Elasticsearch: Configure a public or private IP address whitelist for Kibana

Last Updated: Nov 02, 2023

If you want to access the Kibana service over the Internet or an internal network, you must add the IP address of your device to the related IP address whitelist of Kibana. This topic describes how to configure a public or private IP address whitelist for Kibana.

Prerequisites

An Alibaba Cloud Elasticsearch cluster is created. For more information, see Create an Alibaba Cloud Elasticsearch cluster.

Precautions

  • After you configure a public IP address whitelist for Kibana, you can use the Kibana console of your Elasticsearch cluster to access only services in virtual private clouds (VPCs). You cannot use the Kibana console to access Internet services such as Baidu Maps and AMAP.

  • You can turn on Private Network Access only if port 5601 is enabled for access to Kibana over the Internet. If port 443 is enabled for access to Kibana over the Internet, you cannot turn on Private Network Access. You can go to the console to check whether you can turn on Private Network Access.

Configure an IP address whitelist

  1. Log on to the Alibaba Cloud Elasticsearch console.
  2. In the left-side navigation pane, click Elasticsearch Clusters.
  3. Navigate to the desired cluster.
    1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
    2. On the Elasticsearch Clusters page, find the cluster and click its ID.
  4. In the left-side navigation pane of the page that appears, choose Configuration and Management > Data Visualization.

  5. In the Kibana section of the page that appears, click Edit Configuration.

  6. In the Network Access Configuration section of the page that appears, click Update on the right side of Kibana Whitelist or Private Network Whitelist to configure a public or private IP address whitelist.

    Note
    • If you turn on Kibana Whitelist or Public Network Access, changes may occur on the Server Load Balancer (SLB) instance that is connected to Kibana but not on the Elasticsearch cluster. Therefore, this operation does not affect the Elasticsearch cluster.

    • By default, Private Network Access is turned off. Before you can configure a private IP address whitelist, you must turn on Private Network Access.

  7. In the panel that appears, click Configure on the right side of default.

    Note
    • By default, requests from all public IP addresses are denied, and requests from all private IPv4 addresses are allowed.

    • You can also click Add IP Address Whitelist to create a custom whitelist. For more information, see Manage an IP address whitelist.

  8. In the dialog box that appears, add the IP address of your device to the whitelist.

    The following table describes the methods that you can use to obtain the IP address of your device in different scenarios.

    Scenario: You want to use a client to access the Kibana service over an internal network. For example, if your application is deployed on an Elastic Compute Service (ECS) instance that resides in the same VPC as your Elasticsearch cluster, you can use the ECS instance to access the Kibana service over the VPC.
    IP address to be obtained: Private IP address of the client

    Scenario: You want to use a client to access the Kibana service over the Internet. For example, if your application is deployed on an ECS instance that resides in a different VPC from your Elasticsearch cluster, you can use the ECS instance to access the Kibana service over the Internet.
    IP address to be obtained: Public IP address of the client

    Method (both client scenarios): The following operations provide an example on how to obtain the private or public IP address of an ECS instance:

    1. Log on to the ECS console.
    2. In the left-side navigation pane, click Instances.
    3. In the top navigation bar, select the region where the ECS instance resides.
    4. On the Instances page, find the ECS instance and view the private or public IP address of the ECS instance.

    Scenario: You want to use an on-premises machine to access the Kibana service.
    IP address to be obtained: Public IP address of the on-premises machine
    Method: If your on-premises machine is connected to a home network or to a LAN of an office, you must add the IP address of the Internet egress instead of the private or public IP address of the machine to the whitelist. We recommend that you visit myip.ipip.net to query the IP address of the Internet egress.

    When you configure an IP address whitelist, follow these rules:

    • You can enter IP addresses or CIDR blocks in the IP Addresses in Whitelist field. For example, you can enter 192.168.0.1 or 192.168.0.0/24. Separate multiple IP addresses or CIDR blocks with commas (,). You can enter 127.0.0.1 to deny requests from all IPv4 addresses or enter 0.0.0.0/0 to allow requests from all IPv4 addresses. For security purposes, we recommend that you do not enter 0.0.0.0/0.

      Note
      • A whitelist can contain a maximum of 50 IP addresses or CIDR blocks.

    • Access from public IPv6 addresses is supported in the China (Hangzhou) region, and you can configure public IPv6 address whitelists for clusters that reside in this region. For example, you can specify 2401:b180:1000:24::5 or 2401:b180:1000::/48 in a public IPv6 address whitelist. In the IP Addresses in Whitelist field, you can enter ::1 to deny requests from all IPv6 addresses or enter ::/0 to allow requests from all IPv6 addresses. For security purposes, we recommend that you do not enter ::/0.

      Note

      For clusters of some versions, you cannot specify ::/0 in an IPv6 address whitelist. If you specify ::/0 for such a cluster, the system displays an error message. If your IP address dynamically changes, we recommend that you specify a CIDR block in an IP address whitelist.

  9. Click OK.

    If the IP address that you added appears in the related whitelist after you click OK, the whitelist configuration is successful. Then, you can use the device whose IP address is added to the whitelist to access the Kibana service.

Manage an IP address whitelist

This section provides an example on how to manage a public IP address whitelist.

Add an IP address whitelist

  1. In the Network Access Configuration section of the Kibana Configuration page, click Update on the right side of Kibana Whitelist.

  2. In the Modify Public Network Whitelist panel, click Add IP Address Whitelist.

  3. In the Add IP Address Whitelist dialog box, configure Name and IP Addresses in Whitelist.

    Parameter: Name
    Description: The name of the IP address whitelist. The name must be 2 to 120 characters in length and can contain lowercase letters, digits, and underscores (_). The name must start with a letter and end with a letter or digit.

    Parameter: IP Addresses in Whitelist
    Description:

    • You can enter IP addresses or CIDR blocks in the IP Addresses in Whitelist field. For example, you can enter 192.168.0.1 or 192.168.0.0/24. Separate multiple IP addresses or CIDR blocks with commas (,). You can enter 127.0.0.1 to deny requests from all IPv4 addresses or enter 0.0.0.0/0 to allow requests from all IPv4 addresses. For security purposes, we recommend that you do not enter 0.0.0.0/0.

      Note
      • A whitelist can contain a maximum of 50 IP addresses or CIDR blocks.

    • Access from public IPv6 addresses is supported in the China (Hangzhou) region, and you can configure public IPv6 address whitelists for clusters that reside in this region. For example, you can specify 2401:b180:1000:24::5 or 2401:b180:1000::/48 in a public IPv6 address whitelist. In the IP Addresses in Whitelist field, you can enter ::1 to deny requests from all IPv6 addresses or enter ::/0 to allow requests from all IPv6 addresses. For security purposes, we recommend that you do not enter ::/0.

      Note

      For clusters of some versions, you cannot specify ::/0 in an IPv6 address whitelist. If you specify ::/0 for such a cluster, the system displays an error message. If your IP address dynamically changes, we recommend that you specify a CIDR block in an IP address whitelist.

    Note

    A default IP address whitelist named default is provided. The whitelist contains the default IP address or CIDR block. You can add IP addresses or CIDR blocks to the whitelist.

  4. Click OK.

    After you click OK, the system displays the IP address whitelist in the Edit VPC Whitelist panel. You can view, modify, or delete the whitelist.
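
The Name and IP Addresses in Whitelist rules described in this topic can be checked before a value is entered in the console. The following Python is an added example, not Alibaba Cloud code: the function names, the outright rejection of 0.0.0.0/0 and ::/0, and the warning for RFC 1918 ranges in a public whitelist are assumptions of the example, and the sample input is constructed.

```python
import ipaddress
import re

MAX_ENTRIES = 50                 # per-whitelist limit stated on this page
DENY_ALL = {"127.0.0.1", "::1"}  # deny-all values stated on this page
NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,118}[a-z0-9]")  # 2 to 120 characters
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_name(name):
    """Name rule from the page: lowercase letters, digits and underscores,
    starting with a letter and ending with a letter or digit."""
    return NAME_RE.fullmatch(name) is not None


def check_whitelist(value, public=True):
    """Return (errors, warnings) for a comma-separated whitelist string."""
    errors, warnings = [], []
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        errors.append("whitelist is empty")
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    for entry in entries:
        if entry in DENY_ALL:
            warnings.append(f"{entry}: denies all addresses of that IP version")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            errors.append(f"{entry}: not an IP address or CIDR block")
            continue
        if net.prefixlen == 0:
            # Example policy (assumption): refuse 0.0.0.0/0 and ::/0 outright.
            errors.append(f"{entry}: allows every address")
        elif public and net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
            # Assumption: a private address in a public whitelist usually means
            # the Internet egress address should have been entered instead.
            warnings.append(f"{entry}: private range in a public whitelist")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample input, not taken from a real cluster.
    sample = "192.168.0.1, 203.0.113.0/24, 0.0.0.0/0, 2401:b180:1000::/48, bogus"
    print(check_name("ops_team1"), check_whitelist(sample))
```

Pass public=False when checking a private network whitelist so that VPC addresses are not flagged.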

View the IP addresses in an IP address whitelist

  1. In the Network Access Configuration section of the Kibana Configuration page, click Update on the right side of Kibana Whitelist.

  2. In the Modify Public Network Whitelist panel, click the name of an IP address whitelist.

  3. View the IP addresses in the IP address whitelist.

Modify an IP address whitelist

  1. In the Network Access Configuration section of the Kibana Configuration page, click Update on the right side of Kibana Whitelist.

  2. In the Modify Public Network Whitelist panel, find the IP address whitelist that you want to modify and click Configure on the right side of the name of the whitelist.

  3. In the dialog box that appears, change the value of IP Addresses in Whitelist.

    Note

    You cannot change the value of Name.

  4. Click OK.

Delete an IP address whitelist

  1. In the Network Access Configuration section of the Kibana Configuration page, click Update on the right side of Kibana Whitelist.

  2. In the Modify Public Network Whitelist panel, find the IP address whitelist that you want to delete and click Delete on the right side of the name of the whitelist.

  3. In the message that appears, click OK.

References

  • API operation for enabling or disabling access to Kibana over the Internet or an internal network: TriggerNetwork

  • API operation for updating a public or private IP address whitelist for Kibana: ModifyWhiteIps

FAQ