This topic provides answers to some frequently asked questions about the basic configurations of Bastionhost.

How do I go to the management page of a bastion host?

  1. Log on to the Bastionhost console.
  2. In the top navigation bar, select the region in which your bastion host resides.
  3. In the left-side navigation pane, click Instances.
  4. On the Instances page, find the bastion host that you want to manage and click Manage.

Why am I unable to view a bastion host after it is purchased?

You may have selected an incorrect region. In the top navigation bar of the Bastionhost console, select the region in which your bastion host resides.

What are the configurations to allow access to an ECS instance only from a bastion host?

Use the method that matches where the server is deployed:

  • Create a security group rule for the Elastic Compute Service (ECS) instance to allow access only from the egress IP addresses of a bastion host. Alternatively, use Cloud Firewall to set limits on access.
    You can obtain the egress IP addresses of a bastion host in the Bastionhost console.
  • For a server deployed on a cloud that is provided by a third-party cloud service provider or in a data center, you can configure policies on access control devices such as a firewall to allow access only from a bastion host.

Does a bastion host support only access by using a domain name?

To ensure the security of the Bastionhost console, a bastion host of V3.2.X supports access only by using a domain name. A bastion host of V3.1 or V2 supports access by using an IP address.

How do I allow access from the egress IP addresses of a bastion host in a security group of an ECS instance?

Before you use a bastion host to perform O&M operations on an ECS instance, you must create a security group rule for the ECS instance to allow access from the egress IP addresses of the bastion host. After the rule is created, the bastion host can communicate with the ECS instance, and you can use the bastion host to perform O&M operations on the ECS instance. Perform the following steps to create the security group rule:
  1. Log on to the Bastionhost console.
  2. In the top navigation bar, select the region in which your bastion host resides.
  3. In the left-side navigation pane, click Instances.
  4. On the Instances page, find the bastion host that you want to use and move the pointer over Egress IP.
  5. Copy and save the public and private IP addresses of the bastion host.
  6. Create a security group rule for the ECS instance to allow access from the public and private IP addresses. For more information, see Add a security group rule.
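
The following added example (not part of the original documentation) audits a set of security group rules and reports any rule that accepts SSH or RDP traffic from a source other than a single bastion host egress address, which is the restriction described here and in the earlier question about allowing access only from a bastion host. The IP addresses and rules are constructed samples, and the rule field names are assumed to follow the Permission entries returned by the ECS DescribeSecurityGroupAttribute API.

```python
import ipaddress

# Constructed sample values: documentation-range addresses, not real bastion IPs.
BASTION_EGRESS_IPS = ["203.0.113.10", "10.0.0.25"]
ADMIN_PORTS = {22, 3389}  # standard SSH and RDP ports on the ECS instance

# Constructed rules; field names are assumed to match the Permission entries
# of the ECS DescribeSecurityGroupAttribute response.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "203.0.113.10/32"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "10.0.0.25"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "10.0.0.0/8"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
]

def covers_admin_port(rule):
    """True if the rule's protocol and port range include an admin port."""
    if rule["IpProtocol"].upper() not in ("TCP", "ALL"):
        return False
    low, high = (int(p) for p in rule["PortRange"].split("/"))
    if low == -1:  # -1/-1 means every port
        return True
    return any(low <= port <= high for port in ADMIN_PORTS)

def non_bastion_admin_rules(rules, bastion_ips):
    """Return Accept ingress rules that open an admin port to a non-bastion source."""
    allowed = {ipaddress.ip_address(ip) for ip in bastion_ips}
    findings = []
    for rule in rules:
        if (rule["Direction"] != "ingress" or rule["Policy"].lower() != "accept"
                or not covers_admin_port(rule)):
            continue
        # Rules without a CIDR source (for example, a source security group)
        # are treated as open to any address so that they get reviewed.
        source = ipaddress.ip_network(rule.get("SourceCidrIp") or "0.0.0.0/0", strict=False)
        if not (source.num_addresses == 1 and source.network_address in allowed):
            findings.append(rule)
    return findings

if __name__ == "__main__":
    for r in non_bastion_admin_rules(SAMPLE_RULES, BASTION_EGRESS_IPS):
        print("not bastion-only:", r["PortRange"], r["SourceCidrIp"])
```

If the ECS instance listens for SSH or RDP on a non-standard port, add that port to `ADMIN_PORTS` before running the audit.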

How do I disable public O&M for a bastion host?

  1. Log on to the Bastionhost console.
  2. In the top navigation bar, select the region in which your bastion host resides.
  3. In the left-side navigation pane, click Instances.
  4. On the Instances page, find the bastion host for which you want to disable public O&M and click the Disable icon.

Can I directly connect to the IP address of an ECS instance after I purchase a bastion host?

By default, no control policies on IP addresses of ECS instances are configured on bastion hosts. If no access control policy is configured on the ECS instance, you can connect to the IP address of the ECS instance.
Note: To ensure the compliance and integrity of server O&M, we recommend that you configure access control policies to allow only bastion host-based O&M operations on the ECS instance. For more information, see Create a control policy.

What ports are enabled for a bastion host? Can I change these ports?

By default, the following ports are enabled for a bastion host:
  • HTTPS port 443 for accessing the web console
  • Port 60022 for SSH-compliant O&M
  • Port 63389 for RDP-compliant O&M
  • Port 9443 for auditing
Note: You cannot change these ports in Bastionhost V2 and V3.1. You can change these ports in Bastionhost V3.2. Ports 1 to 1024 are reserved for Bastionhost. Do not change the default ports of a bastion host to ports in this reserved range.

How do I access an ECS instance from my bastion host by using a private IP address?

You can use one of the following methods:
  • Method 1: Import an ECS instance. By default, you access the ECS instance by using a private IP address. For more information, see Import ECS instances.
  • Method 2: Change the IP address type of the ECS instance to private. Perform the following steps:
    1. In the left-side navigation pane of the console of your bastion host, choose Assets > Hosts. On the Hosts page, select the host whose O&M IP address you want to change and choose Batch > Modify O&M IP Address.
    2. In the Modify O&M IP Address dialog box, set Host IP Address Type to Private IP Address and click OK.

How do I configure my bastion host if I want to access an ECS instance by using a port other than the SSH- or RDP-compliant standard port?

Bastionhost allows you to customize O&M ports. You can change the O&M port in the console of your bastion host. Perform the following steps:
  1. In the left-side navigation pane of the console of your bastion host, choose Assets > Hosts. On the Hosts page, select the host whose O&M port you want to change and choose Batch > Modify O&M Port.
  2. In the Modify O&M Port dialog box, configure the Protocol and Port parameters and click OK.