API bind host to allow connection from icinga2 Master alone


A newbie require your help to configuring icinga2 securely.
Having bit of a trouble with binding the host to master icinga2 server(For security reasons).
Consider aa.aaa.aaa.aa is the IP address of Master icinga2 server and
bb.bbb.bbb.bb is the node endpoint to monitor.

In node server, I want to allow connections only from Master icinga2 server, i.e., from IP aa.aaa.aaa.aa only. (Similar to allowed_hosts option in NRPE)

So in node wizard configuration in node service, I defined the API bind host to Master icinga server IP address.

  1. Getting - critical/ApiListener: Cannot add listener on host ‘’ for port ‘5665’ Error.
  2. When I define instead, All checks are passing. Shouldn’t my connection from Master server fail, Since the port is opened locally only?

Does API bind host is meant for someother purpose that I am missing?
Master and node icinga versions: r2.13.3-1
OS: Ubuntu 20.04

Bind host is the local address the service should listen on. I recommend agents connect to the master (or a satellite) so there is no load on the master for trying to connect to agents which are down. In this case you can bind Icinga 2 to the localhost and only master and satellite are exposing the API.

1 Like