Bastionhost is available in the Basic edition and HA edition. This topic describes the differences between these editions.

Background information

Bastionhost Basic Edition provides basic features, including two-factor authentication, O&M authorization, high-risk command blocking, and O&M audit. These features help small- and medium-sized enterprises ensure basic O&M security and meet the requirements of classified protection.

Bastionhost HA Edition is suitable for large enterprises and for enterprises in sectors that have high requirements for O&M security, such as the public service, finance, gaming, online education, and information technology sectors. Bastionhost HA Edition supports the O&M features that are provided by Bastionhost Basic Edition. Bastionhost Enterprise Edition also provides the following features to meet higher requirements for business O&M security:

Bastionhost HA Edition has the following advantages over Bastionhost Basic Edition:
  • More O&M functionality. For example, Bastionhost Enterprise Edition allows you to perform O&M operations on databases by using a web terminal. Bastionhost Enterprise Edition also supports automatic password change. You can use automatic password change to rotate passwords at regular intervals, which improves password security.
  • Higher business stability. Bastionhost Enterprise Edition uses a dual-engine architecture in which both engines are active, and it offers a Service Level Agreement (SLA) of 99.95%.
  • Higher processing performance. Bastionhost Enterprise Edition can maintain up to 10,000 hosts. Bastionhost Basic Edition can maintain only up to 500 hosts.
  • More bandwidth and storage. Bastionhost Enterprise Edition offers you a better O&M experience.

Bastionhost features

Note: In the following table, a tick (√) indicates that a feature is supported and a cross (×) indicates that a feature is not supported.

| Feature | Description | Basic | HA | References |
| --- | --- | --- | --- | --- |
| Architecture | The dual-engine and high-availability architecture ensures business and monitoring stability. | × | √ | Benefits |
| Auto scaling | You can increase bandwidth and storage based on your business requirements. | √ | √ | Billing |
| Deployment | You can deploy a bastion host outside China. You can switch between simplified Chinese, traditional Chinese, and English based on your business requirements. Two-factor authentication supports the mobile phone numbers that are provided by telecom carriers outside China. | √ | √ | Which countries and regions support the SMS-based two-factor authentication feature of Bastionhost? |
| User and asset management | You can assign multiple roles to users. | √ | √ | None |
| | You can synchronize users from Resource Access Management (RAM), Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and Azure Active Directory (Azure AD). You can also import multiple users from a file at a time. | √ | √ | Manage users |
| | You can manage Windows or Linux servers and use the following protocols for O&M: SSH, Remote Desktop Protocol (RDP), and SSH File Transfer Protocol (SFTP). | √ | √ | Add hosts |
| | You can perform O&M and audit operations on ApsaraDB RDS for MySQL instances, ApsaraDB RDS for SQL Server instances, ApsaraDB RDS for PostgreSQL instances, and self-managed databases. | × | √ | None |
| | You can import multiple hosts at a time. You can import Alibaba Cloud Elastic Compute Service (ECS) instances by using a file or with a few clicks. | √ | √ | Add hosts |
| | You can maintain ApsaraDB MyBase dedicated clusters, servers that are deployed on the cloud, and servers in data centers. | √ | √ | None |
| | You can implement two-factor authentication in multiple regions. Email- and SMS-based two-factor authentication is supported. | √ | √ | Enable two-factor authentication |
| | You can verify logons to your bastion host based on dynamic verification codes on apps. | √ | √ | None |
| | You can manually change the password of a Linux host account or create an automatic password change task to change the password on a regular basis. | × | √ | Use the automatic password change feature |
| O&M management | This feature allows you to log on to your bastion host by using a client, such as a Windows Remote Desktop, XShell, SecureCRT, or PuTTY client, to access graphical or character devices. This feature records O&M operations and allows you to play back the recordings. | √ | √ | RDP-based O&M and SSH-based O&M |
| | This feature allows you to log on to your bastion host by using a local SFTP client, such as WinSCP, Xftp, and SecureFX, to perform O&M operations. | √ | √ | Perform SFTP-based O&M |
| | This feature allows you to log on to the O&M portal to maintain assets on which you have permissions on a web page. You can also use a one-time password (OTP) token to log on to the O&M portal as a local user. | √ | √ | None |
| | This feature allows you to maintain servers on a web page. | × | √ | Use the host O&M feature |
| | This feature monitors O&M sessions in real time and can block O&M sessions. | √ | √ | Search for real-time monitoring sessions and view session details and Block sessions |
| | This feature controls the upload and download operations in the RDP clipboard, and mapping operations in RDP. | √ | √ | Create a control policy |
| | This feature allows you to block and approve important command policies. | √ | √ | |
| | This feature controls the following operations when you perform O&M operations by using a local SFTP client: upload, download, delete, and rename files, and create and delete folders. | √ | √ | |
| Operation audit | This feature records operations logs and allows you to audit and play back the recordings. | √ | √ | Search for sessions and view session details |
| | This feature allows you to audit the transfer of files. | √ | √ | |
| | This feature allows you to generate O&M reports and export O&M reports to PDF, HTML, or Word files. | √ | √ | O&M reports |
| API operation | This feature allows you to call API operations. | √ | √ | List of operations by function |