Elasticsearch: Configure a public or private IP address whitelist for an Elasticsearch cluster

Last Updated: Jan 31, 2024

Before you access an Alibaba Cloud Elasticsearch cluster over the Internet or a virtual private cloud (VPC), you must add the IP address of your device to a public or private IP address whitelist of the cluster. If you cannot access an Elasticsearch cluster, follow the instructions in this topic to check whether you added the correct IP address to the appropriate IP address whitelist of the cluster.

Prerequisites

An Alibaba Cloud Elasticsearch cluster is created. For more information, see Create an Alibaba Cloud Elasticsearch cluster.

Precautions

  • When you access an Elasticsearch cluster over the Internet, the network may be unstable, and network security may be compromised. If you require high network security and stability, we recommend that you use a VPC for access.

  • You can access an Elasticsearch cluster over the Internet free of charge. The default bandwidth is 5 Gbit/s.

Procedure

  1. Log on to the Alibaba Cloud Elasticsearch console.
  2. In the left-side navigation pane, click Elasticsearch Clusters.
  3. Navigate to the desired cluster.
    1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
    2. On the Elasticsearch Clusters page, find the cluster and click its ID.
  4. In the left-side navigation pane of the page that appears, choose Configuration and Management > Security.

  5. In the Network Settings section of the page that appears, click Modify on the right side of Private IP Address Whitelist or Public IP Address Whitelist to configure a private or public IP address whitelist.

    Note

    By default, the Public Network Access switch is turned off. Before you can configure a public IP address whitelist, you must turn on the switch.

  6. In the panel that appears, click Configure on the right side of default.

    Note

    You can also click Add IP Address Whitelist to create a custom whitelist. For more information, see Manage an IP address whitelist.

  7. In the dialog box that appears, add the IP address of your device to the whitelist.

    We recommend that you obtain the IP address of your device based on the instructions provided in the following table.

    Scenario: Access to an Elasticsearch cluster from an on-premises machine

      • IP address to be obtained: Public IP address of the on-premises machine

        Note

        If your on-premises machine is connected to a home network or to a LAN of an office, you must add the IP address of the Internet egress to the whitelist.

      • Method to obtain the IP address: Visit www.cip.cc by using a browser on the on-premises machine or run the curl cip.cc command on the machine.

    Scenario: Access to an Elasticsearch cluster from a client over the Internet

      • IP address to be obtained: Public IP address of the client

        For example, you want to use an Elastic Compute Service (ECS) instance that resides in a different VPC from your Elasticsearch cluster to access the cluster over the Internet. In this case, you need to obtain the public IP address of the ECS instance.

      • Method to obtain the IP address: The following operations provide an example on how to obtain the private or public IP address of an ECS instance:

        1. Log on to the ECS console.

        2. In the left-side navigation pane, click Instances.

        3. In the top navigation bar, select the region where the ECS instance resides.

        4. On the Instances page, find the ECS instance and view the private or public IP address of the ECS instance.

    Scenario: Access to an Elasticsearch cluster from a client over a VPC

      • IP address to be obtained: Private IP address of the client

        For example, you want to use an ECS instance that resides in the same VPC as your Elasticsearch cluster to access the cluster over the VPC. In this case, you need to obtain the private IP address of the ECS instance.

    When you configure an IP address whitelist, you must comply with the following rules:

    • You can specify IP addresses or CIDR blocks, such as 192.168.0.1 or 192.168.0.0/24, in a whitelist.

      Note

      If you specify CIDR blocks, make sure that the IP address that precedes the forward slash (/) in each CIDR block is the first IP address of the block, as obtained from the subnet mask calculation.

    • You can specify up to 300 IP addresses or CIDR blocks in a whitelist. Separate multiple IP addresses or CIDR blocks with commas (,).

    • If your IP address dynamically changes, we recommend that you specify a CIDR block in a whitelist.

    • 127.0.0.1 is specified in the default public IP address whitelist. This indicates that access from all IPv4 addresses is denied.

    • 0.0.0.0/0 is specified in the default private IP address whitelist. This indicates that access from all IPv4 addresses is allowed. For security purposes, we recommend that you do not specify 0.0.0.0/0 in a private IP address whitelist.

      Note

      For clusters in some regions and clusters of some versions, you are not allowed to specify 0.0.0.0/0 in a whitelist. You can check whether you can perform this configuration in the console.

    • Access from public IPv6 addresses is supported only in the China (Hangzhou) region, and you can configure public IPv6 address whitelists in this region. For example, you can specify 2401:b180:1000:24::5 or 2401:b180:1000::/48 in a whitelist.

      Note
      • In a whitelist, you can specify ::1 to deny requests from all IPv6 addresses or specify ::/0 to allow requests from all IPv6 addresses. For security purposes, we recommend that you do not specify ::/0.

      • For clusters of some versions, you are not allowed to specify ::/0 in a whitelist. You can check whether you can perform this configuration in the console.

  8. Click OK.

  9. (Optional) Click the icon in the upper-right corner of the panel to return to the Security page. Then, view the private or public IP address whitelist that you configured.

    If some IP addresses that you specified are not displayed, you can move the pointer over the IP addresses that are displayed to view all the specified IP addresses. If the IP addresses you specified appear in the whitelist, the whitelist configuration is successful.
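
The whitelist rules in step 7 can be checked locally before a value is pasted into the console, and the same parsed list answers whether a given client IP address is covered. The following Python code is an added example, not Alibaba Cloud code; the names check_whitelist, is_covered and SAMPLE are assumptions made for illustration, and the sample value is constructed.

```python
import ipaddress

MAX_ENTRIES = 300  # per-whitelist limit stated in the rules above

def check_whitelist(value):
    """Parse a comma-separated whitelist; return (networks, problems)."""
    networks, problems = [], []
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    for entry in entries:
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            problems.append(f"{entry}: not an IP address or CIDR block")
            continue
        net = iface.network
        if iface.ip != net.network_address:
            # The address before "/" must be the first address of the block.
            problems.append(f"{entry}: host bits set, use {net}")
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 and ::/0 open the cluster to every address.
            problems.append(f"{entry}: allows all IPv{net.version} addresses")
        networks.append(net)
    return networks, problems

def is_covered(client_ip, networks):
    """True if client_ip matches at least one whitelist entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == n.version and ip in n for n in networks)

# Constructed sample value, not taken from a real cluster.
SAMPLE = ("192.168.0.0/24, 192.168.0.1/24, 10.0.0.5, 0.0.0.0/0, "
          "2401:b180:1000::/48, not-an-ip")

if __name__ == "__main__":
    nets, issues = check_whitelist(SAMPLE)
    for issue in issues:
        print("PROBLEM", issue)
    tight, _ = check_whitelist("192.168.0.0/24, 10.0.0.5")
    print(is_covered("192.168.0.77", tight), is_covered("10.0.0.6", tight))
```
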

Manage an IP address whitelist

This section provides an example on how to manage a public IP address whitelist.

Operations and their steps:

Add an IP address whitelist

  1. On the Security page, click Modify on the right side of Public IP Address Whitelist.

  2. In the Modify Public IP Address Whitelist panel, click Add IP Address Whitelist.

    Note

    A default IP address whitelist named default is provided. The whitelist contains the default IP address or CIDR block.

  3. In the dialog box that appears, configure Name and IP Addresses in Whitelist, and click OK.

View the IP addresses in an IP address whitelist

On the Security page, view the IP addresses in the IP address whitelist.

If some IP addresses that you specified are not displayed, you can move the pointer over the IP addresses that are displayed to view all the specified IP addresses.

Modify an IP address whitelist

  1. On the Security page, click Modify on the right side of Public IP Address Whitelist.

  2. In the Modify Public IP Address Whitelist panel, find the IP address whitelist that you want to modify and click Configure on the right side of the name of the whitelist.

  3. In the dialog box that appears, change the value of IP Addresses in Whitelist and click OK.

    Note

    The value of Name cannot be changed.

Delete an IP address whitelist

  1. On the Security page, click Modify on the right side of Public IP Address Whitelist.

  2. In the Modify Public IP Address Whitelist panel, find the IP address whitelist that you want to delete and click Delete on the right side of the name of the whitelist.

  3. In the message that appears, click OK.

FAQ

  • Q: I have configured a whitelist, but I still cannot access my Elasticsearch cluster. What do I do?

    A: The IP addresses you add to the whitelist may be incorrect. Check whether the IP addresses you add to the whitelist are correct based on the preceding configuration instructions. You can also run a cURL command to check whether the Elasticsearch cluster can be accessed. For more information, see Access an Elasticsearch cluster.

  • Q: What do I do if the number of IP addresses I specify in a whitelist exceeds the upper limit?

    A: You can merge the IP addresses into CIDR blocks to reduce the number of IP addresses.
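
Merging can be done without widening access: adjacent addresses and blocks collapse into the smallest set of CIDR blocks that covers exactly the same addresses. The following Python code is an added example, not Alibaba Cloud code; merge_whitelist, extra_addresses and the sample entries are assumptions made for illustration. extra_addresses goes one step beyond the answer above and counts how many additional addresses a broader, hand-picked CIDR block would admit.

```python
import ipaddress

def _collapse(entries):
    """Exact merge of IPs/CIDR blocks, IPv4 and IPv6 handled separately."""
    # Default strict parsing rejects CIDR blocks with host bits set.
    nets = [ipaddress.ip_network(e.strip()) for e in entries]
    merged = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        merged += ipaddress.collapse_addresses(same)
    return merged

def merge_whitelist(entries):
    """Return the shortest whitelist that covers exactly the same addresses."""
    return [str(n.network_address) if n.num_addresses == 1 else str(n)
            for n in _collapse(entries)]

def extra_addresses(entries, candidate):
    """Count addresses a single broader CIDR block admits beyond the entries."""
    cand = ipaddress.ip_network(candidate)
    merged = _collapse(entries)
    if not all(n.version == cand.version and n.subnet_of(cand) for n in merged):
        raise ValueError(f"{candidate} does not cover every entry")
    return cand.num_addresses - sum(n.num_addresses for n in merged)

# Constructed sample entries, not taken from a real cluster.
SAMPLE_ENTRIES = ["10.0.0.0", "10.0.0.1", "10.0.0.2", "10.0.0.3",
                  "10.0.0.4/30", "10.0.1.0/24", "10.0.0.9"]

if __name__ == "__main__":
    print(",".join(merge_whitelist(SAMPLE_ENTRIES)))
    print(extra_addresses(SAMPLE_ENTRIES, "10.0.0.0/23"))
```
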
