ApsaraDB for MyBase: Log on to a host by using a bastion host in Linux

Last Updated: Mar 28, 2026

Use a bastion host to establish a secure SSH connection to an ApsaraDB for MyBase dedicated cluster host. The bastion host records all operations and routes all traffic, keeping the database host off the public internet.

Prerequisites

Before you begin, make sure you have:

  • A dedicated cluster running MySQL or PostgreSQL

  • Grant OS Permissions set to Enabled when the dedicated cluster was created. For more information, see Create a dedicated cluster.

  • A host account already created. For more information, see Create a host account.

How it works

The bastion host acts as a secure gateway between your local machine and the ApsaraDB for MyBase host. All requests pass through the bastion host, so the database host never connects to the internet. You create a bastion host account, authorize it to access a specific host, then SSH into the bastion host, which routes you to the target host.

Log on to a host

Step 1: Associate the bastion host with your cluster

  1. Log on to the ApsaraDB for MyBase console.

  2. In the upper-left corner of the page, select a region.

  3. Find the cluster you want to manage and click Details in the Actions column.

  4. In the left-side navigation pane, click Bastion Hosts. Find the bastion host you want to use and click Associate with Bastion Host in the Actions column.

  5. Select the ApsaraDB for MyBase host you want to log on to and click Next.

Step 2: Create a bastion host account

  1. Click Create Bastion Host Account. In the Create Bastion Host Account dialog box, configure the following parameters.

    | Parameter | Description |
    | --- | --- |
    | Username | The username for the bastion host account. Requirements: up to 50 characters; contains at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters. Special characters: underscores (_), hyphens (-), commas (.), and percent signs (%). |
    | Password | The password for the bastion host account. Requirements: 8–64 characters; contains letters, digits, and special characters. Special characters: at signs (@), number signs (#), and dollar signs ($). |
    | Confirm Password | Re-enter the password to confirm. |
    | Name | Your name. Up to 100 characters. |
    | Email Address | (Optional) Your email address. |
    | Phone Number | (Optional) Your phone number. |

  2. Click Create.

Step 3: Authorize the account to access the host

  1. Find the bastion host account and click Authorize Host in the Actions column. This opens the Bastionhost console.

  2. On the Users page, find the account and click Authorize Hosts in the Actions column.

  3. On the Authorized Hosts tab, click Authorize Hosts.

  4. In the Authorize Hosts panel, select the ApsaraDB for MyBase host and click OK.

After authorization is complete, return to the Authorize Host wizard and click View Authorized Hosts in the Authorized Host column to confirm the hosts accessible with this account.

Step 4: SSH into the bastion host

Run the following command in your terminal to connect to the bastion host:

ssh <Username>@<Bastion host O&M address> -p<Bastion host port>

| Placeholder | Description | Example |
| --- | --- | --- |
| <Username> | The username of the bastion host account | test |
| <Bastion host O&M address> | The public endpoint of the bastion host, found on the Bastion Hosts page | wdd*****-public.bastionhost.aliyuncs.com |
| <Bastion host port> | The port number of the bastion host. Default: 60022 | 60022 |

Example:

ssh test@wdd*****-public.bastionhost.aliyuncs.com -p60022

When prompted, enter the password of the bastion host account.

The first time you connect, you may see a fingerprint verification prompt similar to the following. This is expected. Enter yes to continue.

The authenticity of host 'wdd*****-public.bastionhost.aliyuncs.com' can't be established.
ECDSA key fingerprint is SHA256:...
Are you sure you want to continue connecting (yes/no)?

After you authenticate, move the pointer over the ApsaraDB for MyBase host and press Enter to connect.
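
The fingerprint shown in the first-connection prompt in Step 4 can also be checked before the first login. The script below is an added example, not part of the original page: it compares the bastion host's scanned ECDSA key with a fingerprint obtained from a trusted source, pins the key in a dedicated known_hosts file, and connects with strict host key checking. The trusted fingerprint, the known_hosts path, the script name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. The trusted fingerprint, the
# known_hosts path and all function names are assumptions.

# Reads `ssh-keygen -lf` output on stdin, one key per line in the form
# "<bits> <fingerprint> <comment> (<type>)". Succeeds only if at least one
# key is listed and every listed key has the trusted fingerprint.
fingerprints_match() {
    trusted=$1
    seen=0
    while read -r _bits fp _rest; do
        [ "$fp" = "$trusted" ] || return 1
        seen=1
    done
    [ "$seen" -eq 1 ]
}

# known_hosts and ssh-keyscan write a non-default port as "[host]:port".
known_hosts_name() {
    if [ "$2" = 22 ]; then printf '%s\n' "$1"; else printf '[%s]:%s\n' "$1" "$2"; fi
}

# Scan the bastion's ECDSA key, compare it with the trusted fingerprint, and
# only then pin it and connect with strict host key checking.
pin_and_connect() {
    user=$1 host=$2 port=$3 want=$4
    kh="$HOME/.ssh/known_hosts_bastion"   # assumed dedicated file
    scan=$(mktemp) || return 1
    ssh-keyscan -p "$port" -t ecdsa "$host" > "$scan" 2>/dev/null
    if ssh-keygen -lf "$scan" | fingerprints_match "$want"; then
        cat "$scan" >> "$kh"
        rm -f "$scan"
        ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$kh" \
            -p "$port" "$user@$host"
    else
        rm -f "$scan"
        echo "key for $(known_hosts_name "$host" "$port") does not match" >&2
        return 1
    fi
}

# Usage: sh pin_bastion.sh <Username> <O&M address> <port> <SHA256:fingerprint>
if [ "$#" -eq 4 ]; then pin_and_connect "$@"; fi
```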