Configure access to Kibana over the Internet or a VPC - Elasticsearch

Before you access the Kibana service over the Internet or a virtual private cloud (VPC), you need to add the IP address of your device to a public or private IP address whitelist of Kibana.

Prerequisites

Your Elasticsearch cluster is in a normal state.

Configure a public IP address whitelist for Kibana

You can control access to Kibana over the Internet by directly managing IP addresses in whitelists for Kibana.

Log on to the Alibaba Cloud Elasticsearch console.
In the left-side navigation pane, click Elasticsearch Clusters.
Navigate to the desired cluster.
1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
2. On the Elasticsearch Clusters page, find the cluster and click its ID.
In the left-side navigation pane of the page that appears, choose Configuration and Management > Data Visualization.
In the Kibana section of the page that appears, click Modify Configuration.
In the Network Access Configuration section of the page that appears, click Modify on the right side of Public IP Address Whitelist.
Note
If the Public Network Access switch is turned off, you must turn on the switch first.
In the Modify Public IP Address Whitelist panel, click Add IP Address Whitelist, or click Configure on the right side of the name of the desired whitelist.
Note
After an IP address whitelist is created, the name of the IP address whitelist cannot be changed.

In the dialog box that appears, add the IP address of your device to the whitelist.

We recommend that you obtain the IP address of your device based on the instructions provided in the following table.

Scenario

IP address to be obtained

Method to obtain the IP address

Access to Kibana from an on-premises machine

Public IP address of the on-premises machine

Note

If your on-premises machine is connected to a home network or to a LAN of an office, you must add the IP address of the Internet egress to the whitelist.

Visit www.cip.cc by using a browser on the on-premises machine or run the curl cip.cc command on the machine.

Access to Kibana from a client

Public IP address of the client

For example, you want to use an Elastic Compute Service (ECS) instance that resides in a different VPC from Kibana to access Kibana over the Internet. In this case, you need to obtain the public IP address of the ECS instance.

The following operations provide an example on how to obtain the public IP address of an ECS instance:

Log on to the ECS console.
In the left-side navigation pane, click Instances.
In the top navigation bar, select the region where the ECS instance resides.
On the Instances page, find the ECS instance and view the private or public IP address of the ECS instance.

When you configure an IP address whitelist, you must follow the following rules:

You can specify IP addresses or CIDR blocks, such as 192.168.0.1 or 192.168.0.0/24, in a whitelist.
You can specify up to 300 IP addresses or CIDR blocks in a whitelist. Separate multiple IP addresses or CIDR blocks with commas (,).
You can specify 127.0.0.1 to prohibit access from all IPv4 addresses or specify 0.0.0.0/0 to allow access from all IPv4 addresses. For security purposes, we recommend that you do not specify 0.0.0.0/0 in a whitelist.
Access from public IPv6 addresses is supported only in the China (Hangzhou) region, and you can configure public IPv6 address whitelists in this region. For example, you can specify 2401:XXXX:1000:24::5 or 2401:XXXX:1000::/48 in a whitelist.
Note
- In a whitelist, you can specify ::1 to deny requests from all IPv6 addresses or specify ::/0 to allow requests from all IPv6 addresses. For security purposes, we recommend that you do not specify ::/0.
- For clusters of some versions, you are not allowed to specify ::/0 in a whitelist. You can check whether you can perform this configuration in the console.

Click OK.
Optional. Click the icon in the upper-right corner of the panel to return to the Kibana Configuration page. Then, in the Network Access Configuration section, view the public IP address whitelist that you configured for Kibana.
If some IP addresses that you specified are not displayed, you can move the pointer over the IP addresses that are displayed to view all the specified IP addresses. If the IP addresses you specified appear in the whitelist, the whitelist configuration is successful.

Configure an authentication method for access to Kibana over the Internet

Log on to the Alibaba Cloud Elasticsearch console.
In the left-side navigation pane, click Elasticsearch Clusters.
Navigate to the desired cluster.
1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
2. On the Elasticsearch Clusters page, find the cluster and click its ID.
In the left-side navigation pane of the page that appears, choose Configuration and Management > Data Visualization.
In the Kibana section of the page that appears, click Modify Configuration.
In the Network Access Configuration section of the page that appears, click Modify on the right side of Authentication Method for Public Network Access.
In the Change Authentication Method for Public Network Access panel, select Alibaba Cloud Account Authentication + Elasticsearch Cluster Password or Elasticsearch Cluster Password based on your business requirements.
Note
If you select the Alibaba Cloud Account Authentication + Elasticsearch Cluster Password authentication method, when you access Kibana over the Internet, you must first log on to your Alibaba Cloud account. Then, specify the password that is used to access your Elasticsearch cluster.
Click OK.

Configure a private IP address whitelist for Kibana

By default, Private Network Access is turned off. Before you configure a private IP address whitelist, you must turn on Private Network Access.

Port 5601 used for access to Kibana over the Internet

After you turn on Private Network Access, you can configure a private IP address whitelist for Kibana by referring to the operations in Configure a public IP address whitelist for Kibana.

Note

If you want to use a client, such as an ECS instance, to access Kibana over a VPC, you must add the private IP address of the client to a private IP address whitelist for Kibana.

Port 443 used for access to Kibana over the Internet

After you turn on Private Network Access, you can use PrivateLink to establish a private connection between your VPC and Kibana. You can control access to Kibana over VPCs by managing IP addresses specified in security group rules.

Note

The fees for PrivateLink endpoints used by Elasticsearch are included in the bills of Elasticsearch. For more information about PrivateLink, see What is PrivateLink?

Log on to the Alibaba Cloud Elasticsearch console.
In the left-side navigation pane, click Elasticsearch Clusters.
Navigate to the desired cluster.
1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
2. On the Elasticsearch Clusters page, find the cluster and click its ID.
In the left-side navigation pane of the page that appears, choose Configuration and Management > Data Visualization.
In the Kibana section of the page that appears, click Modify Configuration.
In the Network Access Configuration section of the page that appears, turn on Private Network Access.

In the Enable Private Network Access for Kibana panel, configure the parameters and click OK.

You can use PrivateLink to implement access to Kibana over VPCs. Each Kibana node must be associated with an independent endpoint.

Note

A service-linked role is required when you use PrivateLink to implement access to Kibana over VPCs. If you have not created the related service-linked role, the system automatically creates the role. For more information, see Elasticsearch service-linked roles.

Parameter	Description
Endpoint Name	The endpoint name is automatically generated and can be changed.
Endpoint Network Configuration	Same as Elasticsearch: The VPC and vSwitch used to create the endpoint are the same as those of the Elasticsearch cluster. You can view the VPC ID and vSwitch ID on the Basic Information page of the cluster. Custom: Select a VPC and a vSwitch to create the endpoint. You can create a VPC and a vSwitch based on instructions.
Zone	You can view the zone ID on the Basic Information page of the cluster.
Security Group	You can use security group rules to control access to Kibana over VPCs. Select an existing security group. Note Port 5601 must be included in the port range of the security group because this port is used for access to Kibana over VPCs. To modify a security group rule, go to the Security Group page of the ECS console. For information about how to modify a security group rule, see Modify a security group rule. Security groups are classified into basic security groups and advanced security groups. When you change the security group that is used to control access to Kibana, you can select only a security group that is of the same type as the original security group. For example, if you select a basic security group when you turn on the Private Network Access switch for Kibana, you can select only a basic security group when you change the security group that is used to control access to Kibana. Use a new security group. Click Create below the Security Group field. In the dialog box that appears, enter a name for the security group. The security group name is automatically generated and can be changed. Enter an IP address in the Authorized IP Address field. The IP address must be the private IP address of the device to be authorized. For example, if you want to use an ECS instance to access Kibana over a VPC, you must enter the private IP address of the ECS instance.
Authentication Method for Private Network Access	Select Alibaba Cloud Account Authentication + Elasticsearch Cluster Password or Elasticsearch Cluster Password based on your business requirements. Note If you select the Alibaba Cloud Account Authentication + Elasticsearch Cluster Password authentication method, when you access Kibana over a VPC, you must first log on to your Alibaba Cloud account. Then, specify the password that is used to access your Elasticsearch cluster.

Note

After you click OK, wait for a period of time. If an endpoint list is displayed in the lower part of the Network Access Configuration section, the configuration is successful.
Endpoints are in a unified format. After an endpoint is created, you can change the endpoint name only.
In the Elasticsearch console, you can change only security groups. To query and manage security groups, go to the Security Group page of the ECS console.
After you turn off Private Network Access, endpoint resources are automatically released. If you turn on Private Network Access again, you need to create new endpoint resources. However, the access address of Kibana remains unchanged.

Use an NGINX proxy to access Kibana

If you want to use an NGINX proxy to access Kibana, we recommend that you disable Alibaba Cloud account authentication and modify the NGINX configuration file as needed.

Disable Alibaba Cloud account authentication

Go to the details page of your Elasticsearch cluster.
1. Log on to the Alibaba Cloud Elasticsearch console.
2. In the left-side navigation pane, click Elasticsearch Clusters.
1. In the top navigation bar, select the desired resource group and region. In the cluster list, find your cluster and click its ID.
Go to the Kibana Configuration page.
1. In the left-side navigation pane, choose Configuration and Management > Data Visualization.
2. In the Kibana section of the page that appears, click Modify Configuration.
Change the authentication method of the related network type to Elasticsearch Cluster Password. This indicates that Alibaba Cloud account authentication is disabled. The following figure shows an example on how to change the authentication method for access over the Internet.

Modify the NGINX configuration file

You can modify the NGINX configuration file based on your business requirements. The following code provides an example.

server{
      charset utf-8;  # The character encoding format. 
      listen  8081;   # The listening port of NGINX. Specify a port based on your business requirements. 
      server_name xxx.xxx.com;   # The domain name bound to the proxy. Specify a domain name based on your business requirements. 
      location  / {
           # Host is optional. If you configure it, you must set it to the original Kibana domain name. 
           # proxy_set_header Host es-cn-xxxxxxxx-kibana.internal.elasticsearch.aliyuncs.com;
           proxy_set_header X-Real-IP $remote_addr;  # Pass the real IP address of the client to Kibana. 
           proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;  # Record the proxy server link that is request goes through. The link is used for log analysis. 
           proxy_pass https://es-cn-xxxxxxxx-kibana.internal.elasticsearch.aliyuncs.com:5601;  # Forward the request to the Kibana address. 
      }
}

FAQ

Q: Will my Elasticsearch cluster be affected if I enable the Private Network Access or Public Network Access feature for Kibana?
A: No, your Elasticsearch cluster will not be affected. If you enable the Private Network Access or Public Network Access feature for Kibana, the system only triggers a change on the Server Load Balancer (SLB) instance that is connected to Kibana.
Note
The first time you enable the Private Network Access feature for Kibana, the system restarts Kibana nodes but does not trigger a change on the Elasticsearch cluster.
Q: What do I do if I still fail to access Kibana after I add the IP address of my device to an IP address whitelist of Kibana?
A: Troubleshoot the issue based on the following instructions:
- Your Elasticsearch cluster is unhealthy.
- The IP address you add may be incorrect. If you access Kibana from an on-premises machine, visit www.cip.cc to obtain the IP address of the machine, and check whether the obtained IP address is added to a public IP address whitelist of Kibana.
- You may add the IP address of your device to an IP address whitelist of your Elasticsearch cluster. You need to go to the cluster details page, choose Configuration and Management > Data Visualization in the left-side navigation pane, and then click Modify Configuration in the Kibana section. On the Kibana Configuration page, add the IP address of your device to a private or public IP address whitelist of Kibana.
- Clear the cache of your browser and try again.
- Restart Kibana nodes and try again.
Q: Why am I still unable to access Kibana after I configure a security group and add the correct IP address to a security group rule?
A: Port 5601 is used for access to Kibana over VPCs. Therefore, you must include this port in the port range of the security group rule. To modify the security group rule, go to the Security Group page of the ECS console. For more information, see Modify a security group rule.
Q: Why am I unable to modify security group rules in the Elasticsearch console?
A: After you modify a security group rule, the modification affects all access scenarios controlled by the security group rule. Therefore, you are not allowed to modify a security group rule in the Elasticsearch console. To modify a security group rule, go to the Security Group page of the ECS console.
Q: The specifications of my Kibana node are 1 vCPU and 2 GiB of memory. Why am I unable to enable the Private Network Access feature of Kibana?
A: The Kibana node with 1 vCPU and 2 GiB of memory is used for testing purposes and is not recommended in production environments. If you want to access Kibana over a VPC, we recommend that you first upgrade the specifications of the Kibana node to 2 vCPUs and 4 GiB of memory or higher. For more information, see Upgrade the configuration of a cluster.
Can I use the Kibana console to access Internet services such as Baidu Maps and AMAP?
Why does the IP address that is resolved based on the internal domain name of the Kibana console for an Elasticsearch V7.16 cluster not belong to my VPC?
What do I do if I fail to access the Kibana console through an NGINX proxy?
What do I do if I cannot use a custom domain name to access the Kibana console based on a CNAME record?

References

API references:
- API operation for enabling or disabling access to Kibana over the Internet or an internal network: TriggerNetwork
- API operation for updating a public or private IP address whitelist for Kibana: ModifyWhiteIps
Log on to the Kibana console
If issues occur when you log on to or use the Kibana console, see FAQ about the Kibana console.