Bastionhost: Use the network domain feature

Last Updated: Nov 14, 2023

If you want to manage the hosts that reside on different networks or the hosts that cannot communicate with bastion hosts in virtual private clouds (VPCs) in a centralized manner, we recommend that you use the network domain feature of Bastionhost. You can configure a proxy server for these hosts, create a network domain in the console of a bastion host, and then connect the network domain to the proxy server. This way, you can use the proxy server to perform O&M operations on other hosts. This topic describes how to use the network domain feature.

Background information

The network domain feature provides O&M solutions for hybrid cloud scenarios. For example, you can use the feature to perform O&M operations on hosts across data centers, heterogeneous clouds, and VPCs. In most cases, the hosts of an enterprise are deployed in different regions and may fail to communicate with a bastion host. To resolve this issue, you can use public IP addresses or leased lines to connect to the hosts. However, public IP addresses may pose security risks, whereas leased lines incur high network costs. In this case, we recommend that you use the proxy mode of the network domain feature to perform O&M operations in a centralized manner on hosts that reside in different networks. The proxy mode is supported by Bastionhost Enterprise Edition. The hosts include those that are deployed in a data center, a heterogeneous cloud, and different VPCs.

For best practices for O&M that uses the proxy mode of the network domain feature, see Best practices of hybrid O&M.

Prerequisites

A proxy server is configured for the hosts on the same network. For more information about the recommended configurations for proxy servers, see Recommended configurations for proxy servers.

Limits

  • Only Bastionhost Enterprise Edition supports the proxy mode of the network domain feature.

  • The network domain feature supports SSH, HTTP, and SOCKS5 proxies.

Recommended configurations for proxy servers

You can configure SSH, HTTP, or SOCKS5 hosts as the primary and secondary proxy servers. Then, you can use the proxy servers to perform O&M operations on other hosts. The following tables describe the recommended configurations for proxy servers.

SSH proxy servers

| Parameter | Description |
| --- | --- |
| Operating system | A Linux host for which SSH is enabled. |
| Configuration method | You can use Linux hosts as SSH proxy servers without the need to install components or complete configurations on the Linux hosts. |
| CPU and memory specifications | 2 cores and 4 GB of memory. |
| Bandwidth | 10 Mbit/s. |

Note

The actual bandwidth usage varies based on the number of concurrent O&M sessions. If you initiate multiple sessions to perform complex GUI-based operations from a remote desktop, bandwidth usage may spike, and remote sessions may freeze. In this case, we recommend that you purchase extra bandwidth for your bastion host.

HTTP and SOCKS5 proxy servers

| Parameter | Description |
| --- | --- |
| Operating system | A host that runs CentOS 6.9 or later. |
| Configuration method | For more information, see How do I configure a server as an HTTP or SOCKS5 proxy server?. |
| CPU and memory specifications | 2 cores and 4 GB of memory. |
| Bandwidth | 10 Mbit/s. |

Note

The actual bandwidth usage varies based on the number of concurrent O&M sessions. If you initiate multiple sessions to perform complex GUI-based operations from a remote desktop, bandwidth usage may spike, and remote sessions may freeze. In this case, we recommend that you purchase extra bandwidth for your bastion host.

Create a network domain

To use your bastion host to perform O&M operations on multiple hosts in a network domain, you must create a network domain for the bastion host and connect the network domain to a proxy server.

  1. Log on to the Bastionhost console.

  2. In the left-side navigation pane, choose Assets > Network Domain.

  3. On the Network Domain page, click Create Network Domain. In the Create Network Domain panel, configure the Network Domain, Remarks, and Connection Mode parameters.

    You can select Direct Connection or Proxy for the Connection Mode parameter.

    Note

    Bastionhost Basic Edition and Enterprise Edition support different connection modes.

    • Bastionhost Basic Edition supports only the direct connection mode.

    • Bastionhost Enterprise Edition supports the direct connection mode and the proxy mode.

    If you select Proxy, you must configure at least one proxy server. The network domain feature allows you to configure a primary proxy server and a secondary proxy server. You can configure a secondary proxy server in the same manner in which you configure a primary proxy server. The following example shows how to configure a primary proxy server:

    1. Click Create Proxy Server in the Primary Proxy Server section. In the dialog box that appears, configure the following parameters.

      | Parameter | Description |
      | --- | --- |
      | Proxy Type | The type of the proxy. Valid values: SSH Proxy, HTTP Proxy, and SOCKS5 Proxy. |
      | Server Address | The address of the primary proxy server. |
      | Server Port | The port of the primary proxy server. |
      | Host Account | The account of the primary proxy server. |
      | Password | The password of the account for the primary proxy server. |

    2. Optional. Repeat the preceding steps to configure the secondary proxy server.

      Note

      The network domain feature supports a primary proxy server and a secondary proxy server. If an error occurs on the primary proxy server, your bastion host automatically connects to the secondary proxy server. To ensure the stability of the network domain, we recommend that you configure a secondary proxy server.

    3. Click Test Connection. After the primary proxy server passes the connectivity test, click OK.

      Note

      If the connectivity test fails, check whether the parameters are correctly configured.

  4. Click Create Network Domain. The system displays the message "The network domain xx is created."

    You can click Add Host below the message to add the hosts on which you want to perform O&M operations to the network domain. For more information, see Add hosts.
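
Before you enter a SOCKS5 proxy server in the Create Proxy Server dialog box, you can confirm that the proxy enforces the Host Account and Password instead of accepting any client. The following Python check is an added example, not part of the Bastionhost product or its documentation; it assumes that the proxy speaks standard SOCKS5 (RFC 1928 and RFC 1929), and all function names are hypothetical.

```python
import socket

# Added example; function names are illustrative, not a Bastionhost API.
# SOCKS5 method codes from RFC 1928; 0x02 is username/password (RFC 1929).
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF


def build_greeting(methods):
    """Client greeting: VER=5, NMETHODS, then the offered method codes."""
    return bytes([0x05, len(methods), *methods])


def parse_method_reply(reply):
    """Return the method the server selected from its 2-byte reply."""
    if len(reply) != 2 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 method-selection reply: %r" % (reply,))
    return reply[1]


def classify(no_auth_reply, user_pass_reply):
    """Judge the proxy from its replies to a no-auth-only and a password-only offer."""
    if parse_method_reply(no_auth_reply) == NO_AUTH:
        return "open: accepts clients without credentials"
    if parse_method_reply(user_pass_reply) == USER_PASS:
        return "ok: requires username/password"
    return "unusable: offers neither method"


def probe(host, port, methods, timeout=5.0):
    """Send one greeting to host:port and return the raw 2-byte reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_greeting(methods))
        reply = b""
        while len(reply) < 2:
            chunk = s.recv(2 - len(reply))
            if not chunk:
                break
            reply += chunk
        return reply


def check_proxy(host, port):
    """Probe your own proxy twice and classify the result."""
    return classify(probe(host, port, [NO_AUTH]), probe(host, port, [USER_PASS]))


if __name__ == "__main__":
    # Constructed replies, as a password-only proxy would send them.
    print(classify(b"\x05\xff", b"\x05\x02"))
```

Run `check_proxy` with the same Server Address and Server Port that you plan to enter in the console; a result that starts with `open` means the Host Account and Password are not being enforced by the proxy.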

Add hosts

After you create a network domain, you can add hosts to the network domain.

  1. Log on to the Bastionhost console.

  2. In the left-side navigation pane, choose Assets > Network Domain.

  3. On the Network Domain page, find the network domain to which you want to add hosts.

  4. Click Add Host in the Actions column. In the Add Host dialog box, find the host that you want to add to the network domain and click Add Host in the Actions column.

    You can also select multiple hosts that you want to add to the network domain and click Add Host below the host list to add the selected hosts at the same time.

Edit a network domain

You can edit the basic information about a network domain. You can also add hosts to or remove hosts from a network domain.

  1. Log on to the Bastionhost console.

  2. In the left-side navigation pane, choose Assets > Network Domain.

  3. On the Network Domain page, find the network domain that you want to edit.

  4. Click Edit in the Actions column. On the Network Domain Details page, click the Basic Info or Host tab to modify the information on the tab.

    • On the Basic Info tab, you can change the values of Network Domain, Remarks, and Connection Mode. You can also edit and test the connectivity to the primary and secondary proxy servers.

    • On the Host tab, you can add or remove hosts.

What to do next

After you connect your bastion host to the hosts in a network domain by using the network domain feature, you must authorize users to manage the hosts in the network domain.