
Bastionhost:Use the network domain feature

Last Updated:Nov 04, 2024

If you want to centrally perform O&M operations on assets that reside in different networks, or on assets that cannot communicate with the virtual private cloud (VPC) of your bastion host, we recommend that you use the network domain feature of Bastionhost. You configure a proxy server for these assets, create a network domain for the bastion host, and then connect the network domain to the proxy server. This way, you can perform O&M operations on the assets by using the bastion host. This topic describes how to use the network domain feature.

Background information

The network domain feature provides the optimal O&M solutions for hybrid cloud scenarios. For example, you can use the feature to perform O&M operations on assets across data centers, heterogeneous clouds, and VPCs. In most cases, the assets of an enterprise are deployed in different regions and may fail to communicate with a bastion host. You can use public IP addresses or leased lines to connect to the assets. However, public IP addresses may pose security risks whereas leased lines cause high network costs. In this case, you can use the proxy mode of the network domain feature to perform O&M operations on assets that reside in different networks, including data centers, heterogeneous clouds, and VPCs. The proxy mode is supported by Bastionhost Enterprise Edition. For more information about the best practices of O&M in the proxy mode of the network domain feature, see Best practices of hybrid O&M.

Limits

  • Only Bastionhost Enterprise Edition supports the proxy mode of the network domain feature.

  • The network domain feature supports SSH, HTTP, and SOCKS5 proxies.

Prerequisites

A proxy server is configured for your assets and is connected to your bastion host if you want to use the proxy mode of the network domain feature. For more information about the recommended configurations for proxy servers, see the Recommended configurations for proxy servers section of this topic.

Recommended configurations for proxy servers

You can configure SSH, HTTP, or SOCKS5 proxy servers as the primary and secondary proxy servers. Then, you can use the proxy servers to perform O&M operations on assets. The following tables describe the recommended configurations for proxy servers.

SSH proxy servers

  • OS: A Linux host for which SSH is enabled.

  • Configuration method: You can use Linux hosts as SSH proxy servers without the need to install components or complete configurations on the Linux hosts.

  • CPU and memory: 2 cores and 4 GB of memory.

  • Bandwidth: 10 Mbit/s.

HTTP and SOCKS5 proxy servers

  • OS: A host that runs CentOS 6.9 or later.

  • Configuration method: For more information, see the How do I configure a server as an HTTP or SOCKS5 proxy server? section of the FAQ related to scenarios topic.

  • CPU and memory: 2 cores and 4 GB of memory.

  • Bandwidth: 10 Mbit/s.

Note

The 10 Mbit/s bandwidth recommendation applies to SSH proxy servers and to HTTP and SOCKS5 proxy servers alike. The actual bandwidth usage varies based on the number of concurrent O&M sessions. If you initiate multiple sessions to perform complex GUI-based operations from a remote desktop, bandwidth usage may spike and remote sessions may freeze. In this case, we recommend that you purchase extra bandwidth for your bastion host. For more information about limits on the number of concurrent O&M sessions, see Limits. For more information about how to purchase extra bandwidth for your bastion host, see Upgrade a bastion host.

Create a network domain

To use your bastion host to perform O&M operations on multiple assets in a network domain, you must create a network domain for the bastion host and connect the network domain to a proxy server. To do this, perform the following steps.

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Assets > Network Domain.

  4. On the Network Domain page, click Create Network Domain. In the Create Network Domain panel, configure the Network Domain, Remarks, and Connection Mode parameters.

    • Direct Connection: Your bastion host is connected to the assets without proxy servers. By default, an asset is automatically added to the direct network when the asset is imported to your bastion host for the first time. The direct network is the network domain for the Direct Connection mode.

    • Proxy: If the assets cannot communicate with your bastion host, you can configure a proxy server to forward network requests. This way, you can use the bastion host to perform O&M operations on assets in different networks by using the proxy server.

      Note
      • Bastionhost Basic Edition supports only the direct connection mode.

      • Bastionhost Enterprise Edition supports both the direct connection and proxy modes.

      If you select Proxy, you must configure at least one proxy server. The following example shows how to configure a primary proxy server:

      1. Click Create Proxy Server in the Primary Proxy Server section. In the dialog box that appears, configure the following parameters.

        • Proxy Type: The type of the proxy. Valid values: SSH Proxy, HTTP Proxy, and SOCKS5 Proxy.

        • Server Address: The address of the primary proxy server.

        • Server Port: The port of the primary proxy server.

        • Host Account: The account that is used to log on to the primary proxy server.

        • Authentication Type: The method that is used to authenticate the host account on the primary proxy server. Valid values:

          • Password: If you select this value, you must specify the password of the account for the primary proxy server.

          • Private Key: You can select this value only if the Proxy Type parameter is set to SSH Proxy. If you select this value, you must specify the private key of the account for the primary proxy server. You can also specify the encryption password of the private key.

        Note

        The network domain feature allows you to configure a primary proxy server and a secondary proxy server. You can configure a secondary proxy server in the same manner in which you configure a primary proxy server. If an error occurs on the primary proxy server, your bastion host automatically connects to the secondary proxy server. To ensure the stability of the network domain, we recommend that you configure a secondary proxy server.

      2. Click Test Connection. After the primary proxy server passes the connectivity test, click OK.

        Note

        If the connectivity test fails, check whether the parameters are correctly configured.

  5. Click Create Network Domain. A message appears to indicate that the network domain is created. You can click Add Host or Add Database to add the hosts or databases on which you want to perform O&M operations to the network domain.

    You can perform this step after you determine the hosts or databases that you want to add to the network domain. For more information, see the Add hosts or databases section of this topic.
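The connectivity test and the primary-to-secondary failover described in the steps above, as an added example that is not Bastionhost's own code: it assumes that a reasonable test is to open a TCP connection to the proxy and validate the first protocol exchange for its type (SSH banner, HTTP CONNECT status, SOCKS5 method reply). The ProxyServer fields mirror the Proxy Type, Server Address, and Server Port parameters; the 192.0.2.x addresses are constructed placeholders.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class ProxyServer:
    proxy_type: str  # "SSH Proxy", "HTTP Proxy" or "SOCKS5 Proxy", as named in the console
    address: str
    port: int

SOCKS5_GREETING = b"\x05\x02\x00\x02"  # RFC 1928: VER=5, 2 methods: no auth (0x00), user/pass (0x02)

def ssh_banner_ok(reply: bytes) -> bool:
    # RFC 4253: an SSH server opens with its identification string "SSH-2.0-<software>"
    return reply.startswith(b"SSH-2.0-")

def http_connect_request(host: str, port: int) -> bytes:
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def http_connect_ok(reply: bytes) -> bool:
    # Only a 2xx status line means the proxy opened the tunnel to the asset
    status = reply.split(b"\r\n", 1)[0].decode(errors="replace").split()
    return len(status) >= 2 and status[0].startswith("HTTP/") and status[1][:1] == "2"

def socks5_method_ok(reply: bytes) -> bool:
    # The server echoes VER and the method it picked; 0xFF means it accepts none we offered
    return len(reply) == 2 and reply[0] == 5 and reply[1] in (0x00, 0x02)

def probe(server: ProxyServer, target: tuple, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((server.address, server.port), timeout=timeout) as s:
            if server.proxy_type == "SSH Proxy":
                return ssh_banner_ok(s.recv(255))
            if server.proxy_type == "HTTP Proxy":
                s.sendall(http_connect_request(*target))  # target = (asset host, asset port)
                return http_connect_ok(s.recv(1024))
            if server.proxy_type == "SOCKS5 Proxy":
                s.sendall(SOCKS5_GREETING)
                return socks5_method_ok(s.recv(2))
            return False
    except OSError:  # refused, timed out, unreachable, reset
        return False

def select_proxy(primary: ProxyServer, secondary: Optional[ProxyServer], target: tuple,
                 probe_fn: Callable[[ProxyServer, tuple], bool] = probe) -> Optional[ProxyServer]:
    # Failover rule from the note above: use the primary, fall back to the secondary if it fails
    for candidate in (primary, secondary):
        if candidate is not None and probe_fn(candidate, target):
            return candidate
    return None
```

A None result means neither proxy server passed the test, which is the case the note recommends a secondary proxy server for.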

What to do next

Add hosts or databases

After you create a network domain, you can add hosts or databases to the network domain.

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Assets > Network Domain.

  4. On the Network Domain page, find the network domain that you want to manage and click Add Host or Add Database in the Actions column.

  5. In the dialog box that appears, find the host or database that you want to add to the network domain and click Add in the Actions column.

    You can also select multiple assets that you want to add to the network domain and then click Add below the asset list. This way, you can add multiple assets to the network domain at a time.

Edit a network domain

You can edit the basic information about a network domain, including the name, connection mode, and primary and secondary proxy servers. You can also remove assets from a network domain. To do this, perform the following steps.

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Assets > Network Domain.

  4. On the Network Domain page, find the network domain that you want to edit and click Edit in the Actions column.

    You can also click the name of a network domain to go to the Network Domain Details page.

  5. On the Network Domain Details page, click a tab to modify the corresponding information.

    • On the Basic Info tab, you can change the name, remarks, and connection mode of the network domain. You can also add a secondary proxy server and test the connectivity to proxy servers.

    • On the Host tab, you can add or remove hosts.

    • On the Database tab, you can add or remove databases.
