If you want to manage the hosts that reside on different networks or the hosts that cannot communicate with bastion hosts in virtual private clouds (VPCs) in a centralized manner, we recommend that you use the network domain feature of Bastionhost. You can configure a proxy server for these hosts, create a network domain in the console of a bastion host, and then connect the network domain to the proxy server. This way, you can use the proxy server to perform O&M operations on other hosts. This topic describes how to use the network domain feature.

Background information

The network domain feature provides an O&M solution for hybrid cloud scenarios. For example, you can use the feature to perform O&M operations on hosts across data centers, heterogeneous clouds, and VPCs. In most cases, the hosts of an enterprise are deployed in different regions and may fail to communicate with a bastion host. To resolve this issue, you can use public IP addresses or leased lines to connect to the hosts. However, public IP addresses may pose security risks, whereas leased lines cause high network costs. In this case, we recommend that you use the proxy mode of the network domain feature to perform O&M operations in a centralized manner on hosts that reside in different networks, including hosts deployed in a data center, in a heterogeneous cloud, and in different VPCs. The proxy mode is supported only by Bastionhost Enterprise Edition.

For more information about the best practices of O&M solutions by using the proxy mode of the network domain feature, see Best practices of hybrid O&M.

Prerequisites

A proxy server is configured for the hosts on the same network. For more information about the recommended configurations for proxy servers, see Recommended configurations for proxy servers.

Limits

  • Only Bastionhost Enterprise Edition supports the proxy mode of the network domain feature.
  • The network domain feature supports SSH, HTTP, and SOCKS5 proxies.

Recommended configurations for proxy servers

You can configure SSH, HTTP, or SOCKS5 hosts as the primary and secondary proxy servers. Then, you can use the proxy servers to perform O&M operations on other hosts. The following tables describe the recommended configurations for proxy servers.

SSH proxy servers

Parameter: Description
Operating system: A Linux host for which SSH is enabled.
Configuration method: You can use Linux hosts as SSH proxy servers without the need to install components or complete configurations on the Linux hosts.
CPU and memory specifications: 2 cores and 4 GB of memory.
Bandwidth: 10 Mbit/s.
Note: The actual bandwidth usage varies based on the number of concurrent O&M sessions. If you initiate multiple sessions to perform complex GUI-based operations from a remote desktop, bandwidth usage may spike, and remote sessions may freeze. In this case, we recommend that you purchase extra bandwidth for your bastion host.

HTTP and SOCKS5 proxy servers

Parameter: Description
Operating system: A host that runs CentOS 6.9 or later.
Configuration method: For more information, see How do I configure a server as an HTTP or SOCKS5 proxy server?
CPU and memory specifications: 2 cores and 4 GB of memory.
Bandwidth: 10 Mbit/s.
Note: The actual bandwidth usage varies based on the number of concurrent O&M sessions. If you initiate multiple sessions to perform complex GUI-based operations from a remote desktop, bandwidth usage may spike, and remote sessions may freeze. In this case, we recommend that you purchase extra bandwidth for your bastion host.

Create a network domain

To use your bastion host to perform O&M operations on multiple hosts in a network domain, you must create a network domain for the bastion host and connect the network domain to a proxy server.

  1. Log on to the Bastionhost console.
  2. In the left-side navigation pane, choose Assets > Network Domain.
  3. On the Network Domain page, click Create Network Domain. In the Create Network Domain panel, configure the Network Domain, Remarks, and Connection Mode parameters.
    You can select Direct Connection or Proxy for the Connection Mode parameter.
    Note: Bastionhost Basic Edition and Enterprise Edition support different connection modes.
    • Bastionhost Basic Edition supports only the direct connection mode.
    • Bastionhost Enterprise Edition supports the direct connection mode and the proxy mode.
    If you select Proxy, you must configure at least one proxy server. The network domain feature allows you to configure a primary proxy server and a secondary proxy server. You can configure a secondary proxy server in the same manner in which you configure a primary proxy server. The following example shows how to configure a primary proxy server:
    1. Click Create Proxy Server in the Primary Proxy Server section. In the dialog box that appears, configure the following parameters.
      Parameter: Description
      Proxy Type: The type of the proxy. Valid values:
      • SSH Proxy
      • HTTP Proxy
      • SOCKS5 Proxy
      Server Address: The address of the primary proxy server.
      Server Port: The port of the primary proxy server.
      Host Account: The account of the primary proxy server.
      Password: The password of the account for the primary proxy server.
    2. Optional. Repeat the preceding steps to configure the secondary proxy server.
      Note: The network domain feature supports a primary proxy server and a secondary proxy server. If an error occurs on the primary proxy server, the secondary proxy server is automatically connected to your bastion host. To ensure the stability of the network domain, we recommend that you configure a secondary proxy server.
    3. Click Test Connection. After the primary proxy server passes the connectivity test, click OK.
      Note: If the connectivity test fails, check whether the parameters are correctly configured.
  4. Click Create Network Domain. The system displays the message "The network domain xx is created."
    You can click Add Host below the message to add the hosts on which you want to perform O&M operations to the network domain. For more information, see Add hosts.
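Before you enter the primary and secondary proxy servers in the console, it is worth confirming that each candidate actually answers with the protocol you intend to select as Proxy Type, and that the secondary would take over if the primary fails. The following Python script is an added example, not Bastionhost code: it probes each server the way the chosen protocol expects (SSH banner, HTTP status line, SOCKS5 method-selection reply) and walks the candidates in the same primary-then-secondary order the console uses. Host names and ports are constructed placeholders.

```python
"""Pre-check for the primary/secondary proxy servers of a Bastionhost network
domain. Added example, not Bastionhost code; host names are constructed."""
import socket

SOCKS5_GREETING = b"\x05\x01\x00"  # SOCKS5 greeting offering one method: no auth
HTTP_PROBE = b"CONNECT 127.0.0.1:22 HTTP/1.1\r\nHost: 127.0.0.1:22\r\n\r\n"


def check_response(proxy_type, data):
    """True if the first bytes sent back by the server match proxy_type."""
    if proxy_type == "SSH Proxy":
        return data.startswith(b"SSH-")     # an SSH server sends its banner first
    if proxy_type == "HTTP Proxy":
        return data.startswith(b"HTTP/1.")  # any status line (200, 407, ...)
    if proxy_type == "SOCKS5 Proxy":
        # RFC 1928 method-selection reply: version 5 plus an accepted method;
        # 0xff means the server rejected every method we offered.
        return len(data) >= 2 and data[0] == 5 and data[1] != 0xFF
    raise ValueError("unknown proxy type: %s" % proxy_type)


def probe(proxy_type, host, port, timeout=5.0):
    """Connect, send the opener the protocol expects, return the raw reply
    (b'' on any network error, so a dead proxy simply fails the check)."""
    opener = {"SSH Proxy": b"", "HTTP Proxy": HTTP_PROBE,
              "SOCKS5 Proxy": SOCKS5_GREETING}[proxy_type]
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if opener:
                sock.sendall(opener)
            return sock.recv(256)
    except OSError:
        return b""


def select_proxy(candidates, probe=probe):
    """Same order the console uses: primary first, secondary on failure.
    Returns the first candidate whose reply matches its Proxy Type, else None."""
    for cand in candidates:
        if check_response(cand["type"], probe(cand["type"], cand["host"], cand["port"])):
            return cand
    return None


if __name__ == "__main__":
    servers = [  # constructed placeholders; substitute your own proxy servers
        {"role": "primary", "type": "SSH Proxy", "host": "proxy1.example.internal", "port": 22},
        {"role": "secondary", "type": "SSH Proxy", "host": "proxy2.example.internal", "port": 22}]
    print(select_proxy(servers))
```

A candidate that is reachable but replies with the wrong protocol (for example, an HTTP status line where SSH Proxy was selected) fails the check just as an unreachable one does, which is the misconfiguration the console's Test Connection step is meant to catch.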

Add hosts

After you create a network domain, you can add hosts to the network domain.

  1. Log on to the Bastionhost console.
  2. In the left-side navigation pane, choose Assets > Network Domain.
  3. On the Network Domain page, find the network domain to which you want to add hosts.
  4. Click Add Host in the Actions column. In the Add Host dialog box, find the host that you want to add to the network domain and click Add Host in the Actions column.
    You can also select multiple hosts that you want to add to the network domain and click Add Host below the host list to add the selected hosts at a time.

Edit a network domain

You can edit the basic information about a network domain. You can also add hosts to or remove hosts from a network domain.

  1. Log on to the Bastionhost console.
  2. In the left-side navigation pane, choose Assets > Network Domain.
  3. On the Network Domain page, find the network domain that you want to edit.
  4. Click Edit in the Actions column. On the Network Domain Details page, click the Basic Info or Host tab to modify the information on the tab.
    • On the Basic Info tab, you can change the values of Network Domain, Remarks, and Connection Mode. You can also edit and test the connectivity to the primary and secondary proxy servers.
    • On the Host tab, you can add or remove hosts.

What to do next

After you connect your bastion host to the hosts in a network domain by using the network domain feature, you must authorize users to manage the hosts in the network domain.