Network domains let you perform O&M operations on assets (hosts and databases) that cannot reach your Bastionhost instance's virtual private cloud (VPC) directly. Instead of exposing assets through public IP addresses or purchasing leased lines, you route O&M traffic through a proxy server that sits in a network both the assets and the bastion host can reach.
How it works
When an asset is in a different network segment—such as an on-premises data center, a heterogeneous cloud, or a cross-VPC deployment—it cannot communicate with your bastion host directly. A network domain solves this by associating the bastion host with a proxy server that sits in a network both can reach. All O&M traffic flows through the proxy, keeping assets off the public internet.
Each network domain uses one of two connection modes:
Direct connection: The bastion host connects to assets without a proxy. This is the default mode; every asset is placed into a direct-connection network domain when it is first imported.
Proxy: The bastion host routes O&M traffic through a proxy server. Use this mode for assets in data centers, heterogeneous clouds, or VPCs that cannot reach the bastion host.
Direct connection mode is available in all editions. Proxy mode is available in Enterprise Edition and SM Edition only. If you are on Basic Edition, upgrade your instance before proceeding.
Choose a proxy type
Four proxy types are supported. SSH proxy is the recommended choice because it encrypts transmitted content and eliminates the risk of plaintext data interception.
| Proxy type | When to use |
|---|---|
| SSH proxy (recommended) | Default choice for most environments. Requires a Linux host with SSH enabled; no additional software needed. |
| HTTP proxy | When an HTTP proxy is already deployed in the shared network. |
| HTTPS proxy | When you need TLS-encrypted proxy traffic and can supply a server certificate. |
| SOCKS5 proxy | When you need protocol-agnostic proxying and your environment runs a SOCKS5 server. |
Prerequisites
Before you begin, make sure that:
A proxy server is configured and accessible
The proxy server and the bastion host share the same network environment
Recommended proxy server specifications
All proxy types require the same hardware baseline: 2 CPU cores, 4 GB of memory, and 10 Mbit/s bandwidth.
Bandwidth usage scales with the number of concurrent O&M sessions. Remote desktop sessions with complex GUI operations can cause bandwidth spikes and session freezes. If that happens, purchase additional bandwidth for the bastion host. See Limits for session concurrency limits and Upgrade a bastion host for bandwidth upgrade instructions.
SSH proxy server
| Configuration | Requirement |
|---|---|
| OS | Any Linux host with SSH enabled |
| Software | None—no components to install or configure |
| CPU and memory | 2 cores, 4 GB |
| Bandwidth | 10 Mbit/s |
HTTP, HTTPS, and SOCKS5 proxy servers
| Configuration | Requirement |
|---|---|
| OS | CentOS 6.9 or later |
| Software | See the FAQ for HTTP/SOCKS5 setup and HTTPS setup |
| CPU and memory | 2 cores, 4 GB |
| Bandwidth | 10 Mbit/s |
Create a network domain
Log in to the Bastionhost console and select the target region.
In the bastion host list, find the target instance and click Manage.
In the left navigation pane, choose Assets > Network Domain.
Click Create Network Domain.
In the Create Network Domain panel, set Network Domain, Remarks, and Connection Mode. If you select Proxy, configure at least one proxy server. Click Create Proxy Server in the Primary Proxy Server section and fill in the parameters:
Configure both a primary and a secondary proxy server to ensure high availability. If the primary proxy server fails, the bastion host automatically switches to the secondary. Both are configured in the same way.
| Parameter | Description |
|---|---|
| Proxy Type | SSH Proxy, HTTP Proxy, HTTPS Proxy, or SOCKS5 Proxy |
| Server Address | IP address or hostname of the proxy server |
| Server Port | Port that the proxy server listens on |
| Host Account | Account used to authenticate to the proxy server |
| Authentication Type | Password: enter the account password. Private Key: available for SSH Proxy only; upload the private key and, optionally, its encryption password. |
| ServerName | (Optional, HTTPS Proxy only) Domain name or IP address bound to the server certificate |
| Certificate | (Optional, HTTPS Proxy only) CA certificate that corresponds to the server certificate |
Click Test Connection. After the connectivity test passes, click OK.
If the test fails, verify that the proxy server parameters are correct and that the proxy server is reachable from the bastion host.
Click Create Network Domain.
A confirmation message appears. Click Add Host or Add Database to add assets to the network domain now, or do it later from the Network Domain page.
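As an added illustration that is not part of the Bastionhost product or of this page, the following Python checks a proxy-server entry against the parameter rules described in the procedure above (private-key authentication for SSH Proxy only, ServerName and Certificate for HTTPS Proxy only) and models the primary/secondary failover behaviour. The field names, the `reachable` probe callback and the sample entries are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Proxy types the console offers (from the procedure above).
PROXY_TYPES = {"SSH Proxy", "HTTP Proxy", "HTTPS Proxy", "SOCKS5 Proxy"}


@dataclass
class ProxyServer:
    """One proxy-server entry; field names are assumed, not the console's API."""
    proxy_type: str
    address: str
    port: int
    host_account: str
    auth_type: str                      # "Password" or "Private Key"
    server_name: Optional[str] = None   # HTTPS Proxy only
    certificate: Optional[str] = None   # HTTPS Proxy only (CA certificate, PEM text)


def validate(p: ProxyServer) -> list:
    """Return the rule violations for one entry; an empty list means it is consistent."""
    errors = []
    if p.proxy_type not in PROXY_TYPES:
        errors.append(f"unknown proxy type {p.proxy_type!r}")
    if not p.address:
        errors.append("server address is required")
    if not 1 <= p.port <= 65535:
        errors.append(f"port {p.port} is out of range")
    if not p.host_account:
        errors.append("host account is required")
    if p.auth_type not in ("Password", "Private Key"):
        errors.append(f"unknown authentication type {p.auth_type!r}")
    if p.auth_type == "Private Key" and p.proxy_type != "SSH Proxy":
        errors.append("private-key authentication is available for SSH Proxy only")
    if p.proxy_type != "HTTPS Proxy" and (p.server_name or p.certificate):
        errors.append("ServerName and Certificate apply to HTTPS Proxy only")
    return errors


def select_proxy(primary: ProxyServer, secondary: Optional[ProxyServer],
                 reachable: Callable[[ProxyServer], bool]) -> Optional[ProxyServer]:
    """Documented failover: use the primary while it is up, otherwise the secondary."""
    for candidate in (primary, secondary):
        if candidate is not None and reachable(candidate):
            return candidate
    return None  # neither proxy answered; the O&M session cannot be established


if __name__ == "__main__":
    # Constructed sample entries (placeholder addresses, not real hosts).
    ssh = ProxyServer("SSH Proxy", "10.0.0.5", 22, "proxyuser", "Private Key")
    http = ProxyServer("HTTP Proxy", "10.0.0.6", 3128, "proxyuser", "Password")
    print("ssh entry:", validate(ssh) or "OK")
    print("active proxy:", select_proxy(ssh, http, lambda p: p is http).proxy_type)
```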
What's next
Add hosts or databases
Log in to the Bastionhost console and select the target region.
In the bastion host list, find the target instance and click Manage.
In the left navigation pane, choose Assets > Network Domain.
Find the network domain and click Add Host or Add Database in the Actions column.
In the dialog box, find the asset and click Add in the Actions column. To add multiple assets at once, select them and click Add below the list.
Edit a network domain
Edit the name, connection mode, and proxy servers, or add and remove assets.
Log in to the Bastionhost console and select the target region.
In the bastion host list, find the target instance and click Manage.
In the left navigation pane, choose Assets > Network Domain.
Find the network domain and click Edit in the Actions column, or click the network domain name to open the Network Domain Details page.
Use the tabs to modify the corresponding information:
Basic Info: Change the name, remarks, and connection mode. Add a secondary proxy server or run connectivity tests.
Host: Add or remove hosts.
Database: Add or remove databases.