Elasticsearch:Connect to a cluster using Kibana

Prerequisites

Before you begin, confirm the following:

• The Kibana public endpoint is enabled by default. Get it from the Kibana configuration page in the ES console.

• The port is fixed at 443.

• The public access whitelist denies all IP addresses by default. Add your device's IP address before logging on.

• The default authentication method is two-factor authentication: log on to your Alibaba Cloud account first, then authenticate with your ES instance credentials (username: elastic and the corresponding password).

Add your IP address to the public whitelist

The IP address to whitelist depends on how you access Kibana:

1. Log on to the Alibaba Cloud Elasticsearch console and go to the Basic Information page of the target instance.

2. In the left navigation pane, click Data Visualization. In the Kibana area, click Modify Configuration.

   

3. In the Network Access Configuration section, find Public IP Address Whitelist and click Edit.

   

   

4. Click Configure to the right of the default group. In the dialog box that appears, add the IP addresses to allow.

   • To use a custom group name, click Add a new IP whitelist group. Groups are for IP address management only and do not affect access permissions.

   IP address format

   Configuration type	Format and examples	Notes
   IPv4 address	Single IP: 192.168.0.1<br>CIDR block: 192.168.0.0/24 (merge scattered IPs into CIDR blocks where possible)<br>Up to 300 entries per cluster; separate multiple entries with a comma (no spaces)	Default value 127.0.0.1 denies all IPv4 addresses.<br>0.0.0.0/0 allows all IPv4 addresses — high security risk, not recommended. Some clusters and regions do not support 0.0.0.0/0; availability is shown in the console or error messages.

   

5. Click OK.

Configure the authentication method

The default authentication method is two-factor: log on to your Alibaba Cloud account first, then use your ES instance credentials (username: elastic and the corresponding password).

Log on to Kibana

Click Access over Internet and enter your credentials on the Kibana logon page.

• Username: elastic (fixed)

• Password: The password you set when creating the ES cluster. To reset it, see Reset the password.

To create roles for fine-grained access control, use the Elasticsearch X-Pack plugin in Kibana.

Prerequisites

Before enabling private network access, confirm the following:

• Kibana node specification: 2-core 4 GB or higher. Private network access cannot be enabled on smaller node specifications.

• Technology: Alibaba Cloud PrivateLink. Alibaba Cloud ES covers the PrivateLink endpoint costs.

• The private endpoint is disabled by default. Enable it and configure a PrivateLink endpoint before logging on.

• The port is fixed at 5601.

• The default authentication method is two-factor authentication: log on to your Alibaba Cloud account first, then authenticate with your ES instance credentials.

Configure the private endpoint

1. On the Network Access Configuration page, turn on the Private Network Access switch.

   

2. Configure the endpoint parameters:

   Parameter	Description
   Endpoint name	Auto-generated. Can be modified.
   VPC	Same VPC as the ES instance. Check the Basic Information page for the VPC ID.
   Zone	Check the Basic Information page for the zone.
   vSwitch	Same vSwitch as the ES instance. Check the vSwitch ID on the Basic Information page.
   Security group	Controls private network access to Kibana. Select an existing security group or create one. Manage security group rules in the ECS console: the destination port range must include 5601, and the source must include the IP address of the access device. When changing the security group, the type must remain the same (basic to basic; enterprise to enterprise). To quickly create a security group: click Create below the Security Group field, enter a name, and enter the private IP address of the device to authorize.
   Authentication method for private network access	Default: two-factor authentication (Alibaba Cloud account + ES instance credentials). Switching to ES instance credentials only reduces security and is not recommended.

   

3. Click OK. Configuration starts immediately. The endpoint is ready when its connection status shows Connected.

   

After the endpoint is created:

• Only the endpoint name can be modified. To manage security groups, go to the ECS console.

• Turning off Private Network Access automatically releases the associated PrivateLink endpoint resources. Re-enabling the feature requires creating new endpoint resources. The Kibana access address remains unchanged.

Verify the connection

VNC connection (Windows ECS instance)

Connect to the ECS instance via VNC, open a browser, and enter the private Kibana endpoint URL. Log on with your credentials.

• Username: elastic (fixed)

• Password: The password you set when creating the ES cluster. To reset it, see Reset the password.

Workbench (command line)

Connect to an ECS instance via Workbench and run:

curl.exe -u elastic:<password> -k -I "https://es-cn-xxxxxxxxxxxxxxxxx-kibana.internal.elasticsearch.aliyuncs.com:5601/"

A successful connection returns:

Prerequisites

Before you begin, confirm the following:

• The Kibana public endpoint is enabled by default. Get it from the Kibana configuration page in the ES console.

• The port is fixed at 5601.

• The public access whitelist denies all IP addresses by default. Add your device's IP address before logging on.

• The authentication method is ES instance credentials (username: elastic and the corresponding password).

Add your IP address to the public whitelist

The IP address to whitelist depends on how you access Kibana:

1. Log on to the Alibaba Cloud Elasticsearch console and go to the Basic Information page of the target instance.

2. In the left navigation pane, click Data Visualization. In the Kibana area, click Modify Configuration.

   

3. In the Network Access Configuration section, find the public IP address whitelist and click Modify.

4. Click Configure to the right of the default group. In the dialog box that appears, add the IP addresses to allow.

   • To use a custom group name, click Add a new IP whitelist group. Groups are for IP address management only and do not affect access permissions.

   IP address format

   Configuration type	Format and examples	Notes
   IPv4 address	Single IP: 192.168.0.1<br>CIDR block: 192.168.0.0/24 (merge scattered IPs into CIDR blocks where possible)<br>Up to 300 entries per cluster; separate multiple entries with a comma (no spaces)	Default value 127.0.0.1 denies all IPv4 addresses.<br>0.0.0.0/0 allows all IPv4 addresses — high security risk, not recommended. Some clusters and regions do not support 0.0.0.0/0; availability is shown in the console or error messages.
   IPv6 address (Hangzhou region only)	Single IP: 2401:XXXX:1000:24::5<br>CIDR block: 2401:XXXX:1000::/48<br>Up to 300 entries per cluster; separate multiple entries with a comma (no spaces)	::1 denies all IPv6 addresses.<br>::/0 allows all IPv6 addresses — high security risk, not recommended. Some cluster versions do not support ::/0; availability is shown in the console or error messages.

5. Click OK.

Log on to Kibana

Click Access over Internet and enter your credentials on the Kibana logon page.

• Username: elastic (fixed)

• Password: The password you set when creating the ES cluster. To reset it, see Reset the password.

To create roles for fine-grained access control, use the Elasticsearch X-Pack plugin in Kibana.

Prerequisites

Before enabling private network access, confirm the following:

• Kibana node specification: 2-core 4 GB or higher. Private network access cannot be enabled on smaller node specifications.

• The private endpoint is disabled by default. Enable it and configure the whitelist before logging on.

• The port is fixed at 5601.

• The private access whitelist denies all IP addresses by default.

• The authentication method is ES instance credentials (username: elastic and the corresponding password).

Enable private access and configure the whitelist

The ECS instance you use to access Kibana must be in the same virtual private cloud (VPC) as the ES cluster. Add the instance's private IP address to the whitelist.

1. In the left navigation pane, click Data Visualization. In the Kibana area, click Modify Configuration.

2. In the Network Access Configuration section, turn on the Private Network Access switch.

3. Find Private IP Address Whitelist and click Modify.

4. Click Configure to the right of the default group. In the dialog box that appears, add the private IP addresses to allow.

   • To use a custom group name, click Add a new IP whitelist group. Groups are for IP address management only and do not affect access permissions.

   IP address format

   Configuration type	Format and examples	Notes
   IPv4 address	Single IP: 192.168.0.1<br>CIDR block: 192.168.0.0/24 (merge scattered IPs into CIDR blocks where possible)<br>Up to 300 entries per cluster; separate multiple entries with a comma (no spaces)	Default value 127.0.0.1 denies all IPv4 addresses.<br>0.0.0.0/0 allows all IPv4 addresses — high security risk, not recommended. Some clusters and regions do not support 0.0.0.0/0; availability is shown in the console or error messages.

5. Click OK.

Verify the connection

Connect to an ECS instance via Workbench and run:

curl.exe -u elastic:<password> -k -I "https://es-xx-xxxxxxxxxxxxxxxxx-kibana.internal.elasticsearch.aliyuncs.com:5601/"

A successful connection returns:

When to use this approach

Kibana is a JavaScript application — requests originate from the user's browser, not from a fixed server IP. If users access Kibana from many different locations, maintaining a per-user IP whitelist becomes impractical. An Nginx reverse proxy consolidates all client traffic through a single server IP, so you only need to whitelist that one IP address.

Prerequisites

Before you begin, confirm the following:

• Configure the Kibana endpoint the proxy will connect to:

  • Private endpoint: Follow the Log on to Kibana over a private network (V3) section. Set the authentication method to ES instance access password only.

  • Public endpoint: Follow the Log on to Kibana over the internet (V3) section. Set the authentication method to ES instance access password only.

• Public access port: 443. Private access port: 5601. The Nginx server listens on port 80.

• Add the on-premises device IP and port 80 to the security group of the ECS instance running Nginx. Manage security group rules in the ECS Security Group console. For rule configuration details, see Modify security group rules.

Configure Nginx

Update the Nginx configuration on the proxy server. The key parameters are:

• server_name: The domain name of the proxy server. Replace with your actual domain name.

• proxy_pass: The backend Kibana endpoint (private or public) with the corresponding port.

server {
    listen 80;
    # Replace server_name with the actual domain name of your server
    server_name _;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    location / {
        # Proxy requests to the backend Kibana service
        proxy_pass https://es-xx-xxxxxxxxxxxxxxxxx-kibana.internal.elasticsearch.aliyuncs.com:5601;

        # Certificate verification (use a valid certificate in production)
        proxy_ssl_verify off;
        proxy_ssl_server_name on;

        # Header settings
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_cache_bypass $http_upgrade;

        # Timeout settings
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}