NAT Gateway is a common network service. In practice, users often deploy NAT Gateway to protect assets and then use a bastion host to manage the O&M operations that are performed on those assets. This topic describes how to use a bastion host to perform secure O&M operations on assets that are protected by NAT Gateway.
Background information
To shield assets from attacks on public IP addresses, or to work around a shortage of public IP addresses, users may deploy NAT Gateway so that address translation hides and protects the assets. Bastionhost provides solutions to manage and audit O&M operations on assets that are protected by NAT Gateway.
Solutions
Bastionhost provides the following solutions:
Solution 1: Network domain mode
Bastionhost Enterprise Edition supports the network domain feature. The administrator of a bastion host can map the elastic IP address (EIP) of an Internet NAT gateway to a proxy server and add the proxy server to the bastion host. Then, the administrator can import assets that are protected by the NAT gateway to the bastion host and use the bastion host to manage and audit the O&M operations on these assets.
Solution 2: Direct connection mode
You can add multiple assets that share the same IP address to a bastion host and assign each asset a different port to tell them apart. When you add an asset that is protected by a NAT gateway, you set the endpoint of the asset to the EIP of the NAT gateway plus the port that the DNAT entry maps to that asset, and specify remarks for the asset. This way, you can distinguish the assets and use the bastion host to manage and audit O&M operations on them.
Unlike the direct connection mode, the network domain mode allows you to import an asset by using its actual IP address after you configure the network domain feature. This simplifies asset management and O&M.
Network domain mode
Prerequisites
An Internet NAT gateway is created and is associated with an EIP. For more information, see Create and manage an Internet NAT gateway.
A DNAT entry is created for the Internet NAT gateway. For more information, see Create and manage DNAT entries.
The DNAT entry maps the EIP of the Internet NAT gateway to the server to be used as the proxy server.
A bastion host of the Enterprise Edition is purchased, or your bastion host is upgraded to the Enterprise Edition. For more information, see Purchase a bastion host and Upgrade a bastion host.
Procedure
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
Add assets to the bastion host. For more information, see Add hosts.
Configure the network domain feature.
In the left-side navigation pane, choose Assets > Network Domain.
On the Network Domain page, click Create Network Domain.
In the Create Network Domain panel, set Connection Method to Proxy.
Click Create Proxy Server in the Primary Proxy Server section. In the dialog box that appears, configure the following parameters.
Proxy Type: Select the type of the proxy. We recommend that you select SSH Proxy.
Server Address: Enter the IP address of the proxy server.
Server Port: Enter the port of the proxy server.
Host Account: Enter the username of the account for the proxy server.
Password: Enter the password of the account for the proxy server.
Add the asset to the network domain.
On the Network Domain page, find the network domain to which you want to add the assets. In the Actions column, click Add Host.
In the Add Host dialog box, select the assets that you want to add to the network domain and click Add.
In the message that appears, click Add.
After the configuration is complete, you can use the bastion host to perform O&M operations on the assets. For more information, see O&M overview.
Direct connection mode
Prerequisites
The DNAT feature of an Internet NAT gateway is used to provide Internet-facing services. For more information, see Configure DNAT on an Internet NAT gateway for an ECS instance.
Procedure
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose Assets > Host.
On the Host page, choose Import Other Hosts > Create Host.
In the Create Host panel, configure the following parameters and click Create.
Operating System: Select Linux.
Host IP Address: Enter the EIP that is associated with the Internet NAT gateway.
Remarks: Enter the remarks of the asset for subsequent identification.
On the Hosts page, find the host that you created and click the hostname.
On the Service Port tab, enter the port that is mapped by the DNAT feature of the Internet NAT gateway and click Update.
After the configuration is complete, you can use the bastion host to perform O&M operations on the assets. For more information, see O&M overview.
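In the direct connection mode, every asset entry on the bastion host is an EIP plus a port, and the DNAT table decides which private host that endpoint actually reaches. If a port is entered twice or a DNAT entry is missing, O&M sessions and audit records end up attached to the wrong asset or fail to connect. The following added example (not Bastionhost or NAT Gateway code; all addresses and remarks are constructed) reconciles a list of bastion host asset entries against a DNAT table and reports such mismatches.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DnatEntry:
    eip: str            # public EIP of the Internet NAT gateway
    external_port: int  # port exposed on the EIP
    private_ip: str     # private IP of the backend asset
    internal_port: int  # service port on the backend asset

@dataclass(frozen=True)
class BastionAsset:
    host_ip: str       # value entered as Host IP Address (the EIP)
    service_port: int  # value set on the Service Port tab
    remarks: str       # value entered as Remarks

# Constructed sample DNAT table (hypothetical addresses).
DNAT_TABLE = [
    DnatEntry("203.0.113.10", 2201, "192.168.1.11", 22),
    DnatEntry("203.0.113.10", 2202, "192.168.1.12", 22),
]

# Constructed sample of assets added to the bastion host.
ASSETS = [
    BastionAsset("203.0.113.10", 2201, "web-01"),
    BastionAsset("203.0.113.10", 2202, "web-02"),
    BastionAsset("203.0.113.10", 2203, "db-01"),       # no DNAT entry
    BastionAsset("203.0.113.10", 2201, "web-01-dup"),  # duplicate endpoint
]

def resolve(asset, dnat):
    """Return the (private_ip, internal_port) the asset endpoint lands on, or None."""
    for e in dnat:
        if e.eip == asset.host_ip and e.external_port == asset.service_port:
            return (e.private_ip, e.internal_port)
    return None

def reconcile(assets, dnat):
    """Return (remarks, problem) pairs; an empty list means every asset maps cleanly."""
    problems = []
    seen = {}  # (EIP, port) -> remarks of the first asset that claimed it
    for a in assets:
        endpoint = (a.host_ip, a.service_port)
        if endpoint in seen:
            problems.append((a.remarks, f"same endpoint as '{seen[endpoint]}'"))
            continue
        seen[endpoint] = a.remarks
        if resolve(a, dnat) is None:
            problems.append((a.remarks, "no DNAT entry for this EIP and port"))
    return problems

if __name__ == "__main__":
    for remarks, problem in reconcile(ASSETS, DNAT_TABLE):
        print(f"{remarks}: {problem}")
```

Run the check after changing DNAT entries or adding hosts, so that the remarks shown in the bastion host's audit records keep matching the private host each port really reaches.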