Before you access an Alibaba Cloud Elasticsearch cluster over the Internet or a virtual private cloud (VPC), you need to add the IP address of your device to a public or private IP address whitelist of the cluster. If your access to an Elasticsearch cluster fails, you can follow the instructions in this topic to check whether you added the correct IP address to the appropriate IP address whitelist of the cluster.
Prerequisites
An Alibaba Cloud Elasticsearch cluster is created. For more information, see Create an Alibaba Cloud Elasticsearch cluster.
Precautions
When you access an Elasticsearch cluster over the Internet, the network may be unstable, and network security may be compromised. If you require high network security and stability, we recommend that you use a VPC for access.
You can access an Elasticsearch cluster over the Internet free of charge. The default bandwidth is 5 Gbit/s.
Procedure
- Log on to the Alibaba Cloud Elasticsearch console.
- In the left-side navigation pane, click Elasticsearch Clusters.
- Navigate to the desired cluster.
- In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
- On the Elasticsearch Clusters page, find the cluster and click its ID.
In the left-side navigation pane of the page that appears, choose .
In the Network Settings section of the page that appears, click Modify on the right side of Private IP Address Whitelist or Public IP Address Whitelist to configure a private or public IP address whitelist.
Note: By default, the Public Network Access switch is turned off. Before you can configure a public IP address whitelist, you must turn on the switch.
In the panel that appears, click Configure on the right side of default.
Note: You can also click Add IP Address Whitelist to create a custom whitelist. For more information, see Manage an IP address whitelist.
In the dialog box that appears, add the IP address of your device to the whitelist.
We recommend that you obtain the IP address of your device based on the instructions provided in the following table.
Scenario | IP address to be obtained | Method to obtain the IP address |
Access to an Elasticsearch cluster from an on-premises machine | Public IP address of the on-premises machine. Note: If your on-premises machine is connected to a home network or to a LAN of an office, you must add the IP address of the Internet egress to the whitelist. | Visit www.cip.cc by using a browser on the on-premises machine or run the curl cip.cc command on the machine. |
Access to an Elasticsearch cluster from a client over the Internet | Public IP address of the client. For example, you want to use an Elastic Compute Service (ECS) instance that resides in a different VPC from your Elasticsearch cluster to access the cluster over the Internet. In this case, you need to obtain the public IP address of the ECS instance. | The following operations provide an example on how to obtain the private or public IP address of an ECS instance: 1. Log on to the ECS console. 2. In the left-side navigation pane, click Instances. 3. In the top navigation bar, select the region where the ECS instance resides. 4. On the Instances page, find the ECS instance and view the private or public IP address of the ECS instance. |
Access to an Elasticsearch cluster from a client over a VPC | Private IP address of the client. For example, you want to use an ECS instance that resides in the same VPC as your Elasticsearch cluster to access the cluster over the VPC. In this case, you need to obtain the private IP address of the ECS instance. | See the ECS console steps in the preceding row. |
When you configure an IP address whitelist, observe the following rules:
- You can specify IP addresses or CIDR blocks, such as 192.168.0.1 or 192.168.0.0/24, in a whitelist.
  Note: If you specify CIDR blocks, make sure that the IP address that precedes the forward slash (/) in each CIDR block is the first IP address obtained based on subnet mask calculation.
- You can specify up to 300 IP addresses or CIDR blocks in a whitelist. Separate multiple IP addresses or CIDR blocks with commas (,).
- If your IP address dynamically changes, we recommend that you specify a CIDR block in a whitelist.
- 127.0.0.1 is specified in the default public IP address whitelist. This indicates that access from all IPv4 addresses is not allowed.
- 0.0.0.0/0 is specified in the default private IP address whitelist. This indicates that access from all IPv4 addresses is allowed. For security purposes, we recommend that you do not specify 0.0.0.0/0 in a private IP address whitelist.
  Note: For clusters in some regions and clusters of some versions, you are not allowed to specify 0.0.0.0/0 in a whitelist. You can check whether you can perform this configuration in the console.
- Access from public IPv6 addresses is supported only in the China (Hangzhou) region, and you can configure public IPv6 address whitelists in this region. For example, you can specify 2401:XXXX:1000:24::5 or 2401:XXXX:1000::/48 in a whitelist.
  Note: In a whitelist, you can specify ::1 to deny requests from all IPv6 addresses or specify ::/0 to allow requests from all IPv6 addresses. For security purposes, we recommend that you do not specify ::/0. For clusters of some versions, you are not allowed to specify ::/0 in a whitelist. You can check whether you can perform this configuration in the console.
Click OK.
(Optional) Click the icon in the upper-right corner of the panel to return to the Security page. Then, view the private or public IP address whitelist that you configured.
If some IP addresses that you specified are not displayed, you can move the pointer over the IP addresses that are displayed to view all the specified IP addresses. If the IP addresses you specified appear in the whitelist, the whitelist configuration is successful.
Manage an IP address whitelist
This section provides an example on how to manage a public IP address whitelist.
Operation | Step |
Add an IP address whitelist |
|
View the IP addresses in an IP address whitelist | On the Security page, view the IP addresses in the IP address whitelist. If some IP addresses that you specified are not displayed, you can move the pointer over the IP addresses that are displayed to view all the specified IP addresses. |
Modify an IP address whitelist |
|
Delete an IP address whitelist |
|
FAQ
Q: I have configured a whitelist, but I still cannot access my Elasticsearch cluster. What do I do?
A: The IP addresses you add to the whitelist may be incorrect. Check whether the IP addresses you add to the whitelist are correct based on the preceding configuration instructions. You can also run a cURL command to check whether the Elasticsearch cluster can be accessed. For more information, see Access an Elasticsearch cluster.
Q: What do I do if the number of IP addresses I specify in a whitelist exceeds the upper limit?
A: You can merge the IP addresses into CIDR blocks to reduce the number of IP addresses.
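The whitelist rules in the procedure and the merge advice in the preceding answer can be checked offline before you paste a list into the console. The following is an added example, not Alibaba Cloud code: it uses Python's standard ipaddress module, and the function names parse_whitelist, is_allowed and merge are hypothetical.

```python
import ipaddress

MAX_ENTRIES = 300  # per-whitelist limit stated on this page
ALLOW_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

def parse_whitelist(text):
    """Parse a comma-separated whitelist; return (networks, problems)."""
    networks, problems = [], []
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                # Host bits set: the address before "/" is not the first one.
                fixed = ipaddress.ip_network(entry, strict=False)
                problems.append(f"{entry}: not the first address, use {fixed}")
            except ValueError:
                problems.append(f"{entry}: not an IP address or CIDR block")
            continue
        if net in ALLOW_ALL:
            problems.append(f"{entry}: allows every address")
        networks.append(net)
    if len(networks) > MAX_ENTRIES:
        problems.append(f"{len(networks)} entries, limit is {MAX_ENTRIES}")
    return networks, problems

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any whitelist entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == n.version and ip in n for n in networks)

def merge(networks):
    """Collapse adjacent or overlapping entries into the fewest CIDR blocks."""
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed versions
        merged += ipaddress.collapse_addresses(
            [n for n in networks if n.version == version])
    # A single host is written as a bare IP address, as in the page's examples.
    return [str(n.network_address) if n.num_addresses == 1 else str(n)
            for n in merged]

if __name__ == "__main__":
    # Constructed sample whitelist (documentation address ranges).
    sample = "192.168.0.1/24, 10.0.0.0/25, 10.0.0.128/25, 203.0.113.7"
    nets, problems = parse_whitelist(sample)
    print(problems, merge(nets), is_allowed("10.0.0.200", nets))
```

Merging this way only combines entries that are adjacent or overlapping, so the merged list admits exactly the same addresses as the original one.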
References
API operations for enabling or disabling access to an Elasticsearch cluster over the Internet or a VPC:
API operations for updating a public or private IP address whitelist for an Elasticsearch cluster:
For more information about Logstash-related issues, see Logstash FAQ.