Community Blog FAQ: Ops and Security - Friday Blog, Week 62

FAQ: Ops and Security - Friday Blog, Week 62

Another week, another Friday Q&A. See what the "hot" questions were in Alibaba Cloud trainings this week...you might learn something!

By: Jeremy Pedersen

A Quick Friday Q&A

Today will be a very short blog post. I just want to take some time to address a few questions that have come up during recent Alibaba Cloud Academy training sessions. Let's go!


Q: Does Alibaba Cloud's Bastionhost support connecting to ECS instances in multiple VPCs?

Not directly: the Bastionhost itself can only be attached to a single VPC group. However, you can use Alibaba Cloud's CEN to peer VPCs together, allowing Bastionhost to connect to ECS instances that are not directly attached to the Bastionhost VPC group.

Q: Does Bastionhost allow you to connect to ECS instances that are not in the same Alibaba Cloud account as the Bastionhost instance?

Not at present, but this feature may be added soon! Stay tuned.

Q: Can I ship ActionTrail logs directly to a queue (like Apache Kafka) or a third-party SIEM system?

Unfortunately no, but you can ship your ActionTrail logs to Log Service, which can then ship them to other systems. Shipping logs to third-party services is covered in the documentation here.


Q: Do I need to use Function Compute to have Cloud Config automatically fix non-compliance issues it discovers?

No, in many cases the built-in "remediation" actions are built right into Cloud Config. You only need to write Function Compute code to deal with special cases.

Simple things like deleting a security group rule can be done via automatic, built-in remediation.

Q: What's the difference between Bastionhost, the ECS "Workbench" tool, and the ECS "VNC Connection" tool?

While all three of these tools can be used to log into an ECS instance even if it does not have its own public IP address, each tool is designed for a different job.

  • The VNC connection tool allows you to connect to an instance's virtual "display". This is a bit like walking up to a physical server and plugging a display into an HDMI port. The VNC connection tool will work even on instances that have failed to boot (you'll be able to see any error messages thrown by the Linux kernel at boot time, for instance), or on instances where the network interface is not functioning properly or security group rules are blocking all inbound connections. In short, the VNC tool is your connection of last resort.
  • The "Workbench" tool is just a convenient web interface for logging into multiple ECS instances at once. It gives you a convenient way to SSH into multiple servers from a tab in your web browser. This means it does not have some of these features (which are standard in Bastionhost):

    • Allow access to different hosts for different users
    • Log commands that are entered over SSH or RDP sessions
    • Control which commands are and are not allowed to be executed by a given user
    • Allow users who do not have permissions in the Alibaba Cloud console to access ECS instances
  • Bastionhost includes user permission control, logging, and auditing features not included in the ECS "Workbench" tool, and is better suited for managing large sets of users who need to connect to large sets of ECS instances. One key feature here is built-in SSH key and password management, something the "Workbench" tool does not have strong support for.

The End!

I said it would be quick, didn't I? See you next week! ^_^

0 1 0
Share on


71 posts | 155 followers

You may also like



71 posts | 155 followers

Related Products