# alibabacloud-elasticsearch-network-manage


## Elasticsearch Instance Network Management

A skill for managing Alibaba Cloud Elasticsearch instance network configurations, including network triggering, Kibana PVL network, white IP list, HTTPS settings, and Kibana SSO authentication.

## Architecture

```text
Alibaba Cloud Account → Elasticsearch Service → ES Instance(s) → Network Configuration
                                                        ├── Public Network Access
                                                        ├── Kibana PVL Network
                                                        ├── White IP List
                                                        ├── HTTPS Settings
                                                        └── Kibana SSO Authentication
```

## Installation

**Pre-check: Aliyun CLI >= 3.3.3 required.** Run `aliyun version` to verify the version is >= 3.3.3. If the CLI is not installed or the version is too low, run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` to update, or see `references/cli-installation-guide.md` for installation instructions.

**[MUST] AI-Mode Configuration**

Before executing any CLI commands, enable AI-Mode and set the User-Agent. After the workflow completes, disable AI-Mode.

```bash
# Step 1: Enable AI-Mode (before CLI operations)
aliyun configure ai-mode enable

# Step 2: Set User-Agent for traceability
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage"
```

After all CLI operations are complete:

```bash
# Step 3: Disable AI-Mode (after workflow ends)
aliyun configure ai-mode disable
```

**[MUST] Plugin Update**

```bash
aliyun configure set --auto-plugin-install true
aliyun plugin update
```

**[MUST] CLI Installation** (if not already installed or version < 3.3.3):

```bash
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash
aliyun version
```

## Environment Variables

| Variable | Required | Description |
|----------|----------|-------------|
| `ALIBABA_CLOUD_ACCESS_KEY_ID` | Yes | Alibaba Cloud AccessKey ID |
| `ALIBABA_CLOUD_ACCESS_KEY_SECRET` | Yes | Alibaba Cloud AccessKey Secret |
| `ALIBABA_CLOUD_REGION_ID` | No | Default Region ID (e.g., cn-hangzhou) |

## CLI User-Agent Requirement

**[MUST] CLI User-Agent:** the user-agent is set globally via `aliyun configure ai-mode set-user-agent` during installation. As a fallback, every `aliyun` CLI command invocation must also include:

```text
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
```

## Parameter Confirmation

**IMPORTANT: Parameter Confirmation.** Before executing any command or API call, ALL user-customizable parameters (e.g., RegionId, instance names, white IPs, VPC IDs, security groups, etc.) MUST be confirmed with the user. Do NOT assume or use default values without explicit user approval.

| Parameter Name | Required/Optional | Description | Default Value |
|----------------|-------------------|-------------|---------------|
| `InstanceId` | Required (for all operations) | Elasticsearch Instance ID | - |
| `RegionId` | Optional | Region ID | cn-hangzhou |
| `nodeType` | Required (TriggerNetwork) | Instance Type: KIBANA/WORKER | - |
| `networkType` | Required (TriggerNetwork) | Network Type: PUBLIC/PRIVATE | - |
| `actionType` | Required (TriggerNetwork) | Action Type: OPEN/CLOSE | - |
| `resourceGroupId` | Optional | Resource Group ID | - |
| `whiteIpGroup` | Required (ModifyWhiteIps) | White IP Group Configuration | - |
| `whiteIpType` | Optional (ModifyWhiteIps) | White IP Type: PRIVATE_ES/PUBLIC_KIBANA | PRIVATE_ES |

## Authentication

**Pre-check: Alibaba Cloud Credentials Required**

Security Rules:
- NEVER read, echo, or print AK/SK values
- NEVER ask the user to input AK/SK in conversation or on the command line
- ONLY use `aliyun configure list` to check credential status

```bash
aliyun configure list
```

If there are no valid credentials, guide the user to run `aliyun configure` in the terminal (never accept plaintext AK/SK in chat). Credential portal: Alibaba Cloud RAM Console

## RAM Policy

RAM permissions required for Elasticsearch instance network configuration operations. See `references/ram-policies.md` for details.

## Core Workflow

**Prerequisite: Instance Status Check**

Before executing any network configuration operation, verify that the instance status is `active`. Network configuration changes cannot be executed when the instance status is `activating`, `invalid`, or `inactive`.

```bash
# Check instance status with retry logic
max_retries=10
retry_count=0
while [ $retry_count -lt $max_retries ]; do
  status=$(aliyun elasticsearch describe-instance \
    --instance-id <InstanceId> \
    --read-timeout 30 \
    --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage | jq -r '.Result.status')

  if [ "$status" == "active" ]; then
    echo "✅ Instance status is active, proceeding..."
    break
  else
    echo "⚠️ Instance status is $status, waiting 30s before retry..."
    sleep 30
    retry_count=$((retry_count + 1))
  fi
done

if [ $retry_count -eq $max_retries ]; then
  echo "❌ Instance did not become active after $max_retries retries, aborting"
  exit 1
fi
```

### Task 1: Trigger Network (Enable/Disable Public/Private Network Access)

Enable or disable public or private network access for Elasticsearch or Kibana clusters.

**Scope:** Supports all network types on basic management instances. On cloud-native instances, supports cluster public/private network and Kibana public network. For Kibana private network on cloud-native instances, use EnableKibanaPvlNetwork / DisableKibanaPvlNetwork instead.

**Parameters:**

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| `nodeType` | String | Yes | Instance Type: KIBANA (Kibana cluster) / WORKER (Elasticsearch cluster) |
| `networkType` | String | Yes | Network Type: PUBLIC / PRIVATE |
| `actionType` | String | Yes | Action Type: OPEN (enable) / CLOSE (disable) |

**Example: Enable Kibana public network access**

```bash
aliyun elasticsearch trigger-network \
  --instance-id <InstanceId> --read-timeout 30 \
  --body '{"nodeType":"KIBANA","networkType":"PUBLIC","actionType":"OPEN"}' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
```

**Example: Disable Elasticsearch public network access**

```bash
aliyun elasticsearch trigger-network \
  --instance-id <InstanceId> --read-timeout 30 \
  --body '{"nodeType":"WORKER","networkType":"PUBLIC","actionType":"CLOSE"}' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
```

**Pre-check (Required):**

> **Network Status Fields** (via DescribeInstance):
> - `Result.enablePublic`: ES public network (private network is always on, cannot be disabled)
> - `Result.enableKibanaPublicNetwork`: Kibana public network
> - `Result.enableKibanaPrivateNetwork`: Kibana private network
>
> If the target network is already in the desired state, **skip the TriggerNetwork call** and inform the user.

```bash
# User-confirmed request parameters (see Parameter Confirmation)
node_type="<nodeType>"         # KIBANA / WORKER
network_type="<networkType>"   # PUBLIC / PRIVATE
action_type="<actionType>"     # OPEN / CLOSE

# Pre-check: architecture + current network status
instance_info=$(aliyun elasticsearch describe-instance \
  --instance-id <InstanceId> --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage)
arch_type=$(echo "$instance_info" | jq -r '.Result.archType')

# Cloud-native Kibana private network: use EnableKibanaPvlNetwork/DisableKibanaPvlNetwork instead
if [ "$arch_type" == "public" ] && [ "$node_type" == "KIBANA" ] && [ "$network_type" == "PRIVATE" ]; then
  echo "❌ Use EnableKibanaPvlNetwork/DisableKibanaPvlNetwork for cloud-native Kibana private network"
  exit 1
fi

# Check if target network already in desired state
enable_public=$(echo "$instance_info" | jq -r '.Result.enablePublic')
enable_kibana_public=$(echo "$instance_info" | jq -r '.Result.enableKibanaPublicNetwork')
enable_kibana_private=$(echo "$instance_info" | jq -r '.Result.enableKibanaPrivateNetwork')

# Map nodeType+networkType to status field (ES private is always on)
# WORKER+PUBLIC -> enablePublic | KIBANA+PUBLIC -> enableKibanaPublicNetwork | KIBANA+PRIVATE -> enableKibanaPrivateNetwork
case "${node_type}+${network_type}" in
  WORKER+PUBLIC)  current="$enable_public" ;;
  KIBANA+PUBLIC)  current="$enable_kibana_public" ;;
  KIBANA+PRIVATE) current="$enable_kibana_private" ;;
  *) echo "❌ Unsupported nodeType/networkType combination: ${node_type}+${network_type}"; exit 1 ;;
esac

# If actionType=OPEN and already true, or actionType=CLOSE and already false, skip
if { [ "$action_type" == "OPEN" ] && [ "$current" == "true" ]; } || \
   { [ "$action_type" == "CLOSE" ] && [ "$current" == "false" ]; }; then
  echo "✅ Target network already in desired state, skipping TriggerNetwork"
  exit 0
fi
```

---

### Task 2: Enable Kibana PVL Network (Enable Kibana Private Network Access)

Enable Kibana private network access (PrivateLink) for an Elasticsearch instance.

**Prerequisites:** Only supports cloud-native instances (archType=public); the Kibana spec must be greater than 1 core 2GB. For basic management instances, use TriggerNetwork.

**Request Parameters (Body):**

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| `endpointName` | String | Yes | Endpoint name, recommended format: `{InstanceId}-kibana-endpoint` |
| `securityGroups` | Array | Yes | Security group ID array |
| `vSwitchIdsZone` | Array | Yes | VSwitch and availability zone information |
| `vSwitchIdsZone[].vswitchId` | String | Yes | Virtual switch ID |
| `vSwitchIdsZone[].zoneId` | String | Yes | Availability zone ID |
| `vpcId` | String | Yes | VPC instance ID |

**Pre-check:** Call DescribeInstance first to check `Result.enableKibanaPrivateNetwork`. If already enabled, compare the current config (vpcId, vswitchId, securityGroups) with the user requirements. If they match, skip and inform the user that the config is already correct.

```bash
# Check current Kibana PVL status and config
instance_info=$(aliyun elasticsearch describe-instance \
  --instance-id <InstanceId> \
  --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage)
pvl_enabled=$(echo "$instance_info" | jq -r '.Result.enableKibanaPrivateNetwork')
current_vpc=$(echo "$instance_info" | jq -r '.Result.networkConfig.vpcId')
current_vswitch=$(echo "$instance_info" | jq -r '.Result.networkConfig.vswitchId')

if [ "$pvl_enabled" == "true" ]; then
  # Check if current config matches user requirements
  if [ "$current_vpc" == "<VpcId>" ] && [ "$current_vswitch" == "<VswitchId>" ]; then
    echo "✅ Kibana private network already enabled with matching config, no action needed"
    exit 0
  fi
fi

# Enable Kibana private network access
aliyun elasticsearch enable-kibana-pvl-network \
  --instance-id <InstanceId> \
  --body '{ "endpointName": "<InstanceId>-kibana-endpoint", "securityGroups": ["<SecurityGroupId>"], "vSwitchIdsZone": [{"vswitchId": "<VswitchId>", "zoneId": "<ZoneId>"}], "vpcId": "<VpcId>" }' \
  --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
```

---

### Task 3: Disable Kibana PVL Network (Disable Kibana Private Network Access)

Disable Kibana private network access for an Elasticsearch instance.

**Prerequisites:** This API only supports cloud-native instances (archType=public). For basic management instances, use TriggerNetwork.

```bash
aliyun elasticsearch disable-kibana-pvl-network \
  --instance-id <InstanceId> \
  --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
```

### Task 4: Modify White IPs (Modify White IP List)

Update the access white IP list for the specified instance. Two update methods are supported (they cannot be used simultaneously):

1. IP White List Method: use `whiteIpList` + `nodeType` + `networkType`
2. IP White Group Method: use `modifyMode` + `whiteIpGroup`

**Notes:**
- Cannot update when the instance status is activating, invalid, or inactive
- Public network white list does not support private IPs; private network white list does not support public IPs
- Kibana private network white list for cloud-native instances (archType=public) cannot be modified via this API. Use the UpdateKibanaPvlNetwork API to modify security groups instead (see Task 7)

**Method 1: IP White List (Update Default Group)**

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| `whiteIpList` | Array | Yes | IP white list, will overwrite the Default group |
| `nodeType` | String | Yes | Node Type: WORKER (ES cluster) / KIBANA |
| `networkType` | String | Yes | Network Type: PUBLIC / PRIVATE |

```bash
# Modify ES public network white list (overwrite Default group)
aliyun elasticsearch modify-white-ips \
  --instance-id <InstanceId> --read-timeout 30 \
  --body '{"nodeType":"WORKER","networkType":"PUBLIC","whiteIpList":["59.0.0.0/8","120.0.0.0/8"]}' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
```

**Method 2: IP White Group (Supports Incremental/Overwrite/Delete)**

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| `modifyMode` | String | No | Modify mode: Cover (overwrite, default) / Append / Delete |
| `whiteIpGroup.groupName` | String | Yes | White IP group name |
| `whiteIpGroup.ips` | Array | Yes | IP address list |
| `whiteIpGroup.whiteIpType` | String | No | White IP type (see table below) |

**whiteIpType Values:**

| Value | Description |
|-------|-------------|
| `PRIVATE_ES` | Elasticsearch private network white list |
| `PUBLIC_ES` | Elasticsearch public network white list |
| `PRIVATE_KIBANA` | Kibana private network white list |
| `PUBLIC_KIBANA` | Kibana public network white list |

```bash
# Overwrite specified white group (Cover mode)
aliyun elasticsearch modify-white-ips \
  --instance-id <InstanceId> --read-timeout 30 \
  --body '{"modifyMode":"Cover","whiteIpGroup":{"groupName":"default","ips":["59.0.0.0/8","120.0.0.0/8"],"whiteIpType":"PUBLIC_ES"}}' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage

# Append IPs to white group (Append mode, group must exist)
aliyun elasticsearch modify-white-ips \
  --instance-id <InstanceId> --read-timeout 30 \
  --body '{"modifyMode":"Append","whiteIpGroup":{"groupName":"default","ips":["172.16.0.0/12"],"whiteIpType":"PRIVATE_ES"}}' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
```

**modifyMode Description:**

| Mode | Description |
|------|-------------|
| `Cover` | Overwrite mode (default). Empty ips deletes the group; a non-existent groupName creates a new group |
| `Append` | Append mode. Group must exist, otherwise a NotFound error is returned |
| `Delete` | Delete mode. Removes the specified IPs; at least one IP must remain |

> **IMPORTANT: modifyMode Selection Guidelines**
> - Use `Append` for incremental addition, `Cover` for full replacement, `Delete` for removal
> - **If user intent is unclear, MUST ask the user** which mode to use before executing
> - If Append fails with NotFound: inform the user and suggest Cover mode to create the group. Do NOT silently switch modes.

---
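The rules stated for Task 4 (the two mutually exclusive methods, the public/private IP restriction, and the Cover/Append/Delete semantics) can be checked before the CLI call is made. The following is an added example, not part of the skill: it validates a `modify-white-ips` request body and simulates the resulting group state. The group state passed in is constructed sample data; treating Delete on a missing group as NotFound is an assumption, since the page documents NotFound only for Append.

```python
"""Pre-flight validator for ModifyWhiteIps request bodies (Task 4).

Added example, not part of the skill. It applies the rules this page states
to a request body before the CLI runs and simulates the resulting white IP
group so the operator can review the effect. The groups passed in are
constructed sample state, not data read from a real instance."""
import ipaddress

PUBLIC_TYPES = {"PUBLIC_ES", "PUBLIC_KIBANA"}
PRIVATE_TYPES = {"PRIVATE_ES", "PRIVATE_KIBANA"}


def check_ips(ips, white_ip_type):
    """Public lists reject private ranges, private lists reject public ranges
    (page rule). Returns warnings; raises ValueError on a violation or on a
    malformed address."""
    if white_ip_type not in PUBLIC_TYPES | PRIVATE_TYPES:
        raise ValueError(f"unknown whiteIpType {white_ip_type!r}")
    warnings = []
    for ip in ips:
        net = ipaddress.ip_network(ip, strict=False)  # ValueError if malformed
        if net.prefixlen == 0:
            # Best practice on this page: use 0.0.0.0/0 with caution
            warnings.append(f"{ip} admits any source address; use with caution")
        elif white_ip_type in PUBLIC_TYPES and net.is_private:
            raise ValueError(f"{ip} is a private range, not allowed in {white_ip_type}")
        elif white_ip_type in PRIVATE_TYPES and not net.is_private:
            raise ValueError(f"{ip} is a public range, not allowed in {white_ip_type}")
    return warnings


def apply_modify_white_ips(body, groups):
    """Simulate ModifyWhiteIps. `groups` maps groupName -> list of IPs for the
    white list the body addresses. Returns (new_groups, warnings). Raises
    LookupError('NotFound') for Append (and, by assumption, Delete) on a
    missing group and ValueError for every other rule violation."""
    if "whiteIpList" in body and "whiteIpGroup" in body:
        raise ValueError("whiteIpList and whiteIpGroup cannot be used together")
    if "whiteIpList" in body:
        # Method 1: overwrite the Default group; nodeType+networkType pick the list
        cluster = "ES" if body["nodeType"] == "WORKER" else "KIBANA"
        mode, name, ips = "Cover", "default", list(body["whiteIpList"])
        white_ip_type = f"{body['networkType']}_{cluster}"
    else:
        # Method 2: whiteIpGroup with modifyMode (Cover is the default)
        group = body["whiteIpGroup"]
        mode, name, ips = body.get("modifyMode", "Cover"), group["groupName"], list(group["ips"])
        white_ip_type = group.get("whiteIpType", "PRIVATE_ES")  # default per the parameter table
    warnings = check_ips(ips, white_ip_type)
    new_groups = {k: list(v) for k, v in groups.items()}
    if mode == "Cover":
        if ips:
            new_groups[name] = ips  # a non-existent groupName creates a new group
        else:
            new_groups.pop(name, None)  # empty ips deletes the group
    elif mode == "Append":
        if name not in new_groups:
            raise LookupError(f"NotFound: group {name!r} does not exist; Cover mode would create it")
        new_groups[name] += [ip for ip in ips if ip not in new_groups[name]]
    elif mode == "Delete":
        if name not in new_groups:
            raise LookupError(f"NotFound: group {name!r} does not exist")  # assumed behaviour
        remaining = [ip for ip in new_groups[name] if ip not in ips]
        if not remaining:
            raise ValueError("Delete must leave at least one IP in the group")
        new_groups[name] = remaining
    else:
        raise ValueError(f"unknown modifyMode {mode!r}")
    return new_groups, warnings


def failure_kind(body, groups):
    """Name of the exception a request would raise, or None if it is valid."""
    try:
        apply_modify_white_ips(body, groups)
    except (LookupError, ValueError) as exc:
        return type(exc).__name__
    return None


# Constructed sample state for an ES public white list (not read from an instance)
SAMPLE_PUBLIC_ES = {"default": ["59.0.0.0/8"]}

if __name__ == "__main__":
    body = {"modifyMode": "Cover", "whiteIpGroup": {"groupName": "default",
            "ips": ["59.0.0.0/8", "120.0.0.0/8"], "whiteIpType": "PUBLIC_ES"}}
    print(apply_modify_white_ips(body, SAMPLE_PUBLIC_ES))
```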

### Task 5: Open HTTPS (Enable HTTPS)

Enable HTTPS access for an Elasticsearch instance.

**Pre-check:** Call DescribeInstance first to check `Result.protocol`. If it is already `HTTPS`, skip OpenHttps and inform the user that HTTPS is already enabled.

```bash
# Check current HTTPS status
protocol=$(aliyun elasticsearch describe-instance \
  --instance-id <InstanceId> \
  --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage | jq -r '.Result.protocol')

if [ "$protocol" == "HTTPS" ]; then
  echo "✅ HTTPS is already enabled, no action needed"
else
  # Enable HTTPS
  aliyun elasticsearch open-https \
    --instance-id <InstanceId> \
    --read-timeout 30 \
    --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
fi
```

---

### Task 6: Close HTTPS (Disable HTTPS)

Disable HTTPS access for an Elasticsearch instance.

**Pre-check:** Call DescribeInstance first to check `Result.protocol`. If it is already `HTTP`, skip CloseHttps and inform the user that HTTPS is already disabled.

```bash
# Check current HTTPS status
protocol=$(aliyun elasticsearch describe-instance \
  --instance-id <InstanceId> \
  --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage | jq -r '.Result.protocol')

if [ "$protocol" == "HTTP" ]; then
  echo "✅ HTTPS is already disabled, no action needed"
else
  # Disable HTTPS
  aliyun elasticsearch close-https \
    --instance-id <InstanceId> \
    --read-timeout 30 \
    --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
fi
```

---

### Task 7: Update Kibana PVL Network (Update Kibana Private Network Configuration)

Update the Kibana private network access configuration, primarily used for modifying security groups.

**Prerequisites:**
1. This API only supports cloud-native instances (archType=public). For basic management instances, use TriggerNetwork.
2. Kibana specification must be greater than 1 core 2GB.
3. The instance must have Kibana private network access enabled.

**Use Case:** Use this API when cloud-native instances need to modify Kibana private network access security groups (whitelist control).

**Request Parameters:**

| Parameter | Type | Location | Required | Description |
|-----------|------|----------|----------|-------------|
| `InstanceId` | String | Path | Yes | Instance ID |
| `pvlId` | String | Query | Yes | Kibana private link ID, format: `{InstanceId}-kibana-internal-internal` |
| `endpointName` | String | Body | No | Endpoint name |
| `securityGroups` | Array | Body | No | Security group ID array |

```bash
# Update Kibana private network security group
aliyun elasticsearch update-kibana-pvl-network \
  --instance-id <InstanceId> \
  --pvl-id <InstanceId>-kibana-internal-internal \
  --body '{"securityGroups": ["<NewSecurityGroupId>"]}' \
  --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
```

---

### Task 8: Update Kibana SSO (Enable/Disable Kibana Alibaba Cloud Account Authentication)

Enable or disable Kibana Alibaba Cloud account SSO authentication. When enabled, users must log in with their Alibaba Cloud account before using Kibana.

**Prerequisites:** This API only supports cloud-native instances (archType=public).

**Pre-check:** Call DescribeInstance to check `Result.enableKibanaPublicSSO` / `Result.enableKibanaPrivateSSO`. If the desired state is already achieved, skip the call.

**Parameters:** See `references/related-apis.md` for full details.

```bash
# Enable Kibana SSO for public network
aliyun elasticsearch update-kibana-sso \
  --instance-id <InstanceId> \
  --body '{"enable":true,"networkType":"PUBLIC"}' \
  --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage

# Disable Kibana SSO for private network
aliyun elasticsearch update-kibana-sso \
  --instance-id <InstanceId> \
  --body '{"enable":false,"networkType":"PRIVATE"}' \
  --read-timeout 30 \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
```

---
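Every task above follows the same pattern: call DescribeInstance, compare the current state with the desired state, and skip the mutating call when they already match. The following is an added example, not part of the skill, that centralises that decision for TriggerNetwork (Task 1), EnableKibanaPvlNetwork/DisableKibanaPvlNetwork (Tasks 2 and 3), OpenHttps/CloseHttps (Tasks 5 and 6) and UpdateKibanaSso (Task 8), including the instance-status prerequisite and the cloud-native routing rules. The DescribeInstance responses it uses are constructed sample JSON with the field names this page documents, not real API output.

```python
"""Idempotency pre-check shared by the tasks on this page (added example, not
part of the skill). plan_operation() decides, from a DescribeInstance result,
whether a mutating call should run, be skipped, wait for the instance, be
routed to the PVL APIs, or be rejected. SAMPLE_* are constructed responses."""
import json

BLOCKING_STATES = {"activating", "invalid", "inactive"}
# Task 1: (nodeType, networkType) -> status field; ES private is always on
TRIGGER_FIELD = {
    ("WORKER", "PUBLIC"): "enablePublic",
    ("KIBANA", "PUBLIC"): "enableKibanaPublicNetwork",
    ("KIBANA", "PRIVATE"): "enableKibanaPrivateNetwork",
}
# Task 8: networkType -> SSO status field
SSO_FIELD = {"PUBLIC": "enableKibanaPublicSSO", "PRIVATE": "enableKibanaPrivateSSO"}


def _flag(result, field):
    """Booleans arrive as JSON true/false, or as the strings "true"/"false"
    after `jq -r`; normalise both forms."""
    return str(result.get(field, "false")).lower() == "true"


def plan_operation(describe_json, operation, params):
    """Return (decision, reason); decision is one of 'proceed', 'skip', 'wait',
    'use_pvl_api' or 'reject'. Only 'proceed' means the CLI call should run."""
    result = json.loads(describe_json)["Result"]
    status = result.get("status")
    if status != "active":
        # Prerequisite: no network change while activating/invalid/inactive
        decision = "wait" if status in BLOCKING_STATES else "reject"
        return decision, f"instance status is {status}, not active"
    cloud_native = result.get("archType") == "public"

    if operation == "TriggerNetwork":
        key = (params["nodeType"], params["networkType"])
        if key == ("WORKER", "PRIVATE"):
            return "reject", "ES private network is always on and cannot be toggled"
        if key not in TRIGGER_FIELD:
            return "reject", f"unsupported nodeType/networkType {key}"
        if cloud_native and key == ("KIBANA", "PRIVATE"):
            return "use_pvl_api", "use EnableKibanaPvlNetwork/DisableKibanaPvlNetwork"
        field, desired = TRIGGER_FIELD[key], params["actionType"] == "OPEN"
    elif operation in ("EnableKibanaPvlNetwork", "DisableKibanaPvlNetwork"):
        if not cloud_native:
            return "reject", "PVL APIs need archType=public; use TriggerNetwork"
        field, desired = "enableKibanaPrivateNetwork", operation == "EnableKibanaPvlNetwork"
        if desired and _flag(result, field):
            # Already enabled: skip only when the existing config matches the request
            cfg = result.get("networkConfig", {})
            if cfg.get("vpcId") == params["vpcId"] and cfg.get("vswitchId") == params["vswitchId"]:
                return "skip", "Kibana private network already enabled with matching config"
            return "proceed", "Kibana private network enabled but vpcId/vswitchId differ"
    elif operation in ("OpenHttps", "CloseHttps"):
        want = "HTTPS" if operation == "OpenHttps" else "HTTP"
        if result.get("protocol") == want:
            return "skip", f"protocol is already {want}"
        return "proceed", f"protocol is {result.get('protocol')}, {operation} required"
    elif operation == "UpdateKibanaSso":
        if not cloud_native:
            return "reject", "UpdateKibanaSso needs archType=public"
        field, desired = SSO_FIELD[params["networkType"]], bool(params["enable"])
    else:
        return "reject", f"unknown operation {operation}"

    current = _flag(result, field)
    if current == desired:
        return "skip", f"{field} is already {str(current).lower()}"
    return "proceed", f"{field} is {str(current).lower()}, {operation} required"


# Constructed DescribeInstance responses (field names from this page, values invented)
SAMPLE_ACTIVE = json.dumps({"Result": {
    "status": "active", "archType": "public", "protocol": "HTTP",
    "enablePublic": False, "enableKibanaPublicNetwork": True,
    "enableKibanaPrivateNetwork": True, "enableKibanaPublicSSO": False,
    "enableKibanaPrivateSSO": True,
    "networkConfig": {"vpcId": "vpc-sample", "vswitchId": "vsw-sample"},
}})
SAMPLE_ACTIVATING = SAMPLE_ACTIVE.replace('"status": "active"', '"status": "activating"')

if __name__ == "__main__":
    for op, p in [("TriggerNetwork", {"nodeType": "KIBANA", "networkType": "PUBLIC", "actionType": "OPEN"}),
                  ("OpenHttps", {}), ("UpdateKibanaSso", {"enable": True, "networkType": "PUBLIC"})]:
        print(op, plan_operation(SAMPLE_ACTIVE, op, p))
```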

## Success Verification Method

For detailed verification steps, see `references/verification-method.md`. After each operation, check the `RequestId` in the response and call DescribeInstance to confirm the changes.

## Best Practices

1. **Cloud-native Kibana:** Private network uses EnableKibanaPvlNetwork/DisableKibanaPvlNetwork. Whitelist via UpdateKibanaPvlNetwork. SSO via UpdateKibanaSso (archType=public only).
2. **Security:** Use 0.0.0.0/0 with caution. Enable HTTPS in production.
3. **Reliability:** Use clientToken for idempotency. Retry on `InstanceStatusNotSupportCurrentAction` / `ConcurrencyUpdateInstanceConflict` (wait 30-60s). Check the current state before changes and skip if the desired state is already achieved.

## Reference Links

| Reference | Description |
|-----------|-------------|
| `references/related-apis.md` | API and CLI command reference table |
| `references/ram-policies.md` | RAM permission policies |
| `references/cli-installation-guide.md` | CLI installation guide |
| `references/verification-method.md` | Verification methods |
| `references/acceptance-criteria.md` | Acceptance criteria |