A newly purchased bastion host instance is uninitialized. You must enable the instance before you can use it. This topic describes how to enable a bastion host instance.
Prerequisites
You have purchased a bastion host instance. For details, see Purchase an instance.
Procedure
Log on to the Bastionhost console.
When logging on to the Bastionhost console for the first time, you must create a service-linked role. This role allows Bastionhost to access other cloud resources to provide comprehensive security for your operations and maintenance (O&M) activities. Follow the on-screen instructions to create the role.
In the top menu bar, select the destination region. In the instance list, find the target instance and click Run.
In the Enable Bastion Host panel, configure the startup parameters.
Basic Edition
Parameter: Select Network
Select a virtual private cloud (VPC) and a vSwitch for the instance.
Select a VPC: The VPC cannot be changed after the instance is enabled. To ensure private network connectivity, use the same VPC for the Bastionhost instance and the ECS instances that you want to manage.
Select a vSwitch: Requires 3 available IPs. Ensure the vSwitch has sufficient capacity, or the instance will fail to enable. If enabling fails, try another vSwitch or create a new one.
Note: You can manually switch the zone of the vSwitch after it is selected. For instructions, see Configure a bastion host instance.
Parameter: ECS Security Groups
Select the security group of the ECS instances.
A bastion host instance must be added to at least one basic security group before it can be enabled. After the instance is added to a basic security group, an access rule is automatically generated to allow the instance to access the ECS assets in the security group.
An instance cannot be added to an advanced security group. You must manually configure access rules for the advanced security group to ensure network connectivity.
An instance cannot be added to a security group managed by a cloud service. If you have only security groups managed by cloud services, create a basic security group.
Note: After enabling the bastion host instance, you can change the security group to which it belongs. For instructions, see Configure a bastion host instance.
After you enable the bastion host instance, if its access to an asset is blocked by a security group, you can manually configure an access rule for the security group. To configure a security group rule, see Add a security group rule.
Enterprise Edition
Parameter: Select Network
Select a VPC for the bastion host instance.
The VPC cannot be changed after the instance is enabled. To ensure private network connectivity, use the same VPC for the bastion host instance and the ECS instances that you want to manage.
Parameter: Select vSwitch And Primary Zone
Supports active-active deployment across a primary and a secondary zone. Select a vSwitch in the primary zone for the bastion host instance.
An Enterprise Edition instance requires 4 available IPs. Ensure the vSwitch has sufficient capacity, or the instance will fail to enable. If enabling fails, try another vSwitch or create a new one for deployment.
Parameter: Select vSwitch And Secondary Zone
For disaster recovery, select a vSwitch in a secondary zone. If you do not select a secondary zone, a dual-engine deployment is used in the primary zone.
Parameter: ECS Security Groups
Select the security group of the ECS instances.
A bastion host instance must be added to at least one basic security group before it can be enabled. After the instance is added to a basic security group, an access rule is automatically generated to allow the instance to access the ECS assets in the security group.
An instance cannot be added to an advanced security group. You must manually configure access rules for the advanced security group to ensure network connectivity.
An instance cannot be added to a security group managed by a cloud service. If you have only security groups managed by cloud services, create a new basic security group.
Note: After enabling the bastion host instance, you can change the security group to which it belongs. For instructions, see Configure a bastion host instance.
After you enable the bastion host instance, if its access to an asset is blocked by a security group, you can manually configure an access rule for the security group. To configure a security group rule, see Add a security group rule.
Parameter: Private O&M Settings
Bastionhost works with Alibaba Cloud PrivateLink to establish a secure and stable private connection between a VPC and Bastionhost. This lets you access the O&M portal and perform web-based O&M over a private network, which improves connection security.
After you enable this feature, select an endpoint security group for the PrivateLink connection.
Note: If you do not enable private O&M when enabling the bastion host instance, you can still enable it later for web-based O&M over a private network. For details, see Configure a bastion host instance.
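As an added example that is not part of this page or of Bastionhost itself, the following Python preflight check encodes the enabling constraints from both edition tables (3 free IPs in the vSwitch for Basic Edition, 4 for Enterprise Edition; at least one basic security group; no advanced or cloud-service-managed groups) against JSON in the shape of the VPC DescribeVSwitches and ECS DescribeSecurityGroups responses. The field names AvailableIpAddressCount, SecurityGroupType and ServiceManaged, and the sample responses, are assumptions made for the example.

```python
import json
REQUIRED_IPS = {"basic": 3, "enterprise": 4}  # free IPs the page requires per edition

def vswitch_available_ips(vswitches_json, vswitch_id):
    """AvailableIpAddressCount of one vSwitch from a DescribeVSwitches response
    (assumed VPC API field names; e.g. `aliyun vpc DescribeVSwitches --VSwitchId <id>`)."""
    for vsw in json.loads(vswitches_json)["VSwitches"]["VSwitch"]:
        if vsw["VSwitchId"] == vswitch_id:
            return int(vsw["AvailableIpAddressCount"])
    raise KeyError(f"vSwitch {vswitch_id} not found")

def classify_security_groups(sgs_json, selected_ids):
    """Split selected groups into basic (eligible), advanced and service-managed
    (ineligible), using the assumed ECS DescribeSecurityGroups fields
    SecurityGroupType ("enterprise" = advanced group) and ServiceManaged."""
    by_id = {sg["SecurityGroupId"]: sg
             for sg in json.loads(sgs_json)["SecurityGroups"]["SecurityGroup"]}
    groups = {"basic": [], "advanced": [], "service_managed": []}
    for sg_id in selected_ids:
        sg = by_id[sg_id]
        if sg.get("ServiceManaged"):
            groups["service_managed"].append(sg_id)
        elif sg.get("SecurityGroupType") == "enterprise":
            groups["advanced"].append(sg_id)
        else:
            groups["basic"].append(sg_id)
    return groups

def preflight(edition, vswitches_json, vswitch_id, sgs_json, selected_sgs):
    """Return the problems that would make Enable fail; an empty list means OK."""
    problems = []
    have, need = vswitch_available_ips(vswitches_json, vswitch_id), REQUIRED_IPS[edition]
    if have < need:
        problems.append(f"{vswitch_id}: {have} free IPs, {edition} edition needs {need}")
    groups = classify_security_groups(sgs_json, selected_sgs)
    if not groups["basic"]:
        problems.append("no basic security group selected; at least one is required")
    problems += [f"{g}: advanced group, add its access rules manually" for g in groups["advanced"]]
    problems += [f"{g}: managed by a cloud service, create a basic group" for g in groups["service_managed"]]
    return problems

# Constructed sample responses in the shape of the two APIs (not real output).
SAMPLE_VSWITCHES = json.dumps({"VSwitches": {"VSwitch": [
    {"VSwitchId": "vsw-example-a", "AvailableIpAddressCount": 3},
    {"VSwitchId": "vsw-example-b", "AvailableIpAddressCount": 250}]}})
SAMPLE_SGS = json.dumps({"SecurityGroups": {"SecurityGroup": [
    {"SecurityGroupId": "sg-basic", "SecurityGroupType": "normal", "ServiceManaged": False},
    {"SecurityGroupId": "sg-adv", "SecurityGroupType": "enterprise", "ServiceManaged": False},
    {"SecurityGroupId": "sg-svc", "SecurityGroupType": "normal", "ServiceManaged": True}]}})
```

Run preflight with the real API responses before clicking Enable; each returned string names a condition from the tables above that the console would otherwise reject.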
Click Next. After the startup check is complete, click Enable.
After the instance is enabled, it is initialized, which typically takes 10 to 15 minutes. Once initialization is complete, the instance status changes to Running, indicating that the instance has been successfully enabled.
What to do next
After you enable the bastion host instance, find it in the instance list and click Manage to open the Bastionhost management console. For details, see Log on to the Bastionhost console.