The network domain feature of Bastionhost enables centralized O&M operations on assets across different networks or assets that cannot directly communicate with your bastion host's virtual private cloud (VPC). You can configure a proxy server for these assets, create a network domain for a bastion host, and connect the network domain to the proxy server. Then, you can perform O&M operations on the assets by using the bastion host. This topic describes how to use the network domain feature.
Background information
The network domain feature provides the optimal O&M solutions for hybrid cloud scenarios. For example, you can use the feature to perform O&M operations on assets across data centers, heterogeneous clouds, and VPCs. In most cases, the assets of an enterprise are deployed in different regions and may fail to communicate with a bastion host. You can use public IP addresses or leased lines to connect to the assets. However, public IP addresses may pose security risks, and leased lines cause high network costs. In such cases, you can use the proxy mode of the network domain feature to perform O&M operations on assets that reside in different networks, including data centers, heterogeneous clouds, and VPCs. The proxy mode is supported by Bastionhost Enterprise Edition. For more information about the best practices of O&M in the proxy mode of the network domain feature, see Best practices of hybrid O&M.
Supported versions
Enterprise Edition and SM Edition.
If your Bastionhost instance is Basic Edition, upgrade to the corresponding version. For more information, see Upgrade instance type.
Proxy methods
The network domain feature supports four proxy types: SSH proxy, HTTP proxy, HTTPS proxy, and SOCKS5 proxy.
We recommend the SSH proxy mode because the SSH protocol encrypts the transmitted content, which mitigates the security risks associated with plaintext data transmission.
Prerequisites
If you select the Proxy connection mode for the network domain, ensure that:
A proxy server is configured.
The proxy server and bastion host share the same network environment.
Recommended configurations for proxy servers
You can configure SSH, HTTP, HTTPS, or SOCKS5 proxy servers as the primary and secondary proxy servers. Then, use the proxy servers to perform O&M operations on assets. The following table describes the recommended configurations for proxy servers.
(Recommended) SSH proxy servers
| Configuration | Description |
| --- | --- |
| OS | A Linux host for which SSH is enabled. |
| Configuration method | You can use Linux hosts as SSH proxy servers without the need to install components or complete configurations on the Linux hosts. |
| CPU and memory | 2 cores and 4 GB of memory. |
| Bandwidth | 10 Mbit/s. Note: The actual bandwidth usage varies based on the number of concurrent O&M sessions. If you initiate multiple sessions to perform complex GUI-based operations from a remote desktop, bandwidth usage may spike and remote sessions may freeze. In such cases, we recommend that you purchase extra bandwidth for your bastion host. For more information about limits on the number of concurrent O&M sessions, see Limits. For more information about how to purchase extra bandwidth for your bastion host, see Upgrade a bastion host. |
HTTP, HTTPS, and SOCKS5 proxy servers
| Configuration | Description |
| --- | --- |
| OS | A host that runs CentOS 6.9 or later. |
| Configuration method | For more information, see How do I configure a server as an HTTP or SOCKS5 proxy server? or How do I configure a server as an HTTPS proxy server? |
| CPU and memory | 2 cores and 4 GB of memory. |
| Bandwidth | 10 Mbit/s. Note: The actual bandwidth usage varies based on the number of concurrent O&M sessions. If you initiate multiple sessions to perform complex GUI-based operations from a remote desktop, bandwidth usage may spike and remote sessions may freeze. In such cases, we recommend that you purchase extra bandwidth for your bastion host. For more information about limits on the number of concurrent O&M sessions, see Limits. For more information about how to purchase extra bandwidth for your bastion host, see Upgrade a bastion host. |
Create a network domain
To use your bastion host to perform O&M operations on multiple assets in a network domain, create a network domain for the bastion host and connect the network domain to a proxy server. To do this, perform the following steps.
Log on to the Bastionhost console and select the target region in the top navigation bar.
In the bastion host list, find the target instance and click Manage.
In the navigation pane on the left, choose
On the Network Domain page, click Create Network Domain. In the Create Network Domain panel, configure the Network Domain, Remarks, and Connection Mode parameters.
Direct Connection: Your bastion host is connected to the assets without proxy servers. By default, an asset is automatically added to the direct network when the asset is imported to your bastion host for the first time. The direct network is the network domain for the Direct Connection mode.
Proxy: If the assets cannot communicate with your bastion host, configure a proxy server to forward network requests. You can use the bastion host to perform O&M operations on assets in different networks by using the proxy server.
Note: Bastionhost Basic Edition supports only the direct connection mode. Bastionhost Enterprise Edition supports both the direct connection and proxy modes.
If you select Proxy, configure at least one proxy server. The following example shows how to configure a primary proxy server:
Click Create Proxy Server in the Primary Proxy Server section. In the dialog box that appears, configure the following parameters.
| Parameter | Description |
| --- | --- |
| Proxy Type | The type of the proxy. Valid values: SSH Proxy, HTTP Proxy, HTTPS Proxy, and SOCKS5 Proxy. |
| Server Address | The address of the primary proxy server. |
| Server Port | The port of the primary proxy server. |
| Host Account | The account of the primary proxy server. |
| Authentication Type | Password: Specify the password of the account for the primary proxy server. Private Key: Select this value only if the Proxy Type parameter is set to SSH Proxy. If you select this value, specify the private key of the account for the primary proxy server. You can also specify the encryption password. |
| ServerName | Optional. The domain name or IP address bound to the server certificate. If you set the Proxy Type parameter to HTTPS Proxy, specify this parameter. |
| Certificate | Optional. The CA certificate that corresponds to the server certificate. If you set the Proxy Type parameter to HTTPS Proxy, specify this parameter. |
Note: The network domain feature lets you configure a primary proxy server and a secondary proxy server. Both are configured in the same way. If an error occurs on the primary proxy server, the secondary one is automatically connected to your bastion host. To ensure the stability of the network domain, we recommend that you configure a secondary proxy server.
Click Test Connection. After the primary proxy server passes the connectivity test, click OK.
Note: If the connectivity test fails, check whether the parameters are correctly configured.
Click Create Network Domain.
A message appears to indicate that the network domain is created. You can click Add Host or Add Database to add the hosts or databases that you manage to the network domain.
If you have not yet decided which hosts or databases to add, you can add them later. For instructions, see Add hosts or databases.
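The parameter rules from the table above (Private Key only with SSH Proxy, ServerName and Certificate with HTTPS Proxy) and the primary/secondary failover rule, as an added example that is not part of the Bastionhost documentation. The `ProxyServer` class, `validate_proxy`, `tcp_reachable` and `select_proxy` are assumptions modelled on the console parameters, not a Bastionhost API; the TCP probe is only a minimal stand-in for the console's Test Connection.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Optional

# Valid values of the Proxy Type and Authentication Type parameters from the panel above.
PROXY_TYPES = ("SSH Proxy", "HTTP Proxy", "HTTPS Proxy", "SOCKS5 Proxy")
AUTH_TYPES = ("Password", "Private Key")


@dataclass
class ProxyServer:
    """Hypothetical model of one proxy server entry (not a Bastionhost API object)."""
    proxy_type: str
    address: str
    port: int
    account: str
    auth_type: str
    server_name: Optional[str] = None     # ServerName, used with HTTPS Proxy
    ca_certificate: Optional[str] = None  # Certificate (CA cert), used with HTTPS Proxy


def validate_proxy(p: ProxyServer) -> list:
    """Return the configuration problems of one proxy server (empty list when valid)."""
    problems = []
    if p.proxy_type not in PROXY_TYPES:
        problems.append(f"unknown Proxy Type {p.proxy_type!r}")
    if p.auth_type not in AUTH_TYPES:
        problems.append(f"unknown Authentication Type {p.auth_type!r}")
    elif p.auth_type == "Private Key" and p.proxy_type != "SSH Proxy":
        problems.append("Private Key is only valid when Proxy Type is SSH Proxy")
    if p.proxy_type == "HTTPS Proxy" and not (p.server_name and p.ca_certificate):
        problems.append("HTTPS Proxy needs ServerName and the CA Certificate")
    if not 1 <= p.port <= 65535:
        problems.append(f"Server Port {p.port} is out of range")
    return problems


def tcp_reachable(p: ProxyServer, timeout: float = 3.0) -> bool:
    """Minimal stand-in for Test Connection: can the proxy port be reached at all?"""
    try:
        with socket.create_connection((p.address, p.port), timeout=timeout):
            return True
    except OSError:
        return False


def select_proxy(primary: ProxyServer, secondary: Optional[ProxyServer] = None,
                 probe: Callable[[ProxyServer], bool] = tcp_reachable) -> Optional[str]:
    """Failover rule: use a valid, reachable primary; otherwise the secondary; else None."""
    for label, p in (("primary", primary), ("secondary", secondary)):
        if p is not None and not validate_proxy(p) and probe(p):
            return label
    return None
```

Run `validate_proxy` on each entry before saving it; a non-empty list is the same class of problem the console reports when Test Connection fails.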
What to do next
Add hosts or databases
After creating a network domain, you can add hosts or databases to it.
Log on to the Bastionhost console and select the target region in the top navigation bar.
In the bastion host list, find the target instance and click Manage.
In the navigation pane on the left, choose
On the Network Domain page, find the network domain that you want to manage and click Add Host or Add Database in the Actions column.
In the dialog box that appears, find the host or database that you want to add to the network domain. Then, click Add in the Actions column.
To add multiple assets at a time, select the assets that you want to add to the network domain and click Add below the asset list.
Edit a network domain
You can edit the basic information about a network domain, including its name, connection mode, and primary and secondary proxy servers. You can also remove assets from a network domain. To do this, perform the following steps.
Log on to the Bastionhost console and select the target region in the top navigation bar.
In the bastion host list, find the target instance and click Manage.
In the navigation pane on the left, choose
On the Network Domain page, find the network domain that you want and click Edit in the Actions column.
You can also click the name of a network domain to go to the Network Domain Details page.
On the Network Domain Details page, click a tab to modify the corresponding information.
On the Basic Info tab, change the name, remarks, and connection mode of the network domain. You can also add a secondary proxy server and test the connectivity to proxy servers.
On the Host tab, add or remove hosts.
On the Database tab, add or remove databases.