A skill for managing Alibaba Cloud Elasticsearch instance network configurations, including network triggering, Kibana PVL network, white IP list, HTTPS settings, and Kibana SSO authentication.
Architecture
text
Alibaba Cloud Account → Elasticsearch Service → ES Instance(s) → Network Configuration
├── Public Network Access
├── Kibana PVL Network
├── White IP List
├── HTTPS Settings
└── Kibana SSO Authentication
Installation
Pre-check: Aliyun CLI >= 3.3.3 required
Run aliyun version to verify >= 3.3.3. If not installed or version too low,
run curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash to update,
or see references/cli-installation-guide.md for installation instructions.
[MUST] AI-Mode Configuration
Before executing any CLI commands, enable AI-Mode and set User-Agent. After the workflow completes, disable AI-Mode.
aliyun configure set --auto-plugin-install true
aliyun plugin update
[MUST] CLI Installation (if not already installed or version < 3.3.3):
bash
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash
aliyun version
Environment Variables
Variable
Required
Description
ALIBABA_CLOUD_ACCESS_KEY_ID
Yes
Alibaba Cloud AccessKey ID
ALIBABA_CLOUD_ACCESS_KEY_SECRET
Yes
Alibaba Cloud AccessKey Secret
ALIBABA_CLOUD_REGION_ID
No
Default Region ID (e.g., cn-hangzhou)
CLI User-Agent Requirement
[MUST] CLI User-Agent — The user-agent is set globally via aliyun configure ai-mode set-user-agent during installation.
As a fallback, every aliyun CLI command invocation must also include:
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
Parameter Confirmation
IMPORTANT: Parameter Confirmation — Before executing any command or API call,
ALL user-customizable parameters (e.g., RegionId, instance names, white IPs,
VPC IDs, security groups, etc.) MUST be confirmed with the user.
Do NOT assume or use default values without explicit user approval.
Parameter Name
Required/Optional
Description
Default Value
InstanceId
Required (for all operations)
Elasticsearch Instance ID
-
RegionId
Optional
Region ID
cn-hangzhou
nodeType
Required (TriggerNetwork)
Instance Type: KIBANA/WORKER
-
networkType
Required (TriggerNetwork)
Network Type: PUBLIC/PRIVATE
-
actionType
Required (TriggerNetwork)
Action Type: OPEN/CLOSE
-
resourceGroupId
Optional
Resource Group ID
-
whiteIpGroup
Required (ModifyWhiteIps)
White IP Group Configuration
-
whiteIpType
Optional (ModifyWhiteIps)
White IP Type: PRIVATE_ES/PUBLIC_KIBANA
PRIVATE_ES
Authentication
Pre-check: Alibaba Cloud Credentials Required
Security Rules:
NEVER read, echo, or print AK/SK values
NEVER ask user to input AK/SK in conversation or command line
ONLY use aliyun configure list to check credential status
bash
aliyun configure list
If no valid credentials, guide user to run aliyun configure in terminal (never accept plaintext AK/SK in chat).
Credential portal: Alibaba Cloud RAM Console
RAM Policy
RAM permissions required for Elasticsearch instance network configuration operations. See references/ram-policies.md for details.
Core Workflow
Prerequisite: Instance Status Check
Before executing any network configuration operation, verify that the instance status is active.
Network configuration changes cannot be executed when instance status is activating, invalid, or inactive.
bash
# Check instance status with retry logic
max_retries=10
retry_count=0
while [ $retry_count -lt $max_retries ]; do
status=$(aliyun elasticsearch describe-instance \
--instance-id <InstanceId> \
--read-timeout 30 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage | jq -r '.Result.status')
if [ "$status" == "active" ]; then
echo "✅ Instance status is active, proceeding..."
break
else
echo "⚠️ Instance status is $status, waiting 30s before retry..."
sleep 30
retry_count=$((retry_count + 1))
fi
done
if [ $retry_count -eq $max_retries ]; then
echo "❌ Instance did not become active after $max_retries retries, aborting"
exit 1
fi
Enable or disable public or private network access for Elasticsearch or Kibana clusters.
Scope: Supports all network types on basic management instances. On cloud-native instances, supports cluster public/private network and Kibana public network. For Kibana private network on cloud-native instances, use EnableKibanaPvlNetwork / DisableKibanaPvlNetwork instead.
Enable Kibana private network access (PrivateLink) for an Elasticsearch instance.
Prerequisites: Only supports cloud-native instances (archType=public), Kibana spec must be > 1 core 2GB. For basic management instances, use TriggerNetwork.
Pre-check: Call DescribeInstance first to check Result.enableKibanaPrivateNetwork. If already enabled, compare current config (vpcId, vswitchId, securityGroups) with user requirements. If they match, skip and inform user config is already correct.
bash
# Check current Kibana PVL status and config
instance_info=$(aliyun elasticsearch describe-instance \
--instance-id <InstanceId> \
--read-timeout 30 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage)
pvl_enabled=$(echo "$instance_info" | jq -r '.Result.enableKibanaPrivateNetwork')
current_vpc=$(echo "$instance_info" | jq -r '.Result.networkConfig.vpcId')
current_vswitch=$(echo "$instance_info" | jq -r '.Result.networkConfig.vswitchId')
if [ "$pvl_enabled" == "true" ]; then
# Check if current config matches user requirements
if [ "$current_vpc" == "<VpcId>" ] && [ "$current_vswitch" == "<VswitchId>" ]; then
echo "✅ Kibana private network already enabled with matching config, no action needed"
exit 0
fi
fi
# Enable Kibana private network access
aliyun elasticsearch enable-kibana-pvl-network \
--instance-id <InstanceId> \
--body '{
"endpointName": "<InstanceId>-kibana-endpoint",
"securityGroups": ["<SecurityGroupId>"],
"vSwitchIdsZone": [{"vswitchId": "<VswitchId>", "zoneId": "<ZoneId>"}],
"vpcId": "<VpcId>"
}' \
--read-timeout 30 \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
Update the access white IP list for the specified instance. Two update methods are supported (cannot be used simultaneously):
IP White List Method: Use whiteIpList + nodeType + networkType
IP White Group Method: Use modifyMode + whiteIpGroup
Notes:
Cannot update when instance status is activating, invalid, or inactive
Public network white list does not support private IPs; private network white list does not support public IPs
Kibana private network white list for cloud-native instances (archType=public) cannot be modified via this API. Use UpdateKibanaPvlNetwork API to modify security groups instead (see Task 7)
Method 1: IP White List (Update Default Group)
Parameter
Type
Required
Description
whiteIpList
Array
Yes
IP white list, will overwrite Default group
nodeType
String
Yes
Node Type: WORKER (ES cluster) / KIBANA
networkType
String
Yes
Network Type: PUBLIC / PRIVATE
bash
# Modify ES public network white list (overwrite Default group)
aliyun elasticsearch modify-white-ips \
--instance-id <InstanceId> --read-timeout 30 \
--body '{"nodeType":"WORKER","networkType":"PUBLIC","whiteIpList":["59.0.0.0/8","120.0.0.0/8"]}' \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-elasticsearch-network-manage
Method 2: IP White Group (Supports Incremental/Overwrite/Delete)
Enable or disable Kibana Alibaba Cloud account SSO authentication. When enabled, users must log in with their Alibaba Cloud account before using Kibana.
Prerequisites: This API only supports cloud-native instances (archType=public).
Pre-check: Call DescribeInstance to check Result.enableKibanaPublicSSO / Result.enableKibanaPrivateSSO. If desired state already achieved, skip the call.
For detailed verification steps, see references/verification-method.md. After each operation, check RequestId in response and call DescribeInstance to confirm changes.
Best Practices
Cloud-native Kibana: Private network uses EnableKibanaPvlNetwork/DisableKibanaPvlNetwork. Whitelist via UpdateKibanaPvlNetwork. SSO via UpdateKibanaSso (archType=public only).
Security: Use 0.0.0.0/0 with caution. Enable HTTPS in production.
Reliability: Use clientToken for idempotency. Retry on InstanceStatusNotSupportCurrentAction/ConcurrencyUpdateInstanceConflict (wait 30-60s). Check current state before changes, skip if desired state already achieved.