Bastionhost is available in the following editions: Basic and Enterprise. This topic describes the features supported by different Bastionhost editions and the differences in features between the editions.
The following section describes the scenarios in which different editions are used and the advantages of different editions:
Bastionhost Basic Edition is suitable for small and medium-sized enterprises who own 50 to 500 assets of different types and require professional O&M. This edition provides fine-grained O&M capabilities, such as client-based O&M, fine-grained access control and authorization for O&M users, automatic high-risk command blocking, and real-time O&M session monitoring and blocking. Resource Access Management (RAM) users, Active Directory (AD)-authenticated users, and Lightweight Directory Access Protocol (LDAP)-authenticated users can be added to Bastionhost Basic Edition for management. Bastionhost Basic Edition can help small and medium-sized enterprises ensure basic O&M security.
Bastionhost Enterprise Edition is suitable for the large-sized enterprises and enterprises in the sectors that have high requirements for O&M security, such as the public service, finance, gaming, online education, and information technology sectors. Bastionhost Enterprise Edition supports the O&M features provided by Bastionhost Basic Edition. Bastionhost Enterprise Edition also provides the following features to meet higher requirements for O&M security. Bastionhost Enterprise Edition provides the following advantages:
Database O&M: O&M and authorization management is supported for ApsaraDB RDS instances, and self-managed databases and third-party databases that run MySQL, SQL Server, PostgreSQL, and Oracle.
Hybrid O&M: centralized O&M is supported in scenarios that involve different types of assets, such as assets in data centers, assets in third-party clouds, and cross-account assets.
Higher business stability: Bastionhost Enterprise Edition uses a dual-engine architecture. Both engines are active, which offers a Service Level Agreement (SLA) of 99.95%.
Other value-added capabilities: O&M portal-based O&M is supported. Automatic password change is supported for Linux assets, which improves password security.
The following table describes the features supported by Bastionhost Basic Edition and Bastionhost Enterprise Edition, and the differences in features between the editions.
In the following table, a cross () indicates that a feature is not supported and a tick () indicates that a feature is supported.
Uses a dual-engine and high-availability architecture to ensure the business and monitoring stability.
You can manage assets across multiple virtual private clouds (VPCs) in multiple regions by using a single console.
Self-managed networks are supported.
Self-managed networks and network domain proxies are supported.
This edition divides system accounts into privileged accounts and standard accounts. You can grant permissions and manage accounts based on the account types.
You can upgrade configurations such as the number of assets and storage capacity based on your business requirements.
You can deploy a bastion host outside the Chinese Mainland. You can switch between simplified Chinese, traditional Chinese, and English based on your business requirements. Two-factor authentication supports the mobile phone numbers that are provided by telecom carriers outside China.
User and asset management
You can assign multiple roles to users.
You can synchronize users from RAM, AD, LDAP, and Azure Active Directory (Azure AD). You can also import multiple users from a file at a time.
You can manage Windows or Linux servers and use the following protocols for O&M: SSH, Remote Desktop Protocol (RDP), and SSH File Transfer Protocol (SFTP).
You can perform O&M and audit operations on ApsaraDB RDS for MySQL instances, ApsaraDB RDS for SQL Server instances, ApsaraDB RDS for PostgreSQL instances, and self-managed databases.
You can import multiple hosts at a time. You can import Alibaba Cloud Elastic Compute Service (ECS) instances by using a file or with a few clicks.
You can perform O&M operations on hosts of ApsaraDB MyBase dedicated clusters, servers that are deployed on the cloud, and servers in data centers.
You can implement two-factor authentication in multiple regions. Email- and SMS-based two-factor authentication is supported.
You can verify logons to your bastion host based on dynamic verification codes on apps.
You can manually change the password of a Linux host account or create an automatic password change task to change the password on a regular basis.
This feature allows you to log on to your bastion host by using a client, such as a Windows Remote Desktop, XShell, SecureCRT, or PuTTY client, to access graphical or character devices. This feature records O&M operations and allows you to play back the recordings.
This feature allows you to log on to your bastion host by using a local SFTP client, such as WinSCP, Xftp, and SecureFX, to perform O&M operations.
This feature allows you to log on to the O&M portal to maintain assets on which you have permissions on a web page. You can also use a one-time password (OTP) token to log on to the O&M as a local user.
This feature allows you to maintain servers on a web page.
This feature monitors O&M sessions in real time and can block O&M sessions.
This feature controls the upload and download operations in the RDP clipboard, and mapping operations in RDP.
This feature allows you to block and approve important command policies.
This feature controls the following operations when you perform O&M operations by using a local SFTP client: upload, download, delete, and rename files, and create and delete folders.
This feature records operations logs and allows you to audit and play back the recordings.
This feature allows you to audit the transfer of files.
This feature allows you to generate O&M reports and export O&M reports to PDF, HTML, or Word files.
This feature allows you to call API operations.