To meet high security requirements for operations and maintenance (O&M), Bastionhost lets you perform web-based O&M over a private network from the O&M portal or host console. This topic describes how to enable private O&M to access Bastionhost from within an internal network.
Background information
Bastionhost integrates with PrivateLink to establish a secure and stable private connection between a virtual private cloud (VPC) and a bastion host. This lets you access the O&M portal and perform web-based O&M over a private network, which improves connection security.
Limits on editions
Only Bastionhost Enterprise Edition supports private O&M. For more information about how to purchase or upgrade an instance, see Purchase an instance and Upgrade an instance type.
Impacts
Enabling private O&M affects your bastion host instance in the following ways:
After you enable private O&M, the private O&M address resolves to a new IP address. You must use the O&M domain name that is provided in the console for O&M operations.
If you have access control policies, such as firewall rules, that are based on the resolved IP address of the private O&M address, you must update the policies with the new IP address after you enable private O&M.
Procedure
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
On the Instances page, find the target instance and choose .
In the Enable Private O&M panel, select a PrivateLink endpoint security group and click OK.
Important: If you change the vSwitch, the private egress IP address also changes. If you have access control policies, such as firewall rules, that are based on the private egress IP address, you must update the policies to use the new IP address.
During this process, the bastion host instance is in the Updating Configuration state and cannot be accessed. The process takes approximately 20 minutes. We recommend that you perform this operation during off-peak hours.
After you select an endpoint security group for the PrivateLink connection, you cannot change it.
What to do next
Allow rules for client access
To perform web-based O&M over a private network, you must ensure that your client can connect to the VPC where the bastion host resides. You must also add rules to the PrivateLink endpoint security group to allow access from your client. Otherwise, your client cannot access the private O&M address of the bastion host. The following list describes common Bastionhost services and their required ports. You can configure security group rules for them as needed.
SSH-based O&M: 60022
RDP-based O&M: 63389
Session playback port: 9443
Host O&M port and O&M portal: 443
Bastionhost Assistant port: 20045
For example, if your client IP address is 192.168.0.1, you can add a security group rule for SSH-based O&M as shown in the following figure. For more information about how to add a security group rule, see Add a security group rule.
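The following script is an added example, not part of the original Bastionhost documentation. It encodes the port list above, restricts the source to the exact client addresses (refusing a 0.0.0.0/0 source, which would defeat the point of a private O&M endpoint), and renders each rule as an aliyun CLI call against the ECS AuthorizeSecurityGroup API. The region ID and security group ID are placeholders, and the CLI flag syntax is an assumption to be checked against the CLI version in use; the rule evaluation helper is included so the generated set can be verified offline before it is applied.

```python
"""Generate least-privilege security group rules for Bastionhost private O&M.

Added example; not code from the Bastionhost product or documentation.
"""
import ipaddress

# Service name -> TCP port, taken from the port list in the documentation above.
BASTIONHOST_PORTS = {
    "ssh": 60022,        # SSH-based O&M
    "rdp": 63389,        # RDP-based O&M
    "playback": 9443,    # session playback
    "portal": 443,       # host O&M port and O&M portal
    "assistant": 20045,  # Bastionhost Assistant
}


def client_cidr(addr: str) -> str:
    """Normalise a client address or CIDR and refuse an any-source rule."""
    net = ipaddress.ip_network(addr, strict=False)
    if net.prefixlen == 0:
        raise ValueError("refusing 0.0.0.0/0: restrict the source to the O&M clients")
    return str(net)


def build_rules(client: str, services) -> list:
    """Return one inbound accept rule per required service for the given client."""
    src = client_cidr(client)
    rules = []
    for svc in services:
        port = BASTIONHOST_PORTS[svc]
        rules.append({
            "service": svc,
            "protocol": "tcp",
            "port_range": f"{port}/{port}",  # single port, ECS PortRange form
            "source": src,
            "policy": "accept",
        })
    return rules


def to_cli(rule: dict, region: str, sg_id: str) -> str:
    """Render a rule as an aliyun CLI call (assumed flag syntax; verify locally)."""
    return (
        f"aliyun ecs AuthorizeSecurityGroup --RegionId {region} "
        f"--SecurityGroupId {sg_id} --IpProtocol {rule['protocol']} "
        f"--PortRange {rule['port_range']} --SourceCidrIp {rule['source']} "
        f"--Policy {rule['policy']}"
    )


def is_allowed(rules: list, src_ip: str, port: int) -> bool:
    """Evaluate the rule set: first matching rule decides, no match means drop."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        lo, hi = (int(p) for p in r["port_range"].split("/"))
        if lo <= port <= hi and ip in ipaddress.ip_network(r["source"]):
            return r["policy"] == "accept"
    return False


if __name__ == "__main__":
    # Constructed sample: the client from the documentation needs SSH and the portal.
    rules = build_rules("192.168.0.1", ["ssh", "portal"])
    for r in rules:
        print(to_cli(r, "cn-hangzhou", "sg-placeholder"))  # placeholder IDs
```

Run it to print the CLI commands for review; the rules are deliberately one port per rule and a /32 source, so an extra service or client later means adding a rule rather than widening an existing one.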

References
For more information about how to perform web-based O&M operations, see Web-based O&M.