If you want to access an Alibaba Cloud Elasticsearch cluster over the Internet or a virtual private cloud (VPC), you can add the IP address of your device to the public or private IP address whitelist of the cluster. This topic describes how to configure a public or private IP address whitelist for an Elasticsearch cluster.
Prerequisites
An Alibaba Cloud Elasticsearch cluster is created. For more information, see Create an Alibaba Cloud Elasticsearch cluster.
Precautions
When you access an Alibaba Cloud Elasticsearch cluster over the Internet, traffic traverses the public network, so the connection is less stable and the cluster endpoint is exposed to Internet-sourced traffic. If you require high network security and stability, we recommend that you use a VPC for access.
Configure an IP address whitelist
- Log on to the Alibaba Cloud Elasticsearch console.
- In the left-side navigation pane, click Elasticsearch Clusters.
- Navigate to the desired cluster:
  - In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
  - On the Elasticsearch Clusters page, find the cluster and click its ID.
In the left-side navigation pane of the page that appears, choose .
In the Network Settings section of the page that appears, click Update on the right side of VPC Whitelist or Public Network Whitelist to configure a private or public IP address whitelist.
Note: By default, the Public Network Access switch is turned off. Before you can configure a public IP address whitelist, you must turn on Public Network Access.
In the panel that appears, click Configure on the right side of default.
Note: By default, requests from all public IP addresses are denied, and requests from all private IPv4 addresses are allowed.
You can also click Add IP Address Whitelist to create a custom whitelist. For more information, see Manage an IP address whitelist.
In the dialog box that appears, add the IP address of your device to the whitelist.
The following list describes the IP address that you must obtain, and how to obtain it, in each access scenario.

Scenario 1: You want to use a client to access the cluster over a VPC. For example, if your application is deployed on an Elastic Compute Service (ECS) instance that resides in the same VPC as your Elasticsearch cluster, you can use the ECS instance to access the cluster over the VPC.
IP address to be obtained: the private IP address of the client.
Method: The following operations provide an example on how to obtain the private or public IP address of an ECS instance:
  - Log on to the ECS console.
  - In the left-side navigation pane, click Instances.
  - In the top navigation bar, select the region where the ECS instance resides.
  - On the Instances page, find the ECS instance and view the private or public IP address of the ECS instance.

Scenario 2: You want to use a client to access the cluster over the Internet. For example, if your application is deployed on an ECS instance that resides in a different VPC from your Elasticsearch cluster, you can use the ECS instance to access the cluster over the Internet.
IP address to be obtained: the public IP address of the client.
Method: The same as in Scenario 1, except that you view the public IP address of the ECS instance.

Scenario 3: You want to use an on-premises machine to access the cluster.
IP address to be obtained: the public IP address of the on-premises machine.
Method: If your on-premises machine is connected to a home network or to a LAN of an office, the address that the cluster sees is the address of the Internet egress (for example, the NAT gateway of the office), not the private or public IP address of the machine itself. You must add the IP address of the Internet egress to the whitelist. We recommend that you visit myip.ipip.net to query the IP address of the Internet egress.
When you configure an IP address whitelist, follow these rules:
- You can enter IP addresses or CIDR blocks in the IP Addresses in Whitelist field. For example, you can enter 192.168.0.1 or 192.168.0.0/24. Separate multiple IP addresses or CIDR blocks with commas (,). You can enter 127.0.0.1 to deny requests from all IPv4 addresses (the loopback address is a placeholder that no external client can match) or enter 0.0.0.0/0 to allow requests from all IPv4 addresses. For security purposes, we recommend that you do not enter 0.0.0.0/0.
Note: A whitelist can contain a maximum of 50 IP addresses or CIDR blocks.
- If you enter CIDR blocks, make sure that the address before the forward slash (/) in each CIDR block is the network address of the block, that is, the first address that remains after the subnet mask is applied. For example, 192.168.0.0/24 is valid, but 192.168.0.5/24 is not, because it has host bits set.
- For clusters in the China (Chengdu), China (Guangzhou), and China (Ulanqab) regions and clusters of some versions, you cannot specify 0.0.0.0/0 in an IP address whitelist. If you specify 0.0.0.0/0 for such a cluster, the system displays an error message. If your IP address changes dynamically, we recommend that you specify the CIDR block that your address is assigned from instead.
- You cannot specify 0.0.0.0/0 together with other IP addresses or CIDR blocks in the same whitelist. Otherwise, the system displays an error message. If you need to specify 0.0.0.0/0 for a test, make it the only entry in the whitelist, and remove it when the test is complete.
- Access from public IPv6 addresses is supported in the China (Hangzhou) region, and you can configure public IPv6 address whitelists for clusters that reside in this region. For example, you can specify 2401:b180:1000:24::5 or 2401:b180:1000::/48 in a public IPv6 address whitelist. In the IP Addresses in Whitelist field, you can enter ::1 to deny requests from all IPv6 addresses or enter ::/0 to allow requests from all IPv6 addresses. For security purposes, we recommend that you do not enter ::/0.
Note: For clusters of some versions, you cannot specify ::/0 in an IPv6 address whitelist. If you specify ::/0 for such a cluster, the system displays an error message. If your IP address changes dynamically, we recommend that you specify a CIDR block in the whitelist instead.
Click OK.
If the IP address that you added appears in the related whitelist after you click OK, the whitelist configuration is successful. Then, you can use the device whose IP address is added to the whitelist to access the cluster.
Manage an IP address whitelist
This section provides an example on how to manage a private IP address whitelist.
Add an IP address whitelist
On the Security page, click Update on the right side of VPC Whitelist.
In the Edit VPC Whitelist panel, click Add IP Address Whitelist.
In the Add IP Address Whitelist dialog box, configure Name and IP Addresses in Whitelist.
Parameter: Name
Description: The name of the IP address whitelist. The name must be 2 to 120 characters in length and can contain lowercase letters, digits, and underscores (_). The name must start with a letter and end with a letter or digit.

Parameter: IP Addresses in Whitelist
Description: The IP addresses or CIDR blocks that are allowed to access the cluster. The same rules apply as when you configure the default whitelist:
- You can enter IP addresses or CIDR blocks. For example, you can enter 192.168.0.1 or 192.168.0.0/24. Separate multiple IP addresses or CIDR blocks with commas (,). You can enter 127.0.0.1 to deny requests from all IPv4 addresses (the loopback address is a placeholder that no external client can match) or enter 0.0.0.0/0 to allow requests from all IPv4 addresses. For security purposes, we recommend that you do not enter 0.0.0.0/0.
Note: A whitelist can contain a maximum of 50 IP addresses or CIDR blocks.
- If you enter CIDR blocks, make sure that the address before the forward slash (/) in each CIDR block is the network address of the block, that is, the first address that remains after the subnet mask is applied. For example, 192.168.0.0/24 is valid, but 192.168.0.5/24 is not, because it has host bits set.
- For clusters in the China (Chengdu), China (Guangzhou), and China (Ulanqab) regions and clusters of some versions, you cannot specify 0.0.0.0/0 in an IP address whitelist. If you specify 0.0.0.0/0 for such a cluster, the system displays an error message. If your IP address changes dynamically, we recommend that you specify the CIDR block that your address is assigned from instead.
- You cannot specify 0.0.0.0/0 together with other IP addresses or CIDR blocks in the same whitelist. Otherwise, the system displays an error message. If you need to specify 0.0.0.0/0 for a test, make it the only entry in the whitelist, and remove it when the test is complete.
- Access from public IPv6 addresses is supported in the China (Hangzhou) region, and you can configure public IPv6 address whitelists for clusters that reside in this region. For example, you can specify 2401:b180:1000:24::5 or 2401:b180:1000::/48 in a public IPv6 address whitelist. You can enter ::1 to deny requests from all IPv6 addresses or enter ::/0 to allow requests from all IPv6 addresses. For security purposes, we recommend that you do not enter ::/0.
Note: For clusters of some versions, you cannot specify ::/0 in an IPv6 address whitelist. If you specify ::/0 for such a cluster, the system displays an error message. If your IP address changes dynamically, we recommend that you specify a CIDR block in the whitelist instead.
Note: A default IP address whitelist named default is provided. The whitelist contains the default IP address or CIDR block. You can add IP addresses or CIDR blocks to the whitelist.
Click OK.
After you click OK, the system displays the IP address whitelist in the Edit VPC Whitelist panel. You can view, modify, or delete the whitelist.
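The whitelist rules above (comma-separated entries, at most 50 of them, CIDR blocks on a network boundary, 0.0.0.0/0 only on its own and only where the region and version allow it, IPv6 only in China (Hangzhou)) are easy to get wrong when a value is assembled by hand or by automation. The following Python script is an added example, not Alibaba Cloud's own validation code: it checks an "IP Addresses in Whitelist" value against those documented rules before you paste it into the console, and reports which entry would admit a given client address, treating the 127.0.0.1 and ::1 placeholders as deny-all as the page describes. Region names are the console display names quoted on this page; because the page says "some versions" reject 0.0.0.0/0 and ::/0 without listing them, that restriction is modelled as a caller-supplied allow_any flag (an assumption). The function names and the sample values in the main block are constructed for the example.

```python
# Added example (not Alibaba Cloud's own code): validate an "IP Addresses in
# Whitelist" value against the rules documented on this page, and find out
# which entry would admit a given client address.
import ipaddress

MAX_ENTRIES = 50
# Console display names as quoted in the documentation.
REGIONS_NO_ANY_V4 = {"China (Chengdu)", "China (Guangzhou)", "China (Ulanqab)"}
REGIONS_WITH_IPV6 = {"China (Hangzhou)"}
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")
# Documented "deny all" placeholders; they never admit an external client.
DENY_ALL = {ipaddress.ip_network("127.0.0.1"), ipaddress.ip_network("::1")}


def parse_entry(text):
    """Parse one IP address or CIDR block.

    strict=True rejects a block whose address is not the network address
    (for example 192.168.0.5/24), which implements the documented rule that
    the address before the slash must be the first address of the block.
    """
    return ipaddress.ip_network(text.strip(), strict=True)


def validate_whitelist(field, region, allow_any=True):
    """Return the parsed networks, or raise ValueError naming the first violation.

    allow_any=False models the unnamed cluster versions that reject 0.0.0.0/0
    and ::/0 (assumption: the page does not enumerate those versions).
    """
    entries = [e for e in field.split(",") if e.strip()]
    if not entries:
        raise ValueError("the whitelist is empty")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries; the limit is {MAX_ENTRIES}")
    nets = []
    for entry in entries:
        try:
            nets.append(parse_entry(entry))
        except ValueError as exc:
            raise ValueError(f"invalid entry {entry.strip()!r}: {exc}") from None
    if any(n.version == 6 for n in nets) and region not in REGIONS_WITH_IPV6:
        raise ValueError(f"IPv6 entries are only supported in {sorted(REGIONS_WITH_IPV6)}")
    if ANY_V4 in nets:
        if region in REGIONS_NO_ANY_V4 or not allow_any:
            raise ValueError("0.0.0.0/0 is not permitted for this cluster; specify a CIDR block instead")
        if len(nets) > 1:
            raise ValueError("0.0.0.0/0 must be the only entry in the whitelist")
    if ANY_V6 in nets and not allow_any:
        raise ValueError("::/0 is not permitted for this cluster; specify a CIDR block instead")
    return nets


def rejection_reason(field, region, allow_any=True):
    """The error message the value would trigger, or None if it is acceptable."""
    try:
        validate_whitelist(field, region, allow_any)
    except ValueError as exc:
        return str(exc)
    return None


def admitting_entry(field, region, client_ip, allow_any=True):
    """Return the whitelist entry that admits client_ip, or None if it is denied."""
    addr = ipaddress.ip_address(client_ip)
    for net in validate_whitelist(field, region, allow_any):
        if net in DENY_ALL:
            continue  # 127.0.0.1 / ::1 mean "deny all", never "allow loopback"
        if net.version == addr.version and addr in net:
            return str(net)
    return None


if __name__ == "__main__":
    # Constructed sample values, not settings of a real cluster.
    samples = [
        ("192.168.0.1,192.168.0.0/24", "China (Hangzhou)"),
        ("192.168.0.5/24", "China (Hangzhou)"),
        ("0.0.0.0/0,10.0.0.0/8", "China (Hangzhou)"),
        ("0.0.0.0/0", "China (Chengdu)"),
        ("2401:b180:1000::/48", "China (Chengdu)"),
    ]
    for field, region in samples:
        print(f"{field!r} in {region}: {rejection_reason(field, region) or 'OK'}")
    print("10.0.3.7 admitted by:", admitting_entry("10.0.0.0/8,127.0.0.1", "China (Hangzhou)", "10.0.3.7"))
```

Run it before each whitelist change, or call admitting_entry from a deployment check with the egress address you obtained in the previous section to confirm that the client you are about to point at the cluster is actually covered by an entry, rather than discovering a rejected connection after the fact.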
View the IP addresses in an IP address whitelist
On the Security page, click Update on the right side of VPC Whitelist.
In the Edit VPC Whitelist panel, click the name of an IP address whitelist.
View the IP addresses in the IP address whitelist.
Modify an IP address whitelist
On the Security page, click Update on the right side of VPC Whitelist.
In the Edit VPC Whitelist panel, find the IP address whitelist that you want to modify and click Configure on the right side of the name of the whitelist.
In the dialog box that appears, change the value of IP Addresses in Whitelist.
Note: You cannot change the value of Name.
Click OK.
Delete an IP address whitelist
On the Security page, click Update on the right side of VPC Whitelist.
In the Edit VPC Whitelist panel, find the IP address whitelist that you want to delete and click Delete on the right side of the name of the whitelist.
Click OK.
References
API operations for enabling or disabling access to an Elasticsearch cluster over the Internet or a VPC:
API operations for updating a public or private IP address whitelist for an Elasticsearch cluster: