Before you access the Kibana service of an Alibaba Cloud Elasticsearch (ES) instance over the Internet or a virtual private cloud (VPC), you need to add the IP address of your device to a public or private IP address whitelist of Kibana.
Before you begin
Your Elasticsearch cluster is in a normal state.
Configure Kibana public IP address whitelist
You can control access to Kibana over the Internet by directly managing IP addresses in whitelists for Kibana.
Log on to the Alibaba Cloud Elasticsearch console.
In the left-side navigation pane, click Elasticsearch Clusters.
Navigate to the desired cluster.
In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
On the Elasticsearch Clusters page, find the cluster and click its ID.
In the left-side navigation pane, choose .
In the Kibana section, click Modify Configuration.
In the Access Configuration section, click Modify on the right side of Kibana Public Network Access Whitelist.
Note: If the Public Network Access switch is turned off, you need to turn it on first.
In the Modify Whitelist panel, click Create IP Whitelist Group, or click Configure on the right side of a group name.
Note: After an IP address whitelist is created, the name of the IP address whitelist cannot be changed.
In the dialog box that appears, add the IP address of your device to the whitelist.
We recommend that you obtain the IP address of your device based on the instructions provided in the following table.
Scenario
IP address to obtain
Method
Access to Kibana from an on-premises machine.
Public IP address of the on-premises machine.
Note: If your on-premises machine is connected to a home network or to a LAN of an office, you must add the IP address of the Internet egress to the whitelist.
Visit www.cip.cc by using a browser on the on-premises machine or run the curl cip.cc command on the machine.
Access to Kibana from a client.
Public IP address of the client.
For example, you want to use an Elastic Compute Service (ECS) instance that resides in a different VPC from Kibana to access Kibana over the Internet. In this case, you need to obtain the public IP address of the ECS instance.
The following operations provide an example on how to obtain the public IP address of an ECS instance:
Log on to the ECS console.
In the left-side navigation pane, click Instances.
In the top navigation bar, select the region where the ECS instance resides.
On the Instances page, find the ECS instance and view the private or public IP address of the ECS instance.
When you configure an IP address whitelist, follow these rules:
You can specify IP addresses or CIDR blocks, such as 192.168.0.1 or 192.168.0.0/24, in a whitelist.
You can specify up to 300 IP addresses or CIDR blocks in a whitelist. Separate multiple IP addresses or CIDR blocks with commas (,).
127.0.0.1 indicates that all IPv4 addresses are denied access.
0.0.0.0/0 indicates that all private IPv4 addresses are allowed access. For security purposes, we recommend that you do not configure access for all IPv4 addresses.
Access from public IPv6 addresses is supported only in the China (Hangzhou) region, and you can configure public IPv6 address whitelists in this region. For example, you can specify 2401:XXXX:1000:24::5 or 2401:XXXX:1000::/48 in a whitelist.
Note: In a whitelist, you can specify ::1 to deny requests from all IPv6 addresses or specify ::/0 to allow requests from all IPv6 addresses. For security purposes, we recommend that you do not specify ::/0.
For clusters of some versions, you are not allowed to specify ::/0 in a whitelist. You can check whether you can perform this configuration in the console.
Click OK.
(Optional) Click the
icon in the upper-right corner of the panel to return to the Kibana Configuration page. In the Access Configuration section, view the Kibana public IP address whitelist or Kibana private IP address whitelist.
If some IP addresses that you specified are not displayed, you can move the pointer over the IP addresses that are displayed to view all the specified IP addresses. If the IP addresses you specified appear in the whitelist, the whitelist configuration is successful.
Configure Kibana public network access authentication method
Log on to the Alibaba Cloud Elasticsearch console.
In the left-side navigation pane, click Elasticsearch Clusters.
Navigate to the desired cluster.
In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
On the Elasticsearch Clusters page, find the cluster and click its ID.
In the left-side navigation pane, choose .
In the Kibana section, click Modify Configuration.
In the Access Configuration section, click Modify on the right side of Kibana Public Network Access Authentication Method.
On the Kibana Public Network Access Authentication Method page, select Alibaba Cloud Account Authentication + ES Instance Access Password or ES Instance Access Password based on your business requirements.
Note: The Alibaba Cloud Account Authentication + ES Instance Access Password method uses dual authentication. When you access Kibana over the Internet, you need to log on to your Alibaba Cloud account first, and then use the ES instance access password for access.
Click OK.
Configure Kibana private IP address whitelist
By default, Private Network Access is turned off. Before you configure a private IP address whitelist, you must turn on Private Network Access.
Port 5601 used for access to Kibana over the Internet
After you turn on Private Network Access, you can configure a private IP address whitelist for Kibana by referring to the operations in Configure Kibana public IP address whitelist.
If you want to use a client, such as an ECS instance, to access Kibana over a VPC, you must add the private IP address of the client to a private IP address whitelist for Kibana.
Port 443 is used for access to Kibana over the Internet
After you turn on Private Network Access, you can use PrivateLink to establish a private connection between your VPC and Kibana. You can control access to Kibana over VPCs by managing IP addresses specified in security group rules.
The fees for PrivateLink endpoints used by Elasticsearch are included in the bills of Elasticsearch. For more information about PrivateLink, see What is PrivateLink.
Log on to the Alibaba Cloud Elasticsearch console.
In the left-side navigation pane, click Elasticsearch Clusters.
Navigate to the desired cluster.
In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
On the Elasticsearch Clusters page, find the cluster and click its ID.
In the left-side navigation pane, choose .
In the Kibana section, click Modify Configuration.
In the Access Configuration section, turn on the Kibana Private Network Access switch.
In the Enable Kibana Private Network Access panel, configure the related parameters and click OK.
You can use PrivateLink to implement access to Kibana over VPCs. Each Kibana node must be associated with an independent endpoint.
Note: A service-linked role is required when you use PrivateLink to implement access to Kibana over VPCs. If you have not created the related service-linked role, the system automatically creates the role. For more information, see Service-linked Role for Alibaba Cloud Elasticsearch.
Parameter
Description
Endpoint Name
The endpoint name is automatically generated and can be changed.
Endpoint Network Configuration
Same as Elasticsearch: The VPC and vSwitch for creating the endpoint are the same as those of the ES instance. You can view the VPC and vSwitch ID on the Basic Information page.
Custom: Select the VPC and vSwitch for creating the endpoint. You can create them based on the instructions in the console.
Zone
You can view the Zone of the instance on the Basic Information page of the instance management page.
Security Group
You can use security group rules to control access to Kibana over VPCs.
Select an existing security group.
Note: Port 5601 must be included in the port range of the security group because this port is used for access to Kibana over VPCs. To modify security group rules, go to the ECS Security Group console. For more information, see Modify security group rules.
Security groups are classified into basic security groups and advanced security groups. When you change the security group that is used to control access to Kibana, you can select only a security group that is of the same type as the original security group. For example, if you select a basic security group when you turn on the Private Network Access switch for Kibana, you can select only a basic security group when you change the security group.
Use a new security group.
Click Quick Create below the Security Group text box.
In the dialog box that appears, enter a name for the security group.
The security group name is automatically generated and can be changed.
Enter an IP address in the Authorized IP Address field.
The IP address must be the private IP address of the device to be authorized. For example, if you want to use an ECS instance to access Kibana over a VPC, you must enter the private IP address of the ECS instance.
Private Network Access Authentication Method
You can select Alibaba Cloud Account Authentication + ES Instance Access Password or ES Instance Access Password. Select an appropriate method based on your business requirements.
Note: The Alibaba Cloud Account Authentication + ES Instance Access Password method uses dual authentication. When you access Kibana over a VPC, you need to log on to your Alibaba Cloud account first, and then use the ES instance access password for access.
Note: After you click OK, you need to wait for a while. When the endpoint list appears below the Access Configuration section, the Kibana Private Network Access configuration is successful.
Endpoints are in a unified format. After an endpoint is created, you can only change the endpoint name.
In the Elasticsearch console, you can only change security groups. To query and manage security groups, go to the ECS Security Group console.
After you turn off the Kibana Private Network Access switch, the endpoint resources are automatically released. If you turn on Private Network Access again, you need to create new endpoint resources. However, the access address of Kibana remains unchanged.
FAQ
Q: Will my Elasticsearch cluster be affected if I enable the Private Network Access or Public Network Access feature for Kibana?
A: No, the primary RDS instance is not affected. If you enable the Private Network Access or Public Network Access feature for Kibana, the system only triggers a change on the Server Load Balancer (SLB) instance that is connected to Kibana.
Note: The first time you enable the Private Network Access feature for Kibana, the system restarts Kibana nodes but does not trigger a change on the Elasticsearch cluster.
Q: What do I do if I still fail to access Kibana after I add the IP address of my device to an IP address whitelist of Kibana?
A: Troubleshoot the issue based on the following instructions:
Your Elasticsearch cluster is unhealthy.
The IP address configuration may be incorrect: If you access Kibana from an on-premises machine, visit www.cip.cc in your browser to check whether the obtained IP address is in the public IP address whitelist for Kibana.
You may have added the IP address to the access whitelist of the ES instance: To log on to Kibana, you need to configure a public or private IP address whitelist for Kibana. You can modify the Kibana whitelist configuration in
of the ES instance.
Clear the cache of your browser and try again.
Restart Kibana nodes and try again.
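The whitelist rules in Configure Kibana public IP address whitelist and the IP address check in the troubleshooting list above can both be applied to a whitelist string before you save it in the console. The following Python code is an added example, not Alibaba Cloud code: the function names, the constructed sample whitelist, the treatment of deny-all values, and the choice to reject CIDR blocks with host bits set are assumptions of this example, and it only inspects a string without calling any Alibaba Cloud API.

```python
import ipaddress

MAX_ENTRIES = 300                    # limit stated on this page
DENY_ALL = {"127.0.0.1", "::1"}      # documented deny-all values
ALLOW_ALL = {"0.0.0.0/0", "::/0"}    # entries the page recommends against

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE = "203.0.113.10,198.51.100.0/24, 192.168.0.1/24,10.0.0.300"


def parse_whitelist(raw):
    """Return (networks, findings) for a comma-separated whitelist string."""
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    networks, findings = [], []
    if len(entries) > MAX_ENTRIES:
        findings.append(("*", f"{len(entries)} entries, limit is {MAX_ENTRIES}"))
    for entry in entries:
        if entry in DENY_ALL:
            # Assumption: a deny-all value contributes no allowed range.
            findings.append((entry, "deny-all value"))
            continue
        if entry in ALLOW_ALL:
            findings.append((entry, "allows every address, not recommended"))
        try:
            # strict=True also rejects host bits set in a CIDR block
            # (192.168.0.1/24); that strictness is this example's choice.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            findings.append((entry, f"invalid: {exc}"))
    return networks, findings


def is_allowed(client_ip, raw):
    """True if client_ip falls inside an entry of the whitelist string."""
    addr = ipaddress.ip_address(client_ip)
    networks, _ = parse_whitelist(raw)
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    for entry, message in parse_whitelist(SAMPLE)[1]:
        print(f"{entry}: {message}")
    # Egress IP as reported by "curl cip.cc" (constructed value here).
    print("198.51.100.77 allowed:", is_allowed("198.51.100.77", SAMPLE))
```

Pass the Internet egress address reported by cip.cc as client_ip for the public whitelist, or the private IP address of the ECS instance for the private whitelist.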
Q: Why am I still unable to access Kibana after I configure a security group and add the correct IP address to a security group rule?
A: Port 5601 is used for access to Kibana over VPCs. Therefore, you must include this port in the port range of the security group rule. To modify security group rules, go to the ECS Security Group console, or see Modify security group rules.
Q: Why am I unable to modify security group rules in the Elasticsearch console?
A: After you modify a security group rule, the modification affects all access scenarios controlled by the security group rule. Therefore, you are not allowed to modify a security group rule in the Elasticsearch console. To modify security group rules, go to the ECS Security Group console.
Q: Why am I unable to enable Private Network Access for Kibana when the Kibana specification is 1 core 2 GB?
A: The 1 core 2 GB specification is for testing and is not recommended for production use. If you need to access Kibana over a VPC, we recommend that you first upgrade to a specification of 2 cores 4 GB or higher. For more information, see Upgrade the configuration of a cluster.
Can I access services on the Internet, such as Baidu Maps or AMAP, from the Kibana console?
Why is the IP address resolved from the private domain name of Kibana V7.16 not in my VPC network?
References
API references:
API for enabling or disabling Kibana public or private network access: TriggerNetwork
API for updating Kibana public or private network access whitelist: ModifyWhiteIps
If you encounter issues when logging on to or using Kibana, see Kibana FAQ.