When you need to centrally manage and audit access to your cloud assets, Bastionhost provides a secure gateway between administrators and servers. This topic walks you through purchasing a Bastionhost Basic Edition instance, enabling it with the correct network settings, and accessing its console.
This topic covers the Basic Edition only. For other editions, see Enable a bastion host.
Prerequisites
Before you begin, ensure that you have:
Identified the region where your Elastic Compute Service (ECS) instances or ApsaraDB RDS instances reside — place the bastion host in the same region to allow internal network communication
A Virtual Private Cloud (VPC) and vSwitch available in that region, with the vSwitch having at least three available IP addresses (the Basic Edition uses three)
A basic security group in the VPC — advanced security groups and managed security groups cannot be used to enable a bastion host
Overview
| Step | What you do | Key constraint |
|---|---|---|
| 1. Purchase | Select a plan and complete payment | Region cannot be changed after purchase |
| 2. Enable | Configure the network and security group | VPC cannot be changed after the bastion host is enabled |
| 3. Log on | Open the bastion host console | Initialization takes 10–15 minutes |
Step 1: Purchase a bastion host
Go to the Bastionhost buy page.
Configure the following parameters, then click Buy Now and complete the payment.
| Parameter | Description | Example |
|---|---|---|
| Region | The region where your assets reside. Select the same region as your ECS or RDS instances to allow internal network communication. If you need cross-region access, use Cloud Enterprise Network (CEN) or the network domain feature. Cannot be changed after purchase. | Singapore |
| Version | The Bastionhost edition. For a comparison of editions, see Edition selection guide. | Basic Edition |
| Plan | The maximum number of server assets the bastion host can manage. | 50 |
| Extra Bandwidth | Additional public bandwidth beyond the default included in your plan. Valid values: 0–200 Mbit/s, in multiples of 10. | 0 |
| Extended Storage Plans | Additional storage space beyond the default included in your plan. | 0 |
| Resource Group | The resource group the bastion host belongs to. | Default Resource Group |
| Quantity | The number of bastion host instances to purchase. | 1 |
| Duration | The subscription period. Enable Auto-renewal to prevent service interruption when the instance expires. Auto-renewal charges your account monthly at the current price. | 1 Month |
For pricing details, see Billing.
Step 2: Enable the bastion host
After purchasing, enable the bastion host and connect it to your network. The VPC you select here cannot be changed after the bastion host is enabled, so confirm your network topology before proceeding.
Log on to the Bastionhost console. If this is your first time logging on, create the service-linked role as prompted. This role is required to enable Bastionhost features.
In the top navigation bar, select the region where your bastion host resides. In the bastion host list, find the instance and click Enable.
In the Enable panel, configure the following parameters:
| Parameter | Description |
|---|---|
| Select Network | Select a VPC and vSwitch. The VPC cannot be changed after the bastion host is enabled. Choose the VPC that contains the ECS or ApsaraDB RDS instances you want to manage. The vSwitch must have at least three available IP addresses. If the selected vSwitch lacks resources, select another vSwitch or create a new one. |
| ECS Security Group | Add the bastion host to at least one basic security group. A security group rule is automatically generated to allow the bastion host to access all ECS instances in that group. You cannot use an advanced security group or a managed security group. If your ECS instances belong to an advanced security group, create a basic security group to proceed. |

Click Next. After the parameters pass the check, click Enable. The bastion host status changes to Initializing. Initialization takes 10–15 minutes. When initialization completes, the status changes to Running.
After enabling the bastion host, you can change its security group. For details, see Configure a bastion host. If ECS instances in an advanced security group need to communicate with the bastion host, add the bastion host's egress IP addresses to that security group's inbound rules. To get the egress IP addresses, see Configure a bastion host. To add inbound rules, see Add a security group rule.
For the Basic Edition, you can manually switch the vSwitch zone after enabling the bastion host. See Configure a bastion host.
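The network prerequisites and the Enable panel constraints in Step 2 can be checked before you commit to a VPC that cannot be changed later. The following Python sketch is an added example, not part of the original page or Alibaba Cloud tooling. It assumes inventory records shaped like the VPC DescribeVSwitches and ECS DescribeSecurityGroups responses (`AvailableIpAddressCount`, `SecurityGroupType` where `normal` means a basic security group, `ServiceManaged`); all resource IDs are constructed.

```python
# Added example: preflight check for the Basic Edition network prerequisites.
# Field names are assumed to match DescribeVSwitches / DescribeSecurityGroups
# output; verify them against your own CLI or SDK responses.
MIN_FREE_IPS = 3  # the Basic Edition uses three vSwitch IP addresses

# Constructed sample inventory (not real resources).
SAMPLE_VSWITCHES = [
    {"VSwitchId": "vsw-example-a", "VpcId": "vpc-example-1", "AvailableIpAddressCount": 2},
    {"VSwitchId": "vsw-example-b", "VpcId": "vpc-example-1", "AvailableIpAddressCount": 250},
    {"VSwitchId": "vsw-example-c", "VpcId": "vpc-example-2", "AvailableIpAddressCount": 100},
]
SAMPLE_SECURITY_GROUPS = [
    {"SecurityGroupId": "sg-example-basic", "VpcId": "vpc-example-1",
     "SecurityGroupType": "normal", "ServiceManaged": False},
    {"SecurityGroupId": "sg-example-adv", "VpcId": "vpc-example-1",
     "SecurityGroupType": "enterprise", "ServiceManaged": False},
    {"SecurityGroupId": "sg-example-managed", "VpcId": "vpc-example-1",
     "SecurityGroupType": "normal", "ServiceManaged": True},
]


def preflight(vpc_id, vswitches, security_groups):
    """Return (usable_vswitch_ids, usable_sg_ids, problems) for one VPC."""
    problems, usable_vsw, usable_sg = [], [], []
    for vsw in (v for v in vswitches if v["VpcId"] == vpc_id):
        free = int(vsw.get("AvailableIpAddressCount", 0))
        if free >= MIN_FREE_IPS:
            usable_vsw.append(vsw["VSwitchId"])
        else:
            problems.append(f"{vsw['VSwitchId']}: only {free} free IPs, need {MIN_FREE_IPS}")
    for sg in (g for g in security_groups if g["VpcId"] == vpc_id):
        if sg.get("ServiceManaged"):
            problems.append(f"{sg['SecurityGroupId']}: managed security group")
        elif sg.get("SecurityGroupType") != "normal":
            problems.append(f"{sg['SecurityGroupId']}: advanced security group")
        else:
            usable_sg.append(sg["SecurityGroupId"])
    if not usable_vsw:
        problems.append(f"{vpc_id}: no vSwitch with {MIN_FREE_IPS} free IPs")
    if not usable_sg:
        problems.append(f"{vpc_id}: no basic security group")
    return usable_vsw, usable_sg, problems


if __name__ == "__main__":
    vsw, sg, issues = preflight("vpc-example-1", SAMPLE_VSWITCHES, SAMPLE_SECURITY_GROUPS)
    print("usable vSwitches:", vsw)
    print("usable security groups:", sg)
    for issue in issues:
        print("blocked:", issue)
```
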
Step 3: Log on to the bastion host console
After the bastion host status shows Running, click Manage to open the bastion host console.
What's next
Now that your bastion host is running and its console is accessible, you can:
Add the assets (ECS instances, RDS instances) you want to manage through the bastion host
Create user accounts and assign permissions for accessing those assets
Configure session auditing and operation recordings