
Bastionhost:Best practices for using a bastion host to perform O&M operations on NAT gateway-protected assets

Last Updated:Jul 01, 2024

NAT Gateway is a common network service. In practice, users may place assets behind NAT Gateway and then use a bastion host to manage the O&M operations that are performed on those assets. This topic describes how to use a bastion host to perform secure O&M operations on assets that are protected by NAT Gateway.

Background information

To shield assets from attacks against their public IP addresses, or to work around a shortage of public IP addresses, users may deploy NAT Gateway so that address translation hides and protects the assets. Bastionhost provides solutions to manage and audit O&M operations on assets that are protected by NAT Gateway.

Solutions

Bastionhost provides the following solutions:

  • Solution 1: Network domain mode

    Bastionhost Enterprise Edition supports the network domain feature. The administrator of a bastion host can map the elastic IP address (EIP) of an Internet NAT gateway to a proxy server and add the proxy server to the bastion host. Then, the administrator can import assets that are protected by the NAT gateway to the bastion host and use the bastion host to manage and audit the O&M operations on these assets.

  • Solution 2: Direct connection mode

    You can add multiple assets that share one IP address to a bastion host and assign each asset a different port to tell them apart. When you add an asset that is protected by a NAT gateway to a bastion host, set the endpoint of the asset to the EIP of the NAT gateway combined with the port number that the gateway maps to the asset, and specify remarks for the asset. This way, you can distinguish the assets from one another and manage and audit O&M operations on them by using the bastion host.

Unlike the direct connection mode, the network domain mode allows you to import an asset by its actual IP address once the network domain feature is configured. This simplifies asset management and O&M.

Network domain mode

Prerequisites

Procedure

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. Add assets to the bastion host. For more information, see Add hosts.

  4. Configure the network domain feature.

    1. In the left-side navigation pane, choose Assets > Network Domain.

    2. On the Network Domain page, click Create Network Domain.

    3. In the Create Network Domain panel, set Connection Method to Proxy.

    4. Click Create Proxy Server in the Primary Proxy Server section. In the dialog box that appears, configure the following parameters.

      • Proxy Type: Select the type of the proxy. We recommend that you select SSH Proxy.

      • Server Address: Enter the IP address of the proxy server.

      • Server Port: Enter the port of the proxy server.

      • Host Account: Enter the username of the account for the proxy server.

      • Password: Enter the password of the account for the proxy server.

  5. Add the assets to the network domain.

    1. On the Network Domain page, find the network domain to which you want to add the assets. In the Actions column, click Add Host.

    2. In the Add Host dialog box, select the assets that you want to add to the network domain and click Add.

    3. In the message that appears, click Add.

After the configuration is complete, you can use the bastion host to perform O&M operations on the assets. For more information, see O&M overview.

Direct connection mode

Prerequisites

The DNAT feature of an Internet NAT gateway is used to provide Internet-facing services. For more information, see Configure DNAT on an Internet NAT gateway for an ECS instance.

Procedure

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Assets > Host.

  4. On the Host page, choose Import Other Hosts > Create Host.

  5. In the Create Host panel, configure the following parameters and click Create.

    • Operating System: Select Linux.

    • Host IP Address: Enter the EIP that is associated with the Internet NAT gateway.

    • Remarks: Enter remarks that identify the asset later on.

  6. On the Hosts page, find the host that you created and click the hostname.

  7. On the Service Port tab, enter the port that is mapped by the DNAT feature of the Internet NAT gateway and click Update.

After the configuration is complete, you can use the bastion host to perform O&M operations on the assets. For more information, see O&M overview.
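The following is an added worked example, not code from the Bastionhost documentation or the service itself. It models the two modes described above: for direct connection mode it turns a NAT gateway's DNAT table into the host entries the bastion host needs (EIP as Host IP Address, DNAT external port as Service Port, the real asset in Remarks) and rejects two rules that would share the same EIP:port pair, because the bastion host could not tell such assets apart; for network domain mode it shows the proxy endpoint and real asset endpoint pair instead. All addresses, ports and function names are constructed assumptions.

```python
"""Added example (not from the Bastionhost documentation): derive bastion host
entries from a NAT gateway's DNAT table for direct connection mode, and show
the endpoint pair that network domain mode uses instead."""
from dataclasses import dataclass

@dataclass(frozen=True)
class DnatEntry:
    eip: str            # EIP associated with the Internet NAT gateway
    external_port: int  # port exposed on the EIP by the DNAT rule
    private_ip: str     # real IP address of the protected asset
    internal_port: int  # service port on the asset (22 for SSH)

@dataclass(frozen=True)
class BastionHost:
    host_ip: str       # "Host IP Address" field: the EIP
    service_port: int  # "Service Port" tab: the DNAT external port
    remarks: str       # "Remarks" field: the only hint of which asset this is

def direct_connection_hosts(entries):
    """One bastion host entry per DNAT rule. Two rules that share an
    EIP:port pair would be indistinguishable, so reject them."""
    seen = {}
    hosts = []
    for e in entries:
        key = (e.eip, e.external_port)
        if key in seen:
            raise ValueError(f"{e.eip}:{e.external_port} already maps to "
                             f"{seen[key]}, cannot also map to {e.private_ip}")
        seen[key] = f"{e.private_ip}:{e.internal_port}"
        hosts.append(BastionHost(e.eip, e.external_port,
                                 f"{e.private_ip}:{e.internal_port} via DNAT"))
    return hosts

def network_domain_target(entry, proxy_port):
    """In network domain mode the asset is imported by its real IP address;
    the bastion host reaches it through the SSH proxy exposed on the EIP.
    Returns (proxy endpoint, asset endpoint). proxy_port is an assumption."""
    return (f"{entry.eip}:{proxy_port}", f"{entry.private_ip}:{entry.internal_port}")

# Constructed sample DNAT table (documentation/test addresses, not real assets)
SAMPLE_DNAT = [
    DnatEntry("203.0.113.10", 2201, "192.168.0.11", 22),
    DnatEntry("203.0.113.10", 2202, "192.168.0.12", 22),
]

if __name__ == "__main__":
    for h in direct_connection_hosts(SAMPLE_DNAT):
        print(f"{h.host_ip}:{h.service_port}  remarks={h.remarks!r}")
    print(network_domain_target(SAMPLE_DNAT[0], 22))
```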