Bastionhost:Best practices for using Bastionhost to perform O&M operations on NAT Gateway-protected assets

Last Updated:Jan 15, 2024

NAT Gateway is a common network service. Users often place assets behind NAT Gateway so that the assets have no public IP addresses of their own, and then use Bastionhost to manage and audit the O&M operations that are performed on those assets. This topic describes how to use Bastionhost to ensure secure O&M on assets that are protected by NAT Gateway.

Background information

To keep assets off the Internet and so reduce the attack surface of public IP addresses, or to make do with a small number of public IP addresses, users may deploy NAT Gateway so that assets are reached only through translated addresses. Bastionhost provides solutions to manage and audit O&M operations on assets that sit behind NAT Gateway.

Solutions

Bastionhost provides the following solutions:

  • Solution 1: Network domain mode

    Bastionhost Enterprise Edition supports the network domain feature. You deploy a proxy server that is reachable through the Internet NAT gateway and that can reach the assets over their private IP addresses, use the IP address of the gateway (together with the port that the gateway forwards to the proxy server) as the address of the proxy server, add the proxy server to Bastionhost, and then import the assets by their actual IP addresses. This way, you can manage and audit O&M operations on the assets that are protected by NAT Gateway.

  • Solution 2: Direct connection mode

    A bastion host can contain multiple assets that share the same IP address, as long as each asset is given a different port. For assets behind NAT Gateway, O&M users therefore identify an asset by the IP address of the Internet NAT gateway and the port that the gateway forwards to that asset. When you add the assets, configure the IP address of the Internet NAT gateway as the host IP address of each asset, set the service port of each asset to its DNAT port, and enter a different remark for each asset so that the assets can be told apart. This way, you can manage and audit O&M operations on the assets that are protected by NAT Gateway.

Compared with the direct connection mode, the network domain mode lets you import each asset by its actual IP address once the network domain feature is configured, and only the proxy server needs to be reachable through the gateway rather than every asset. This facilitates asset management and O&M.

Network domain mode

Prerequisites

A Bastionhost Enterprise Edition instance is used, because the network domain feature is provided by Enterprise Edition.

A proxy server that accepts SSH logons is deployed in the same network as the assets, and a DNAT entry on the Internet NAT gateway forwards a port of the gateway to the SSH port of the proxy server.

Procedure

  1. Add the asset to the bastion host by using its actual IP address. For more information, see Add hosts.

  2. Configure the network domain feature.

    1. In the left-side navigation pane, choose Assets > Network Domain.

    2. On the Network Domain page, click Create Network Domain.

    3. In the Create Network Domain panel, set Connection Method to Proxy.

    4. Click Create Proxy Server in the Primary Proxy Server section. In the dialog box that appears, configure the following parameters.

      • Proxy Type: Select the type of the proxy. We recommend that you select SSH Proxy.

      • Server Address: Enter the address at which Bastionhost reaches the proxy server. For a proxy server behind NAT Gateway, this is the IP address of the Internet NAT gateway, not the private IP address of the proxy server.

      • Server Port: Enter the port on the Internet NAT gateway that the DNAT entry forwards to the SSH port of the proxy server.

      • Host Account: Enter the username of the account on the proxy server that Bastionhost logs on with. An account dedicated to Bastionhost is recommended so that its logons can be told apart in the records of the proxy server.

      • Password: Enter the password of that account.

  3. Add the asset to the network domain.

    1. On the Network Domain page, find the network domain that you want to manage. In the Actions column, click Add Host.

    2. In the Add Host dialog box, select the assets that you want to add and click Add.

    3. In the message that appears, click Add.

After the configuration is complete, users can use the bastion host to access the asset and perform O&M operations. For more information, see O&M overview.

Direct connection mode

Prerequisites

A DNAT entry is configured on the Internet NAT gateway for each asset, mapping a distinct port of the gateway to the SSH port of the asset. For more information, see Configure DNAT on an Internet NAT gateway for an ECS instance.

Procedure

  1. In the left-side navigation pane, choose Assets > Host.

  2. On the Host page, choose Import Other Hosts > Create Host.

  3. In the Create Host panel, configure the following parameters and click Create.

    • Operating System: Select Linux.

    • Host IP Address: Enter the EIP that is associated with the Internet NAT gateway. Every asset behind the same gateway is created with this same address.

    • Remarks: Enter a remark that identifies the real asset, for example its private IP address or hostname. Because all assets behind the gateway share the host IP address, the remark and the service port are the only things that tell them apart in the host list.

  4. In the host list, find the host that you create and click the hostname.

  5. On the Service Port tab, enter the external port of the DNAT entry, that is, the port on the Internet NAT gateway that is forwarded to the asset (not the port on which the asset itself listens), and click Update.

After the configuration is complete, users can use the bastion host to access the asset and perform O&M operations. For more information, see O&M overview.
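The following script is an added example, not code from Alibaba Cloud or from Bastionhost, that works through both solutions above from a DNAT table of the gateway. The table and all addresses in it are constructed for the example. For direct connection mode it derives one Create Host entry per DNAT entry (host IP address = gateway EIP, service port = external DNAT port, remark = real host) and reports external ports that are reused, because two assets behind the same EIP and port cannot be distinguished. For network domain mode it derives the Create Proxy Server values from the DNAT entry that reaches the proxy server and lists the per-asset DNAT entries that are no longer needed once assets are imported by their private IP addresses.

```python
"""Plan Bastionhost asset entries for hosts behind an Internet NAT gateway.

Added example; the DNAT table below is constructed and every address is assumed.
"""
from dataclasses import dataclass
import socket


@dataclass(frozen=True)
class DnatEntry:
    """One DNAT entry: eip:external_port -> private_ip:internal_port."""
    eip: str
    external_port: int
    private_ip: str
    internal_port: int


SSH_PORT = 22

# Constructed sample DNAT table (assumed EIP and private addresses).
SAMPLE_DNAT = [
    DnatEntry("203.0.113.10", 2201, "10.0.1.11", 22),
    DnatEntry("203.0.113.10", 2202, "10.0.1.12", 22),
    DnatEntry("203.0.113.10", 2203, "10.0.1.13", 2222),  # sshd on a non-default port; still fine
    DnatEntry("203.0.113.10", 2202, "10.0.1.14", 22),    # reuses external port 2202: cannot be told apart
    DnatEntry("203.0.113.10", 22, "10.0.1.5", 22),       # SSH proxy server used in network domain mode
]


def direct_mode_hosts(dnat):
    """Direct connection mode: one Create Host entry per DNAT entry.

    Host IP Address is the gateway EIP, Service Port is the *external* DNAT
    port (not the port sshd listens on), and Remarks names the real host so
    that entries sharing the same IP stay distinguishable. Returns
    (host_entries, problems); an (EIP, external port) pair that appears twice
    is reported and skipped, because Bastionhost would only ever reach the
    host the gateway forwards that port to.
    """
    hosts, problems, seen = [], [], {}
    for e in dnat:
        key = (e.eip, e.external_port)
        if key in seen:
            problems.append(
                f"{e.eip}:{e.external_port} already forwards to {seen[key]}; "
                f"{e.private_ip} needs its own external port"
            )
            continue
        seen[key] = e.private_ip
        hosts.append({
            "operating_system": "Linux",
            "host_ip": e.eip,
            "service_port": e.external_port,
            "remarks": f"{e.private_ip}:{e.internal_port} via DNAT",
        })
    return hosts, problems


def network_domain_plan(dnat, proxy_private_ip, asset_private_ips, proxy_ssh_port=SSH_PORT):
    """Network domain mode: only the proxy server needs a DNAT entry.

    Returns (proxy_server_settings, redundant_dnat). The settings are the
    Create Proxy Server values (Server Address = EIP, Server Port = external
    port forwarded to the proxy's sshd). Assets are imported by their private
    IPs and reached through the proxy, so DNAT entries that exist only to
    expose an asset's sshd are returned as redundant. Raises ValueError when
    no DNAT entry reaches the proxy's SSH port.
    """
    proxy = next(
        (e for e in dnat if e.private_ip == proxy_private_ip and e.internal_port == proxy_ssh_port),
        None,
    )
    if proxy is None:
        raise ValueError(f"no DNAT entry forwards to {proxy_private_ip}:{proxy_ssh_port}; "
                         "Bastionhost cannot reach the proxy server")
    settings = {
        "proxy_type": "SSH Proxy",
        "server_address": proxy.eip,
        "server_port": proxy.external_port,
    }
    assets = set(asset_private_ips)
    redundant = [e for e in dnat if e.private_ip in assets]
    return settings, redundant


def tcp_reachable(host, port, timeout=3.0):
    """Pre-flight check that an EIP:port accepts TCP connections (needs network access)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    hosts, problems = direct_mode_hosts(SAMPLE_DNAT)
    for h in hosts:
        print("direct mode host:", h)
    for p in problems:
        print("PROBLEM:", p)
    settings, redundant = network_domain_plan(
        SAMPLE_DNAT, "10.0.1.5", ["10.0.1.11", "10.0.1.12", "10.0.1.13"])
    print("proxy server:", settings)
    print("DNAT entries no longer needed:", [(e.external_port, e.private_ip) for e in redundant])
```

Run it before adding hosts in the console: the problems list tells you which DNAT entries must be given their own external port in direct connection mode, and the redundant list shows which Internet-facing DNAT entries you can remove after switching to network domain mode, leaving only the proxy server exposed through the gateway. tcp_reachable is a convenience for checking that the gateway actually forwards the chosen port before you save the host or proxy server entry.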