If you want to access the Kibana service over the Internet or an internal network, you must add the IP address of your device to the related IP address whitelist of Kibana. This topic describes how to configure a public or private IP address whitelist for Kibana.

Prerequisites

An Alibaba Cloud Elasticsearch cluster is created. For more information, see Create an Alibaba Cloud Elasticsearch cluster.

Precautions

After you configure a public IP address whitelist for Kibana, you can use the Kibana console of your Elasticsearch cluster to access only services in virtual private clouds (VPCs). You cannot use the Kibana console to access Internet services such as Baidu Maps and AMAP.

Configure an IP address whitelist

  1. Log on to the Elasticsearch console.
  2. In the left-side navigation pane, click Elasticsearch Clusters.
  3. Navigate to the desired cluster.
    1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
    2. In the left-side navigation pane, click Elasticsearch Clusters. On the Elasticsearch Clusters page, find the cluster and click its ID.
  4. In the left-side navigation pane of the page that appears, choose Configuration and Management > Data Visualization.
  5. In the Kibana section of the page that appears, click Edit Configuration.
  6. In the Network Access Configuration section of the page that appears, click Update on the right side of Kibana Whitelist or Private Network Whitelist to configure a public or private IP address whitelist.
    Note
    • By default, the Private Network Access switch is turned off. Before you can configure a private IP address whitelist, you must turn on Private Network Access.
    • By default, the Public Network Access switch is turned on, which is indicated by the color green. If you turn off this switch, the entry point for access to Kibana over the Internet is not displayed in the Kibana section of the Data Visualization page. In this case, you cannot log on to the Kibana console over the Internet. If you turn on the Public Network Access switch, changes may occur on the Server Load Balancer (SLB) instance that is connected to Kibana but not on the Elasticsearch cluster. Therefore, this operation does not affect the Elasticsearch cluster.
    • By default, the Private Network Access switch is turned off, which is indicated by the color gray. After you turn on this switch, the entry point for access to Kibana over an internal network is displayed in the Kibana section of the Data Visualization page. Then, you can log on to the Kibana console over a VPC. If you turn on the Private Network Access switch, changes may occur on the SLB instance that is connected to Kibana but not on the Elasticsearch cluster. Therefore, this operation does not affect the Elasticsearch cluster.
  7. In the panel that appears, click Configure on the right side of default.
    Note
    • By default, requests from all public IP addresses are denied, and requests from all private IPv4 addresses are allowed. You can enable Private Network Access only if port 5601 is enabled for access to Kibana over the Internet. If port 443 is enabled for access to Kibana over the Internet, you cannot enable Private Network Access. You can go to the console to check whether you can enable Private Network Access.
    • You can also click Add IP Address Whitelist to create a custom whitelist. For more information, see Manage an IP address whitelist.
  8. In the dialog box that appears, add the IP address of your device to the whitelist.
    The following table describes the methods that you can use to obtain the IP address of your device in different scenarios.
    Scenario IP address to be obtained How to obtain the IP address
    You want to use a client to access the Kibana service over an internal network. For example, if your application is deployed on an Elastic Compute Service (ECS) instance that resides in the same VPC as your Elasticsearch cluster, you can use the ECS instance to access the Kibana service over the VPC. Private IP address of the client The following operations provide an example on how to obtain the private or public IP address of an ECS instance:
    1. Log on to the ECS console.
    2. In the left-side navigation pane, click Instances.
    3. In the top navigation bar, select the region where the ECS instance resides.
    4. On the Instances page, find the ECS instance and view the private or public IP address of the ECS instance.
    You want to use a client to access the Kibana service over the Internet. For example, if your application is deployed on an ECS instance that resides in a different VPC from your Elasticsearch cluster, you can use the ECS instance to access the Kibana service over the Internet. Public IP address of the client
    You want to use an on-premises machine to access the Kibana service. Public IP address of the on-premises machine If your on-premises machine is connected to a home network or to a LAN of an office, add the IP address of the Internet egress instead of the private or public IP address of the machine to the whitelist. We recommend that you visit myip.ipip.net to query the IP address of the Internet egress.
    When you configure an IP address whitelist, you must follow the following rules:
    • You can enter IP addresses or CIDR blocks in the IP Addresses in Whitelist field. For example, you can enter 192.168.0.1 or 192.168.0.0/24. Separate multiple IP addresses or CIDR blocks with commas (,). You can enter 127.0.0.1 to deny requests from all IPv4 addresses or enter 0.0.0.0/0 to allow requests from all IPv4 addresses. For security purposes, we recommend that you do not enter 0.0.0.0/0.
      Note
      • A whitelist can contain a maximum of 300 IP addresses or CIDR blocks.
      • You are not allowed to specify both 0.0.0.0/0 and one or more IP addresses or CIDR blocks in an IP address whitelist. Otherwise, the system displays an error message. If you need to specify 0.0.0.0/0 in an IP address whitelist for a test, specify only 0.0.0.0/0 in the whitelist.
    • Access from public IPv6 addresses are supported in the China (Hangzhou) region, and you can configure public IPv6 address whitelists for clusters that reside in this region. For example, you can specify 2401:b180:1000:24::5 or 2401:b180:1000::/48 in a public IPv6 address whitelist. In the IP Addresses in Whitelist field, you can enter ::1 to deny requests from all IPv6 addresses or enter ::/0 to allow requests from all IPv6 addresses. For security purposes, we recommend that you do not enter ::/0.
      Note For clusters of some versions, you cannot specify ::/0 in an IPv6 address whitelist. If you specify ::/0 for such a cluster, the system displays an error message. If your IP address dynamically changes, we recommend that you specify a CIDR block in an IP address whitelist.
  9. Click OK.
    If the IP address that you added appears in the related whitelist after you click OK, the whitelist configuration is successful. Then, you can use the device whose IP address is added to the whitelist to access the Kibana service. Network Access Configuration

Manage an IP address whitelist

This section provides an example on how to manage a public IP address whitelist.

Add an IP address whitelist

  1. In the Network Access Configuration section of the Kibana Configuration page, click Update on the right side of Kibana Whitelist.
  2. In the Modify Public Network Whitelist panel, click Add IP Address Whitelist.
  3. In the Add IP Address Whitelist dialog box, configure Name and IP Addresses in Whitelist.
    Add an IP address whitelist
    Parameter Description
    Name The name of the IP address whitelist. The name must be 2 to 120 characters in length and can contain lowercase letters, digits, and underscores (_). The name must start with a letter and end with a letter or digit.
    IP Addresses in Whitelist
    • You can enter IP addresses or CIDR blocks in the IP Addresses in Whitelist field. For example, you can enter 192.168.0.1 or 192.168.0.0/24. Separate multiple IP addresses or CIDR blocks with commas (,). You can enter 127.0.0.1 to deny requests from all IPv4 addresses or enter 0.0.0.0/0 to allow requests from all IPv4 addresses. For security purposes, we recommend that you do not enter 0.0.0.0/0.
      Note
      • A whitelist can contain a maximum of 300 IP addresses or CIDR blocks.
      • You are not allowed to specify both 0.0.0.0/0 and one or more IP addresses or CIDR blocks in an IP address whitelist. Otherwise, the system displays an error message. If you need to specify 0.0.0.0/0 in an IP address whitelist for a test, specify only 0.0.0.0/0 in the whitelist.
    • Access from public IPv6 addresses are supported in the China (Hangzhou) region, and you can configure public IPv6 address whitelists for clusters that reside in this region. For example, you can specify 2401:b180:1000:24::5 or 2401:b180:1000::/48 in a public IPv6 address whitelist. In the IP Addresses in Whitelist field, you can enter ::1 to deny requests from all IPv6 addresses or enter ::/0 to allow requests from all IPv6 addresses. For security purposes, we recommend that you do not enter ::/0.
      Note For clusters of some versions, you cannot specify ::/0 in an IPv6 address whitelist. If you specify ::/0 for such a cluster, the system displays an error message. If your IP address dynamically changes, we recommend that you specify a CIDR block in an IP address whitelist.
    Note A default IP address whitelist named default is provided. The whitelist contains the default IP address or CIDR block. You can add IP addresses or CIDR blocks to the whitelist.
  4. Click OK.
    After you click OK, the system displays the IP address whitelist in the Edit VPC Whitelist panel. You can view, modify, or delete the whitelist. Creation result

View the IP addresses in an IP address whitelist

  1. In the Network Access Configuration section of the Kibana Configuration page, click Update on the right side of Kibana Whitelist.
  2. In the Modify Public Network Whitelist panel, click the name of an IP address whitelist.
  3. View the IP addresses in the IP address whitelist.

Modify an IP address whitelist

  1. In the Network Access Configuration section of the Kibana Configuration page, click Update on the right side of Kibana Whitelist.
  2. In the Modify Public Network Whitelist panel, find the IP address whitelist that you want to modify and click Configure on the right side of the name of the whitelist.
  3. In the dialog box that appears, change the value of IP Addresses in Whitelist.
    Note You cannot change the value of Name.
  4. Click OK.

Delete an IP address whitelist

  1. In the Network Access Configuration section of the Kibana Configuration page, click Update on the right side of Kibana Whitelist.
  2. In the Modify Public Network Whitelist panel, find the IP address whitelist that you want to delete and click Delete on the right side of the name of the whitelist.
  3. In the message that appears, click OK.

References

  • API operation for enabling or disabling access to Kibana over the Internet or an internal network: TriggerNetwork
  • API operation for updating a public or private IP address whitelist for Kibana: ModifyWhiteIps

FAQ