Administrator Quick Start


This topic describes how administrators can quickly start using Bastionhost.

Administrator configuration workflow

| Operation | Description | Documentation |
| --- | --- | --- |
| Import assets that require O&M into Bastionhost | Add assets (hosts, databases, and applications) to manage in your Bastionhost instance and create asset accounts. | |
| Create a Bastionhost user | After an administrator creates a Bastionhost user, O&M personnel can log on to Bastionhost using this user account to manage assets. Bastionhost supports creating local users or synchronizing RAM users, AD/LDAP users, or IDaaS users as Bastionhost users. | Create a Bastionhost user |
| Grant asset and asset account permissions to Bastionhost users | Grant specific Bastionhost users permission to manage designated hosts and host accounts. | Grant asset and account permissions to users |
| Enable access to the O&M portal | After you create a Bastionhost instance, both public and private network access to the O&M portal (Bastionhost web console) are disabled by default. Administrators must enable the appropriate access method in network settings and configure an access whitelist before O&M personnel can successfully reach the O&M portal. | Step 4 in this topic |
| Obtain the Bastionhost O&M address and share it with O&M personnel | Administrators must obtain the O&M address from the Bastionhost management page. After receiving the address, O&M personnel can perform operations through the web portal or a client. | Obtain the Bastionhost O&M address |
| Audit O&M sessions | View audit information such as O&M logs and session recordings. Block high-risk session operations if needed. | Audit O&M sessions |

Bastionhost usage example

The following example uses Alibaba Cloud ECS assets and a Bastionhost local user.

Step 1: Import Alibaba Cloud ECS instances and manage ECS accounts

  1. Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.

  2. In the list of Bastionhost instances, find the target instance and click Manage.

  3. In the navigation pane on the left, choose Assets > Hosts.

  4. Choose Import ECS Instances > Import Instances of Current Account. In the Select Region dialog box, select the regions where your ECS instances reside and click Next.

  5. In the Import ECS Instances dialog box, select the ECS instances you want to import and click Import.

  6. In the Actions column for your target asset, click Create Host Account.

  7. On the Create Host Account page, configure login parameters for your ECS instance and click Create.

    The following table describes each configuration item in the Host Account Configuration dialog box:

    | Configuration Item | Description |
    | --- | --- |
    | Protocol | SSH is used by default for Linux. RDP is used by default for Windows. |
    | Logon Name | Enter the username for logging on to the ECS instance. |
    | Authentication Type | Select Password. Note: if your ECS instance uses key-based authentication, select Private Key and enter the corresponding private key. A shared key lets you create a private key and associate it with multiple host accounts at once, improving management efficiency. For more information, see Shared key. |
    | Password | Enter the password for logging on to the ECS instance. Click Verify to test whether the login name and password are correct. For solutions to validation errors, see What do I do if password validation fails when creating a host account in Bastionhost? |
    | Enable Only SFTP Permission | Disabled by default. If enabled, this account cannot log on using SSH. |

Step 2: Create a Bastionhost user

  1. In the navigation pane on the left, choose Users > Users.

  2. Choose Import Other Users > Create User.

  3. In the Create User panel, configure user information and click Create.

Step 3: Grant asset and asset account permissions to the Bastionhost user

  1. On the User page, in the Actions column for your target user, click Permission on Host.

  2. On the Managed Hosts tab, click Permission on Host.

  3. In the Permission on Host panel, select your target asset and click OK.

  4. In the Authorized Accounts column, click the link that reads No accounts found. Click here to authorize the user to manage the accounts of the asset group.

  5. In the Select Account panel, select your target account and click Update.

Step 4: Enable access to the O&M portal

After completing this step, O&M personnel can use a browser to access the provided O&M portal address and log on to Bastionhost to perform operations. By default, both public and private network access to the O&M portal are disabled after you create a Bastionhost instance. You must enable the appropriate access method and configure an IP whitelist for allowed sources. Otherwise, O&M personnel will receive the address but fail to connect.

Access method selection

| Access Method | Scenario | Network Requirement | Prerequisite |
| --- | --- | --- | --- |
| Public network access | O&M personnel need to access Bastionhost over the public internet, for example from remote offices, mobile networks, or while traveling. | The O&M device must have public internet access, and its outbound IP must be fixed (to configure the whitelist). | You have confirmed the O&M personnel's public outbound IP. Enabling this option incurs public bandwidth charges. |
| Private network access | O&M personnel access Bastionhost over the VPC private network in the same region, for example from a jump server in the same VPC or from an office network connected via leased line. | The O&M network must be reachable from the VPC where Bastionhost resides. | You have planned a VPC and vSwitch in the same region and confirmed network connectivity between the O&M network and this VPC. |

Note

You can enable both public and private network access simultaneously for different groups of O&M personnel. After enabling, the Overview page displays both public and private O&M portal addresses.

Enable access steps

  1. In the navigation pane on the left, click Overview.

  2. In the Bastion Host Information section, find the Network Configuration entry and click it to open the network settings page.

  3. Enable public network access, private network access, or both based on your selected access method.

    • Enable public network access: In the Public Network Access section, click Enable Public Network. In the dialog box, confirm bandwidth and billing details, then click OK. The system automatically assigns a public O&M address, which takes effect in about 1–3 minutes.

    • Enable private network access: In the Private Network Access section, click Enable Private Network. In the dialog box, select the target VPC and vSwitch, then click OK. The system creates a private O&M address in the selected VPC.

    Important

    Public network access incurs bandwidth charges. Private network access consumes IP resources in the selected VPC. If you enabled either for testing or temporary use and no longer need it, disable the access method promptly.

  4. Configure the source IP whitelist.

    • Public access whitelist (required): In the public network access section, click Set Whitelist and add the public IPs or CIDR blocks allowed to access the O&M portal (for example, your company’s outbound IP). IPs not in the whitelist cannot access the portal.

    • Private access whitelist (optional): Private access is open to all IPs in the selected VPC by default. To further restrict access, set a whitelist in the private network access section.

    Warning

    Never set the public access whitelist to 0.0.0.0/0. Doing so exposes the Bastionhost O&M portal completely to the public internet, creating a critical security risk. Add only the real outbound IPs or CIDR blocks used by your O&M personnel. Whitelist changes take effect in about 1–3 minutes.

  5. Return to the Overview page of your Bastionhost instance. In the Bastion Host Information section, view the enabled O&M portal addresses. Public and private addresses appear separately. Copy and share the appropriate address with your O&M personnel based on their network environment.

Note

If O&M personnel cannot access the O&M portal after receiving the address, common causes include the following:

  • The public access entry is enabled, but the O&M personnel’s actual outbound IP is not in the whitelist (most common). Use a tool such as https://ipinfo.io to confirm their current public outbound IP and add it to the whitelist.

  • A private address was shared, but the O&M network cannot reach the Bastionhost VPC. Confirm whether you should switch to public access or establish connectivity via leased line or VPN.

  • The whitelist was recently updated and has not taken effect yet (takes about 1–3 minutes).
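As an added example (not Alibaba Cloud's or Bastionhost's own code), the following Python script applies the whitelist rules from Step 4 and the troubleshooting note above to a set of candidate entries before you paste them into the console: it rejects 0.0.0.0/0 and ranges that can never be a real public outbound IP, flags blocks wider than a /24 (that threshold is an assumption for this example, not a Bastionhost limit), and then checks whether a given O&M user's outbound IP is actually covered by the accepted entries. All addresses are constructed sample values.

```python
"""Pre-flight checks for a Bastionhost public-access whitelist.

Added example, not Bastionhost's own code. It mirrors the guidance above:
never 0.0.0.0/0, only real outbound IPs or CIDR blocks, and "is the user's
outbound IP actually in the whitelist?" as the first troubleshooting step.
"""
import ipaddress

# Ranges that can never be a real public outbound IP (RFC 1918, loopback,
# link-local, CGNAT, "this network"). Entries overlapping these are rejected.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]

# Widest block accepted without a warning. This /24 threshold is an assumption
# made for this example, not a Bastionhost limit.
MAX_BLOCK_ADDRESSES = 256


def check_entry(entry: str) -> tuple[str, str]:
    """Classify one candidate whitelist entry as 'ok', 'warn' or 'reject'."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "reject", f"{entry!r} is not a valid IP address or CIDR block"
    if net.version != 4:
        return "reject", "only IPv4 entries are handled in this example"
    if net.prefixlen == 0:
        return "reject", "0.0.0.0/0 would expose the O&M portal to the entire internet"
    if any(net.overlaps(p) for p in NON_PUBLIC):
        return "reject", f"{net} is not a public outbound range"
    if net.num_addresses > MAX_BLOCK_ADDRESSES:
        return "warn", f"{net} covers {net.num_addresses} addresses; narrow it to the real outbound range"
    return "ok", f"{net} accepted"


def review_whitelist(entries: list[str]) -> dict[str, tuple[str, str]]:
    """Run check_entry over every candidate entry, keyed by the entry text."""
    return {entry: check_entry(entry) for entry in entries}


def ip_allowed(ip: str, whitelist: list[str]) -> bool:
    """Troubleshooting check: is this outbound IP covered by any whitelist entry?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in whitelist)


if __name__ == "__main__":
    # Constructed sample: the company's outbound /29, one fixed IP, a private
    # range pasted by mistake, the catch-all, an over-wide block and a typo.
    candidates = [
        "203.0.113.8/29", "198.51.100.17", "10.0.0.0/8",
        "0.0.0.0/0", "203.0.113.0/16", "not-an-ip",
    ]
    results = review_whitelist(candidates)
    for entry, (verdict, reason) in results.items():
        print(f"{verdict:6} {entry:18} {reason}")

    accepted = [e for e, (v, _) in results.items() if v == "ok"]
    # The "most common cause" from the note above: a user's real outbound IP
    # (as reported by a lookup service) is simply not in the whitelist.
    for user_ip in ["203.0.113.10", "198.51.100.17", "192.0.2.44"]:
        status = "allowed" if ip_allowed(user_ip, accepted) else "BLOCKED: add it to the whitelist"
        print(f"{user_ip:15} -> {status}")
```

Run the review against the exact strings you intend to enter in Set Whitelist; anything marked reject should not be added, and a warn entry should be narrowed to the real outbound range before it goes in. Remember that console changes still take about 1–3 minutes to take effect, so a user who fails immediately after an update may simply need to wait.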

Step 5: Obtain the Bastionhost O&M address and share it with O&M personnel

After completing Step 4 to enable access, view the O&M portal address on the Overview page.

  1. In the navigation pane on the left, click Overview.

  2. In the Bastion Host Information section, copy the Bastionhost O&M address and share it with O&M personnel along with their login credentials. The address follows the format https://<O&M portal IP>:443. O&M personnel can open this address in a browser to log on to Bastionhost.

    In the Bastionhost Instance Information section on the right, you can view the Public O&M Address, Private O&M Address, Public O&M Portal Address, and Private O&M Portal Address. Copy the appropriate address based on your network environment.

Step 6: Audit O&M sessions as an administrator

In the navigation pane on the left, click O&M Audit to view session details. For more information, see Audit O&M sessions.

The O&M Audit section includes five subfeatures: Session Audit, Real-Time Monitoring, Operation Logs, O&M Reports, and Task Records.