Split docs on IP whitelist for monitoring accessdocs/update-health-check

3 files changed, 52 insertions, 34 deletions

diff --git a/doc/administration/monitoring/ip_whitelist.md b/doc/administration/monitoring/ip_whitelist.md
new file mode 100644
index 00000000000..ad2773de132
--- /dev/null
+++ b/doc/administration/monitoring/ip_whitelist.md
@@ -0,0 +1,39 @@
+# IP whitelist
+
+> Introduced in GitLab 9.4.
+
+GitLab provides some [monitoring endpoints] that provide health check information
+when probed.
+
+To control access to those endpoints via IP whitelisting, you can add single
+hosts or use IP ranges:
+
+**For Omnibus installations**
+
+1. Open `/etc/gitlab/gitlab.rb` and add or uncomment the following:
+
+    ```ruby
+    gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '192.168.0.1']
+    ```
+
+1. Save the file and [reconfigure] GitLab for the changes to take effect.
+
+---
+
+**For installations from source**
+
+1. Edit `config/gitlab.yml`:
+
+    ```yaml
+    monitoring:
+      # by default only local IPs are allowed to access monitoring resources
+      ip_whitelist:
+        - 127.0.0.0/8
+        - 192.168.0.1
+    ```
+
+1. Save the file and [restart] GitLab for the changes to take effect.
+
+[reconfigure]: ../restart_gitlab.md#omnibus-gitlab-reconfigure
+[restart]: ../restart_gitlab.md#installations-from-source
+[monitoring endpoints]: ../../user/admin_area/monitoring/health_check.md
diff --git a/doc/administration/monitoring/prometheus/gitlab_metrics.md b/doc/administration/monitoring/prometheus/gitlab_metrics.md
index edb2dff3e48..7c5505de8a2 100644
--- a/doc/administration/monitoring/prometheus/gitlab_metrics.md
+++ b/doc/administration/monitoring/prometheus/gitlab_metrics.md
@@ -1,10 +1,8 @@
 # GitLab Prometheus metrics
 
 >**Note:**
-Available since [Omnibus GitLab 9.3][29118]. Currently experimental. For installations from source
-you'll have to configure it yourself.
-
-GitLab monitors its own internal service metrics, and makes them available at the `/-/metrics` endpoint. Unlike other [Prometheus] exporters, this endpoint requires authentication as it is available on the same URL and port as user traffic.
+Available since [Omnibus GitLab 9.3][29118]. Currently experimental. For
+installations from source you'll have to configure it yourself.
 
 To enable the GitLab Prometheus metrics:
 
@@ -15,9 +13,14 @@ To enable the GitLab Prometheus metrics:
 
 ## Collecting the metrics
 
-Since the metrics endpoint is available on the same host and port as other traffic, it requires authentication. The token and URL to access is displayed on the [Health Check][health-check] page.
+GitLab monitors its own internal service metrics, and makes them available at the
+`/-/metrics` endpoint. Unlike other [Prometheus] exporters, in order to access
+it, the client IP needs to be [included in a whitelist][whitelist].
 
-Currently the embedded Prometheus server is not automatically configured to collect metrics from this endpoint. We recommend setting up another Prometheus server, because the embedded server configuration is overwritten one every reconfigure of GitLab. In the future this will not be required.
+Currently the embedded Prometheus server is not automatically configured to
+collect metrics from this endpoint. We recommend setting up another Prometheus
+server, because the embedded server configuration is overwritten once every
+[reconfigure of GitLab][reconfigure]. In the future this will not be required.
 
 ## Metrics available
 
@@ -47,4 +50,5 @@ In this experimental phase, only a few metrics are available:
 [29118]: https://gitlab.com/gitlab-org/gitlab-ce/issues/29118
 [Prometheus]: https://prometheus.io
 [restart]: ../../restart_gitlab.md#omnibus-gitlab-restart
-[health-check]: ../../../user/admin_area/monitoring/health_check.md
+[whitelist]: ../ip_whitelist.md
+[reconfigure]: ../../restart_gitlab.md#omnibus-gitlab-reconfigure
diff --git a/doc/user/admin_area/monitoring/health_check.md b/doc/user/admin_area/monitoring/health_check.md
index ffc6f98a110..70934f9960a 100644
--- a/doc/user/admin_area/monitoring/health_check.md
+++ b/doc/user/admin_area/monitoring/health_check.md
@@ -17,34 +17,8 @@ traffic until the system is ready or restart the container as needed.
 ## IP whitelist
 
 To access monitoring resources, the client IP needs to be included in a whitelist.
-You can add single hosts or use IP ranges.
 
-**For Omnibus installations**
-
-1. Open `/etc/gitlab/gitlab.rb` and add or uncomment the following:
-
-    ```ruby
-    gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8']
-    ```
-
-1. Save the file and [reconfigure] GitLab for the changes to take effect.
-
----
-
-**For installations from source**
-
-1. Edit `config/gitlab.yml`:
-
-    ```yaml
-    monitoring:
-      ip_whitelist:
-        - 127.0.0.0/8 # by default only local IPs are allowed to access monitoring resources
-    ```
-
-1. Save the file and [restart] GitLab for the changes to take effect.
-
-[reconfigure]: ../../../administration/gitlab_restart.md#omnibus-gitlab-reconfigure
-[restart]: ../../../administration/gitlab_restart.md#installations-from-source
+[Read how to add IPs to a whitelist for the monitoring endpoints.][admin].
 
 ## Using the endpoint
 
@@ -137,3 +111,4 @@ https://gitlab.example.com/-/readiness?token=ACCESS_TOKEN
 [nagios-health]: https://nagios-plugins.org/doc/man/check_http.html
 [newrelic-health]: https://docs.newrelic.com/docs/alerts/alert-policies/downtime-alerts/availability-monitoring
 [kubernetes]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+[admin]: ../../../administration/monitoring/ip_whitelist.md