
Bastionhost: Limits

Last Updated: Mar 31, 2026

Bastionhost enforces the following limits to ensure service stability and security. Review them before configuring your instance.

| Limit | Details |
| --- | --- |
| Domain name | Use the domain name assigned by Bastionhost, not the underlying IP address |
| Concurrency | Each TCP connection within a session consumes one concurrency slot; view your quota in Billing |
| O&M client tools | Use only the recommended client tools and versions; non-recommended tools are not covered by the Service-Level Agreement (SLA) |
| Two-factor authentication (RAM users) | Multi-Factor Authentication (MFA) only; set up in the RAM console |
| Username length (RDP) | Maximum 63 characters for Remote Desktop Protocol (RDP) O&M; longer usernames require web-based O&M |
| O&M address SMS (Chinese mainland) | Text messages sent from Alibaba Cloud International to Chinese mainland (+86) numbers may be blocked; use email authentication instead |
| SSH audit shell support | bash, zsh, ksh, and dash only |

Use the Bastionhost-assigned domain name

Bastionhost provides a fixed public or private domain name for O&M connections. Always use this domain name instead of the underlying IP address. IP addresses can change, which would break active connections.

Concurrency limits

Each TCP connection within a single session consumes one concurrency slot. The service runs stably within the concurrency limit; exceeding it may cause service interruptions. To view the concurrency quota for your instance, see Billing.

Overload protection

To maintain system stability, Bastionhost includes an overload protection mechanism. If high-resource scenarios cause a system overload, Bastionhost rejects new session connections or terminates some active sessions.

Important

The following scenarios are known to trigger overload protection. The examples below apply to a Basic Edition instance with 50 assets.

  • Windows RDP over private network (1080p): 20 concurrent RDP sessions where an animated GIF refreshes every 5 seconds for 30 minutes may trigger overload protection.

  • Linux SSH over private network: 50 concurrent Secure Shell (SSH) sessions sending one command every 5 seconds for 30 minutes may trigger overload protection.

  • Database sessions: 50 concurrent database sessions running simple queries may trigger overload protection if each session contains more than 10 connections.

Other high-consumption scenarios include complex graphics operations in a remote desktop, video playback in a remote desktop browser, and table export operations during SQL Server database O&M.

If overload protection triggers, join the DingTalk group (ID: 33797269) and contact a product technical expert for help.

O&M client tool and version limits

Many client tools can connect to Bastionhost, but not all are compatible in production scenarios. Use only the tools and versions listed in Client remote connection tools and versions.

Warning

Connections made with non-recommended client tools are not covered by the SLA.

For example, tools such as iShell, Dartshell, and FinalShell create many exec sessions in a short time. This exhausts system resources and disrupts normal sessions and features.

Two-factor authentication for RAM users

MFA is the only supported two-factor authentication method for RAM users. To enable it, log on to the RAM console and bind an MFA device to the RAM user. For setup instructions, see Bind an MFA device to an Alibaba Cloud account.

For non-RAM users — including local users and Active Directory (AD)/LDAP users — two-factor authentication uses a dynamic verification code delivered by text message, email, DingTalk work message, or OTP token.

Username length limit for RDP

Due to client constraints, Bastionhost usernames cannot exceed 63 characters for O&M over RDP. If a username exceeds this limit, use web-based O&M instead.

O&M address SMS delivery to the Chinese mainland

Text messages containing the Bastionhost O&M address may be blocked by carriers when sent from the Alibaba Cloud International website to Chinese mainland (+86) mobile numbers. If this occurs, switch to email authentication.

Other SMS-based features — such as two-factor authentication and message notifications — are not affected.

SSH O&M audit: supported shell environments

Bastionhost audits SSH O&M sessions for assets running bash, zsh, ksh, or dash. Assets using a different shell environment may experience compatibility issues with O&M operations and command retrieval for auditing.
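
One way to check a Linux asset against this shell list before onboarding it, as an added example (not Bastionhost tooling or code from this page): the script reads passwd(5)-format input and reports login accounts whose shell is not bash, zsh, ksh, or dash. The function names, the non-login shell list, matching on the shell's file name, and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag login accounts whose shell is outside the set that
# Bastionhost audits for SSH O&M (bash, zsh, ksh, dash).

# Assumption: accounts with these shells cannot open an interactive
# session, so they are skipped rather than reported.
NON_LOGIN_SHELLS="nologin false sync shutdown halt"

# Reads passwd(5)-format lines on stdin and prints "user:shell" for every
# login account whose shell file name is not in the audited set.
unsupported_shell_accounts() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        # Skip blank lines and comments.
        case "$user" in ''|'#'*) continue ;; esac
        # An empty shell field means /bin/sh per passwd(5).
        if [ -z "$shell" ]; then shell=/bin/sh; fi
        name=${shell##*/}
        skip=0
        for n in $NON_LOGIN_SHELLS; do
            if [ "$name" = "$n" ]; then skip=1; fi
        done
        if [ "$skip" -eq 1 ]; then continue; fi
        case "$name" in
            bash|zsh|ksh|dash) ;;   # audited shells listed on this page
            # Anything else is reported, including "sh": /bin/sh is often a
            # symlink, so resolve it on the asset before deciding.
            *) printf '%s:%s\n' "$user" "$shell" ;;
        esac
    done
}

# Constructed sample entries (not taken from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/usr/bin/fish
dba:x:1002:1002::/home/dba:/bin/tcsh
ops:x:1003:1003::/home/ops:/usr/bin/zsh
ci:x:1004:1004::/home/ci:/bin/dash
EOF
}
```

On an asset, run `unsupported_shell_accounts < /etc/passwd` (or pipe in `getent passwd` to include directory-backed accounts); any account it prints may hit the compatibility and command-retrieval issues described above.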