Bastionhost is available in the Basic edition and HA edition. This topic describes the differences between these editions.
Background information
Bastionhost Basic Edition provides basic features, including two-factor authentication, O&M authorization, high-risk command blocking, and O&M audit. These features help small- and medium-sized enterprises ensure basic O&M security and meet the requirements of classified protection.
Bastionhost HA Edition is suitable for large-sized enterprises or enterprises in the sectors that have high requirements for O&M security, such as the public service, finance, gaming, online education, and information technology sectors. Bastionhost HA Edition supports the O&M features that are provided by Bastionhost Basic Edition. Bastionhost Enterprise Edition also provides the following features to meet higher requirements for business O&M security:
Bastionhost HA Edition has the following advantages over Bastionhost Basic Edition:
- More O&M functionality. For example, Bastionhost Enterprise Edition allows you to perform O&M operations on databases by using a web terminal. Bastionhost Enterprise Edition also supports automatic password change. You can use automatic password change to rotate passwords at regular intervals, which improves password security.
- Higher business stability. Bastionhost Enterprise Edition uses a dual-engine architecture. Both engines are active, which offers a Service Level Agreement (SLA) of 99.95%.
- Higher processing performance. Bastionhost Enterprise Edition can maintain up to 10,000 hosts. Bastionhost Basic Edition can maintain only up to 500 hosts.
- More bandwidth and storage. Bastionhost Enterprise Edition offers you better O&M experience.
Bastionhost features
Note In the following table, a tick (√) indicates that a feature is supported and a cross
(×) indicates that a feature is not supported.
| Feature | Description | Basic | HA | References |
|---|---|---|---|---|
| Architecture | The dual-engine and high-availability architecture ensures business and monitoring stability. |  |
 |
Benefits |
| Auto scaling | You can increase bandwidth and storage based on your business requirements. | |
|
Billing |
| Deployment | You can deploy a bastion host outside China. You can switch between simplified Chinese, traditional Chinese, and English based on your business requirements. Two-factor authentication supports the mobile phone numbers that are provided by telecom carriers outside China. | |
|
Which countries and regions support the SMS-based two-factor authentication feature of Bastionhost? |
| User and asset management | You can assign multiple roles to users. | |
|
None |
| You can synchronize users from Resource Access Management (RAM), Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and Azure Active Directory (Azure AD). You can also import multiple users from a file at a time. | |
|
Manage users | |
| You can manage Windows or Linux servers and use the following protocols for O&M: SSH, Remote Desktop Protocol (RDP), and SSH File Transfer Protocol (SFTP). | |
|
Add hosts | |
| You can perform O&M and audit operations on ApsaraDB RDS for MySQL instances, ApsaraDB RDS for SQL Server instances, ApsaraDB RDS for PostgreSQL instances, and self-managed databases. | |
|
None | |
| You can import multiple hosts at a time. You can import Alibaba Cloud Elastic Compute Service (ECS) instances by using a file or with a few clicks. | |
|
Add hosts | |
| You can maintain ApsaraDB MyBase dedicated clusters, servers that are deployed on the cloud, and servers in data centers. | |
|
None | |
| You can implement two-factor authentication in multiple regions. Email- and SMS-based two-factor authentication is supported. | |
|
Enable two-factor authentication | |
| You can verify logons to your bastion host based on dynamic verification codes on apps. | |
|
None | |
| You can manually change the password of a Linux host account or create an automatic password change task to change the password on a regular basis. | |
|
Use the automatic password change feature | |
| O&M management | This feature allows you to log on to your bastion host by using a client, such as a Windows Remote Desktop, XShell, SecureCRT, or PuTTY client, to access graphical or character devices. This feature records O&M operations and allows you to play back the recordings. | |
|
RDP-based O&M and SSH-based O&M |
| This feature allows you to log on to your bastion host by using a local SFTP client, such as WinSCP, Xftp, and SecureFX, to perform O&M operations. | |
|
Perform SFTP-based O&M | |
| This feature allows you to log on to the O&M portal to maintain assets on which you have permissions on a web page. You can also use a one-time password (OTP) token to log on to the O&M as a local user. | |
|
None | |
| This feature allows you to maintain servers on a web page. | |
|
Use the host O&M feature | |
| This feature monitors O&M sessions in real time and can block O&M sessions. | |
|
Search for real-time monitoring sessions and view session details and Block sessions | |
| This feature controls the upload and download operations in the RDP clipboard, and mapping operations in RDP. | |
|
Create a control policy | |
| This feature allows you to block and approve important command policies. | |
|
||
| This feature controls the following operations when you perform O&M operations by using a local SFTP client: upload, download, delete, and rename files, and create and delete folders. | |
|
||
| Operation audit | This feature records operations logs and allows you to audit and play back the recordings. | |
|
Search for sessions and view session details |
| This feature allows you to audit the transfer of files. | |
|
||
| This feature allows you to generate O&M reports and export O&M reports to PDF, HTML, or Word files. | |
|
O&M reports | |
| API operation | This feature allows you to call API operations. | |
|
List of operations by function |