How can I access Kibana from outside of a VPC using Amazon Cognito authentication?

Last updated: 2019-07-12

My Amazon Elasticsearch Service cluster is in a virtual private cloud (VPC). How can I access the Kibana endpoint from outside the VPC using Amazon Cognito authentication?

Resolution

Use one of the following methods to access Kibana from outside of a VPC with Amazon Cognito authentication:

Use an SSH tunnel

For more information, see How can I use an SSH tunnel to access Kibana from outside of a VPC with Amazon Cognito authentication?

  • Advantages: Provides a secure connection over the SSH protocol. All connections use the SSH port.
  • Disadvantages: Requires client-side configuration and a proxy server.

Use an NGINX proxy

For more information, see How can I use an NGINX proxy to access Kibana from outside of a VPC with Amazon Cognito authentication?

  • Advantages: Setup is easier, because only server-side configuration is required. Uses standard HTTP (port 80) and HTTPS (port 443).
  • Disadvantages: Requires a proxy server. The security level of the connection depends on how the proxy server is configured.

Use Client VPN

For more information, see Getting Started with Client VPN.

  • Advantages: No additional server required. Uses standard TCP and UDP for TLS VPN.
  • Disadvantages: Requires Client VPN setup and client-side configuration.

Note: To allow or restrict access to resources, you must modify the VPC network configuration and the security groups associated with the Elasticsearch domain. For more information, see Testing VPC Domains.
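One way to check the security group side of this note, as an added example that is not part of the original article or AWS's own code: the function below reviews the ingress rules of the security group attached to the Elasticsearch domain and reports any rule that admits more than the proxy server's security group or the Client VPN client range. It assumes Kibana is reached over HTTPS on port 443; the rule list, the group ID `sg-proxy-example`, and the CIDR `10.0.8.0/22` are constructed sample values.

```python
import ipaddress

# Constructed sample, shaped like the "IpPermissions" list that EC2
# DescribeSecurityGroups returns for the domain's security group.
SAMPLE_DOMAIN_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-proxy-example"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "10.0.8.0/22"}], "UserIdGroupPairs": []},
]

def covers_https(rule):
    """True if the rule admits TCP 443 (assumed here to be the Kibana port)."""
    if rule["IpProtocol"] == "-1":  # "-1" means all protocols and ports
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= 443 <= rule["ToPort"]

def audit_domain_ingress(rules, allowed_groups, allowed_cidrs):
    """Return (rule index, problem, detail) for ingress that is broader than
    the proxy security group or VPN client CIDR the chosen method needs."""
    allowed_nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for idx, rule in enumerate(rules):
        if not covers_https(rule):
            continue
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in allowed_groups:
                findings.append((idx, "unexpected source group", pair["GroupId"]))
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if not any(net.version == a.version and net.subnet_of(a)
                       for a in allowed_nets):
                findings.append((idx, "unexpected source CIDR", cidr))
        if rule["IpProtocol"] == "-1" or (rule["FromPort"], rule["ToPort"]) != (443, 443):
            ports = f"{rule.get('FromPort', 'all')}-{rule.get('ToPort', 'all')}"
            findings.append((idx, "port range wider than 443", ports))
    return findings

if __name__ == "__main__":
    for finding in audit_domain_ingress(
            SAMPLE_DOMAIN_SG_RULES, {"sg-proxy-example"}, ["10.0.8.0/22"]):
        print(finding)
```

With the SSH tunnel or NGINX methods, pass the proxy server's security group as the allowed group; with Client VPN, pass the range that VPN clients connect from.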