This topic describes the features supported by different Bastionhost editions and their differences to help you quickly understand the core capabilities, applicable scenarios, and rules of each edition. You can select an appropriate edition based on your business requirements, budget, and compliance requirements to prevent inefficient resource utilization or a lack of necessary features.
In the following table, a tick (✓) indicates that a feature is supported and a cross (✗) indicates that a feature is not supported.
| Feature | Description | Basic Edition | Enterprise Edition | References |
| --- | --- | --- | --- | --- |
| Architecture | A stable architecture is used to ensure the stability of business and monitoring operations. | Cloud-based single-engine architecture | Cloud-based dual-engine architecture | |
| Elastic scaling | You can upgrade bastion host configurations such as the number of assets, storage, and bandwidth. | | | |
| Internationalization | | | | Which countries and regions support the SMS-based two-factor authentication feature of Bastionhost? |
| Multiple accounts | You can perform centralized O&M operations on assets by using a bastion host based on Resource Directory. | | | |
| User management | Multiple user roles are supported, including administrators, O&M engineers, and auditors. | | | |
| | You can add a single user or import multiple users at a time by using a file. | | | |
| | RAM users, AD-authenticated users, and LDAP-authenticated users can be automatically synchronized. | | | |
| | You can import users from multiple authentication sources as Bastionhost users, such as Identity as a Service (IDaaS) users, DingTalk users, and Microsoft Entra ID users. | | | |
| | You can change the states of user accounts. The states include expired, locked, and inactive. | | | |
| | You can configure settings such as account lockout and the password validity period. | | | |
| Asset management | | | | |
| | You can perform O&M operations on ApsaraDB RDS instances that run MySQL, SQL Server, and PostgreSQL; PolarDB for MySQL, PolarDB for PostgreSQL, and PolarDB for PostgreSQL (Compatible with Oracle) clusters; and self-managed MySQL, SQL Server, PostgreSQL, and Oracle databases. | | | |
| | You can perform O&M operations on client applications and web applications. The following protocols are supported for O&M: HTTPS and HTTP. | | | |
| | You can manually add assets and import Alibaba Cloud and third-party cloud assets with a few clicks. | | | |
| | The logon information of assets, such as passwords and keys, can be managed on bastion hosts. This way, O&M engineers can access and perform O&M operations on assets without entering the asset passwords. | | | |
| | You can check the status of Elastic Compute Service (ECS) and ApsaraDB RDS instances and the network connectivity of assets. You can configure scheduled or manual checks. | | | |
| | Bastionhost can be connected to Security Center to monitor asset risks and notify you of the status and number of risks, including alerts, vulnerabilities, and baseline risks. You can be redirected to Security Center with a few clicks to handle the risks. | | | |
| | You can perform centralized O&M operations on different types of assets. For example, you can manage assets in third-party clouds, assets on Alibaba Cloud, and assets in on-premises data centers in a centralized manner. | | | |
| | You can perform O&M operations on assets that reside in different network environments over an internal network by using the proxy mode of the network domain feature. | | | |
| Password change for assets | You can manually change the passwords of Linux and Windows servers or configure scheduled password change tasks. | | | |
| | Bastionhost can work with Key Management Service (KMS) to rotate the passwords or keys of ECS instances. | | | |
| O&M management | One-to-one fine-grained authorization is supported for users, user groups, asset accounts, and asset group accounts. | | | |
| | Two-factor authentication can be performed based on text messages, emails, Time-Based One-Time Passwords (TOTPs), and DingTalk notifications. | | | |
| | Client tools such as Microsoft Terminal Services Client (MSTSC), Xshell, SecureCRT, and PuTTY can be used to log on to bastion hosts and access hosts. | | | |
| | WinSCP, Xftp, SecureFX, and other Secure File Transfer Protocol (SFTP) client tools on your computer can be used to log on to bastion hosts for file transfer. | | | |
| | You can perform O&M operations on assets based on single sign-on (SSO) from a browser. | | | |
| | An independent O&M portal is provided. | None | | |
| | You can perform O&M operations on assets by using the O&M portal of a bastion host on a web page. | | | |
| | O&M sessions can be monitored in real time and can be blocked at any time. | | | |
| | You can control operations during RDP-based O&M, such as uploading or downloading files from the clipboard and disk mapping. | | | |
| | During SSH-based O&M, you can configure whitelists or blacklists for commands and configure command approval policies. This prevents the execution of high-risk and sensitive commands. | | | |
| | You can manage the following operations during O&M: uploading, downloading, deleting, and renaming files, and creating and deleting folders. | | | |
| | The O&M applicant review feature is supported. After the feature is enabled, an O&M engineer can log on to the assets only after the Bastionhost administrator approves the O&M application submitted by the O&M engineer. | | | |
| | You can configure the users, source IP addresses, and time periods that are approved for logging on to a bastion host. | | | |
| | You can configure the maximum duration of an idle O&M session and the maximum total duration of O&M sessions. | | | |
| O&M audit | You can audit all O&M operations based on logs and videos. O&M session videos can be played back to view the details. | | | |
| | You can audit the transfer of files. | | | |
| | O&M reports can be generated. You can export reports in PDF, HTML, and Word formats. | | | View the O&M information on the O&M Reports page and export an O&M report |
| | Audit logs of O&M sessions can be transferred to Simple Log Service and downloaded to your computer by using the log backup feature. | | | |
| API operation | You can call API operations. | | | |