Best practices of protecting bastion hosts

Recommended configurations

• Configure Inbound policies for the Internet firewall to allow the Internet or a regional Internet (function to be provided soon) to access the open ports of a bastion host.
• Configure Outbound policies for the Internet firewall to allow a bastion host to access the Internet.
• Enable the Cloud Firewall service for the bastion host so that inbound and outbound traffic of the bastion host all pass Cloud Firewall.

Procedure

1. Log on to the Cloud Firewall console.
2. In the left-side navigation pane, choose Security Policies > Access Control > Internet Firewall.
3. Create an Inbound access control policy to allow the Internet or a regional Internet to access the open ports of the target bastion host.
   1. Click the Inbound Policies tab.
   2. Optional. Choose Address Books > Port Address Books > Create Address Book.
      Note You can add multiple IP addresses or ports to an address book for batch configuration, which simplifies the configuration. If you want to open only one port of the bastion host, you do not need to create an address book.
   3. In the Modify Address Book dialog box, specify the bastion host port that you want to open, set other parameters, and click Submit.

      In this example, ports 60022 (SSH), 63389 (RDP), and 443 (bastion host OAM) are opened. Add ports on the Port Address Books page based on your business needs. Separate multiple ports with commas (,). You can add up to 50 ports.

   4. Create an Inbound access control policy to allow the Internet to access specified ports of the bastion host.
      Parameters for creating an inbound access control policy are as follows:

      • Source Type: Select IP.
      • Source: To allow all public IP addresses to access the open ports of a bastion host, enter 0.0.0.0/0. To allow some public IP addresses to access the open ports, enter the CIDR blocks of these IP addresses.
      • Destination Type: Select IP.
      • Destination: Enter the IP address of the bastion host.
        Note You can choose Firewall Settings > Internet Firewall from the left-side navigation pane of the Cloud Firewall console and set Asset Type to check the IP address of the bastion host. You do not need to log on to the bastion host console.
      • Protocol: Select TCP.
      • Port Type: To open multiple ports of the bastion host, select Address Book and select the address book that contains the ports you want to open for Ports.
      • Application: Select ANY.
      • Policy Action: Select ALLOW, which indicates that public IP addresses are allowed to access opened ports of the bastion host.
   5. Create another Inbound access control policy that denies access to non-open ports of the bastion host from any public IP address.

      Ports: Enter 0/0, which indicates all ports of the bastion host.

      Policy Action: Select DENY, which indicates that access to non-open ports of the bastion host from any public IP address is not allowed.

4. Allow the bastion host to access the Internet.

   If a bastion host needs to access Alibaba Cloud from the Internet, an ECS instance in another VPC, or a host outside the cloud, you must allow the bastion host to access Alibaba Cloud services over the Internet.

   1. In the left-side navigation pane of the Cloud Firewall console, choose Security Policies > Access Control. On the Internet Firewall page, click the Outbound Policies tab.
   2. Click Create Policy and set the parameters.
5. Choose Firewall Settings > Internet Firewall, find the bastion host for which you want to enable the firewall service, and click Enable Firewall.
   Note A bastion host is synchronized to the Cloud Firewall console within 15 to 30 minutes after it is purchased.

References

• What is Cloud Firewall?
• Overview of access control policies
• Enable or disable the Cloud Firewall service