All Products
Search

This Product

    Elasticsearch:Connect to a cluster by using Cerebro

    Document Center

    Elasticsearch:Connect to a cluster by using Cerebro

    Last Updated:Mar 03, 2026

    Cerebro is an open source management tool for Elasticsearch. It is lightweight and starts quickly. You can use it to view cluster health, manage index data, and run search queries. Developers and operations engineers use it to quickly check and manage Elasticsearch clusters.

    Preparations

    Get cluster endpoints

    You can connect to an ES cluster using either a private endpoint over a Virtual Private Cloud (VPC) or a public endpoint.

    • VPC private endpoint: Access the ES cluster over a private network for low latency and high stability. This endpoint is enabled by default after the cluster is created.

    • Public endpoint: Access the ES cluster over the internet. You must enable this endpoint manually.

    Enable public network access

    1. Log on to the ES console and go to the Basic Information page of the instance.

    2. In the navigation pane on the left, choose Configuration and Management > Security Settings, and then enable public network access. When the cluster status changes from Initializing to Valid, public network access is enabled.

      image

      Important

      A public endpoint reduces the security of your ES cluster. If you use a public endpoint, configure an IP address whitelist and disable public network access promptly after use.

    Set an IP address whitelist

    To ensure cluster security, add the IP address of the device that you want to use for access to the VPC private whitelist or public access whitelist of the ES cluster. Only devices whose IP addresses are in the whitelist can access the ES cluster.

    1. Obtain the IP address of the device.

      Obtain the IP address of the device based on the following scenarios.

      Scenario

      IP address to obtain

      Method

      Connect to the ES cluster from an on-premises device

      The public IP address of the on-premises device.

      If the device is in a local area network (LAN), such as a home or corporate network, add the public egress IP address of the LAN to the public access whitelist of the ES cluster.

      Run the curl ipinfo.io/ip command to query the public IP address of the on-premises device.

      Connect to the ES cluster from an ECS instance in a different VPC

      The public IP address of the ECS instance

      Log on to the ECS console and view it in the instance list.

      Connect to the ES cluster from an ECS instance in the same VPC

      The private IP address of the ECS instance

      Log on to the ECS console and view it in the instance list.

    2. Add the obtained IP address to a whitelist group.

      1. Log on to the ES console, go to the Basic Information page of the instance. In the navigation pane on the left, choose Configuration and Management > Security Settings. Click Modify to set the VPC private whitelist or public access whitelist in the dialog box that appears.

        image

      2. Click Configure to the right of the default group. In the dialog box that appears, add IP addresses to the VPC private whitelist or public access whitelist. You can configure a maximum of 300 IP addresses or CIDR blocks for a single cluster. Separate multiple IP addresses or CIDR blocks with commas (,). Do not add spaces before or after the commas.

        • You can also click Add IP Whitelist Group to create a custom group.

        • Whitelist groups are used only for IP address management and do not affect access permissions. All IP addresses within the groups have the same permissions.

        image

        Configuration type

        Format and example

        Important notes

        IPv4 address format

        • Single IP address: 192.168.0.1

        • CIDR block: 192.168.0.0/24

        • To deny access: 127.0.0.1

        • To allow access from all IP addresses: 0.0.0.0/0

          Important

          This configuration is high-risk. We strongly recommend that you do not set the whitelist to 0.0.0.0/0.

          Some cluster versions, such as 7.16 and 8.5, and regions do not support 0.0.0.0/0. The console interface or error messages prevail.

        IPv6 address format

        (Supported only by clusters that use the v2 deployment architecture and are in the China (Hangzhou) region)

        • Single IP address: 2401:XXXX:1000:24::5

        • CIDR block: 2401:XXXX:1000::/48

        • Deny all access: ::1

        • To allow access from all IP addresses: ::/0

          Important

          We strongly recommend that you do not configure ::/0 because it poses a high security risk.

          Some cluster versions do not support ::/0. The console interface or configuration prompts prevail.

      3. After the configuration is complete, click Confirm.

        image

    Connect to the cluster

    1. Install and configure Cerebro

    1. Connect to an ECS instance. This example uses a Linux system. For more information, see Connect to an ECS instance.

    2. Cerebro runs on the Java Virtual Machine (JVM). Install the JDK on the ECS instance. The JDK version must be 1.8 or later. For more information, see Manually deploy OpenJDK.

    3. Download and decompress the Cerebro installation package.

      # Download Cerebro v0.9.0
wget https://github.com/lmenezes/cerebro/releases/download/v0.9.0/cerebro-0.9.0.tgz

# Decompress the package
tar -zxvf cerebro-0.9.0.tgz

    4. Modify the Cerebro configuration file to associate Cerebro with your Elasticsearch cluster.

      1. Open the application.conf file.

        vim cerebro-0.9.0/conf/application.conf

      2. Configure the hosts parameter and save the file.

        配置cerebro

        Note

        You can associate multiple instances by separating them with commas.

        Parameter

        Description

        host

        The cluster endpoint that you obtained during preparations:

        • VPC private endpoint: Format is http://<Private endpoint of the Elasticsearch cluster>:9200.

        • Public endpoint: Format is http://<Public endpoint of the Elasticsearch cluster>:9200.

        ES clusters have HTTP enabled by default. We recommend that you enable and use HTTPS to ensure confidentiality, security, and integrity during data transmission. Log on to the ES console to go to the instance's Basic Information, and then click Configuration and Management > Security Settings in the navigation pane on the left to enable HTTPS.

        Important

        Before you enable HTTPS, update your application code to support HTTPS connections. Otherwise, existing code that uses HTTP fails to establish secure connections.

        name

        The ID of your Elasticsearch cluster. Log on to the Elasticsearch console. View the ID in the cluster list.

        username

        The default username is elastic. This user has full cluster permissions (like an administrator account).

        For security, do not use the elastic user directly in production environments. Use the role-based access control (RBAC) mechanism provided by Elasticsearch X-Pack to create custom roles, assign permissions, and then assign roles to users. This gives you fine-grained permission control. For more information, see Control user permissions using Elasticsearch X-Pack role management.

        password

        The password for the username.

    2. Start the Cerebro service

    Start Cerebro in the foreground or background, as needed.

    • Start in the foreground (for debugging)

      cd cerebro-0.9.0
bin/cerebro

      After Cerebro starts successfully, the result shown in the following figure appears.cerebro启动成功

    • Start in the background (recommended for production environments)

      cd cerebro-0.9.0
nohup bin/cerebro > cerebro.log 2>&1 &

      Run tail -f cerebro.log to view logs. Run pkill -f cerebro to stop the service.

    3. Access Cerebro and connect to the Elasticsearch cluster

    1. Configure the security group of your ECS instance. In the Inbound section, add the IP address of the device to be accessed and open port 9000. For detailed steps, see Add a security group rule.

      配置安全组

    2. In a browser, enter http://<Public IP address of the ECS instance>:9000.

    3. On the Cerebro login page, you will see the ES clusters configured in the configuration file. You can click them to connect.

      image

    4. After you connect successfully, view cluster status and manage indexes in the Cerebro console. For more information about how to use Cerebro, see Cerebro.

      image

    FAQ and troubleshooting

    Issue 1: Cerebro fails to start

    • Possible cause: The JDK is not installed or the JDK version is lower than 1.8. The port is occupied. The file permissions are insufficient.

    • Solution: Run java -version to verify that the JDK version is 1.8 or later. Change the port in application.conf by modifying the http.port parameter. Add execute permissions to the bin/cerebro script by running chmod +x bin/cerebro.

    Issue 2: Failed to connect to the Elasticsearch cluster

    • Possible cause: The IP address whitelist is not configured. The Elasticsearch endpoint or port is incorrect. The ECS security group does not allow traffic on the required ports. The username or password is incorrect.

    • Solution: Check the IP address whitelist configuration in the Alibaba Cloud Elasticsearch console. Verify that the application.conf file contains the correct host value. Check whether the ECS security group allows traffic on port 9200 (Elasticsearch) and port 9000 (Cerebro). Verify that the username and password are correct.