All Products
Search

This Product

    Bastionhost:Best practices for secure O&M over an internal network

    Document Center

    Bastionhost:Best practices for secure O&M over an internal network

    Last Updated:Nov 24, 2025

    This topic describes how to use Bastionhost to perform secure O&M in an environment that is restricted to an internal network.

    Background information

    As service security requirements increase, restricting service access to internal networks has become a key security measure for enterprises. A critical challenge is ensuring secure O&M access over an internal network, regardless of whether engineers are in the office, on a business trip, or working from home.

    Solution

    To meet the demand for secure O&M in an environment restricted to an internal network, Bastionhost provides an option to control access through public and internal endpoints. You can disable the public O&M endpoint and enable only the internal O&M endpoint. This configuration ensures that users can connect to Bastionhost for O&M only over an internal network and not from the Internet.

    Bastionhost supports multiple types of internal network access for O&M.

    • If O&M engineers are in the office and the company has a leased line connected to the bastion host, they can directly access it for internal O&M after you configure Bastionhost to allow access only from the internal endpoint.

    • For remote work scenarios, such as when O&M engineers are on a business trip or working from home, you can disable the public endpoint and enable only the internal endpoint. Then, use Secure Access Service Edge (SASE) or an SSL-VPN connection to connect to the Bastionhost service for secure internal O&M.

    Step 1: Disable the public endpoint and enable only the internal endpoint

    1. Log on to the Bastionhost console.

    2. In the top menu bar, select the region where the bastion host is located.

    3. In the list of bastion host instances, find the target instance and turn off the switch in the Public Endpoint column.

      image

      Note

      To access the O&M portal using an internal domain name, you must first enable the internal O&M portal. For more information, see Enable the internal O&M portal.

    Step 2: Connect for internal network O&M

    Scenario 1: Perform O&M directly from the company's internal network

    If your company has a leased line connected to the bastion host, connect your terminal to the company's internal network. Then, use an O&M client to access the bastion host using its internal endpoint. For more information, see O&M overview.

    Scenario 2: Use an SSL-VPN connection to connect to the bastion host for O&M

    This section uses Alibaba Cloud SSL-VPN as an example to describe how to use SSL-VPN for internal network access.

    Prerequisites

    • You have obtained the instance IDs of the VPC and vSwitch where the bastion host is located.

      You can log on to the Bastionhost console to view the VPC and vSwitch instance IDs for the target bastion host.

    • You have obtained the CIDR blocks of the VPC and vSwitch where the bastion host is located.

      You can log on to the VPC console or the vSwitch console and use the VPC or vSwitch instance ID to obtain the CIDR block information.

    • You have purchased SSL-VPN. For more information, see SSL-VPN billing.

    Procedure

    1. In the SSL-VPN policy settings, configure the CIDR blocks of the VPC and vSwitch where the bastion host is located. For more information, see SSL-VPN overview.

    2. Use an SSL-VPN client to access the bastion host for internal O&M.

      After you complete the configuration and establish an SSL-VPN connection on your terminal, you can use an O&M client to access the bastion host over the internal network using its internal endpoint. For more information, see O&M overview.