
Bastionhost: Selection guide

Last Updated: Jun 04, 2025

Bastionhost offers multiple editions for different business scenarios. This topic describes the differences between the editions and compares them in the edition selection reference so that you can choose an edition quickly.

This topic explains only some core differences. For more information about features in different editions, see Feature comparison.

Overview

When you select an edition based on your business scenario, focus on the following key factors:

Note

The following factors are only a basic classification. Weigh them together with your business situation and the product features.

  • Compliance and security requirements

    The Basic Edition, Enterprise Dual-Engine Edition, and Chinese Cryptographic Algorithm Edition all help you comply with security regulations, with slight differences in specific scenarios:

    • If you have Chinese cryptographic compliance requirements, choose the Chinese Cryptographic Algorithm Edition.

    • If you want stronger O&M security protection for core business assets, such as disaster recovery to avoid a single point of failure, and password and key rotation, choose the Enterprise Dual-Engine Edition.

    • If you only have basic O&M security requirements, such as O&M approval, command whitelist and blacklist, and behavior audit, choose the Basic Edition.

  • Asset types

    • If you have database, web application, and other types of assets in addition to host type (Linux and Windows) assets, choose the Enterprise Dual-Engine Edition.

    • If you only have host type (Linux and Windows) assets and only need basic O&M security capabilities, choose the Basic Edition.

  • Asset distribution

    • If your assets are distributed across Alibaba Cloud, other public clouds, or on-premises data centers with physical isolation of network domains (such as VPC networks that are not connected or cross-network environments), choose the Enterprise Dual-Engine Edition. This edition supports cross-network communication through network domain proxy server configuration, meeting the unified access and O&M management requirements for distributed assets in multicloud and hybrid deployment scenarios.

    • If your assets are concentrated in internal network environments with network connectivity, such as Alibaba Cloud, and you only need to meet basic O&M audit and access control requirements (such as basic permission management and operation log retention), choose the Basic Edition.

Edition selection reference

The following comparison provides recommendations for product selection from the perspectives of applicable scenarios, non-functional scenario dimensions, and functional scenario dimensions. Each item is listed per edition (Basic Edition, Enterprise Dual-Engine Edition, Chinese Cryptographic Algorithm Edition), followed by its reference topic.

Scenarios

  • Basic Edition: Suitable for the O&M security requirements of small and medium-sized enterprises (50-500 hybrid assets). Provides fine-grained O&M access control, O&M behavior management, and full O&M audit, which meet basic O&M security management requirements.

  • Enterprise Dual-Engine Edition: Suitable for enterprises with higher O&M business security requirements or a larger business scale (more than 500 assets), such as government and enterprise, finance, game, online education, and information technology. This edition offers higher performance and enterprise-level scenario configurations to meet higher business O&M security requirements.

  • Chinese Cryptographic Algorithm Edition: Suitable for industries that require compliance with Chinese cryptographic standards (such as government and education), meeting the requirements for Chinese cryptographic algorithm substitution.

  • References: Version feature comparison

Non-functional scenarios

  • Basic Edition:

    • Cloud architecture with single-engine deployment.

    • Domain name access mode to avoid exposing the originating IP address, reducing the risk of direct attacks or scans.

    • Integration with Server Load Balancer (SLB) to intelligently improve business traffic processing efficiency.

  • Enterprise Dual-Engine Edition, in addition to Basic Edition capabilities:

    • High business stability guarantee: Uses dual-engine architecture with active-active operation, with a Service-Level Agreement (SLA) of up to 99.95%.

    • Configuration of primary and secondary zones to avoid single point of failure.

  • Chinese Cryptographic Algorithm Edition, in addition to Enterprise Dual-Engine Edition capabilities:

    • Chinese cryptographic algorithm encryption, combined with Chinese cryptographic two-factor authentication to enhance O&M security.

  • References: Benefits

Functional scenarios

  • Access control: Fine-grained O&M user access and behavior authorization.

  • O&M management: Automatic interception of important commands, approval of risky commands, and real-time O&M monitoring and blocking.

  • Integration with user management systems such as RAM, Active Directory, or self-managed LDAP.

  • Combined with Resource Directory (RD) to support unified management of assets across multiple accounts.

  • Multiple identity source integration: Support for integrating with DingTalk, Lark, Azure AD, and other authentication sources through IDaaS.

  • Database O&M scenarios: Support for O&M authorization and control of RDS, self-managed databases, and third-party databases, with protocol support including MySQL, SQL Server, PostgreSQL, and Oracle.

  • Hybrid O&M scenarios: Unified O&M management of assets in on-premises data centers, other clouds, and across accounts through network domain proxy mode.

  • Other value-added capabilities:

    • Web O&M method for convenience and efficiency.

    • Automatic rotation of host account passwords and keys to effectively improve password security.

    • Automated O&M: You can create O&M jobs to batch distribute scripts to multiple hosts, improving O&M efficiency.

    • Application O&M: Support for web application and client tool application O&M, with configurable O&M access whitelist and blacklist restrictions, such as limiting access to only URLs with the same target IP address/domain name.

  • References: Functional scenarios