This topic describes important limits and considerations for using Bastionhost.
Use domain names assigned by Bastionhost for O&M
To ensure continuous O&M, Bastionhost provides fixed public or private domain names to connect to bastion hosts. Use the domain names assigned by Bastionhost for O&M connections to prevent connection failures that can occur if IP addresses change.
Limits on concurrent sessions
If a session opens multiple TCP connections, each connection counts as one concurrent session against your quota. A bastion host runs stably only while the number of concurrent sessions stays within the quota; if the quota is exceeded, service interruptions may occur. To view the concurrent session quota of your bastion host instance, see Billing Methods.
To ensure system stability, Bastionhost has an overload protection mechanism. If the system becomes overloaded due to high resource consumption, Bastionhost rejects new session connections or interrupts some active sessions. If this happens, join DingTalk group 33797269 and contact a product technical expert for assistance.
Important: The system can become overloaded in scenarios such as running complex graphical operations in multiple sessions, watching videos in a remote desktop browser, or importing tables during SQL Server database O&M. These actions can trigger the overload protection mechanism.
Assume you purchase a Basic Edition bastion host that can manage 50 assets. The following examples describe scenarios that can trigger the overload protection mechanism:
Assume you perform O&M on a Windows server with a 1080p screen resolution over an internal network. A GIF is open and switches to a new image every 5 seconds for 30 minutes. In this scenario, the overload protection mechanism may be triggered after 20 concurrent RDP sessions are established.
Assume you perform O&M on a Linux server over an internal network. A command is sent every 5 seconds for 30 minutes. In this scenario, the overload protection mechanism may be triggered after 50 concurrent SSH sessions are established.
Assume you connect to a database server and execute simple search statements. Each session contains more than 10 connections. In this scenario, the overload protection mechanism may be triggered after 50 concurrent database sessions are established.
Limits on O&M client tools and versions
A wide variety of remote connection clients and versions exist, and O&M scenarios can be complex. To prevent connection failures or system instability, you must use clients and versions that are compatible with Bastionhost. For a list of compatible clients and versions, see Client remote connection tools and versions.
Two-factor authentication for RAM users
For Resource Access Management (RAM) users, Bastionhost inherits the authentication settings of RAM and supports no two-factor authentication method other than the Multi-Factor Authentication (MFA) configured in RAM.
To configure two-factor authentication for a RAM user, log on to the RAM console to configure MFA. For more information, see Bind an MFA device to an Alibaba Cloud account.
For non-RAM users, such as local users and AD/LDAP users, two-factor authentication is supported. Dynamic verification codes can be sent using text messages, emails, DingTalk notifications, or OTP tokens.
Limit on the length of Bastionhost usernames
Due to client limitations for O&M over RDP, a Bastionhost username cannot exceed 63 characters. If a username is longer than 63 characters, you can log on to the server only using web-based O&M. For more information, see Web-based O&M.
Limits on text messages that contain O&M addresses
Due to carrier restrictions, text messages that contain O&M addresses sent from Bastionhost on the international site (alibabacloud.com) to mobile numbers in the Chinese mainland (+86) may be blocked. In this scenario, use email authentication.
Other features that send text messages, such as two-factor authentication and message notifications, are not restricted.
SSH O&M audit support for Shell environments on Linux assets
Bastionhost supports the standard bash, zsh, ksh, and dash shells. If the login shell of an asset is not one of these, commands may not be extracted correctly for O&M audit, so the command-level audit record of such sessions cannot be relied on even though the session itself is still recorded.
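The following added example (not code from the Bastionhost documentation) checks a Linux asset's account list for login shells outside the set named above, so that accounts whose sessions would not be audited correctly can be found before O&M starts. It reads passwd(5)-format lines from standard input; the function name, the constructed sample account list, and the treatment of /bin/sh as "needs a manual check" (because it is a symlink that may resolve to dash, bash, or something else depending on the distribution) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Bastionhost documentation.
# Flags accounts whose login shell is not one Bastionhost can parse for
# SSH command audit (bash, zsh, ksh, dash). Usage on an asset:
#   unsupported_shell_accounts < /etc/passwd

SUPPORTED_SHELLS="bash zsh ksh dash"
# Shells that only block interactive logon; no session exists to audit.
NONLOGIN_SHELLS="nologin false sync halt shutdown"

# Reads passwd(5) lines on stdin and prints "<user> <shell> <verdict>" for
# every account whose shell is outside SUPPORTED_SHELLS.
unsupported_shell_accounts() {
  awk -F: -v ok="$SUPPORTED_SHELLS" -v nolog="$NONLOGIN_SHELLS" '
    BEGIN {
      n = split(ok, a, " ");    for (i = 1; i <= n; i++) okset[a[i]] = 1
      n = split(nolog, b, " "); for (i = 1; i <= n; i++) noset[b[i]] = 1
    }
    /^#/ || NF < 7 { next }                 # skip comments and malformed lines
    {
      base = $7; sub(/.*\//, "", base)      # /usr/bin/zsh -> zsh
      if (base == "") base = "sh"           # empty shell field means /bin/sh
      if (base in noset) next               # no interactive session possible
      if (base == "sh") {                   # symlink: resolve it on the asset
        print $1, $7, "CHECK (sh may be dash or bash)"; next
      }
      if (!(base in okset)) print $1, $7, "UNSUPPORTED"
    }'
}

# Constructed sample account list (assumption; not from a real asset).
SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1001:1001::/home/ops:/usr/bin/zsh
legacy:x:1002:1002::/home/legacy:/bin/csh
fishy:x:1003:1003::/home/fishy:/usr/bin/fish
svc:x:1004:1004::/home/svc:/bin/sh'

# Demonstration run against the sample.
printf '%s\n' "$SAMPLE" | unsupported_shell_accounts
```

Run against the sample, the check reports legacy (csh) and fishy (fish) as unsupported and svc (/bin/sh) as needing a manual check; root, ops, and daemon produce no output. On a real asset, `readlink -f /bin/sh` resolves the symlink so the CHECK entries can be settled.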