After you enable a bastion host, you can refer to this topic to modify basic network settings of the bastion host. You can modify the security group to which the bastion is added and the default O&M port of the bastion host, restrict specific IP addresses from accessing the bastion host, change the zones of vSwitches, and obtain the egress IP address of the bastion host.
Configure a security group
You can configure a security group to allow a bastion host to access Elastic Compute Service (ECS) instances within the security group.
Log on to the Bastionhost console.
In the left-side navigation pane, click Basic Edition & Enterprise Edition.
On the Instances page, find the bastion host that you want to manage and choose .
In the Network Settings panel, select the required security group and click Next.
NoteYou can select more than one security group.
After the selected security groups pass a precheck by the system, click Modify.
After you select a security group, the bastion host can access ECS instances within the security group.
Configure a whitelist
By default, all public IP addresses can be used to log on to a bastion host for O&M. If you want to deny the logon requests from specific public IP addresses, you can add trusted IP addresses to the whitelist of the bastion host. Only the public IP addresses that are added to the whitelist can access Bastionhost.
Log on to the Bastionhost console.
In the left-side navigation pane, click Basic Edition & Enterprise Edition.
On the Instances page, find the bastion host that you want to manage and choose .
In the Network Settings panel, configure Public IP Address Whitelist.
After the configuration is complete, click OK.
The public IP addresses that can be used to log on to the bastion host are added to the whitelist.
Configure a port number
If you want to change the O&M port of a bastion host, perform the following steps:
Log on to the Bastionhost console.
In the left-side navigation pane, click Basic Edition & Enterprise Edition.
On the Instances page, find the bastion host that you want to manage and choose .
In the Port Settings panel, specify Ports.
NoteThe port numbers that range from 1 to 1024 are reserved for Bastionhost. We recommend that you do not specify a port number in this range.
After the configuration is complete, click OK.
The O&M port of the bastion host is configured.
Obtain the egress IP address of the bastion host
Obtain the egress IP address of the bastion host
The egress IP address of a bastion host is the source IP address from which the bastion host accesses servers. Egress IP addresses are divided into egress public IP addresses and egress private IP addresses.
Log on to the Bastionhost console.
In the left-side navigation pane, click Basic Edition & Enterprise Edition.
On the Instances page, find the bastion host that you want to manage and click Egress IP to view the egress IP addresses.
Related settings
We recommend that you allow the egress IP addresses of the bastion host in your Elastic Compute Service (ECS) security group, firewall, and database whitelist to prevent connection failure. For more information about database whitelists, see Configure an IP address whitelist for an ApsaraDB RDS for MySQL instance.
If you added your bastion host to a basic security group of ECS, a rule is automatically added to the security group to allow the egress IP addresses of the bastion host. If you added your ECS instances to an advanced security group, you need to manually add a rule to the security group to allow the egress IP addresses of the bastion host. For more information, see Add a security group rule.
Configure privately used public IP addresses
If your servers use privately used public IP addresses, perform the following steps to configure the privately used public IP addresses. This way, your bastion host can access the servers as normal.
After you configure the privately used public IP addresses, the current O&M sessions are disconnected. We recommend that you configure the privately used public IP addresses during off-peak hours.
Log on to the Bastionhost console.
In the left-side navigation pane, click Basic Edition & Enterprise Edition.
On the Instances page, find the bastion host that you want to manage and choose .
In the Network Settings panel, specify Public IP Address for VPC.
Specify a value for the Public IP Address for VPC parameter in the
IP address/Subnet mask
format. Separate multiple IP addresses or subnet masks with commas (,). You can specify up to 50 IP addresses or subnet masks. Example:192.168.XX.XX/32,172.16.XX.XX/32
.After the configuration is complete, click OK.
Configure zones
If you use Bastionhost Enterprise Edition, you can perform the following steps to configure different zones for the vSwitches in your virtual private cloud (VPC) to ensure high network availability.
After you configure primary and secondary zones, the current O&M connections are disconnected. We recommend that you configure primary and secondary zones during off-peak hours.
Log on to the Bastionhost console.
In the left-side navigation pane, click Basic Edition & Enterprise Edition.
On the Instances page, find the bastion host that you want to manage and choose .
In the Network Settings panel, specify the Select vSwitch of Primary Zone and Select vSwitch of Secondary Zone parameters.
ImportantAfter you configure the zones, the IP address to which the private O&M address of the bastion host is resolved is changed. We recommend that you use the private O&M address that is displayed in the console of the bastion host to perform O&M operations.
The private egress IP address of your bastion host is also changed. If your security group rules are configured based on IP addresses, O&M may fail. Reconfigure the security group rules.
If other access control policies are configured based on the private O&M address, we recommend that you reconfigure the policies, such as the policies for your firewall.
If you configure different zones for the vSwitches, the private O&M address is resolved to two IP addresses.
After the configuration is complete, click OK.
Switch to a different zone
If you use Bastionhost Basic Edition, you can perform the following steps to switch a vSwitch in your VPC to a different zone. This prevents the bastion host from being inaccessible if the current zone becomes unavailable.
After you switch the vSwitch to a different zone, current O&M connections may be terminated. We recommend that you switch the vSwitch to a different zone during off-peak hours.
Log on to the Bastionhost console.
In the left-side navigation pane, click Basic Edition & Enterprise Edition.
On the Instances page, find the bastion host that you want to manage and choose
.In the Network Settings panel, configure
After the configuration is complete, click OK.
After you configure the zones, the IP address to which the private O&M address of the bastion host is resolved is changed. We recommend that you use the private O&M address that is displayed in the console of the bastion host to perform O&M operations.
The private egress IP address of your bastion host is also changed. If your security group rules are configured based on IP addresses, O&M may fail. Reconfigure the security group rules.
If other access control policies are configured based on the private O&M address, we recommend that you reconfigure the policies, such as the policies for your firewall.