Bastionhost: Limits

Last Updated: Jan 29, 2026

This topic describes important limits and considerations when using Bastionhost.

Use the domain name assigned by Bastionhost for O&M

To ensure continuous O&M, Bastionhost provides a fixed public or private domain name for connections. Use the domain name assigned by Bastionhost for O&M connections to prevent failures caused by IP address changes.

Concurrency limits

  • When you initiate multiple TCP connections within a single session, each connection consumes one concurrency slot. The Bastionhost service runs stably only when it operates within its concurrency limit. Exceeding this limit may cause service interruptions. To view the concurrency quota for your Bastionhost instance, see Billing methods.

  • To ensure system stability, Bastionhost includes an overload protection mechanism. If high-consumption scenarios cause a system overload, Bastionhost rejects new session connections or terminates some online sessions. If this occurs, join the DingTalk group (ID: 33797269) and contact a product technical expert for help.

    Important

    For example, scenarios that can cause high service loads include using a remote desktop for complex graphics operations across multiple sessions, watching videos in a remote desktop browser, or performing table export operations during SQL Server database O&M. These scenarios may trigger the Bastionhost overload protection mechanism.

    The following examples show scenarios that may trigger the overload protection mechanism for a Basic Edition instance with 50 assets:

    • If you use Bastionhost to perform O&M on a Windows server over a private network with a screen resolution of 1080p, running 20 concurrent Remote Desktop Protocol (RDP) sessions while an animated GIF changes images every 5 seconds for 30 minutes may trigger the overload protection mechanism.

    • If you use Bastionhost to perform O&M on a Linux server over a private network and send one command every 5 seconds for 30 minutes, running 50 concurrent Secure Shell (SSH) sessions may trigger the overload protection mechanism.

    • If you use Bastionhost to connect to a database server and run simple query statements, running 50 concurrent database sessions may trigger the overload protection mechanism if each session contains more than 10 connections.

O&M client tool and version limits

Many client tools and versions can be used to remotely connect to Bastionhost. However, actual O&M scenarios are complex. To prevent connection failures or system instability, you must use a compatible remote connection client tool for O&M. For a list of compatible client tools and versions, see Client remote connection tools and versions.

Warning

To ensure the stability and security of the Bastionhost system, you must use the client tools recommended in Client Remote Connection Tools and Version Guide. This helps prevent connection failures or system instability. Using non-recommended client tools to connect to Bastionhost is not covered by the Service-Level Agreement (SLA).

For example, when you use client tools such as iShell, Dartshell, or FinalShell to connect to Bastionhost, many exec sessions are created in a short time. This consumes excessive system resources and affects normal sessions and features.

RAM user two-factor authentication

Currently, the only supported two-factor authentication method for RAM users is Multi-Factor Authentication (MFA).

    Note

    To set up two-factor authentication for a RAM user, log on to the RAM console and enable MFA for the RAM user. For more information, see Bind an MFA device to an Alibaba Cloud account.

    For non-RAM users, such as local users and AD/LDAP users, two-factor authentication is supported by sending a dynamic verification code. The code can be sent through a text message, email, DingTalk work message, or an OTP token.

Bastionhost username character length limit

Due to client limitations, the Bastionhost username cannot exceed 63 characters for O&M over RDP. If a username exceeds 63 characters, you can log on to the server only through web-based O&M. For more information, see Web-based O&M.

O&M address notification text message limits

Due to carrier restrictions, text messages that contain the Bastionhost O&M address may be blocked if they are sent from the Alibaba Cloud International website to mobile phone numbers in the Chinese mainland (+86). If this occurs, use email authentication instead.

Other features that send text messages, such as two-factor authentication and message notifications, are not affected.

SSH O&M audit support for Linux asset Shell environments

Supported Shell environments include standard bash, zsh, ksh, and dash. If an asset uses a different Shell environment, O&M operations and command retrieval for auditing may be incompatible.
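
The following check is an added example, not part of the Bastionhost documentation or tooling. It reads passwd-format account data from a Linux asset and flags interactive accounts whose login shell is outside the supported list above. The function names and the sample data are constructed for illustration, and treating /bin/sh as "CHECK" is an assumption made here because the list does not mention sh.

```shell
#!/bin/sh
# Added example: flag accounts whose login shell is outside the list this page
# gives as supported for SSH command auditing (bash, zsh, ksh, dash).

# Constructed sample in /etc/passwd format (not from a real host).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
deploy:x:1001:1001::/home/deploy:/usr/bin/zsh
dba:x:1002:1002::/home/dba:/usr/bin/fish
legacy:x:1003:1003::/home/legacy:/bin/tcsh
batch:x:1004:1004::/home/batch:/bin/sh
ops:x:1005:1005::/home/ops:
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/false
EOF
}

# Reads passwd-format lines on stdin, prints "user shell STATUS" per account.
#   OK     - shell is on the supported list
#   CHECK  - /bin/sh or an empty field (empty means /bin/sh); the real shell
#            depends on what sh points to on that host (assumption: verify it)
#   REVIEW - any other interactive shell; command auditing may be incompatible
# Accounts that cannot log in interactively (nologin, false) are skipped.
classify_shells() {
  awk -F: '
    /^#/ || /^$/ { next }                  # skip comments and blank lines
    NF < 7 { next }                        # skip malformed entries
    {
      shell = $7
      if (shell == "") shell = "/bin/sh"   # passwd(5): empty field means /bin/sh
      n = split(shell, parts, "/")
      base = parts[n]
      if (base == "nologin" || base == "false") next
      if (base ~ /^(bash|zsh|ksh|dash)$/) status = "OK"
      else if (base == "sh") status = "CHECK"
      else status = "REVIEW"
      print $1, shell, status
    }'
}

sample_passwd | classify_shells
```

On a real asset, feed the function from `getent passwd` so that directory-backed accounts are included along with local ones.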