NAT Gateway hides the real IP addresses of your assets to block external attacks or work around IP address shortages. This guide shows two ways to configure Bastionhost so it can reach and audit those protected assets.
Choose a solution
| Solution | How it works | Bastionhost edition required |
|---|---|---|
| Network domain mode | Map the elastic IP address (EIP) of an Internet NAT gateway to a proxy server, then import assets by their actual IP addresses through the network domain feature. | Enterprise Edition |
| Direct connection mode | Add assets that share the same public IP address by specifying the EIP and a unique port for each asset. | Any edition |
Network domain mode simplifies asset management because you import assets by their actual IP addresses rather than by EIP-and-port combinations. If you are running Bastionhost Enterprise Edition and managing a large number of NAT-protected assets, use network domain mode. Otherwise, use direct connection mode.
Network domain mode
Prerequisites
Before you begin, make sure you have:
An Internet NAT gateway associated with an EIP. See Create and manage an Internet NAT gateway.
A DNAT entry that maps the EIP of the Internet NAT gateway to the server you plan to use as the proxy server. See Create and manage DNAT entries.
Bastionhost Enterprise Edition. To get Enterprise Edition, see Purchase a bastion host. To upgrade from a lower edition, see Upgrade a bastion host.
Configure network domain mode
1. Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
2. In the bastion host list, find your bastion host and click Manage.
3. Add the NAT-protected assets to your bastion host. See Add hosts.
4. In the left-side navigation pane, choose Assets > Network Domain.
5. On the Network Domain page, click Create Network Domain.
6. In the Create Network Domain panel, set Connection Method to Proxy.
7. In the Primary Proxy Server section, click Create Proxy Server. In the dialog box that appears, configure the following parameters.

   | Parameter | Description |
   |---|---|
   | Proxy Type | Select the proxy type. SSH Proxy is recommended for most scenarios. |
   | Server Address | Enter the IP address of the proxy server. |
   | Server Port | Enter the port of the proxy server. |
   | Host Account | Enter the username for the proxy server account. |
   | Password | Enter the password for the proxy server account. |

8. On the Network Domain page, find the network domain you just created. In the Actions column, click Add Host.
9. In the Add Host dialog box, select the assets to add and click Add.
10. In the confirmation message, click Add.
After configuration is complete, use Bastionhost to manage and audit operations on the assets. See O&M overview.
Direct connection mode
Prerequisites
Before you begin, make sure you have configured DNAT on your Internet NAT gateway to provide Internet-facing access to the target assets. See Configure DNAT on an Internet NAT gateway for an ECS instance.
Configure direct connection mode
1. Log on to the Bastionhost console. In the top navigation bar, select the region where your bastion host resides.
2. In the bastion host list, find your bastion host and click Manage.
3. In the left-side navigation pane, choose Assets > Host.
4. On the Host page, choose Import Other Hosts > Create Host.
5. In the Create Host panel, configure the following parameters and click Create.

   | Parameter | Description |
   |---|---|
   | Operating System | Select Linux. |
   | Host IP Address | Enter the EIP associated with your Internet NAT gateway. |
   | Remarks | Enter a description to identify this asset later. |

6. On the Host page, find the host you created and click the hostname.
7. On the Service Port tab, enter the port mapped by the DNAT entry and click Update.
8. Repeat steps 4–7 for each additional asset that shares the same EIP, specifying a different DNAT-mapped port for each one.
After configuration is complete, use Bastionhost to manage and audit operations on the assets. See O&M overview.
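A pre-check for the DNAT plan before it is typed into the console, added here as an example and not taken from the Bastionhost documentation: it rejects entries where two assets share the same EIP and port, and lists the Host IP Address, Service Port and Remarks values for the rest. The tuple layout, the dictionary field names and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample DNAT plan: (EIP, external port, private IP, private port).
# 203.0.113.10 is a documentation address, not a real gateway.
SAMPLE_DNAT = [
    ("203.0.113.10", 60022, "192.168.1.11", 22),
    ("203.0.113.10", 60023, "192.168.1.12", 22),
    ("203.0.113.10", 60023, "192.168.1.13", 22),  # collides with the entry above
    ("203.0.113.10", 70000, "192.168.1.14", 22),  # not a valid TCP port
]

def plan_hosts(dnat_entries):
    """Return (hosts, problems) for direct connection mode.

    hosts: one dict per asset with the values entered in the console
    (Host IP Address = EIP, Service Port = DNAT-mapped port, Remarks).
    problems: human-readable reasons an entry was rejected.
    """
    by_endpoint = defaultdict(list)
    problems = []
    for eip, ext_port, private_ip, private_port in dnat_entries:
        if not 1 <= ext_port <= 65535:
            problems.append(f"{eip}:{ext_port} -> {private_ip}: port out of range")
            continue
        by_endpoint[(eip, ext_port)].append((private_ip, private_port))

    hosts = []
    for (eip, ext_port), targets in sorted(by_endpoint.items()):
        if len(targets) > 1:
            # Each asset behind the shared EIP needs its own port.
            ips = ", ".join(ip for ip, _ in targets)
            problems.append(f"{eip}:{ext_port} is mapped to several assets: {ips}")
            continue
        private_ip, private_port = targets[0]
        hosts.append({
            "host_ip_address": eip,
            "service_port": ext_port,
            # All hosts share one IP in the Host list, so Remarks carries the real target.
            "remarks": f"NAT -> {private_ip}:{private_port}",
        })
    return hosts, problems

if __name__ == "__main__":
    hosts, problems = plan_hosts(SAMPLE_DNAT)
    for h in hosts:
        print(h)
    for p in problems:
        print("REJECTED:", p)
```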
What's next
O&M overview: Start performing and auditing operations on the assets you just added.