
Bastionhost:Enable private O&M

Last Updated:Jul 15, 2024

Bastionhost allows you to perform web-based O&M operations on hosts over an internal network by using the O&M portal or console of a bastion host. This satisfies stricter security requirements for business O&M. This topic describes how to enable private O&M so that a bastion host can be accessed over an internal network.

Background information

Bastionhost can be connected to PrivateLink to establish a secure and stable private connection between a virtual private cloud (VPC) and a bastion host. In this case, you can access the O&M portal of your bastion host and perform web-based O&M operations over an internal network. This further improves O&M security.

Impacts

If you enable private O&M, your bastion host will be affected in the following ways:

  • After you enable private O&M, the IP address to which the private O&M address of the bastion host is resolved is changed. We recommend that you use the private O&M address that is displayed in the console of the bastion host to perform O&M operations.

  • If you have configured access control policies, such as firewall policies, based on the IP address to which the private O&M address of the bastion host is resolved, we recommend that you reconfigure the policies by using the new IP address after you enable private O&M.

Prerequisites

Your client is connected to the VPC where your bastion host resides. Rules are added to the PrivateLink endpoint security group to allow requests from your client. Otherwise, you cannot use the client to access the private O&M address of the bastion host. For more information about how to add rules to a security group, see Add a security group rule.

Procedure

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. On the Instances page in the Bastionhost console, find the bastion host that you want to manage and choose Configuration > Enable Private O&M.

  3. In the Enable Private O&M panel, select a PrivateLink endpoint security group and click OK.

    Important
    • If the vSwitch is changed, the egress private IP address changes. If you have configured access control policies, such as firewall policies, based on the egress private IP address, we recommend that you reconfigure the policies by using the new egress private IP address.

    • During the configuration change, the bastion host is in the Updating Configuration state and cannot be accessed. The process takes approximately 20 minutes. We recommend that you enable private O&M during off-peak hours.
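Because enabling private O&M changes the IP address that the private O&M address resolves to (see Impacts and the note above), policies keyed on the old IP go stale. The following script is an added example, not part of the Bastionhost documentation: it resolves the private O&M address from a Linux client inside the VPC and lists the IPs in an existing allowlist that no longer match. The hostname `bastion.example.internal`, the file `allowlist.txt` and the sample IPs are placeholders, and `getent` is assumed to be available on the client.

```shell
#!/bin/sh
# Added check (not from the Bastionhost docs): after private O&M is enabled the
# private O&M address resolves to a new IP, so firewall or security-group
# policies written against the old IP must be updated. This script resolves the
# address and reports the policy entries that need to change.

# Resolve the private O&M address to its IPv4 addresses, one per line.
# The hostname is the private O&M address shown in the Bastionhost console;
# getent is assumed to be available on the Linux client inside the VPC.
resolve_oam_address() {
    getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# Print each policy IP ($2, newline-separated) that is not among the resolved
# IPs ($1, newline-separated). Exact line match, so 10.0.0.1 != 10.0.0.10.
find_stale_policy_ips() {
    resolved="$1"
    policy="$2"
    printf '%s\n' "$policy" | while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        if ! printf '%s\n' "$resolved" | grep -qxF "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# Constructed sample data: an allowlist as a firewall policy might hold it, and
# the resolution result as it looks after private O&M has been enabled.
SAMPLE_POLICY_IPS='10.0.1.10
10.0.1.100
192.168.5.7'
SAMPLE_RESOLVED='10.0.1.100'

# Live usage from a client in the VPC (placeholder hostname and file):
#   find_stale_policy_ips "$(resolve_oam_address bastion.example.internal)" "$(cat allowlist.txt)"
main() {
    stale=$(find_stale_policy_ips "$SAMPLE_RESOLVED" "$SAMPLE_POLICY_IPS")
    if [ -n "$stale" ]; then
        echo "Policy entries to update after enabling private O&M:"
        echo "$stale"
    else
        echo "All policy entries match the current private O&M IP."
    fi
}

main
```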