Connect to a cluster by using Kibana

Last Updated: Nov 28, 2025

Kibana is a core component of Alibaba Cloud Elasticsearch (ES) that provides a visual interface to explore, analyze, and display data. Kibana is built into the ES console. A successful logon to Kibana confirms a successful connection to the cluster, which lets you explore your data.

Log on to Kibana over the internet (for V3 deployment architecture)

To log on to Kibana over the internet, you need to configure or obtain the following information:

  • Public endpoint: The Kibana public endpoint is enabled by default. You can obtain it from the Kibana configuration page in the ES console.

  • Public access whitelist: By default, the public access whitelist denies access from all IP addresses to Kibana over the internet. You must add the IP address of your device to the whitelist.

  • Authentication method: The default method is two-factor authentication with an Alibaba Cloud account and the ES instance access password. This means you first log on to your Alibaba Cloud account, and then use your ES instance credentials (username: elastic, and the corresponding password) to authenticate.

  • Port number: The port is fixed at 443.

  1. Log on to the Alibaba Cloud Elasticsearch console, and navigate to the Basic Information page of the target instance.

  2. In the navigation pane on the left, click Data Visualization. In the Kibana area, click Modify Configuration.

  3. In the Network Access Configuration section, you can modify the Public IP Address Whitelist and Authentication Method for Public Network Access.

    Obtain the IP address of the access device

    You can obtain the IP address of your device based on the following scenarios.

    Scenario: Access Kibana from an on-premises device over the internet.

      • IP address to obtain: The public IP address of the on-premises device.

        Note: If your on-premises device is on a home network or a corporate local area network (LAN), you need to add the public egress IP address of the LAN.

      • Method: Run the curl ipinfo.io/ip command to query the public IP address of the on-premises device.

    Scenario: Access Kibana from an ECS instance over the internet.

      • IP address to obtain: If the ECS instance and the ES cluster are in different virtual private clouds (VPCs), you can access Kibana using the public IP address of the ECS instance. In this case, you must obtain the public IP address of the ECS instance and add it to the ES public access whitelist.

      • Method: Log on to the ECS console and view the public IP address of the instance in the instance list.

    Add the IP address to the public whitelist

    1. Find Public IP Address Whitelist and click Edit.

    2. Click Configure to the right of the default group, and in the dialog box that appears, add an IP whitelist.

      • You can also click Add a new IP whitelist group to customize the group name.

      • Groups are for IP address management only and do not affect access permissions.

      Configuration type: IPv4 address format

      • Format and example values:

        • Single IP address: 192.168.0.1

        • CIDR block: 192.168.0.0/24. We recommend that you merge scattered IP addresses into CIDR blocks.

      • Important notes:

        A single cluster can have up to 300 IP addresses or CIDR blocks. Separate multiple entries with a comma (,). Do not add spaces before or after the comma.

        • Default public address: 127.0.0.1. This denies access from all IPv4 addresses.

        • 0.0.0.0/0: Allows access from all IPv4 addresses.

          Important
          • We strongly recommend that you do not configure 0.0.0.0/0. It poses a high security threat.

          • Some clusters and regions do not support 0.0.0.0/0. The availability is subject to the information on the UI or the error messages.

    3. After completing the configuration, click OK.

    Configure the public logon authentication method

    The default method is two-factor authentication with an Alibaba Cloud account and the ES instance access password. This means you first log on to your Alibaba Cloud account, and then use your ES instance credentials (username: elastic, and the corresponding password) to authenticate.

    Important

    You can change the method to use only the ES instance access password (username: elastic, and the corresponding password). This method reduces cluster security and is not recommended.

  4. Click Access over Internet and enter your username and password on the Kibana logon page to access the Kibana console and explore your ES data.

    • Username: The username is fixed as elastic.

      You can use the Elasticsearch X-Pack plugin in Kibana to create roles for fine-grained permission management.

    • Password: The password that you set when you created the ES cluster. If you forget the password, you can reset the password.

Log on to Kibana over a private network (for V3 deployment architecture)

To log on to Kibana over a private network, you need to configure or obtain the following information:

  • Private endpoint: This is disabled by default. You need to use Alibaba Cloud PrivateLink to access Kibana over a private network from within a VPC. You must associate an independent endpoint with Kibana. Alibaba Cloud ES covers the costs incurred by the PrivateLink endpoint.

    Important

    You can enable the private endpoint when the Kibana node specifications are 2-core 4 GB or higher.

  • Private access authentication method: The default method is two-factor authentication with an Alibaba Cloud account and the ES instance access password. This means you first log on to your Alibaba Cloud account, and then use your ES instance credentials (username: elastic, and the corresponding password) to authenticate.

  • Port number: The port is fixed at 5601.

Configure the private logon endpoint

  1. On the Network Access Configuration page, turn on the Private Network Access switch.

  2. Configure the endpoint information as prompted on the page.

    Parameter and description:

    • Endpoint Name: The endpoint name is automatically generated but can be modified.

    • VPC: The VPC is the same as that of the ES instance. You can view the VPC of the instance on the Basic Information page.

    • Zone: You can view the Zone on the Basic Information page of the instance.

    • vSwitch: The vSwitch must be the same as that of the ES instance. You can view the vSwitch ID of the instance on its Basic Information page.

    • Security Group: Use security group rules to control network access to Kibana over the private network. You can select an existing security group or quickly create a new one. You need to go to the ECS console to modify security group rules:

      • The destination port range must include the Kibana private port 5601.

      • The source must include the IP address of the device used for access.

      • When you modify the security group for private access to Kibana, you must select a security group of the same type as the one you initially chose:

        • If you initially selected a basic security group, you can only change it to another basic security group.

        • If you initially selected an enterprise security group, you can only change it to another enterprise security group.

      • Quickly create a security group:

        1. Click Create below the Security Group text box.

        2. Enter a security group name.

          The security group name is automatically generated but can be modified.

        3. Enter the authorized IP address.

          This is the private IP address of the device to be authorized. For example, if you access the Kibana service from an ECS instance over a private network, you need to enter the private IP address of the ECS instance. Log on to the ECS console and view the private IP address of the instance in the instance list.

    • Authentication Method for Private Network Access: The default method is two-factor authentication with an Alibaba Cloud account and the ES instance access password. This means you first log on to your Alibaba Cloud account, and then use your ES instance credentials (username: elastic, and the corresponding password) to authenticate.

      Important

      You can change the method to use only the ES instance access password (username: elastic, and the corresponding password). This method reduces cluster security and is not recommended.

    After you click OK, the configuration of the Kibana internal-facing access address begins. The process is complete when the endpoint connection status is Connected.

    • After the endpoint is created, you can modify only its name. To query and manage security groups, go to the ECS console to make changes.

    • If you turn off Private Network Access, the associated endpoint resources are automatically released. If you turn this feature on again, you must create new endpoint resources. However, the Kibana access address remains unchanged.

Connection examples

  • The following example shows how to use a VNC connection to an ECS instance (running Windows) and then connect to Kibana using the private endpoint.

    image

    Enter your username and password, and then click Log On.

    • Username: The username is fixed as elastic.

      You can use the Elasticsearch X-Pack plugin in Kibana to create roles for fine-grained permission management.

    • Password: The password that you set when you created the ES cluster. If you forget the password, you can reset the password.

  • The following example shows how to use Workbench to remotely connect to an ECS instance and then run the following command to connect to Kibana using the private endpoint:

    curl.exe -u elastic:password! -k -I "https://es-cn-xxxxxxxxxxxxxxxxx-kibana.internal.elasticsearch.aliyuncs.com:5601/"

    A successful connection returns the following information:

    image

Log on to Kibana over the internet (for V2 deployment architecture)

To log on to Kibana over the internet, you need to configure or obtain the following information:

  • Public endpoint: The Kibana public endpoint is enabled by default. You can obtain it from the Kibana configuration page in the ES console.

  • Public access whitelist: By default, the public access whitelist denies access from all IP addresses to Kibana over the internet. You must add the IP address of your device to the whitelist.

  • Authentication method: Authenticate using the ES username and password (username: elastic, and the corresponding password).

  • Port number: The port is fixed at 5601.

  1. Log on to the Alibaba Cloud Elasticsearch console and navigate to the Basic Information page of the target instance.

  2. In the navigation pane on the left, click Data Visualization. In the Kibana area, click Modify Configuration.

  3. In the Network Access Configuration section, you can modify the Kibana public access whitelist.

    Obtain the IP address of the access device

    You can obtain the IP address of your device based on the following scenarios.

    Scenario: Access Kibana from an on-premises device over the internet.

      • IP address to obtain: The public IP address of the on-premises device.

        Note: If your on-premises device is on a home network or a corporate LAN, you need to add the public egress IP address of the LAN.

      • Method: Run the curl ipinfo.io/ip command to query the public IP address of the on-premises device.

    Scenario: Access Kibana from an ECS instance over the internet.

      • IP address to obtain: If the ECS instance and the ES cluster are in different VPCs, you can access Kibana using the public IP address of the ECS instance. In this case, you must obtain the public IP address of the ECS instance and add it to the ES public access whitelist.

      • Method: Log on to the ECS console and view the public IP address of the instance in the instance list.

    Add the IP address to the public whitelist

    1. In the Private IP Address Whitelist section, click Modify.

    2. Click Configure to the right of the default group to add an IP whitelist in the dialog box that appears.

      • You can also click Add a new IP whitelist group to create a group with a custom name.

      • Groups are for IP address management only and do not affect access permissions.

      Configuration type: IPv4 address format

      • Format and example values:

        • Single IP address: 192.168.0.1

        • CIDR block: 192.168.0.0/24. We recommend that you merge scattered IP addresses into CIDR blocks.

      • Important notes:

        A single cluster can have up to 300 IP addresses or CIDR blocks. Separate multiple entries with a comma (,). Do not add spaces before or after the comma.

        • Default public address: 127.0.0.1. This denies access from all IPv4 addresses.

        • 0.0.0.0/0: Allows access from all IPv4 addresses.

          Important
          • We strongly recommend that you do not configure 0.0.0.0/0. It poses a high security threat.

          • Some clusters and regions do not support 0.0.0.0/0. Availability is subject to the information in the UI or the error messages.

      Configuration type: IPv6 address format (Supported only in the Hangzhou region)

      • Format and example values:

        • Single IP address: 2401:XXXX:1000:24::5

        • CIDR block: 2401:XXXX:1000::/48

      • Important notes:

        A single cluster can have up to 300 IP addresses or CIDR blocks. Separate multiple entries with a comma (,). Do not add spaces before or after the comma.

        • ::1: Denies access from all IPv6 addresses.

        • ::/0: Allows access from all IPv6 addresses.

          Important
          • We strongly recommend that you do not configure ::/0. It poses a high security threat.

          • Some cluster versions do not support ::/0. Availability is subject to the information in the console UI or the error messages.

    3. After completing the configuration, click OK.

  4. Click Access over Internet, enter your username and password on the Kibana logon page, and log on to the Kibana console, where you can explore data in ES.

    • Username: The username is fixed as elastic.

      You can use the Elasticsearch X-Pack plugin in Kibana to create roles for fine-grained permission management.

    • Password: The password that you set when you created the ES cluster. If you forget the password, you can reset the password.

Log on to Kibana over a private network (for V2 deployment architecture)

To log on to Kibana over a private network, you need to configure or obtain the following information:

  • Private endpoint: This is disabled by default. You can enable it from the console.

    Important

    You can enable the private endpoint when the Kibana node specifications are 2-core 4 GB or higher.

  • Private access whitelist: By default, the private access whitelist denies access from all IP addresses to Kibana over a private network. You must add the IP address of your device to the whitelist.

  • Private access authentication method: Log on using the ES username and password (username: elastic, and the corresponding password).

  • Port number: The port is fixed at 5601.

  1. In the navigation pane on the left, click Data Visualization. In the Kibana area, click Modify Configuration.

  2. In the Network Access Configuration section, enable the Private Network Access switch and configure the access whitelist.

    Obtain the IP address of the access device

    You can obtain the IP address of your device based on the following scenarios.

    Scenario: Access Kibana from an ECS instance over a private network.

      • IP address to obtain: If the ECS instance and the ES cluster are in the same VPC, you need to obtain the private IP address of the ECS instance to connect to the ES cluster.

      • Method: Log on to the ECS console and view the private IP address of the instance in the instance list.

    Add the IP address to the private whitelist

    1. For Private IP Address Whitelist, click Modify.

    2. Click Configure to the right of the default group and add an IP whitelist in the dialog box.

      • If needed, you can also click Add a new IP whitelist group to create a group with a custom name.

      • Groups are for IP address management only and do not affect access permissions.

      Configuration type: IPv4 address format

      • Format and example values:

        • Single IP address: 192.168.0.1

        • CIDR block: 192.168.0.0/24. We recommend that you merge scattered IP addresses into CIDR blocks.

      • Important notes:

        A single cluster can have up to 300 IP addresses or CIDR blocks. Separate multiple entries with a comma (,). Do not add spaces before or after the comma.

        • Default public address: 127.0.0.1. This denies access from all IPv4 addresses.

        • 0.0.0.0/0: Allows access from all IPv4 addresses.

          Important
          • We strongly recommend that you do not configure 0.0.0.0/0. It poses a high security threat.

          • Some clusters and regions do not support 0.0.0.0/0. The availability is subject to the information on the UI or the error messages.

    3. After completing the configuration, click OK.

    Connection example

    The following example shows how to use Workbench to remotely connect to an ECS instance and then run the following command to connect to Kibana using the private endpoint:

    curl.exe -u elastic:password! -k -I "https://es-xx-xxxxxxxxxxxxxxxxx-kibana.internal.elasticsearch.aliyuncs.com:5601/"

    A successful connection returns the following information:

    image
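
The whitelist format rules repeated in the public and private whitelist sections above (comma-separated entries with no spaces, at most 300 entries, 0.0.0.0/0 and ::/0 not recommended, scattered addresses merged into CIDR blocks) can be checked before a value is pasted into the console. The following Python helper is an added example, not Alibaba Cloud code; the function name normalize_whitelist, its public flag, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

MAX_ENTRIES = 300                       # per-cluster limit stated on this page
DENY_ALL = {"127.0.0.1/32", "::1/128"}  # page: these deny every address
ALLOW_ALL = {"0.0.0.0/0", "::/0"}       # page: these allow every address
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize_whitelist(raw, public=True):
    """Return (whitelist_string, warnings) for a comma-separated whitelist.

    Hypothetical helper, not an Alibaba Cloud API. Raises ValueError for
    input that breaks the format rules or would open Kibana to everyone.
    """
    nets, warnings = [], []
    for entry in raw.split(","):
        if entry != entry.strip():
            raise ValueError(f"space next to a comma: {entry!r}")
        try:
            # strict=True rejects blocks with host bits set, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"not an IP or CIDR block: {entry!r}") from exc
        if str(net) in ALLOW_ALL:
            raise ValueError(f"{entry} allows access from every address")
        if str(net) in DENY_ALL:
            warnings.append(f"{entry}: deny-all placeholder, dropped")
            continue
        if public and net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
            # A LAN address never reaches a public endpoint; the page says to
            # whitelist the LAN's public egress address instead.
            warnings.append(f"{entry}: private range in a public whitelist")
        nets.append(net)

    merged = []
    for version in (4, 6):  # collapse_addresses() cannot mix IP versions
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    if len(merged) > MAX_ENTRIES:
        raise ValueError(f"{len(merged)} entries after merging, limit is {MAX_ENTRIES}")
    if not merged:
        return "127.0.0.1", warnings  # fail closed: the page's deny-all default

    def fmt(net):
        # Single hosts are written without a prefix, as in the page's examples
        return str(net.network_address) if net.num_addresses == 1 else str(net)

    return ",".join(fmt(n) for n in merged), warnings


# Constructed sample input (documentation address ranges, not real hosts)
SAMPLE = "203.0.113.10,203.0.113.11,198.51.100.0/25,198.51.100.128/25,127.0.0.1"

if __name__ == "__main__":
    value, notes = normalize_whitelist(SAMPLE)
    print(value)
    for note in notes:
        print("warning:", note)
```

The private-range warning applies only to a public whitelist; pass public=False when preparing the private access whitelist.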

Access Kibana through an Nginx proxy (V3 deployment architecture example)

When you access Kibana through an Nginx proxy, you need to configure or obtain the following information:

  • Kibana endpoint:

  • Port number: 443 for public access and 5601 for private access.

  • Security group configuration: If you access Kibana from a local browser through an Nginx proxy (for example, on an ECS server), you need to add the IP address of your on-premises device and port 80 to the security group of the ECS instance.

  • Modify the Nginx configuration. The key parameters are described as follows:

    • server_name: The domain name of the server. You can replace it with the actual domain name of your server.

    • proxy_pass: Proxies requests to the backend Kibana service. You must replace the value with the Kibana private or public connection information (endpoint and port number).

      server {
          listen 80;
          # You can replace server_name with the actual domain name of your server
          server_name _;

          # Security settings
          add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
          add_header X-Frame-Options DENY;
          add_header X-Content-Type-Options nosniff;

          location / {
              # Proxy requests to the backend Kibana service
              proxy_pass https://es-xx-xxxxxxxxxxxxxxxxx-kibana.internal.elasticsearch.aliyuncs.com:5601;

              # Certificate verification (use a valid certificate in a production environment)
              proxy_ssl_verify off;
              proxy_ssl_server_name on;

              # Header settings
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;

              # WebSocket support
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_cache_bypass $http_upgrade;

              # Timeout settings
              proxy_connect_timeout 60s;
              proxy_send_timeout 60s;
              proxy_read_timeout 60s;
          }
      }

Switch the Kibana language

Kibana supports Chinese and English (default). You can switch the Kibana language for ES versions 6.7.0 and later.

  1. Log on to the Alibaba Cloud Elasticsearch console and navigate to the Basic Information page of the target instance.

  2. In the navigation pane on the left, click Data Visualization. Then, in the Kibana area, click Modify Configuration.

  3. Click Modify Configuration to change the Kibana language.

References

  • API documentation:

    • To enable or disable public or private access to Kibana, see the TriggerNetwork API operation.

    • To update the public or private access whitelist for Kibana, see the ModifyWhiteIps API operation.

  • If you encounter problems when you log on to or use Kibana, see Kibana FAQ.