Before you access the Kibana service over the Internet or a virtual private cloud (VPC), you need to add the IP address of your device to a public or private IP address whitelist of Kibana.
Prerequisites
Your Elasticsearch cluster is in a normal state.
Configure a public IP address whitelist for Kibana
You can control access to Kibana over the Internet by directly managing IP addresses in whitelists for Kibana.
- Log on to the Alibaba Cloud Elasticsearch console.
- In the left-side navigation pane, click Elasticsearch Clusters.
- Navigate to the desired cluster.
- In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
- On the Elasticsearch Clusters page, find the cluster and click its ID.
In the left-side navigation pane of the page that appears, choose .
In the Kibana section of the page that appears, click Modify Configuration.
In the Network Access Configuration section of the page that appears, click Modify on the right side of Public IP Address Whitelist.
Note: If the Public Network Access switch is turned off, you must turn on the switch first.
In the Modify Public IP Address Whitelist panel, click Add IP Address Whitelist, or click Configure on the right side of the name of the desired whitelist.
Note: After an IP address whitelist is created, the name of the IP address whitelist cannot be changed.
In the dialog box that appears, add the IP address of your device to the whitelist.
We recommend that you obtain the IP address of your device based on the instructions provided in the following table.
Scenario: Access to Kibana from an on-premises machine
- IP address to be obtained: Public IP address of the on-premises machine
  Note: If your on-premises machine is connected to a home network or to a LAN of an office, you must add the IP address of the Internet egress to the whitelist.
- Method to obtain the IP address: Visit www.cip.cc by using a browser on the on-premises machine or run the curl cip.cc command on the machine.
Scenario: Access to Kibana from a client
- IP address to be obtained: Public IP address of the client
- Method to obtain the IP address: For example, you want to use an Elastic Compute Service (ECS) instance that resides in a different VPC from Kibana to access Kibana over the Internet. In this case, you need to obtain the public IP address of the ECS instance.
  The following operations provide an example on how to obtain the public IP address of an ECS instance:
  - Log on to the ECS console.
  - In the left-side navigation pane, click Instances.
  - In the top navigation bar, select the region where the ECS instance resides.
  - On the Instances page, find the ECS instance and view the private or public IP address of the ECS instance.
When you configure an IP address whitelist, observe the following rules:
- You can specify IP addresses or CIDR blocks, such as 192.168.0.1 or 192.168.0.0/24, in a whitelist.
- You can specify up to 300 IP addresses or CIDR blocks in a whitelist. Separate multiple IP addresses or CIDR blocks with commas (,).
- You can specify 127.0.0.1 to prohibit access from all IPv4 addresses or specify 0.0.0.0/0 to allow access from all IPv4 addresses. For security purposes, we recommend that you do not specify 0.0.0.0/0 in a whitelist.
- Access from public IPv6 addresses is supported only in the China (Hangzhou) region, and you can configure public IPv6 address whitelists in this region. For example, you can specify 2401:XXXX:1000:24::5 or 2401:XXXX:1000::/48 in a whitelist.
  Note: In a whitelist, you can specify ::1 to deny requests from all IPv6 addresses or specify ::/0 to allow requests from all IPv6 addresses. For security purposes, we recommend that you do not specify ::/0. For clusters of some versions, you are not allowed to specify ::/0 in a whitelist. You can check whether you can perform this configuration in the console.
Click OK.
Optional. Click the icon in the upper-right corner of the panel to return to the Kibana Configuration page. Then, in the Network Access Configuration section, view the public IP address whitelist that you configured for Kibana.
If some IP addresses that you specified are not displayed, you can move the pointer over the IP addresses that are displayed to view all the specified IP addresses. If the IP addresses you specified appear in the whitelist, the whitelist configuration is successful.
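The whitelist rules listed above can be checked before a list is pasted into the console. The following Python sketch is an added example, not Alibaba Cloud code: the function name audit_whitelist, its parameters and the private-range warning (derived from the note about the Internet egress address) are assumptions made here, and the sample input is constructed.

```python
import ipaddress

MAX_ENTRIES = 300                    # per-whitelist limit stated on the page
DENY_ALL = {"127.0.0.1", "::1"}      # page: block all IPv4 / all IPv6
ALLOW_ALL = {"0.0.0.0/0", "::/0"}    # page: admit all IPv4 / all IPv6
# RFC 1918 and IPv6 unique-local ranges: never a valid Internet egress address
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def audit_whitelist(raw, public=True, ipv6_region=False):
    """Check a comma-separated whitelist string; return (errors, warnings)."""
    errors, warnings = [], []
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    for entry in entries:
        try:
            # strict=False so that 1.2.3.4/0 is normalised to 0.0.0.0/0
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            errors.append(f"{entry}: not an IP address or CIDR block")
            continue
        if str(net) in ALLOW_ALL:
            warnings.append(f"{entry}: allows access from every address")
        elif entry in DENY_ALL:
            continue  # deny-all marker, not a client address
        elif public and net.version == 6 and not ipv6_region:
            warnings.append(f"{entry}: public IPv6 needs the China (Hangzhou) region")
        elif public and any(net.version == p.version and net.subnet_of(p)
                            for p in PRIVATE):
            warnings.append(f"{entry}: private range, use the Internet egress IP")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample input, not taken from a real cluster
    sample = "198.51.100.7, 192.168.0.0/24, 10.1.2.3/0, kibana.local"
    errs, warns = audit_whitelist(sample)
    for line in errs + warns:
        print(line)
```

Pass public=False when auditing a private IP address whitelist, where private client addresses are expected.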
Configure a private IP address whitelist for Kibana
By default, Private Network Access is turned off. Before you configure a private IP address whitelist, you must turn on Private Network Access.
Port 5601 used for access to Kibana over the Internet
After you turn on Private Network Access, you can configure a private IP address whitelist for Kibana by referring to the operations in Configure a public IP address whitelist for Kibana.
If you want to use a client, such as an ECS instance, to access Kibana over a VPC, you must add the private IP address of the client to a private IP address whitelist for Kibana.
Port 443 used for access to Kibana over the Internet
After you turn on Private Network Access, you can use PrivateLink to establish a private connection between your VPC and Kibana. You can control access to Kibana over VPCs by managing IP addresses specified in security group rules.
The fees for PrivateLink endpoints used by Elasticsearch are included in the bills of Elasticsearch. For more information about PrivateLink, see What is PrivateLink?
- Log on to the Alibaba Cloud Elasticsearch console.
- In the left-side navigation pane, click Elasticsearch Clusters.
- Navigate to the desired cluster.
- In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
- On the Elasticsearch Clusters page, find the cluster and click its ID.
In the left-side navigation pane of the page that appears, choose .
In the Kibana section of the page that appears, click Modify Configuration.
In the Network Access Configuration section of the page that appears, turn on Private Network Access.
In the Enable Private Network Access for Kibana panel, configure an endpoint and a security group, and click OK.
You can use PrivateLink to implement access to Kibana over VPCs. Each Kibana node must be associated with an independent endpoint.
Note: A service-linked role is required when you use PrivateLink to implement access to Kibana over VPCs. If you have not created the related service-linked role, the system automatically creates the role. For more information, see Elasticsearch service-linked roles.
Parameter descriptions:
- Endpoint Name: The endpoint name is automatically generated and can be changed.
- Endpoint Network Configuration:
  - Same as Elasticsearch: The VPC and vSwitch used to create the endpoint are the same as those of the Elasticsearch cluster.
  - Custom: Select a VPC and a vSwitch to create the endpoint.
- Security Group: You can use security group rules to control access to Kibana over VPCs.
  - Select an existing security group.
    Note: Port 5601 must be included in the port range of the security group because this port is used for access to Kibana over VPCs. To modify a security group rule, go to the Security Group page of the ECS console. For information about how to modify a security group rule, see Modify a security group rule.
    Security groups are classified into basic security groups and advanced security groups. When you change the security group that is used to control access to Kibana, you can select only a security group that is of the same type as the original security group. For example, if you select a basic security group when you turn on the Private Network Access switch for Kibana, you can select only a basic security group when you change the security group that is used to control access to Kibana.
  - Use a new security group.
    - Click Create below the Security Group field.
    - In the dialog box that appears, enter a name for the security group.
      The security group name is automatically generated and can be changed.
    - Enter an IP address in the Authorized IP Address field.
      The IP address must be the private IP address of the device to be authorized. For example, if you want to use an ECS instance to access Kibana over a VPC, you must enter the private IP address of the ECS instance.
Note: After you click OK, wait for a period of time. If an endpoint list is displayed in the lower part of the Network Access Configuration section, the configuration is successful.
Endpoints are in a unified format. After an endpoint is created, you can only change the endpoint name.
In the Elasticsearch console, you can only change security groups. To query and manage security groups, go to the Security Group page of the ECS console.
After you turn off Private Network Access, endpoint resources are automatically released. If you turn on Private Network Access again, you need to create new endpoint resources. However, the access address of Kibana remains unchanged.
FAQ
Q: Will my Elasticsearch cluster be affected if I enable the Private Network Access or Public Network Access feature for Kibana?
A: No, your Elasticsearch cluster will not be affected. If you enable the Private Network Access or Public Network Access feature for Kibana, the system only triggers a change on the Server Load Balancer (SLB) instance that is connected to Kibana.
Note: The first time you enable the Private Network Access feature for Kibana, the system restarts Kibana nodes but does not trigger a change on the Elasticsearch cluster.
Q: What do I do if I still fail to access Kibana after I add the IP address of my device to an IP address whitelist of Kibana?
A: Troubleshoot the issue based on the following instructions:
- Your Elasticsearch cluster is unhealthy.
- The IP address you added may be incorrect. If you access Kibana from an on-premises machine, visit www.cip.cc to obtain the IP address of the machine, and check whether the obtained IP address is added to a public IP address whitelist of Kibana.
- You may have added the IP address of your device to an IP address whitelist of your Elasticsearch cluster. You need to go to the cluster details page, choose
  in the left-side navigation pane, and then click Modify Configuration in the Kibana section. On the Kibana Configuration page, add the IP address of your device to a private or public IP address whitelist of Kibana.
- Clear the cache of your browser and try again.
- Restart Kibana nodes and try again.
Q: Why am I still unable to access Kibana after I configure a security group and add the correct IP address to a security group rule?
A: Port 5601 is used for access to Kibana over VPCs. Therefore, you must include this port in the port range of the security group rule. To modify the security group rule, go to the Security Group page of the ECS console. For more information, see Modify a security group rule.
Q: Why am I unable to modify security group rules in the Elasticsearch console?
A: After you modify a security group rule, the modification affects all access scenarios controlled by the security group rule. Therefore, you are not allowed to modify a security group rule in the Elasticsearch console. To modify a security group rule, go to the Security Group page of the ECS console.
Q: The specifications of my Kibana node are 1 vCPU and 2 GiB of memory. Why am I unable to enable the Private Network Access feature of Kibana?
A: The Kibana node with 1 vCPU and 2 GiB of memory is used for testing purposes and is not recommended in production environments. If you want to access Kibana over a VPC, we recommend that you first upgrade the specifications of the Kibana node to 2 vCPUs and 4 GiB of memory or higher. For more information, see Upgrade the configuration of a cluster.
Can I use the Kibana console to access Internet services such as Baidu Maps and AMAP?
References
API references:
API operation for enabling or disabling access to Kibana over the Internet or an internal network: TriggerNetwork
API operation for updating a public or private IP address whitelist for Kibana: ModifyWhiteIps
If issues occur when you log on to or use the Kibana console, see FAQ about the Kibana console.