Bastionhost: Enable a bastion host

Last Updated: Feb 02, 2024

After you purchase a bastion host, you must enable the bastion host to use its features. This topic describes how to enable a bastion host.

Background information

The newly purchased bastion host is uninitialized. You must enable the bastion host to use its features.

Note

If you have not purchased a bastion host, see Purchase a bastion host.

Procedure

  1. Log on to the console of the bastion host.

    When you log on to the Bastionhost console for the first time, you must create a service-linked role that is used to enable the bastion host features. You can create the role as prompted.

  2. In the top navigation bar, select a region.

  3. In the bastion host list, find the bastion host that you want to enable and click Enable.

  4. In the Enable panel, configure the parameters.

    Parameter

    Description

    Select Network

    Select a virtual private cloud (VPC) and vSwitch for the bastion host. Take note of the following items:

    • After the bastion host is enabled, you cannot change the VPC.

    • If the bastion host runs the Basic edition, you can manually change the zone of the vSwitch for the bastion host. If the bastion host runs the Enterprise edition, you can configure a vSwitch in a primary zone and a vSwitch in a secondary zone for the bastion host.

      Important

      When you select a vSwitch, make sure that the vSwitch has sufficient available IP addresses. A bastion host of the Basic edition occupies three available IP addresses of a vSwitch. A bastion host of the Enterprise edition occupies five available IP addresses of a vSwitch.

    • To ensure that the bastion host can communicate with the Elastic Compute Service (ECS) instance that you want to maintain over an internal network, we recommend that you select the VPC in which the ECS instance resides.

    • If the selected vSwitch cannot provide the required resources, the bastion host fails to be enabled. In this case, select another vSwitch and enable the bastion host again. You can also create a vSwitch to use before you enable the bastion host. For more information, see Create a vSwitch.

    Select Security Group

    Select the security group of the required ECS instances. Take note of the following items:

    • A bastion host must be added to at least one basic security group before the bastion host can be enabled. After the bastion host is enabled, you can modify the security groups to which the bastion host belongs. After a bastion host is added to a basic security group, a security group rule is automatically generated to allow the bastion host to access all ECS instances in the security group.

    • You can also manually configure a security group rule for a bastion host. After you configure a security group rule for the bastion host, you do not need to add the bastion host to a security group.

    • You cannot add a bastion host to an advanced security group. You must manually configure a rule for an advanced security group to implement network communication.

    • You cannot add a bastion host to the security groups managed by cloud services. If you have only security groups managed by cloud services, you must create a basic security group.

    Note

    For more information, see Add a security group rule.

  5. Click Next. After the parameters pass the check, click Enable.

    The bastion host starts to initialize. The initialization requires 10 to 15 minutes. After the initialization is complete, the status of the bastion host changes to Running and the bastion host is enabled.
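The constraints from step 4 can be checked against exported vSwitch and security group data before you open the Enable panel. The following is an added example, not Alibaba Cloud code: the field names (AvailableIpAddressCount, SecurityGroupType with the values normal and enterprise, ServiceManaged) are assumed to match the VPC DescribeVSwitches and ECS DescribeSecurityGroups responses, the IP address requirement is assumed to apply to each selected vSwitch, and all IDs are constructed.

```python
# Pre-flight check for the Select Network and Select Security Group parameters.
# IP requirements per edition come from the Important note in step 4.
REQUIRED_IPS = {"basic": 3, "enterprise": 5}

def preflight(edition, vswitches, security_groups, ecs_vpc_id):
    """Return errors (enable would fail), warnings, and the selectable groups."""
    errors, warnings, usable = [], [], []
    need = REQUIRED_IPS[edition]
    for vsw in vswitches:
        free = vsw["AvailableIpAddressCount"]
        if free < need:
            errors.append(f"{vsw['VSwitchId']}: {free} free IPs, {edition} needs {need}")
        # The VPC cannot be changed after enabling, so flag a mismatch early.
        if vsw["VpcId"] != ecs_vpc_id:
            warnings.append(f"{vsw['VSwitchId']}: VPC {vsw['VpcId']} is not the "
                            f"ECS instance VPC {ecs_vpc_id}")
    for sg in security_groups:
        sg_id = sg["SecurityGroupId"]
        if sg.get("ServiceManaged"):
            errors.append(f"{sg_id}: managed by a cloud service, cannot be selected")
        elif sg["SecurityGroupType"] == "enterprise":  # advanced security group
            errors.append(f"{sg_id}: advanced security group, configure a rule manually")
        else:
            usable.append(sg_id)
    if not usable:
        errors.append("no basic security group selected; at least one is required")
    return {"errors": errors, "warnings": warnings, "usable_groups": usable}

# Constructed sample data, not real resources.
SAMPLE_VSWITCHES = [
    {"VSwitchId": "vsw-primary-example", "VpcId": "vpc-example",
     "AvailableIpAddressCount": 250},
    {"VSwitchId": "vsw-secondary-example", "VpcId": "vpc-example",
     "AvailableIpAddressCount": 4},
]
SAMPLE_GROUPS = [
    {"SecurityGroupId": "sg-basic-example", "SecurityGroupType": "normal",
     "ServiceManaged": False},
    {"SecurityGroupId": "sg-advanced-example", "SecurityGroupType": "enterprise",
     "ServiceManaged": False},
    {"SecurityGroupId": "sg-managed-example", "SecurityGroupType": "normal",
     "ServiceManaged": True},
]

if __name__ == "__main__":
    result = preflight("enterprise", SAMPLE_VSWITCHES, SAMPLE_GROUPS, "vpc-example")
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"{level[:-1].upper()}: {msg}")
```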

What to do next

After the bastion host is enabled, you can click Manage to go to the console of the bastion host. For more information, see Log on to the console of a bastion host.