Bastionhost is available in the Basic edition and Enterprise edition. This topic describes the differences between these editions.

Background information

Bastionhost Basic Edition provides basic features, including two-factor authentication, O&M authorization, high-risk command blocking, and O&M audit. These features help small- and medium-sized enterprises ensure basic O&M security and meet the requirements of classified protection.

Bastionhost Enterprise Edition is suitable for large enterprises or enterprises in sectors that have high requirements for O&M security, such as the public service, finance, gaming, online education, and information technology sectors. Bastionhost Enterprise Edition supports the O&M features that are provided by Bastionhost Basic Edition and provides additional features to meet higher requirements for business O&M security.

Bastionhost Enterprise Edition has the following advantages over Bastionhost Basic Edition:
  • More O&M functionality. For example, Bastionhost Enterprise Edition allows you to perform O&M operations on databases by using a web terminal. Bastionhost Enterprise Edition also supports automatic password change. You can use automatic password change to rotate passwords at regular intervals, which improves password security.
  • Higher business stability. Bastionhost Enterprise Edition uses a dual-engine architecture. Both engines are active, which offers a Service Level Agreement (SLA) of 99.95%.
  • Higher processing performance. Bastionhost Enterprise Edition can maintain up to 10,000 hosts. Bastionhost Basic Edition can maintain only up to 500 hosts.
  • More bandwidth and storage. Bastionhost Enterprise Edition offers you a better O&M experience.

Bastionhost features

Note: In the following table, a cross (×) indicates that a feature is not supported and a tick (√) indicates that a feature is supported.

| Feature | Description | Basic | Enterprise | References |
| --- | --- | --- | --- | --- |
| Architecture | The dual-engine and high-availability architecture ensures business and monitoring stability. | × | √ | Benefits |
| Auto scaling | You can increase bandwidth and storage based on your business requirements. | √ | √ | Billing |
| Deployment | You can deploy a bastion host outside China. You can switch between simplified Chinese, traditional Chinese, and English based on your business requirements. Two-factor authentication supports the mobile phone numbers that are provided by telecom carriers outside China. | √ | √ | Which countries and regions support the SMS-based two-factor authentication feature of Bastionhost? |
| User and asset management | You can assign multiple roles to users. | √ | √ | None |
| User and asset management | You can synchronize users from Resource Access Management (RAM), Active Directory (AD), Lightweight Directory Access Protocol (LDAP), and Azure Active Directory (Azure AD). You can also import multiple users from a file at a time. | √ | √ | Manage users |
| User and asset management | You can manage Windows or Linux servers and use the following protocols for O&M: SSH, Remote Desktop Protocol (RDP), and SSH File Transfer Protocol (SFTP). | √ | √ | Add hosts |
| User and asset management | You can perform O&M and audit operations on ApsaraDB RDS for MySQL instances, ApsaraDB RDS for SQL Server instances, ApsaraDB RDS for PostgreSQL instances, and self-managed databases. | × | √ | Use the database management feature |
| User and asset management | You can import multiple hosts at a time. You can import Alibaba Cloud Elastic Compute Service (ECS) instances by using a file or with a few clicks. | √ | √ | Add hosts |
| User and asset management | You can perform O&M operations on hosts of ApsaraDB MyBase dedicated clusters, servers that are deployed on the cloud, and servers in data centers. | √ | √ | None |
| User and asset management | You can implement two-factor authentication in multiple regions. Email- and SMS-based two-factor authentication is supported. | √ | √ | Enable two-factor authentication |
| User and asset management | You can verify logons to your bastion host based on dynamic verification codes on apps. | √ | √ | Enable two-factor authentication |
| User and asset management | You can manually change the password of a Linux host account or create an automatic password change task to change the password on a regular basis. | × | √ | Use the automatic password change feature |
| O&M management | This feature allows you to log on to your bastion host by using a client, such as a Windows Remote Desktop, XShell, SecureCRT, or PuTTY client, to access graphical or character devices. This feature records O&M operations and allows you to play back the recordings. | √ | √ | RDP-based O&M and SSH-based O&M |
| O&M management | This feature allows you to log on to your bastion host by using a local SFTP client, such as WinSCP, Xftp, and SecureFX, to perform O&M operations. | √ | √ | Perform SFTP-based O&M |
| O&M management | This feature allows you to log on to the O&M portal to maintain assets on which you have permissions on a web page. You can also use a one-time password (OTP) token to log on to the O&M portal as a local user. | √ | √ | O&M overview |
| O&M management | This feature allows you to maintain servers on a web page. | × | √ | Use the host O&M feature |
| O&M management | This feature monitors O&M sessions in real time and can block O&M sessions. | √ | √ | Search for real-time monitoring sessions and view session details; Block sessions |
| O&M management | This feature controls the upload and download operations in the RDP clipboard, and mapping operations in RDP. | √ | √ | Create a control policy |
| O&M management | This feature allows you to block and approve important command policies. | √ | √ | |
| O&M management | This feature controls the following operations when you perform O&M operations by using a local SFTP client: upload, download, delete, and rename files, and create and delete folders. | √ | √ | |
| Operation audit | This feature records operations logs and allows you to audit and play back the recordings. | √ | √ | Search for sessions and view session details |
| Operation audit | This feature allows you to audit the transfer of files. | √ | √ | |
| Operation audit | This feature allows you to generate O&M reports and export O&M reports to PDF, HTML, or Word files. | √ | √ | View the O&M information on the O&M Reports page and export an O&M report |
| API operation | This feature allows you to call API operations. | √ | √ | List of operations by function |