Bastionhost: Enable a bastion host

Last Updated: Aug 20, 2024

A newly purchased bastion host is uninitialized. You must enable the bastion host to use its features. This topic describes how to enable a bastion host.

Prerequisites

A bastion host is purchased. For more information, see Purchase a bastion host.

Procedure

  1. Log on to the Bastionhost console.

    When you log on to the Bastionhost console for the first time, you must create a service-linked role that is used to enable the bastion host features. You can create the role as prompted.

  2. In the top navigation bar, select the region in which your bastion host resides. In the bastion host list, find the bastion host that you want to enable and click Enable.

  3. In the Enable panel, configure the parameters.

    1. Basic Edition

      Parameters (each parameter name is followed by its description):

      Select Network

      Select a virtual private cloud (VPC) and a vSwitch for the bastion host.

      • Select a VPC:

        • After the bastion host is enabled, you cannot change the VPC.

        • To ensure that the bastion host can communicate with the Elastic Compute Service (ECS) instance on which you want to perform O&M operations over an internal network, we recommend that you select the VPC in which the ECS instance resides.

      • Select a vSwitch: A bastion host of the Basic Edition uses three available IP addresses of the vSwitch. When you select a vSwitch, make sure that it has at least that many available IP addresses. If the selected vSwitch cannot provide the required IP addresses, the bastion host fails to be enabled; in that case, select another vSwitch and enable the bastion host again, or create a new vSwitch before you enable the bastion host. For more information, see Create a vSwitch.

        Note

        After you select a vSwitch for a bastion host of the Basic Edition, you can manually switch the zone of the vSwitch. For more information, see Configure zones.

      ECS Security Groups

      Select the security group of the ECS instances on which you want to perform O&M operations.

      A bastion host must be added to at least one basic security group before the bastion host can be enabled. After the bastion host is added to a basic security group, a security group rule is automatically generated to allow the bastion host to access all ECS instances in the security group.

      • You cannot add a bastion host to an advanced security group. You must manually configure a rule for an advanced security group to ensure network connectivity between the bastion host and the ECS instances in the security group.

      • You cannot add a bastion host to the security groups managed by cloud services. If you have only security groups managed by cloud services, you must create a basic security group.

      Note

      • After your bastion host is enabled, you can change the security group to which the bastion host belongs. For more information, see Configure a security group.

      • After your bastion host is enabled, if access by the bastion host to assets in a security group is blocked, you can manually add a rule to the security group to allow access by your bastion host. For more information about how to add rules to a security group, see Add a security group rule.

    2. Enterprise Edition

      Parameters (each parameter name is followed by its description):

      Select Network

      Select a VPC and a vSwitch for the bastion host.

      • After the bastion host is enabled, you cannot change the VPC.

      • To ensure that the bastion host can communicate with the Elastic Compute Service (ECS) instance on which you want to perform O&M operations over an internal network, we recommend that you select the VPC in which the ECS instance resides.

      Select vSwitch And Primary Zone

      You can deploy vSwitches in primary and secondary zones for a bastion host of the Enterprise Edition. This parameter specifies the vSwitch in the primary zone.

      A bastion host of the Enterprise Edition uses five available IP addresses of the vSwitch. When you select a vSwitch, make sure that it has at least that many available IP addresses. If the selected vSwitch cannot provide the required IP addresses, the bastion host fails to be enabled; in that case, select another vSwitch and enable the bastion host again, or create a new vSwitch before you enable the bastion host. For more information, see Create a vSwitch.

      Select vSwitch And Secondary Zone

      We recommend that you select a vSwitch in the secondary zone for geo-disaster recovery. If you do not select a secondary zone for a bastion host of the Enterprise Edition, the bastion host is deployed in the dual-engine architecture in the primary zone.

      ECS Security Groups

      Select the security group of the ECS instances on which you want to perform O&M operations.

      A bastion host must be added to at least one basic security group before the bastion host can be enabled. After the bastion host is added to a basic security group, a security group rule is automatically generated to allow the bastion host to access all ECS instances in the security group.

      • You cannot add a bastion host to an advanced security group. You must manually configure a rule for an advanced security group to ensure network connectivity between the bastion host and the ECS instances in the security group.

      • You cannot add a bastion host to the security groups managed by cloud services. If you have only security groups managed by cloud services, you must create a basic security group.

      Note

      • After your bastion host is enabled, you can change the security group to which the bastion host belongs. For more information, see Configure a security group.

      • After your bastion host is enabled, if access by the bastion host to assets in a security group is blocked, you can manually add a rule to the security group to allow access by your bastion host. For more information about how to add rules to a security group, see Add a security group rule.

      Private O&M Settings

      Bastionhost can be connected to PrivateLink to establish a secure and stable private connection between a VPC and a bastion host. In this case, you can access the O&M portal of your bastion host and perform web-based O&M operations over an internal network. This further improves O&M security.

      After you enable private O&M, you must select a PrivateLink endpoint security group.

      Note

      If you do not enable private O&M when you enable your bastion host, you can enable this feature before you perform web-based O&M operations over an internal network. For more information, see Enable private O&M.

  4. Click Next. After the parameters pass the check, click Enable.

    The bastion host is now enabled and starts initializing, which takes 10 to 15 minutes. When initialization is complete, the status of the bastion host changes to Running.
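The constraints in step 3 (free IP addresses on the vSwitch per edition, at least one basic security group, no service-managed groups, advanced groups needing a manual rule, the VPC being fixed once enabled) are easy to get wrong when planning an Enable from an inventory script. The following preflight check is an added example, not Alibaba Cloud's or Bastionhost's own code. It works on constructed records whose fields mirror the shape of ECS/VPC API responses (AvailableIpAddressCount and VpcId from DescribeVSwitches, SecurityGroupType and ServiceManaged from DescribeSecurityGroups) but calls no API; the edition names, the sample IDs and the check that the secondary vSwitch sits in a different zone than the primary one are assumptions for illustration.

```python
"""Preflight check for a planned Bastionhost Enable request (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Free IP addresses a bastion host consumes on its vSwitch, per edition.
REQUIRED_IPS = {"basic": 3, "enterprise": 5}


@dataclass
class VSwitch:
    vswitch_id: str
    vpc_id: str
    zone_id: str
    available_ip_count: int  # mirrors AvailableIpAddressCount


@dataclass
class SecurityGroup:
    sg_id: str
    vpc_id: str
    sg_type: str                   # mirrors SecurityGroupType: "normal" = basic, "enterprise" = advanced
    service_managed: bool = False  # mirrors ServiceManaged: owned by a cloud service


@dataclass
class EnableRequest:
    edition: str                       # "basic" or "enterprise" (assumed names)
    vpc_id: str
    primary_vswitch: VSwitch
    security_groups: List[SecurityGroup]
    secondary_vswitch: Optional[VSwitch] = None
    ecs_vpc_id: Optional[str] = None   # VPC of the ECS instances you will manage


@dataclass
class PreflightResult:
    errors: List[str] = field(default_factory=list)    # enabling will fail
    warnings: List[str] = field(default_factory=list)  # enabling works, but O&M may not

    @property
    def ok(self) -> bool:
        return not self.errors


def preflight(req: EnableRequest) -> PreflightResult:
    """Apply the documented Enable constraints to a planned request."""
    r = PreflightResult()
    need = REQUIRED_IPS[req.edition]

    vsw = req.primary_vswitch
    if vsw.vpc_id != req.vpc_id:
        r.errors.append(f"{vsw.vswitch_id} is not in VPC {req.vpc_id}")
    if vsw.available_ip_count < need:
        r.errors.append(f"{vsw.vswitch_id} has {vsw.available_ip_count} free IPs, "
                        f"{req.edition} edition needs {need}")

    sec = req.secondary_vswitch
    if sec is not None:
        if req.edition != "enterprise":
            r.errors.append("a secondary zone is only available in the Enterprise Edition")
        elif sec.vpc_id != req.vpc_id:
            r.errors.append(f"{sec.vswitch_id} is not in VPC {req.vpc_id}")
        elif sec.zone_id == vsw.zone_id:  # assumption: recovery needs a different zone
            r.warnings.append("secondary vSwitch is in the primary zone; no geo-disaster recovery")
    elif req.edition == "enterprise":
        r.warnings.append("no secondary zone: dual-engine deployment in the primary zone only")

    basic_groups = 0
    for sg in req.security_groups:
        if sg.vpc_id != req.vpc_id:
            r.errors.append(f"{sg.sg_id} belongs to another VPC")
            continue
        if sg.service_managed:
            r.errors.append(f"{sg.sg_id} is managed by a cloud service and cannot be used")
        elif sg.sg_type == "enterprise":
            r.warnings.append(f"{sg.sg_id} is advanced: no rule is generated, add one manually")
        elif sg.sg_type == "normal":
            basic_groups += 1
    if basic_groups == 0:
        r.errors.append("at least one basic (normal) security group is required")

    if req.ecs_vpc_id and req.ecs_vpc_id != req.vpc_id:
        r.warnings.append("managed ECS instances are in another VPC; internal-network O&M will not work")
    return r


# Constructed sample inventory; all IDs are made up.
VSW_A = VSwitch("vsw-example-a", "vpc-example", "cn-hangzhou-h", 12)
VSW_B = VSwitch("vsw-example-b", "vpc-example", "cn-hangzhou-i", 2)
VSW_C = VSwitch("vsw-example-c", "vpc-example", "cn-hangzhou-i", 8)
SG_BASIC = SecurityGroup("sg-example-basic", "vpc-example", "normal")
SG_ADV = SecurityGroup("sg-example-adv", "vpc-example", "enterprise")
SG_SVC = SecurityGroup("sg-example-svc", "vpc-example", "normal", service_managed=True)


def sample_good() -> PreflightResult:
    """Enterprise Edition, two zones, one basic and one advanced group: passes with a warning."""
    return preflight(EnableRequest("enterprise", "vpc-example", VSW_A, [SG_BASIC, SG_ADV], VSW_C))


def sample_bad() -> PreflightResult:
    """Basic Edition on a vSwitch with two free IPs and only a service-managed group: fails."""
    return preflight(EnableRequest("basic", "vpc-example", VSW_B, [SG_SVC]))


if __name__ == "__main__":
    for name, res in (("good", sample_good()), ("bad", sample_bad())):
        print(name, "ok" if res.ok else "FAIL", res.errors, res.warnings)
```

Errors are conditions the page says make enabling fail; warnings are conditions under which enabling succeeds but the bastion host cannot reach the assets over the internal network until you add a rule or pick the right VPC, which is the situation the Note under ECS Security Groups describes.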

What to do next

After the bastion host is enabled, you can find the bastion host in the bastion host list and click Manage to go to the console of the bastion host. For more information, see Log on to the console of a bastion host.