This topic describes the limits that you must take note of before you use Bastionhost.
Perform O&M operations by using the O&M addresses provided by a bastion host
To ensure continuous O&M, Bastionhost allows you to connect to bastion hosts by using fixed public or private O&M addresses. If you use IP addresses to connect to bastion hosts, the connection can fail due to IP address changes. To avoid this issue, we recommend that you use the O&M addresses of bastion hosts to perform O&M operations.
Limits on concurrent sessions
If a session contains multiple TCP connections, each TCP connection consumes a concurrent session quota. A bastion host can run stably only if the number of concurrent sessions stays below the upper limit. If the number of concurrent sessions reaches the upper limit, service interruption may occur. For information about the maximum number of concurrent sessions supported by a bastion host, see Billing.
To ensure system stability, Bastionhost adopts the overload protection mechanism. If the system is overloaded due to high resource consumption, Bastionhost blocks new sessions or interrupts some active sessions. In this case, join the DingTalk group 33797269 for technical support.
Important: For example, the system may be overloaded if you perform the following operations: establish multiple sessions to perform complex GUI-based operations or watch videos from a remote desktop tool, or import and export tables when you perform O&M operations on SQL Server databases. This triggers overload protection for your bastion host.
Assume that you purchase a Basic Edition bastion host that can manage 50 assets. The following examples show the scenarios where overload protection may be triggered for the bastion host.
While you use the bastion host to perform O&M operations on a Windows server whose screen resolution is 1080 pixels over the internal network, a GIF image is opened on the server and changes a frame every 5 seconds for 30 minutes. In this scenario, overload protection may be triggered for the bastion host if the number of concurrent Remote Desktop Protocol (RDP)-based O&M sessions reaches 20.
While you use the bastion host to perform O&M operations on a Linux server over the internal network, a command is executed every 5 seconds for 30 minutes. In this scenario, overload protection may be triggered for the bastion host if the number of concurrent SSH-based O&M sessions reaches 50.
While you use the bastion host to perform O&M operations on a database server, simple query statements are executed. Each O&M session contains more than 10 connections. In this scenario, overload protection may be triggered for the bastion host if the number of concurrent database O&M sessions reaches 50.
Limits on O&M clients and versions
Actual O&M scenarios are complex and involve a large number of O&M clients and versions. We recommend that you use the O&M clients and versions that are supported by Bastionhost to prevent connection failures or system instability. For more information, see Database O&M tools and versions.
Limits on accessing the O&M portal over an internal network
Bastionhost local users, Active Directory (AD)-authenticated users, and Lightweight Directory Access Protocol (LDAP)-authenticated users cannot access the O&M portal over an internal network to perform O&M operations on web pages, apply for O&M tokens, or change passwords.
You can log on to a bastion host or server over an internal network. For more information, see Best practices for secure O&M over an internal network.
If you use a Resource Access Management (RAM) user, you can click Manage in the Bastionhost console to log on to the console of a specific bastion host. Then, you can perform web-based O&M and apply for O&M tokens. For more information, see Web-based O&M.
Two-factor authentication for RAM users
Multi-factor authentication (MFA) that is configured in the RAM console is the only two-factor authentication method supported for RAM users.
To configure MFA for a RAM user, log on to the RAM console. For more information, see Bind an MFA device to an Alibaba Cloud account.
For other users, such as local users, AD-authenticated users, and LDAP-authenticated users, two-factor authentication can be implemented by using text messages, emails, DingTalk notifications, and mobile OTP tokens.
Limits on the length of Bastionhost usernames
Due to the limits of clients, a Bastionhost username cannot exceed 63 characters in length during RDP-based O&M. If a username exceeds 63 characters in length, you can perform only web-based O&M on a server. For more information, see Web-based O&M.
Limits on text messages that contain O&M addresses
If text messages that contain O&M addresses are sent to mobile phone numbers in the Chinese mainland by bastion hosts on the international site (alibabacloud.com), the text messages may be blocked due to the limits of Internet service providers (ISPs). The mobile phone numbers in the Chinese mainland are prefixed with 86. In this case, we recommend that you use emails.
Text messages that are sent for two-factor authentication or notifications are not affected.
SSH-based O&M audit in shell environments on Linux assets
Standard bash, standard zsh, standard ksh, and standard dash environments are supported. If your Linux asset does not use the preceding shell environments, O&M and audit commands may fail to be extracted as expected.
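The following script is an added example (not part of the Bastionhost documentation) that lists local accounts on a Linux asset whose login shell is not one of the four shells named above, so that accounts whose commands would not be audited can be found before the asset is onboarded. It assumes a shell is "standard" when the basename of its login shell is bash, zsh, ksh, or dash, and it skips nologin and false because those accounts cannot open an SSH session.

```shell
#!/bin/sh
# Added example, not Bastionhost's own code. Reports accounts whose login shell is
# outside the set the page says SSH command auditing supports (bash, zsh, ksh, dash).
# Assumption: the shell's basename decides; nologin/false accounts are skipped.

# Print "user:shell" for each passwd line with an unsupported login shell.
# $1 = path to a passwd-format file (defaults to /etc/passwd).
unsupported_shells() {
    passwd_file="${1:-/etc/passwd}"
    awk -F: '
        {
            n = split($7, parts, "/")
            base = parts[n]
            # Empty shell, nologin and false cannot open an SSH session: ignore.
            if (base == "" || base == "nologin" || base == "false") next
            if (base != "bash" && base != "zsh" && base != "ksh" && base != "dash")
                print $1 ":" $7
        }' "$passwd_file"
}

# Constructed sample passwd file so the check runs offline.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ops:x:1001:1001::/home/ops:/usr/bin/zsh
legacy:x:1002:1002::/home/legacy:/bin/tcsh
fishy:x:1003:1003::/home/fishy:/usr/bin/fish
svc:x:1004:1004::/nonexistent:/usr/sbin/nologin
EOF

# Expected: legacy and fishy are reported; root, ops and svc are not.
unsupported_shells "$SAMPLE_PASSWD"
rm -f "$SAMPLE_PASSWD"
```

Run it without an argument on the asset itself to check the real /etc/passwd; a /bin/sh entry is reported too, because whether it is dash or another shell depends on the distribution and should be confirmed by hand.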