All Products
Search
Document Center

Bastionhost:Best practices for secure O&M over an internal network

Last Updated:Jul 27, 2023

This topic describes how to use Bastionhost to perform secure O&M over an internal network.

Background information

With the increase of service security requirements, service access only over internal networks has become a key security requirement in enterprises. How to ensure O&M security by allowing O&M engineers who are working from office, on business trips, or working from home to access service only over internal networks has become a key issue.

Solution

To ensure secure O&M access over an internal network, Bastionhost allows you to disable Internet access. This way, O&M engineers can access a bastion host only over an internal network.

Bastionhost supports multiple types of internal network access.

  • If an O&M engineer works from office and the company uses a leased line is to connect to a bastion host to establish an internal network connection, the O&M engineer can use the leased line to access the bastion host to perform O&M over an internal network after you enable only the internal endpoint of the bastion host

  • If an O&M engineer is on a business trip or works from home, you can disable the public endpoint of a bastion host and enable only the internal endpoint, and use Secure Access Service Edge (SASE) to connect to the bastion host or establish an SSL-VPN connection with the bastion host. This way, the O&M engineer can access the bastion host to perform secure O&M over the internal network.

Step 1: Disable the public endpoint of a bastion host and enable only the internal endpoint

  1. Log on to the Bastionhost console.
  2. In the top navigation bar, select a region.

  3. In the bastion host list, find the bastion host that you want to manage and turn off the switch on the right side of the public endpoint of the bastion host.

Step 2: Perform secure O&M over an internal network

Scenario 1: Perform O&M over the internal network of a company

If a company uses a leased line to connect to the bastion host to establish an internal network connection, an O&M engineer can use an O&M client to access the internal network by using the internal endpoint of the bastion host after the service terminal is connected to the internal network. For more information, see Overview.

Scenario 2: Perform O&M over an SSL-VPN connection to the bastion host

The following example describes how to establish an SSL-VPN connection to achieve internal network access.

Prerequisites

  • The ID of the virtual private cloud (VPC) and the ID of the vSwitch with which the bastion host is associated are obtained.

    You can log on to the Bastionhost console to view the ID of the VPC and the ID of the vSwitch with which the bastion host is associated.

  • The CIDR blocks of the VPC and vSwitch with which the bastion host are associated are obtained.

    You can log on to the VPC console, find the VPC and vSwitch with which the bastion host is associated, and then view the CIDR blocks of the bastion host.

  • The SSL-VPN feature is purchased. For more information, see SSL-VPN billing overview.

Procedure

  1. When you create an SSL-VPN server, configure the CIDR blocks of the VPC and vSwitch with which the bastion host is associated. For more information, see SSL-VPN overview.

  2. Use the SSL-VPN client to access the bastion host to perform asset O&M over the internal network.

    After the configuration is complete and the service terminal is connected to the SSL-VPN client, an O&M engineer can use an O&M client to access the internal network by using the internal endpoint of the bastion host. For more information, see Overview.