and a security group, and click OK.

    You can use PrivateLink to implement access to Kibana over VPCs. Each Kibana node must be associated with an independent endpoint.

    Note

    A service-linked role is required when you use PrivateLink to implement access to Kibana over VPCs. If you have not created the related service-linked role, the system automatically creates the role. For more information, see Elasticsearch service-linked roles.

    Parameter

    Description

    Endpoint Name

    The endpoint name is automatically generated and can be changed.

    Endpoint Network Configuration

    • Same as Elasticsearch: The VPC and vSwitch used to create the endpoint are the same as those of the Elasticsearch cluster.

    • Custom: Select a VPC and a vSwitch to create the endpoint.

    Security Group

    You can use security group rules to control access to Kibana over VPCs.

    • Select an existing security group.

      Note

      Port 5601 must be included in the port range of the security group because this port is used for access to Kibana over VPCs. To modify a security group rule, go to the Security Group page of the ECS console. For information about how to modify a security group rule, see Modify a security group rule.

    • Use a new security group.

      1. Click Create below the Security Group field.

      2. In the dialog box that appears, enter a name for the security group.

        The security group name is automatically generated and can be changed.

      3. Enter an IP address in the Authorized IP Address field.

        The IP address must be the private IP address of the device to be authorized. For example, if you want to use an ECS instance to access Kibana over a VPC, you must enter the private IP address of the ECS instance.

    Note
    • After you click OK, wait for a period of time. If an endpoint list is displayed in the lower part of the Network Access Configuration section, the configuration is successful.

    • Endpoints are in a unified format. After an endpoint is created, you can only change the endpoint name.

    • In the Elasticsearch console, you can only change security groups. To query and manage security groups, go to the Security Group page of the ECS console.

    • After you turn off Private Network Access, endpoint resources are automatically released. If you turn on Private Network Access again, you need to create new endpoint resources. However, the access address of Kibana remains unchanged.

FAQ

  • Q: Will my Elasticsearch cluster be affected if I enable the Private Network Access or Public Network Access feature for Kibana?

    A: No, your Elasticsearch cluster will not be affected. If you enable the Private Network Access or Public Network Access feature for Kibana, the system only triggers a change on the Server Load Balancer (SLB) instance that is connected to Kibana.

    Note

    The first time you enable the Private Network Access feature for Kibana, the system restarts Kibana nodes but does not trigger a change on the Elasticsearch cluster.

  • Q: What do I do if I still fail to access Kibana after I add the IP address of my device to an IP address whitelist of Kibana?

    A: Troubleshoot the issue based on the following instructions:

    • Your Elasticsearch cluster is unhealthy.

    • The IP address you add may be incorrect. If you access Kibana from an on-premises machine, visit www.cip.cc to obtain the IP address of the machine, and check whether the obtained IP address is added to a public IP address whitelist of Kibana.

    • You may add the IP address of your device to an IP address whitelist of your Elasticsearch cluster. You need to go to the cluster details page, choose Configuration and Management > Data Visualization in the left-side navigation pane, and then click Modify Configuration in the Kibana section. On the Kibana Configuration page, add the IP address of your device to a private or public IP address whitelist of Kibana.

    • Clear the cache of your browser and try again.

    • Restart Kibana nodes and try again.

  • Q: Why am I still unable to access Kibana after I configure a security group and add the correct IP address to a security group rule?

    A: Port 5601 is used for access to Kibana over VPCs. Therefore, you must include this port in the port range of the security group rule. To modify the security group rule, go to the Security Group page of the ECS console. For more information, see Modify a security group rule.

  • Q: Why am I unable to modify security group rules in the Elasticsearch console?

    A: After you modify a security group rule, the modification affects all access scenarios controlled by the security group rule. Therefore, you are not allowed to modify a security group rule in the Elasticsearch console. To modify a security group rule, go to the Security Group page of the ECS console.

  • Q: The specifications of my Kibana node are 1 vCPU and 2 GiB of memory. Why am I unable to enable the Private Network Access feature of Kibana?

    A: The Kibana node with 1 vCPU and 2 GiB of memory is used for testing purposes and is not recommended in production environments. If you want to access Kibana over a VPC, we recommend that you first upgrade the specifications of the Kibana node to 2 vCPUs and 4 GiB of memory or higher. For more information, see Upgrade the configuration of a cluster.

  • Can I use the Kibana console to access Internet services such as Baidu Maps and AMAP?

  • Why does the IP address that is resolved based on the internal domain name of the Kibana console for an Elasticsearch V7.16 cluster not belong to my VPC?

References