This topic describes how to create a host account for an ApsaraDB RDS for SQL Server instance. You can use the created host account in the Bastionhost console to connect to and manage the hosts on which the RDS instance and its secondary RDS instance run.

Prerequisites

  • The RDS instance runs one of the following SQL Server versions and RDS Editions:
    • SQL Server 2017 EE or 2019 EE on RDS Cluster Edition
    • SQL Server 2012 SE, 2012 EE, 2016 SE, 2016 EE, 2017 SE, or 2019 SE on RDS High-availability Edition
  • The RDS instance belongs to the general-purpose instance family or the dedicated instance family.
  • Your Alibaba Cloud account is used to log on to the ApsaraDB RDS console.
  • The RDS instance was created on or after January 1, 2021.
Note
  • Host accounts are available only to specific customers. If you want to use host accounts, you must submit a ticket or contact your customer manager.
  • You can view the Creation Time of the RDS instance in the Status section of the Basic Information page.

Precautions

Warning: The host account of an RDS instance has the highest management permissions on the RDS instance. After you create a host account for an RDS instance, ApsaraDB RDS does not provide the service availability that is specified in the Alibaba Cloud service level agreement (SLA) for the RDS instance.
  • RDS instances in the CloudTmall system do not support host accounts.
  • The following usernames cannot be used for host accounts:
    root|admin|eagleye|master|aurora|sysadmin|administrator|mssqld|public|securityadmin|serveradmin|setupadmin|processadmin|diskadmin|dbcreator|bulkadmin|tempdb|msdb|model|distribution|mssqlsystemresource|guest|add|except|percent|all|exec|plan|alter|execute|precision|and|exists|primary|any|exit|print|as|fetch|proc|asc|file|procedure|authorization|fillfactor|public|backup|for|raiserror|begin|foreign|read|between|freetext|readtext|break|freetexttable|reconfigure|browse|from|references|bulk|full|replication|by|function|restore|cascade|goto|restrict|case|grant|return|check|group|revoke|checkpoint|having|right|close|holdlock|rollback|clustered|identity|rowcount|coalesce|identity_insert|rowguidcol|collate|identitycol|rule|column|if|save|commit|in|schema|compute|index|select|constraint|inner|session_user|contains|insert|set|containstable|intersect|setuser|continue|into|shutdown|convert|is|some|create|join|statistics|cross|key|system_user|current|kill|table|current_date|left|textsize|current_time|like|then|current_timestamp|lineno|to|current_user|load|top|cursor|national|tran|database|nocheck|transaction|dbcc|nonclustered|trigger|deallocate|not|truncate|declare|null|tsequal|default|nullif|union|delete|of|unique|deny|off|update|desc|offsets|updatetext|disk|on|use|distinct|open|user|distributed|opendatasource|values|double|openquery|varying|drop|openrowset|view|dummy|openxml|waitfor|dump|option|when|else|or|where|end|order|while|errlvl|outer|with|escape|over|writetext||dbo|login|sys|drc_rds

Procedure

Step 1: Create a host account

  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Accounts.
  3. On the Host Accounts tab, click Create Account and configure the following parameters.
    • Host Account Name: Enter the username of the account. The username must be 2 to 64 characters in length and can contain lowercase letters, digits, and underscores (_). The username must start with a lowercase letter and end with a lowercase letter or a digit.
    • Account Type: Select Standard Account.
    • Password: Enter the password of the account. The password must meet the following requirements:
      • The password must be 8 to 32 characters in length.
      • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
      • The password can contain any of the following special characters: ! @ # $ % ^ & * ( ) _ + - =
    • Confirm Password: Enter the password of the account again.
    • Description: Enter a description that helps identify the account. The description can be up to 256 characters in length.
  4. Select I have read and agree to the changes to the RDS Service Level Agreement caused by the creation of a host account.
  5. Click OK.
  6. Optional. Click Reset Password or Delete in the Actions column to reset the password of the host account or delete the host account.
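
A pre-flight check for the host account name and password rules in Step 1, as an added example that is not part of the original documentation or of any Alibaba Cloud tool. The function names are hypothetical, RESERVED_EXCERPT holds only part of the reserved-name list from the Precautions section, and rejecting password characters outside the listed set is an assumption about how the console applies "can contain".

```python
import string

# Constructed excerpt of the pipe-separated reserved-name list on this page
# (note the empty "||" entry); paste the full list here for real use.
RESERVED_EXCERPT = "root|admin|sysadmin|administrator|public|guest|writetext||dbo|login|sys|drc_rds"

LOWER, UPPER, DIGITS = (set(s) for s in (string.ascii_lowercase,
                                         string.ascii_uppercase, string.digits))
SPECIALS = set("!@#$%^&*()_+-=")  # special characters listed in the Password row


def parse_reserved(raw):
    """Split the pipe-separated list, dropping empty entries and duplicates."""
    return {name for name in raw.split("|") if name}


def check_username(name, reserved):
    """Return the list of rule violations for a host account name."""
    problems = []
    if not 2 <= len(name) <= 64:
        problems.append("length must be 2 to 64")
    if not set(name) <= LOWER | DIGITS | {"_"}:
        problems.append("only lowercase letters, digits and underscores")
    if name and name[0] not in LOWER:
        problems.append("must start with a lowercase letter")
    if name and name[-1] not in LOWER | DIGITS:
        problems.append("must end with a lowercase letter or digit")
    if name in reserved:
        problems.append("reserved username")
    return problems


def check_password(password):
    """Return the list of rule violations for a host account password."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8 to 32")
    chars = set(password)
    if sum(bool(chars & group) for group in (UPPER, LOWER, DIGITS, SPECIALS)) < 3:
        problems.append("needs at least three character types")
    if chars - (UPPER | LOWER | DIGITS | SPECIALS):  # assumption: others rejected
        problems.append("contains a character outside the allowed set")
    return problems


if __name__ == "__main__":
    reserved = parse_reserved(RESERVED_EXCERPT)
    for candidate in ("ops_rdp01", "sysadmin", "Ops_"):  # constructed samples
        print(candidate, check_username(candidate, reserved))
    print(check_password("Rds-Host=2024"), check_password("alllowercase"))
```

An empty result list means the value passes every rule stated in this topic; the console remains the final authority on what it accepts.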

Step 2: Configure a bastion host

After you create a host account, you must configure a bastion host in the Bastionhost console to connect to and manage the hosts on which the RDS instance and its secondary RDS instance run.

  1. Create a bastion host. For more information, see Purchase a bastion host.
    Note: The bastion host needs to connect to the RDS instance over an internal network. Make sure that the bastion host resides in the same region as the RDS instance.
  2. Run the bastion host.
    1. Log on to the Bastionhost console.
    2. In the top navigation bar, select the region where the bastion host resides.
    3. Find the bastion host and click Run on the right.
    4. Select a VPC and a vSwitch in the Select Network section, select a security group in the Select Security Group section, and then click Next.
      • Virtual private cloud (VPC): Select the VPC to which the RDS instance belongs. You can check the VPC of the RDS instance on the Database Connection page in the ApsaraDB RDS console.
      • vSwitch: Select a vSwitch that is associated with the specified VPC.
      • Security group: Select the security group that you want to use to manage the connection between the bastion host and the Elastic Compute Service (ECS) instance. You cannot use this security group to manage the connections between the bastion host and the hosts of the RDS instance and its secondary RDS instance. You can select one of the available security groups.
  3. Import the hosts of the RDS instance and its secondary RDS instance into the bastion host.
    1. Find the bastion host and click Manage on the right side of the bastion host.
    2. Choose Assets > Hosts and select Import Hosts From Dedicated Clusters from the Import Other Hosts drop-down list.
    3. Enter the ID of the RDS instance in the search box, select the RDS instance and its secondary RDS instance, and then click Import.
      Note: In the search results, the hosts of the RDS instance are named rdsId_master and rdsId_slave. The rdsId_master host is the host of the primary RDS instance and the rdsId_slave host is the host of the secondary RDS instance.
  4. Create a bastion host user that is used to log on to the Bastionhost console.
    1. Choose Users > Users and select Create User from the Import Other Users drop-down list.
    2. Specify the information of the user. The user information includes Username and Password. Then, click Create.
      Note: For more information, see Add a local user.
  5. Grant the permissions on the imported hosts to the bastion host user.
    1. Find the bastion host user and click Authorize Hosts in the Actions column.
    2. On the Authorized Hosts tab, click Authorized Hosts, select the imported hosts, and then click OK.
  6. Create host accounts for the imported hosts.
    1. Choose Assets > Hosts, find the imported hosts, and then click Create Host Account in the Actions column to add host accounts for the hosts of the RDS instance and its secondary RDS instance.
    2. In the Create Host Account dialog box, configure the following parameters.
      • Protocol: Select RDP.
      • Logon Name: Enter the username of the host account. The username must be the same as the username of the host account that you created in the "Step 1: Create a host account" section of this topic.
      • Authentication Type: Select Password.
      • Password: Enter the password of the host account. The password must be the same as the password that you specified in the "Step 1: Create a host account" section of this topic.
  7. Grant the permissions on the imported hosts to the host accounts that you created.
    1. Choose Users > Users, find the created bastion host user, and then click the username of the bastion host user to go to the Basic Information page.
    2. Click the Authorized Hosts tab. Then, click "None. Authorize accounts" in the Authorized accounts column to grant permissions on the imported hosts to the host accounts that are created in Step 6.

Step 3: Connect to the hosts of the RDS instance and its secondary RDS instance in the Bastionhost console

  1. Log on to the Bastionhost console.
  2. In the top navigation bar, select the region where the bastion host resides.
  3. Obtain the public endpoint of the bastion host.
  4. Log on to the bastion host.
    • If you use a Windows operating system, perform the following operations:
      1. Open Remote Desktop Connection and enter the public endpoint and port number 63389 of the bastion host for the Computer parameter. The value of this parameter must be in the following format: xxxx.bastionhost.aliyuncs.com:63389.
        Note: You can press Ctrl+Q to open Remote Desktop Connection.
      2. Enter the username and password of the bastion host user.
        Note: The username and password must be the same as the username and password that you specified in the "Step 2: Configure a bastion host" section of this topic.
    • If you use a macOS operating system, perform the following operations:

      We recommend that you use the Microsoft Remote Desktop tool to connect to the bastion host. You must configure the following parameters: Connection name, PC name, User name, and Password.

      • Connection name: The name of the connection. Enter a custom connection name. Sample value: ServerHostConnection
      • PC name: The public endpoint and port number of the bastion host. Sample value: xxxx.bastionhost.aliyuncs.com:63389
      • User name and Password: The username and password of the bastion host user. For more information, see the "Step 2: Configure a bastion host" section of this topic. Sample value: User name: testuser
  5. Double-click the host of the RDS instance or its secondary RDS instance. Then, the bastion host connects to the host.