Bastionhost allows you to perform web-based O&M operations on hosts over an internal network by using the O&M portal or console of a bastion host. This helps meet stricter security requirements for business O&M. This topic describes how to enable private O&M so that a bastion host can be accessed over an internal network.
Background information
Bastionhost can be connected to PrivateLink to establish a secure and stable private connection between a virtual private cloud (VPC) and a bastion host. In this case, you can access the O&M portal of your bastion host and perform web-based O&M operations over an internal network. This further improves O&M security.
Impacts
If you enable private O&M, your bastion host will be affected in the following ways:
After you enable private O&M, the IP address to which the private O&M address of the bastion host is resolved is changed. We recommend that you use the private O&M address that is displayed in the console of the bastion host to perform O&M operations.
If you have configured access control policies, such as firewall policies, based on the IP address to which the private O&M address of the bastion host is resolved, we recommend that you reconfigure the policies by using the new IP address after you enable private O&M.
Prerequisites
Your client is connected to the VPC where your bastion host resides. Rules are added to the PrivateLink endpoint security group to allow requests from your client. Otherwise, you cannot use the client to access the private O&M address of the bastion host. For more information about how to add rules to a security group, see Add a security group rule.
Procedure
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
On the Instances page in the Bastionhost console, find the bastion host that you want to manage and choose the option that opens the Enable Private O&M panel.
In the Enable Private O&M panel, select a PrivateLink endpoint security group and click OK.
Important: If the vSwitch is changed, the egress private IP address changes. If you have configured access control policies, such as firewall policies, based on the egress private IP address, we recommend that you reconfigure the policies by using the new egress private IP address.
During the configuration change, the bastion host is in the Updating Configuration state and cannot be accessed. The process takes approximately 20 minutes. We recommend that you enable private O&M during off-peak hours.
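The two checks that the Impacts and Prerequisites sections ask for can be scripted: confirm that the PrivateLink endpoint security group admits your client, and find firewall policies that were pinned to the old IP address of the private O&M address after it resolves to a new one. The following Python is an added example and is not Alibaba Cloud code or a Bastionhost API; the rule model, the CIDRs and the hostname handling are constructed assumptions, and `resolve()` only wraps the standard library resolver so that the before/after comparison can be run against a real private O&M address.

```python
"""Added example: pre- and post-change checks for enabling private O&M.

Not Alibaba Cloud code. The rule model, CIDRs and snapshots are constructed
assumptions; only the Python standard library is used.
"""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Simplified allow rule: a CIDR, a protocol and a destination port.

    For a security-group rule the CIDR is the permitted source; for a
    client-side firewall rule it is the permitted destination.
    """
    cidr: str
    protocol: str
    port: int

    @property
    def network(self):
        return ipaddress.ip_network(self.cidr, strict=False)


# Constructed: security-group rules on the PrivateLink endpoint (source CIDRs).
ENDPOINT_RULES = [
    Rule("10.0.1.0/24", "tcp", 443),   # subnet where O&M clients live
    Rule("10.0.2.10/32", "tcp", 443),  # a single jump host
]

# Constructed: client-side firewall rules keyed on the bastion host's
# resolved private O&M IP address (destination CIDRs).
FIREWALL_RULES = [
    Rule("192.168.10.5/32", "tcp", 443),  # pinned to the old resolved address
    Rule("192.168.0.0/16", "tcp", 443),   # broad rule, survives a change
]


def client_allowed(client_ip, rules, port=443, protocol="tcp"):
    """Prerequisite check: does any endpoint rule admit client_ip to port?"""
    addr = ipaddress.ip_address(client_ip)
    return any(
        r.protocol == protocol and r.port == port and addr in r.network
        for r in rules
    )


def stale_rules(old_ip, new_ip, rules):
    """Impact check: rules that matched the old resolved address but do not
    match the new one. These are the policies that must be reconfigured."""
    old = ipaddress.ip_address(old_ip)
    new = ipaddress.ip_address(new_ip)
    return [r for r in rules if old in r.network and new not in r.network]


def resolve(hostname):
    """Resolve a name to its sorted, de-duplicated set of IPv4 addresses.

    Record the result before enabling private O&M, run it again afterwards,
    and feed both snapshots into resolution_changed() and stale_rules().
    """
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def resolution_changed(before, after):
    """True when the resolved address set differs between two snapshots."""
    return set(before) != set(after)


if __name__ == "__main__":
    # Constructed before/after snapshots standing in for two resolve() calls.
    before, after = ["192.168.10.5"], ["192.168.10.77"]
    print("client 10.0.1.25 allowed:", client_allowed("10.0.1.25", ENDPOINT_RULES))
    print("resolution changed:", resolution_changed(before, after))
    for r in stale_rules(before[0], after[0], FIREWALL_RULES):
        print("reconfigure:", r)
```

Run `resolve()` against the private O&M address shown in the bastion host console once before and once after the change; any rule returned by `stale_rules()` is one of the access control policies the Impacts section says to reconfigure, and a `False` from `client_allowed()` explains a client that cannot reach the private O&M address.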