{"id":55,"date":"2026-04-12T16:21:55","date_gmt":"2026-04-12T16:21:55","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-bastionhost-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/"},"modified":"2026-04-12T16:21:55","modified_gmt":"2026-04-12T16:21:55","slug":"alibaba-cloud-bastionhost-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-bastionhost-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/","title":{"rendered":"Alibaba Cloud Bastionhost Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Security<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Bastionhost<\/strong> is a managed <strong>Security<\/strong> service that centralizes and controls administrative access (SSH\/RDP and related protocols) to your servers and critical systems. It is designed to replace ad-hoc \u201cjump boxes\u201d with a governed access layer that supports strong authentication, fine-grained authorization, and comprehensive auditing.<\/p>\n\n\n\n<p>In simple terms: <strong>users log in to Bastionhost, and Bastionhost connects to your hosts on their behalf<\/strong>. This reduces direct exposure of your servers to the internet, makes access easier to manage, and produces audit trails that are usable for security reviews and compliance.<\/p>\n\n\n\n<p>Technically, Bastionhost acts as a privileged access management (PAM) gateway for operations (O&amp;M). It typically provides: asset\/host onboarding, centralized identity and access control, credential\/host-account management, session auditing (including command logs and session recordings where supported), and approval workflows. 
Exact capabilities can vary by edition and region\u2014<strong>verify in official docs for your region<\/strong>.<\/p>\n\n\n\n<p>The main problem Bastionhost solves is <strong>uncontrolled privileged access<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Too many SSH keys or shared passwords<\/li>\n<li>No consistent approval process<\/li>\n<li>No reliable audit trail of admin actions<\/li>\n<li>Direct public exposure of management ports (22\/3389)<\/li>\n<li>Hard-to-prove compliance for operations on production systems<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Naming\/status note: As of the latest generally available Alibaba Cloud documentation and console listings, the service is called <strong>Bastionhost<\/strong>. Alibaba Cloud also offers adjacent security\/audit products in some regions. If you see overlapping services (for example, products focused on \u201coperation audit\u201d), <strong>confirm the recommended product for your account and region in the official documentation<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Bastionhost?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Bastionhost is Alibaba Cloud\u2019s managed bastion\/PAM-style service for <strong>centralized operations access control and auditing<\/strong>. 
It is intended to be the single entry point for administrators and operators who need to access ECS instances and other connected assets.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (high level)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralized access entry for O&amp;M (SSH\/RDP and related operational access paths)<\/li>\n<li>Asset (host) inventory and grouping<\/li>\n<li>User management and authorization policies<\/li>\n<li>Managed host accounts (password or key-based, depending on configuration)<\/li>\n<li>Auditing (login events, operation logs, and\u2014where supported\u2014session recording)<\/li>\n<li>Optional approval\/work order flows for privileged access (edition\/region dependent\u2014verify)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (conceptual)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Bastionhost instance<\/strong>: The service instance you purchase in a region\/VPC.<\/li>\n<li><strong>Users \/ user groups<\/strong>: People who log in to Bastionhost (often mapped to enterprise IAM).<\/li>\n<li><strong>Assets \/ hosts<\/strong>: Targets like ECS instances (and potentially other systems reachable over the network).<\/li>\n<li><strong>Host accounts<\/strong>: OS-level accounts on the target (for example, <code>ops<\/code>, <code>root<\/code>, <code>Administrator<\/code>) managed or referenced by Bastionhost.<\/li>\n<li><strong>Authorization policies<\/strong>: Mappings between users\/groups and assets\/host accounts (often with time limits and constraints).<\/li>\n<li><strong>Audit logs \/ session records<\/strong>: Evidence for \u201cwho did what, when, and from where\u201d.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managed <strong>Security<\/strong> \/ access governance service (PAM\/bastion).<\/li>\n<li>Purchased and operated as a service instance in Alibaba Cloud.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Scope (regional\/global\/etc.)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Typically <strong>regional<\/strong>: you purchase a Bastionhost instance in a specific Alibaba Cloud region, and it is deployed into a VPC\/vSwitch in that region.<\/li>\n<li>Cross-region management may be possible only via network connectivity (VPN\/Express Connect\/peering) and supported product behavior\u2014<strong>verify in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n<p>Bastionhost commonly sits between:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Identity<\/strong>: Alibaba Cloud RAM (Resource Access Management), enterprise IdP\/SAML integrations (if supported), MFA (if supported).<\/li>\n<li><strong>Compute<\/strong>: ECS instances and potentially other workloads reachable by IP\/port.<\/li>\n<li><strong>Network<\/strong>: VPC, vSwitches, Security Groups, VPN Gateway, Express Connect.<\/li>\n<li><strong>Audit\/Monitoring<\/strong>: ActionTrail (control-plane events), Log Service\/SLS (log storage\/analysis), CloudMonitor (metrics)\u2014integration details vary; <strong>verify per region\/edition<\/strong>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Bastionhost?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reduces breach risk by minimizing direct administrative exposure and enabling consistent controls.<\/li>\n<li>Speeds up onboarding\/offboarding: access can be granted\/revoked centrally.<\/li>\n<li>Supports audits (SOC 2\/ISO 27001-like evidence needs) by producing operation trails.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralizes inbound admin access, reducing the need for public IPs on servers.<\/li>\n<li>Enforces consistent authentication and authorization patterns.<\/li>\n<li>Provides a controlled path for SSH\/RDP that is easier to secure than many ad-hoc jump servers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Simplifies asset inventory and access reviews.<\/li>\n<li>Improves accountability: actions are tied to named users rather than shared credentials.<\/li>\n<li>Enables operational workflows (such as approvals for production access) where supported.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access governance: least privilege, time-bound permissions, separation of duties.<\/li>\n<li>Auditing: logins, commands (for SSH), and session trails (where supported).<\/li>\n<li>Helps meet internal security policies requiring centralized access control and monitoring.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Central access layer scales better than managing hundreds of per-host firewall rules and keys.<\/li>\n<li>Reduces blast radius of credential sprawl.<\/li>\n<li>A managed service typically reduces operational overhead compared to self-hosting a bastion stack (though you still must design networking and IAM 
carefully).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You operate production workloads and need auditable admin access.<\/li>\n<li>You need to remove direct SSH\/RDP exposure from the internet.<\/li>\n<li>You need centralized authorization (especially across multiple teams).<\/li>\n<li>You are preparing for compliance audits or want better incident response telemetry.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You only have a small number of ephemeral instances and already use a different access model effectively (for example, fully private access via SASE + endpoint posture + direct SSH with short-lived certs).<\/li>\n<li>Your workloads are entirely serverless (no OS-level admin access).<\/li>\n<li>You cannot route network connectivity from Bastionhost to the assets (for example, strict segmentation without a path, and you cannot introduce VPN\/Express Connect).<\/li>\n<li>Your requirements demand a specific PAM feature not supported by Bastionhost in your region\/edition (for example, advanced secret rotation or privileged session management features)\u2014<strong>verify<\/strong>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Bastionhost used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Financial services and fintech (high auditability needs)<\/li>\n<li>E-commerce and retail (large fleets, frequent access requests)<\/li>\n<li>Healthcare and life sciences (strong governance and traceability requirements)<\/li>\n<li>SaaS and internet platforms (multi-team operations)<\/li>\n<li>Manufacturing\/IoT (hybrid networks with on-prem + cloud assets)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering and SRE<\/li>\n<li>DevOps and operations<\/li>\n<li>Security engineering (PAM and access governance)<\/li>\n<li>Compliance and audit teams<\/li>\n<li>Managed service providers (MSPs) and internal IT<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ECS-based applications (web, API, batch)<\/li>\n<li>Databases administered via OS access (or via network segments)<\/li>\n<li>Kubernetes worker nodes (if SSH access is allowed by policy)<\/li>\n<li>CI\/CD runner fleets (restricted admin access)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Private VPC workloads with no public IPs<\/li>\n<li>Multi-VPC environments (with peering\/Transit Router, depending on region)<\/li>\n<li>Hybrid cloud (on-prem assets reachable via VPN\/Express Connect)<\/li>\n<li>Segmented production networks with strict inbound controls<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u201cNo inbound SSH from the internet\u201d policies<\/li>\n<li>Temporary break-glass access under approval<\/li>\n<li>Centralizing admin access across multiple business units<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Production<\/strong>: strongest value\u2014approvals, audit retention, and strict least privilege.<\/li>\n<li><strong>Dev\/Test<\/strong>: still useful for standardization, but you may relax approvals and shorten audit retention depending on policy.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic Bastionhost use cases. Exact UI\/feature names can differ by edition\u2014<strong>verify in official docs<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Remove public SSH\/RDP from ECS instances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: ECS instances have public IPs with ports 22\/3389 exposed, increasing attack surface.<\/li>\n<li><strong>Why Bastionhost fits<\/strong>: Users access hosts through Bastionhost; hosts can stay private.<\/li>\n<li><strong>Scenario<\/strong>: Production ECS instances move to private subnets; only Bastionhost can reach them.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Centralized operator onboarding\/offboarding<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Access is distributed across SSH keys, local accounts, and manual firewall exceptions.<\/li>\n<li><strong>Why it fits<\/strong>: Central user management and authorization mappings.<\/li>\n<li><strong>Scenario<\/strong>: A contractor joins for 2 weeks; access is granted to a host group for a fixed period and then automatically removed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Command and session auditing for incident response<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: After an incident, you can\u2019t prove what commands were executed.<\/li>\n<li><strong>Why it fits<\/strong>: Bastionhost can record user sessions and commands (SSH command audit where supported).<\/li>\n<li><strong>Scenario<\/strong>: Security team 
reviews session records after a suspicious configuration change.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Approval-based production access (\u201cbreak-glass with workflow\u201d)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Engineers need occasional privileged production access, but it must be approved.<\/li>\n<li><strong>Why it fits<\/strong>: Bastionhost can support access requests\/approvals depending on edition.<\/li>\n<li><strong>Scenario<\/strong>: On-call requests temporary root-level access to a host group for 2 hours; manager approval is required.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Shared infrastructure access without shared credentials<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Teams share <code>root<\/code> passwords or a single \u201cops\u201d key.<\/li>\n<li><strong>Why it fits<\/strong>: Each user authenticates individually; access can be mapped to managed host accounts.<\/li>\n<li><strong>Scenario<\/strong>: Multiple SREs access the same fleet but are individually accountable.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Enforce least privilege via host\/account scoping<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Users get broad access because it\u2019s hard to manage fine-grained permissions.<\/li>\n<li><strong>Why it fits<\/strong>: Authorization can be scoped per host group and host account.<\/li>\n<li><strong>Scenario<\/strong>: App team can SSH as <code>appuser<\/code> to application servers but cannot access database servers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Standardize access across hybrid assets (cloud + on-prem)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: On-prem access is controlled differently than cloud access.<\/li>\n<li><strong>Why it fits<\/strong>: Bastionhost can manage assets reachable over network links (VPN\/Express 
Connect).<\/li>\n<li><strong>Scenario<\/strong>: Ops uses one portal for ECS and on-prem Linux hosts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Reduce lateral movement risk via network segmentation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Admin workstations can reach too much of the network directly.<\/li>\n<li><strong>Why it fits<\/strong>: Only Bastionhost is allowed into management subnets; operators cannot route directly.<\/li>\n<li><strong>Scenario<\/strong>: Security groups only allow inbound SSH from Bastionhost security group.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Vendor or third-party access with tight controls<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Vendors need access but should be restricted and monitored.<\/li>\n<li><strong>Why it fits<\/strong>: Time-bound authorization + audit.<\/li>\n<li><strong>Scenario<\/strong>: Vendor gets access only to a specific host and only during business hours (if supported by policy constraints\u2014verify).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Improve compliance reporting (who\/what\/when)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Auditors require evidence of administrative access controls and logs.<\/li>\n<li><strong>Why it fits<\/strong>: Bastionhost centralizes audit artifacts.<\/li>\n<li><strong>Scenario<\/strong>: Provide monthly access review reports and session evidence for selected changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Operational consistency across multiple accounts\/teams (organizational governance)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Different teams implement access differently; security baseline is inconsistent.<\/li>\n<li><strong>Why it fits<\/strong>: A consistent bastion pattern can be replicated across environments.<\/li>\n<li><strong>Scenario<\/strong>: Standard \u201cproduction bastion\u201d 
design with mandatory MFA and approval policies (where supported).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Controlled file transfer auditing (where supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: File transfers to\/from servers are untracked.<\/li>\n<li><strong>Why it fits<\/strong>: Bastionhost may audit file transfer operations (feature\/edition dependent\u2014verify).<\/li>\n<li><strong>Scenario<\/strong>: Database export files are transferred under recorded sessions.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Feature availability can vary by Bastionhost edition and region. For each item below, <strong>verify in official documentation<\/strong> for your specific instance type.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">1) Bastionhost instance deployed into your VPC<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Creates a managed bastion endpoint connected to your VPC.<\/li>\n<li><strong>Why it matters<\/strong>: Keeps management traffic inside your private network boundary.<\/li>\n<li><strong>Practical benefit<\/strong>: Hosts can stay without public IPs.<\/li>\n<li><strong>Caveat<\/strong>: You must design routing\/security groups correctly to allow Bastionhost-to-host connectivity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Asset (host) onboarding and inventory<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Lets you register assets (typically by IP, protocol, port, and network type).<\/li>\n<li><strong>Why it matters<\/strong>: A clean inventory is the foundation for least-privilege access.<\/li>\n<li><strong>Practical benefit<\/strong>: Group assets by environment, system, owner, risk.<\/li>\n<li><strong>Caveat<\/strong>: If IPs change frequently, you need a process (static private IPs, DNS, or re-registration 
depending on product support).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Host account management (managed or referenced)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Associates OS accounts (Linux\/Windows) with the asset; some setups can store credentials securely for proxy login.<\/li>\n<li><strong>Why it matters<\/strong>: Eliminates shared credentials and enables consistent access patterns.<\/li>\n<li><strong>Practical benefit<\/strong>: Operators authenticate to Bastionhost, then select the target account.<\/li>\n<li><strong>Caveat<\/strong>: Credential storage\/rotation specifics must match your security policy\u2014<strong>verify encryption\/rotation features<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) User management and identity integration options<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Defines operator identities in Bastionhost; may integrate with Alibaba Cloud RAM and\/or enterprise identity providers depending on support.<\/li>\n<li><strong>Why it matters<\/strong>: Central identity enables consistent offboarding and MFA enforcement patterns.<\/li>\n<li><strong>Practical benefit<\/strong>: Access is tied to named identities, not shared accounts.<\/li>\n<li><strong>Caveat<\/strong>: Federation\/MFA behavior can vary; confirm for your region\/edition.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Fine-grained authorization (user \u2194 host \u2194 account)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Grants specific users or groups access to specific assets and specific host accounts.<\/li>\n<li><strong>Why it matters<\/strong>: Implements least privilege.<\/li>\n<li><strong>Practical benefit<\/strong>: App team can access app servers; DBAs can access database servers; interns get no production access.<\/li>\n<li><strong>Caveat<\/strong>: Poorly designed groups\/policies can become hard to audit\u2014plan a 
clear RBAC model.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Web-based login and session proxy<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Allows O&amp;M access through a centralized portal (often via browser for SSH\/RDP proxying).<\/li>\n<li><strong>Why it matters<\/strong>: Reduces need to distribute direct network access and credentials.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster access from controlled endpoints; consistent session logging.<\/li>\n<li><strong>Caveat<\/strong>: Browser-based access can have usability constraints for advanced workflows; confirm supported clients.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Auditing: login, operation, and session records<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Records who logged in, which asset they accessed, and what they did (commands\/session) depending on protocol and settings.<\/li>\n<li><strong>Why it matters<\/strong>: Audit evidence and incident investigation.<\/li>\n<li><strong>Practical benefit<\/strong>: Trace configuration changes back to an individual and time.<\/li>\n<li><strong>Caveat<\/strong>: Retention and export options vary; plan downstream log archiving if needed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Approval \/ work-order flows (if supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Requires requests\/approvals for certain access (for example production).<\/li>\n<li><strong>Why it matters<\/strong>: Separation of duties and controlled elevation.<\/li>\n<li><strong>Practical benefit<\/strong>: \u201cJust-in-time\u201d access with approvals.<\/li>\n<li><strong>Caveat<\/strong>: Workflow complexity can slow operations; define break-glass paths.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Policy controls (command control, time windows, IP restrictions) (if supported)<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Adds controls like blocking certain commands or restricting access windows.<\/li>\n<li><strong>Why it matters<\/strong>: Prevents high-risk actions or reduces misuse.<\/li>\n<li><strong>Practical benefit<\/strong>: Block destructive commands on sensitive hosts; restrict vendor access to business hours.<\/li>\n<li><strong>Caveat<\/strong>: Overly strict rules can break automation; test in staging first.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Integration hooks for governance (ActionTrail\/SLS\/CloudMonitor) (integration dependent)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Allows exporting logs or correlating control-plane events with O&amp;M activity.<\/li>\n<li><strong>Why it matters<\/strong>: Centralized security monitoring and long-term retention.<\/li>\n<li><strong>Practical benefit<\/strong>: Feed SIEM, create alerts on suspicious admin behavior.<\/li>\n<li><strong>Caveat<\/strong>: Costs can shift to log storage\/ingest; design retention tiers.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level service architecture<\/h3>\n\n\n\n<p>At a high level, Bastionhost introduces a managed proxy layer:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Operator authenticates to Bastionhost (local user, RAM identity, or federated identity\u2014depending on configuration).<\/li>\n<li>Operator selects an asset (host) and a host account.<\/li>\n<li>Bastionhost establishes a network connection to the target host over the allowed protocol (for example SSH:22 or RDP:3389).<\/li>\n<li>Bastionhost proxies the session and records audit trails.<\/li>\n<li>
Security and ops teams review logs\/session records as needed; optionally export to centralized logging.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane<\/strong>: Administrative actions in the Alibaba Cloud console\/API (creating instance, adding assets\/users, changing permissions). These are often tracked by Alibaba Cloud governance tools like ActionTrail (verify).<\/li>\n<li><strong>Data plane<\/strong>: The live SSH\/RDP traffic proxied through Bastionhost between operator and target.<\/li>\n<li><strong>Audit plane<\/strong>: Events, command logs, and\/or recordings stored by Bastionhost and optionally exported.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services (common patterns)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ECS<\/strong>: Primary target hosts.<\/li>\n<li><strong>VPC \/ vSwitch \/ Security Groups<\/strong>: Network reachability and segmentation.<\/li>\n<li><strong>VPN Gateway \/ Express Connect<\/strong>: Connectivity to on-prem networks.<\/li>\n<li><strong>RAM<\/strong>: Centralized identity and access for the Bastionhost console and possibly for Bastionhost user mapping (verify).<\/li>\n<li><strong>ActionTrail<\/strong>: Auditing of API\/control-plane operations (verify).<\/li>\n<li><strong>Log Service (SLS)<\/strong>: Centralized log storage\/analysis (verify).<\/li>\n<li><strong>CloudMonitor<\/strong>: Metrics\/alerts for the Bastionhost instance or related resources (verify).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPC networking is fundamental (routing, security groups).<\/li>\n<li>Target host readiness (SSH server\/RDP service enabled, OS firewall rules).<\/li>\n<li>IAM\/RAM for who can administer Bastionhost configuration at the cloud level.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Two levels of access control<\/strong>:\n<ol class=\"wp-block-list\">\n<li>Alibaba Cloud account\/RAM permissions to <em>manage<\/em> Bastionhost resources.<\/li>\n<li>Bastionhost internal user authorization to <em>use<\/em> access to assets.<\/li>\n<\/ol>\n<\/li>\n<li>Operators should authenticate strongly (MFA recommended).<\/li>\n<li>Bastionhost should enforce least privilege via host groups and account mappings.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<p>Common secure pattern:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastionhost is placed in a <strong>management subnet<\/strong>.<\/li>\n<li>Target ECS instances are in <strong>private subnets<\/strong> with no public IP.<\/li>\n<li>Security groups allow inbound SSH\/RDP <strong>only from Bastionhost<\/strong> (or from its security group).<\/li>\n<li>Operators access Bastionhost over HTTPS (public endpoint or via private access path, depending on design).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define log retention requirements (days\/months\/years).<\/li>\n<li>Export logs to a centralized log platform if required.<\/li>\n<li>Alert on unusual behavior: off-hours access, access to high-risk hosts, repeated failed logins, use of privileged accounts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  User[Operator Laptop] --&gt;|HTTPS to Bastionhost Portal| BH[Bastionhost Instance]\n  BH --&gt;|SSH\/RDP (private)| ECS1[ECS Host A]\n  BH --&gt;|SSH\/RDP (private)| ECS2[ECS Host B]\n  BH --&gt; Logs[Audit Logs \/ Session Records]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Internet[Internet \/ Corporate Network]\n    
U1[Engineers]\n    U2[Vendors]\n  end\n\n  subgraph AlibabaCloud[Alibaba Cloud]\n    subgraph VPC1[VPC: Production]\n      subgraph MgmtSubnet[Management Subnet]\n        BH[Bastionhost]\n      end\n      subgraph AppSubnet[Private App Subnet]\n        ECSAPP[App ECS Fleet]\n      end\n      subgraph DbSubnet[Private DB Subnet]\n        ECSDB[DB ECS \/ Admin Hosts]\n      end\n    end\n\n    RAM[RAM \/ IAM]\n    %% node labels containing parentheses must be quoted or Mermaid fails to parse them\n    AT[\"ActionTrail (control-plane audit)\\nVerify integration\"]\n    SLS[\"Log Service (central log analytics)\\nVerify integration\"]\n  end\n\n  U1 --&gt;|HTTPS| BH\n  U2 --&gt;|HTTPS (restricted)| BH\n  BH --&gt;|SSH 22| ECSAPP\n  BH --&gt;|SSH 22 \/ RDP 3389| ECSDB\n\n  BH --&gt;|Audit export (optional)| SLS\n  RAM --&gt; BH\n  BH -. control plane events .-&gt; AT\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/subscription requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Alibaba Cloud account<\/strong> with billing enabled.<\/li>\n<li>Permission to purchase and manage Bastionhost.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM (RAM)<\/h3>\n\n\n\n<p>At minimum, you need:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Permissions to create and manage Bastionhost instances.<\/li>\n<li>Permissions to view and manage VPC, vSwitch, Security Groups, and ECS instances used in the lab.<\/li>\n<\/ul>\n\n\n\n<p>If you work in an organization with separation of duties:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud admins manage the Bastionhost instance and network baseline.<\/li>\n<li>Security team defines authorization policies and audit exports.<\/li>\n<li>Ops team uses Bastionhost for daily access.<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Exact RAM policy names\/actions can change. 
Use the Alibaba Cloud policy generator or official RAM docs to craft least-privilege policies\u2014<strong>verify in official docs<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastionhost is typically a paid service (often subscription-based by edition\/spec).<\/li>\n<li>ECS\/VPC and potentially EIP\/bandwidth and log services can incur costs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools needed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud console access.<\/li>\n<li>Optional: SSH client for direct host testing (not required for Bastionhost access, but helpful).<\/li>\n<li>Optional: A text editor for notes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastionhost availability is region-dependent. Confirm your target region supports Bastionhost before starting:\n<ul class=\"wp-block-list\">\n<li>Official product page: https:\/\/www.alibabacloud.com\/product\/bastionhost<\/li>\n<li>Official documentation: https:\/\/www.alibabacloud.com\/help\/en\/bastionhost<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits (examples to check)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maximum number of assets\/hosts per Bastionhost instance (edition\/spec dependent).<\/li>\n<li>Maximum number of users\/concurrent sessions (edition\/spec dependent).<\/li>\n<li>Audit record retention limits and storage behavior.<\/li>\n<li>Network constraints (VPC-only, Classic support, or hybrid reachability)\u2014<strong>verify<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>VPC with at least one vSwitch\/subnet.<\/li>\n<li>At least one ECS instance (Linux recommended for this lab).<\/li>\n<li>Security group rules to allow Bastionhost to reach ECS (SSH on 22).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 
class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<blockquote>\n<p>Do not rely on static numbers in third-party blogs. Bastionhost pricing can vary by <strong>region, edition\/specification, and purchase term<\/strong>. Always confirm on the official pricing page.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (what to expect)<\/h3>\n\n\n\n<p>Bastionhost is commonly purchased as a <strong>service instance<\/strong> with a selected <strong>edition\/specification<\/strong> and <strong>subscription period<\/strong>. Pricing may reflect one or more of the following dimensions (exact billing items vary\u2014<strong>verify<\/strong>):\n&#8211; Instance edition\/spec (often determines capacity and feature set)\n&#8211; Managed assets\/hosts quota\n&#8211; Managed users quota\n&#8211; Concurrent sessions quota\n&#8211; Audit storage\/retention options (sometimes bundled, sometimes separate)\n&#8211; Public access bandwidth\/EIP (if you choose an internet-facing endpoint)\n&#8211; Optional integrations that store logs externally (SLS\/OSS) and incur their own charges<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<p>Bastionhost is generally not a \u201cfree tier\u201d service. 
Some regions may offer promotions or trial offers\u2014<strong>verify in the Alibaba Cloud console and pricing pages<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers (direct)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Edition\/spec selection<\/strong>: higher capacity and advanced features increase cost.<\/li>\n<li><strong>Subscription term<\/strong>: monthly vs annual (annual often discounted).<\/li>\n<li><strong>Internet exposure<\/strong>: using EIP and bandwidth for Bastionhost portal access.<\/li>\n<li><strong>Scale<\/strong>: number of managed assets\/users and session volume.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden\/indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ECS costs<\/strong> for the hosts you manage (not caused by Bastionhost, but part of total access architecture).<\/li>\n<li><strong>Network costs<\/strong>:\n<ul>\n<li>EIP and bandwidth charges if Bastionhost is publicly reachable.<\/li>\n<li>VPN Gateway \/ Express Connect costs if hybrid connectivity is required.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Logging costs<\/strong>:\n<ul>\n<li>If you export audit logs to Log Service (SLS) or store recordings in OSS, you pay ingestion, storage, and query\/analysis costs.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Operational overhead<\/strong>:\n<ul>\n<li>Time spent defining RBAC, approvals, and audit review processes.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bastionhost proxies interactive sessions; bandwidth typically is modest per session, but:\n<ul>\n<li>RDP sessions, file transfers, and session recordings can increase traffic.<\/li>\n<li>Public access to the portal can incur internet egress\/ingress billing depending on how it is implemented in your region.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>private access<\/strong> (VPN\/Express 
Connect\/corporate network) rather than a public endpoint when feasible.<\/li>\n<li>Choose the smallest edition\/spec that supports:\n<ul>\n<li>your near-term asset\/user count,<\/li>\n<li>required audit retention,<\/li>\n<li>required workflow\/security features.<\/li>\n<\/ul>\n<\/li>\n<li>Control log retention:\n<ul>\n<li>Keep \u201chot\u201d logs in SLS for short periods.<\/li>\n<li>Archive to OSS for longer-term retention if needed (verify supported export paths).<\/li>\n<\/ul>\n<\/li>\n<li>Implement least privilege to reduce \u201cjust in case\u201d access and avoid operational sprawl.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (model, not numbers)<\/h3>\n\n\n\n<p>A typical low-cost evaluation environment often includes:\n&#8211; 1 Bastionhost instance (smallest available spec in your region)\n&#8211; 1\u20132 ECS instances in a VPC\n&#8211; No public EIP (access Bastionhost via VPN or a controlled corporate path), <strong>or<\/strong> minimal bandwidth if public\n&#8211; Default audit retention (short)<\/p>\n\n\n\n<p>Because pricing varies significantly by region and SKU, <strong>use the official pricing page and your region\u2019s console to calculate the monthly equivalent<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations (what to plan for)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multiple environments (dev\/stage\/prod) may require separate Bastionhost instances for isolation.<\/li>\n<li>Larger capacity edition\/spec to support:\n<ul>\n<li>hundreds\/thousands of assets,<\/li>\n<li>many operator identities,<\/li>\n<li>concurrent sessions.<\/li>\n<\/ul>\n<\/li>\n<li>Centralized logging and longer retention for compliance (SLS\/OSS).<\/li>\n<li>Hybrid connectivity costs (VPN\/Express Connect) if managing on-prem assets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Official pricing references<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Product page (usually links to pricing): 
https:\/\/www.alibabacloud.com\/product\/bastionhost  <\/li>\n<li>Pricing landing page: https:\/\/www.alibabacloud.com\/pricing  <\/li>\n<li>Documentation hub: https:\/\/www.alibabacloud.com\/help\/en\/bastionhost  <\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>If your console shows a \u201cBuy\u201d page with detailed line items, treat that as the source of truth for your region\/edition.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab builds a minimal, realistic Bastionhost setup: one Bastionhost instance and one private ECS instance, accessed via Bastionhost with auditable sessions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deploy Bastionhost in a VPC.<\/li>\n<li>Create a private Linux ECS instance.<\/li>\n<li>Register the ECS instance as an asset in Bastionhost.<\/li>\n<li>Create a Bastionhost user and authorization policy.<\/li>\n<li>Connect to the ECS instance through Bastionhost and verify audit logs.<\/li>\n<li>Clean up to avoid ongoing charges.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will create:\n&#8211; A VPC with a vSwitch\/subnet\n&#8211; One ECS (Linux) instance in the subnet\n&#8211; A Bastionhost instance in the same VPC\n&#8211; Security group rules that allow Bastionhost \u2192 ECS over SSH (22)\n&#8211; A Bastionhost user authorized to access the ECS host account<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>: You can log in to Bastionhost, open a browser-based SSH session to the private ECS instance, run a command, and find evidence of the session in Bastionhost audit logs (exact audit UI depends on edition\u2014verify).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create a VPC and Security Group (baseline network)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the Alibaba Cloud 
console, go to <strong>VPC<\/strong>.<\/li>\n<li>Create a <strong>VPC<\/strong> (for example, <code>vpc-bh-lab<\/code>) with an IPv4 CIDR (for example <code>10.10.0.0\/16<\/code>).<\/li>\n<li>Create a <strong>vSwitch<\/strong> in one zone (for example <code>10.10.1.0\/24<\/code>) named <code>vsw-bh-lab<\/code>.<\/li>\n<li>Create a <strong>Security Group<\/strong> (for example <code>sg-bh-lab<\/code>) in the same VPC.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You have a VPC, vSwitch, and security group ready for both ECS and Bastionhost.<\/p>\n\n\n\n<p><strong>Notes<\/strong>\n&#8211; You can reuse an existing VPC if you already have one, but keep the lab isolated to reduce risk.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a private ECS Linux instance (the target asset)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>ECS<\/strong> \u2192 <strong>Instances<\/strong> \u2192 <strong>Create Instance<\/strong>.<\/li>\n<li>Choose:\n   &#8211; <strong>Region\/Zone<\/strong>: same as your vSwitch\n   &#8211; <strong>Network<\/strong>: select <code>vpc-bh-lab<\/code> and <code>vsw-bh-lab<\/code>\n   &#8211; <strong>Public IP<\/strong>: <strong>do not assign<\/strong> a public IP (keep it private)\n   &#8211; <strong>Security Group<\/strong>: <code>sg-bh-lab<\/code>\n   &#8211; <strong>Image<\/strong>: a mainstream Linux image (e.g., Alibaba Cloud Linux, CentOS, Ubuntu\u2014choose what your org supports)<\/li>\n<li>Set authentication:\n   &#8211; For a lab, you can use a password or key pair.\n   &#8211; If you use a password, store it securely for later.<\/li>\n<li>Create the instance and note its <strong>private IP address<\/strong> (for example <code>10.10.1.10<\/code>).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; One running ECS instance with only a private IP.<\/p>\n\n\n\n<p><strong>Optional hardening (recommended)<\/strong>\nOnce you can connect via 
Bastionhost, create a dedicated OS user for operations (instead of using <code>root<\/code>).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create the Bastionhost instance in the same VPC<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Security<\/strong> \u2192 <strong>Bastionhost<\/strong> in the Alibaba Cloud console.<\/li>\n<li>Click <strong>Create\/Buy Bastionhost<\/strong>.<\/li>\n<li>Select:\n   &#8211; <strong>Region<\/strong>: same region as your ECS\/VPC\n   &#8211; <strong>Network type<\/strong>: VPC\n   &#8211; <strong>VPC\/vSwitch<\/strong>: <code>vpc-bh-lab<\/code> \/ <code>vsw-bh-lab<\/code>\n   &#8211; <strong>Edition\/specification<\/strong>: choose the smallest lab-appropriate option available<\/li>\n<li>Connectivity choice (important):\n   &#8211; If you have corporate VPN\/Express Connect into the VPC, prefer <strong>private access<\/strong> to Bastionhost.\n   &#8211; If you must access from the public internet, choose the option that provides a public endpoint (often EIP\/bandwidth). This increases exposure and cost\u2014use minimal bandwidth and strict IP allowlists where supported.<\/li>\n<li>Set the admin\/login parameters shown in the purchase wizard (varies by edition). 
Record:\n   &#8211; Bastionhost portal URL\/IP\n   &#8211; Admin username (if provided)\n   &#8211; Admin password you set<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; A Bastionhost instance in \u201cRunning\/Available\u201d state.\n&#8211; You can reach its login page (privately via VPN or via public endpoint).<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Open the Bastionhost portal URL and confirm the login page loads.<\/p>\n\n\n\n<p><strong>Common issue<\/strong>\n&#8211; If the portal is not reachable, confirm:\n  &#8211; You selected the correct endpoint (public vs private).\n  &#8211; Your local network can route to the private endpoint (if private).\n  &#8211; Any IP allowlist settings or security controls are correctly configured.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Allow Bastionhost to reach the ECS instance (security groups)<\/h3>\n\n\n\n<p>You must allow Bastionhost (source) to connect to ECS on SSH (22). 
The cleanest pattern is \u201csecurity group to security group\u201d referencing, if the UI supports it.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In <strong>ECS<\/strong> \u2192 <strong>Security Groups<\/strong> \u2192 open <code>sg-bh-lab<\/code>.<\/li>\n<li>Add an <strong>inbound rule<\/strong>:\n   &#8211; Protocol: SSH\n   &#8211; Port: 22\n   &#8211; Source:  <ul>\n<li>Prefer: Bastionhost instance security group (if Bastionhost uses one and SG referencing is supported), or  <\/li>\n<li>Bastionhost instance private IP (if static\/known), or  <\/li>\n<li>A tight CIDR that includes only the Bastionhost subnet (last resort for labs).<\/li>\n<\/ul>\n<\/li>\n<li>Ensure <strong>outbound<\/strong> rules allow Bastionhost\/ECS to respond (defaults usually allow all outbound).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Network path: Bastionhost \u2192 ECS:22 is permitted.<\/p>\n\n\n\n<p><strong>Verification (optional)<\/strong>\nIf you can temporarily SSH from a test host in the same subnet, confirm port 22 is reachable. 
Otherwise proceed to Step 9 and verify through the Bastionhost connection.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Prepare the ECS host account for Bastionhost login<\/h3>\n\n\n\n<p>You need a Linux OS account that Bastionhost will use when it proxies the session.<\/p>\n\n\n\n<p>If you can\u2019t yet access the host, you can:\n&#8211; Use the initial OS login method you selected (password\/key), and\n&#8211; Later switch to a dedicated <code>ops<\/code> user.<\/p>\n\n\n\n<p>Once you have access (or if you already do), run:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Create a dedicated ops user (example)\nsudo useradd -m -s \/bin\/bash ops\n\n# Set a strong password (for lab only; prefer key-based auth in production)\nsudo passwd ops\n\n# Optional: allow ops to use sudo (least privilege recommended in real deployments)\n# The admin group is \"wheel\" on RHEL-family images and \"sudo\" on Debian\/Ubuntu;\n# whichever group does not exist fails silently and is skipped.\nsudo usermod -aG wheel ops 2&gt;\/dev\/null || true\nsudo usermod -aG sudo ops 2&gt;\/dev\/null || true\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; The ECS instance has an <code>ops<\/code> account that can log in via SSH.<\/p>\n\n\n\n<p><strong>Security note<\/strong>\nFor production, prefer:\n&#8211; Key-based auth or certificate-based auth\n&#8211; MFA at the Bastionhost layer (if supported)\n&#8211; Disabling password SSH where feasible\n&#8211; Avoiding direct <code>root<\/code> login<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Register the ECS instance as an asset in Bastionhost<\/h3>\n\n\n\n<p>In the Bastionhost console\/portal (exact menu names vary), look for <strong>Assets\/Hosts<\/strong> management.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Log in to the Bastionhost admin portal.<\/li>\n<li>Navigate to <strong>Assets<\/strong> (or <strong>Host Management<\/strong>) \u2192 <strong>Add Host<\/strong>.<\/li>\n<li>Provide:\n   &#8211; Host name: <code>ecs-bh-lab-01<\/code>\n   &#8211; IP address: ECS private IP 
(e.g., <code>10.10.1.10<\/code>)\n   &#8211; Protocol: SSH\n   &#8211; Port: 22\n   &#8211; Network\/Connection type: VPC (or \u201cPrivate network\u201d)<\/li>\n<li>Save.<\/li>\n<\/ol>\n\n\n\n<p>Then add the host account:\n1. Go to the host entry \u2192 <strong>Accounts<\/strong> (or <strong>Host Accounts<\/strong>) \u2192 <strong>Add<\/strong>.\n2. Add OS account:\n   &#8211; Username: <code>ops<\/code> (or the OS user you prepared)\n   &#8211; Authentication: password or key (depending on what Bastionhost supports in your edition)\n3. Save.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Bastionhost shows the ECS host as an asset.\n&#8211; The <code>ops<\/code> host account is associated with that asset.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Many Bastionhost consoles provide a \u201cTest connectivity\u201d or \u201cVerify\u201d action. Run it if available.\n&#8211; If not available, proceed to Step 9 and test by connecting.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Create a Bastionhost user (operator identity)<\/h3>\n\n\n\n<p>Create a dedicated user who will log in and access the host.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In Bastionhost portal, go to <strong>Users<\/strong> \u2192 <strong>Create User<\/strong>.<\/li>\n<li>Set:\n   &#8211; Username: <code>bh-user1<\/code>\n   &#8211; Display name: <code>BH Lab User<\/code>\n   &#8211; Authentication settings (password\/MFA if available\u2014enable MFA if supported)<\/li>\n<li>Save.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; <code>bh-user1<\/code> can log in to Bastionhost portal (but has no asset permissions yet).<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Open an incognito\/private browser window, log in as <code>bh-user1<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Grant least-privilege authorization to the ECS asset and host 
account<\/h3>\n\n\n\n<p>Now map <strong>user \u2192 host \u2192 host account<\/strong>.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In Bastionhost portal, find <strong>Authorization<\/strong> \/ <strong>Permissions<\/strong>.<\/li>\n<li>Create a policy\/rule that grants:\n   &#8211; User: <code>bh-user1<\/code>\n   &#8211; Asset: <code>ecs-bh-lab-01<\/code>\n   &#8211; Account: <code>ops<\/code>\n   &#8211; Optional constraints (if available): time window, expiration date, IP restriction, approval requirement<\/li>\n<li>Save.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; <code>bh-user1<\/code> can see <code>ecs-bh-lab-01<\/code> and connect as <code>ops<\/code>.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; Log in as <code>bh-user1<\/code> and confirm the asset appears in the asset list.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 9: Connect to the ECS instance via Bastionhost<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Log in as <code>bh-user1<\/code>.<\/li>\n<li>Select <code>ecs-bh-lab-01<\/code> \u2192 <strong>Connect<\/strong> (SSH).<\/li>\n<li>Choose the host account <code>ops<\/code> if prompted.<\/li>\n<li>In the web terminal, run:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">whoami\nhostname\nip a | head -n 20\nsudo -n true &amp;&amp; echo \"sudo without password is enabled\" || echo \"sudo prompts for password (expected in many setups)\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; <code>whoami<\/code> returns <code>ops<\/code>.\n&#8211; You can interact with the ECS instance through Bastionhost.\n&#8211; A session record should be created.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 10: Validate auditing (find the session and command evidence)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In Bastionhost admin portal (or audit section available to your user role), open 
<strong>Audit<\/strong> \/ <strong>Session Logs<\/strong> \/ <strong>Operation Logs<\/strong>.<\/li>\n<li>Filter by:\n   &#8211; User: <code>bh-user1<\/code>\n   &#8211; Host: <code>ecs-bh-lab-01<\/code>\n   &#8211; Time range: last 30 minutes<\/li>\n<li>Confirm you can see:\n   &#8211; Login event\n   &#8211; Session details\n   &#8211; Commands executed (for SSH) and\/or session recording entry (feature dependent)<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You can prove that <code>bh-user1<\/code> accessed <code>ecs-bh-lab-01<\/code> and ran commands.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>[ ] Bastionhost instance is \u201cAvailable\/Running\u201d.<\/li>\n<li>[ ] ECS has <strong>no public IP<\/strong>.<\/li>\n<li>[ ] Bastionhost can reach ECS over SSH (security group rule in place).<\/li>\n<li>[ ] Asset and host account are registered in Bastionhost.<\/li>\n<li>[ ] <code>bh-user1<\/code> can log in and connect to ECS.<\/li>\n<li>[ ] Audit logs show the session and activity.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Cannot reach Bastionhost portal<\/strong>\n   &#8211; If using private access, confirm VPN\/Express Connect routing and DNS.\n   &#8211; If using public access, confirm EIP\/bandwidth configuration and local firewall policies.\n   &#8211; Confirm your browser can reach the portal URL.<\/p>\n<\/li>\n<li>\n<p><strong>Asset connection fails (timeout)<\/strong>\n   &#8211; Check ECS security group inbound rule allows <strong>SSH 22 from Bastionhost<\/strong> (preferred: SG referencing).\n   &#8211; Check ECS is in the same VPC and correct subnet routing exists.\n   &#8211; Check OS firewall (<code>ufw<\/code>, 
<code>firewalld<\/code>, iptables) allows SSH.<\/p>\n<\/li>\n<li>\n<p><strong>Authentication fails<\/strong>\n   &#8211; Confirm the OS account exists (<code>ops<\/code>) and password\/key is correct.\n   &#8211; Confirm SSH daemon allows the login method (password auth may be disabled).\n   &#8211; Check <code>\/etc\/ssh\/sshd_config<\/code> (requires access) and restart <code>sshd<\/code> carefully.<\/p>\n<\/li>\n<li>\n<p><strong>Connected but commands not visible in audit<\/strong>\n   &#8211; Some editions log session metadata but not full command logs or recordings.\n   &#8211; Check Bastionhost audit settings and retention configuration\u2014<strong>verify edition capabilities<\/strong>.<\/p>\n<\/li>\n<li>\n<p><strong>You can connect as admin but not as <code>bh-user1<\/code><\/strong>\n   &#8211; Confirm authorization mapping includes the correct host and host account.\n   &#8211; Confirm there is no approval workflow blocking access.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing costs, delete resources in the correct order:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In Bastionhost:\n   &#8211; Remove authorizations (optional).\n   &#8211; Delete users (optional).\n   &#8211; Remove assets\/hosts (optional).<\/li>\n<li>Release the <strong>Bastionhost instance<\/strong> from the Alibaba Cloud console (this is the main cost item).<\/li>\n<li>Release the <strong>ECS instance<\/strong>.<\/li>\n<li>Delete any associated EIP (if created for public access).<\/li>\n<li>Delete the VPC resources (vSwitches, security group, VPC) if they were dedicated to this lab.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; No Bastionhost\/ECS\/EIP resources remain, minimizing recurring charges.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Place Bastionhost in a dedicated <strong>management subnet<\/strong> with strict controls.<\/li>\n<li>Keep target hosts in <strong>private subnets<\/strong> without public IPs.<\/li>\n<li>Restrict inbound management ports on hosts to <strong>Bastionhost only<\/strong> (SG-to-SG where possible).<\/li>\n<li>Separate environments:\n<ul>\n<li>Use distinct Bastionhost instances for <strong>prod vs non-prod<\/strong> if policy requires isolation.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>RAM<\/strong> to restrict who can administer Bastionhost configuration.<\/li>\n<li>Enforce <strong>MFA<\/strong> for Bastionhost users if supported.<\/li>\n<li>Implement least privilege:\n<ul>\n<li>user groups aligned to teams (SRE, DBA, AppOps)<\/li>\n<li>host groups aligned to environments and systems (prod\/app\/db)<\/li>\n<li>host account scoping (<code>ops<\/code> vs <code>root<\/code>)<\/li>\n<\/ul>\n<\/li>\n<li>Prefer <strong>time-bound access<\/strong> and periodic access reviews.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start small and scale the edition\/spec based on measured needs.<\/li>\n<li>Avoid public endpoints if your org can provide private connectivity.<\/li>\n<li>Export\/retain logs strategically:\n<ul>\n<li>short retention for interactive troubleshooting<\/li>\n<li>archive for compliance only when necessary<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep Bastionhost and targets in the same region to minimize latency.<\/li>\n<li>Ensure DNS and routing are stable.<\/li>\n<li>Avoid frequent target IP changes; prefer stable private IP allocation for assets.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Design for access continuity:\n<ul>\n<li>ensure your corporate connectivity to the VPC is redundant if you rely on private-only portal access<\/li>\n<li>define break-glass procedures (with audit)<\/li>\n<\/ul>\n<\/li>\n<li>Document operational runbooks for adding assets\/users and handling emergencies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardize naming:\n<ul>\n<li><code>env-system-role-index<\/code> (e.g., <code>prod-payments-app-01<\/code>)<\/li>\n<\/ul>\n<\/li>\n<li>Tag resources in Alibaba Cloud:\n<ul>\n<li>environment, owner, cost-center, data-classification<\/li>\n<\/ul>\n<\/li>\n<li>Monitor:\n<ul>\n<li>failed login attempts<\/li>\n<li>spikes in session volume<\/li>\n<li>unusual access times<\/li>\n<\/ul>\n<\/li>\n<li>Regularly test:\n<ul>\n<li>onboarding new hosts<\/li>\n<li>offboarding users<\/li>\n<li>audit log retrieval and export paths<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use consistent tags at minimum:\n<ul>\n<li><code>Environment<\/code>: <code>dev|stage|prod<\/code><\/li>\n<li><code>Owner<\/code>: team email\/alias<\/li>\n<li><code>CostCenter<\/code><\/li>\n<li><code>DataClass<\/code>: <code>public|internal|confidential|restricted<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Keep an access policy document that maps groups to host groups and accounts.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<p>Think in layers:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Cloud-level administration (RAM)<\/strong><br\/>\n   Controls who can:\n   &#8211; purchase Bastionhost\n   &#8211; change network bindings\n   &#8211; add\/remove assets and users\n   &#8211; view\/export audit records<\/p>\n<\/li>\n<li>\n<p><strong>Bastionhost user access (inside the service)<\/strong><br\/>\n   Controls who can:\n   &#8211; connect to which asset\n   &#8211; use which host account\n   &#8211; access which protocols<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Recommendations<\/strong>\n&#8211; Use separate roles for:\n  &#8211; Bastionhost administrators\n  &#8211; Security\/audit reviewers\n  &#8211; Operators (day-to-day access)\n&#8211; Implement periodic access reviews and remove stale permissions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>In transit<\/strong>: Use HTTPS for portal access; SSH\/RDP for backend sessions.<\/li>\n<li><strong>At rest<\/strong>: Audit logs\/session records and stored credentials should be encrypted by the service.<br\/>\n  Because encryption implementation details can change by edition\/region, <strong>verify encryption-at-rest and key management options in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer private access to the Bastionhost portal (VPN\/Express Connect).<\/li>\n<li>If public access is required:\n<ul>\n<li>enforce IP allowlists if supported<\/li>\n<li>enable MFA<\/li>\n<li>use strong passwords and lockout policies<\/li>\n<li>monitor login failures and unusual geographies<\/li>\n<\/ul>\n<\/li>\n<li>Do not open SSH\/RDP directly to hosts from the internet.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid 
sharing OS passwords or SSH private keys across teams.<\/li>\n<li>If Bastionhost stores host credentials:\n<ul>\n<li>restrict who can view\/manage host accounts<\/li>\n<li>rotate credentials regularly (manual or automated if supported\u2014verify)<\/li>\n<\/ul>\n<\/li>\n<li>For modern setups, consider short-lived credentials\/certs (if compatible with Bastionhost and your OS baseline\u2014verify).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure audit logs are:\n<ul>\n<li>retained per policy<\/li>\n<li>protected from tampering (export to centralized logging with access controls)<\/li>\n<\/ul>\n<\/li>\n<li>Correlate:\n<ul>\n<li>Bastionhost session logs<\/li>\n<li>OS logs (<code>\/var\/log\/auth.log<\/code>, <code>\/var\/log\/secure<\/code>)<\/li>\n<li>Alibaba Cloud control-plane logs (ActionTrail\u2014verify)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<p>Bastionhost supports compliance by providing:\n&#8211; centralized access governance\n&#8211; evidentiary logs for administrative actions<\/p>\n\n\n\n<p>But compliance is a system outcome:\n&#8211; define policies (who can access prod, how approvals work, retention period)\n&#8211; implement change management\n&#8211; periodically test audit retrieval<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Leaving Bastionhost publicly exposed without MFA or IP restrictions.<\/li>\n<li>Granting broad access like \u201call users \u2192 all hosts \u2192 root\u201d.<\/li>\n<li>Using shared OS accounts without per-user attribution.<\/li>\n<li>Not exporting logs or not testing log retrieval until an incident occurs.<\/li>\n<li>Treating Bastionhost as a magic compliance checkbox instead of building processes around it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations (baseline)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Private subnets 
for assets; no public IPs.<\/li>\n<li>Bastionhost in a management subnet; minimal inbound to portal.<\/li>\n<li>Strong IAM\/RAM boundaries.<\/li>\n<li>MFA and least privilege.<\/li>\n<li>Central log retention and alerting.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<p>Because features vary by edition\/region, validate these items early:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitation patterns to check (verify)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Edition-dependent quotas<\/strong>: max assets, users, concurrent sessions, audit retention.<\/li>\n<li><strong>Protocol support<\/strong>: SSH and RDP are common; additional protocols may be limited.<\/li>\n<li><strong>Command-level controls<\/strong>: may be limited or not available in some editions.<\/li>\n<li><strong>Session recording<\/strong>: may not be available for all protocols or all editions.<\/li>\n<li><strong>Hybrid asset onboarding<\/strong>: requires stable network connectivity (VPN\/Express Connect) and routing.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security group source scoping<\/strong>: If you allow Bastionhost using a broad CIDR, you may unintentionally allow other instances in that subnet. Prefer SG referencing where possible.<\/li>\n<li><strong>IP changes break assets<\/strong>: If assets are registered by IP and the IP changes, Bastionhost access will fail until updated.<\/li>\n<li><strong>Password auth disabled on hosts<\/strong>: If Bastionhost expects password auth but SSHD disables it, login fails. 
Align your OS baseline with the Bastionhost auth method.<\/li>\n<li><strong>Audit retention mismatch<\/strong>: Local service retention may be shorter than compliance needs; plan export\/archiving.<\/li>\n<li><strong>Break-glass confusion<\/strong>: If approvals are enabled, ensure on-call has a documented emergency path.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public access bandwidth\/EIP costs (if chosen).<\/li>\n<li>Log export and long retention costs (SLS\/OSS).<\/li>\n<li>Needing multiple instances for environment isolation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Moving from ad-hoc SSH keys to centralized access requires:\n<ul>\n<li>OS account standardization<\/li>\n<li>permission model design<\/li>\n<li>operational training<\/li>\n<li>deprecating direct inbound rules safely<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Console UX and feature availability can differ by region and language.<\/li>\n<li>Some enterprise features may require a specific edition or purchase model\u2014<strong>verify in your console<\/strong>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Bastionhost is one way to implement secure administrative access. 
Alternatives exist inside and outside Alibaba Cloud.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Options to consider<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Self-managed jump box on ECS<\/strong>: simple, but you must manage hardening, HA, auditing, and access governance yourself.<\/li>\n<li><strong>Zero Trust access \/ SASE<\/strong>: can provide private access without a traditional bastion, but may not provide the same session auditing model.<\/li>\n<li><strong>Cloud-native alternatives in other clouds<\/strong>: Azure Bastion, AWS Systems Manager Session Manager, Google IAP TCP forwarding + OS Login.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Alibaba Cloud Bastionhost<\/strong><\/td>\n<td>Centralized O&amp;M access, auditing, governance on Alibaba Cloud<\/td>\n<td>Managed service; centralized authz; audit\/session trail (edition dependent)<\/td>\n<td>Cost; feature set varies by edition\/region; requires network planning<\/td>\n<td>You need auditable admin access and want to reduce direct SSH\/RDP exposure<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed jump server (ECS)<\/strong><\/td>\n<td>Very small setups; full customization<\/td>\n<td>Cheap to start; fully customizable<\/td>\n<td>You own patching, HA, logging, RBAC, compliance evidence<\/td>\n<td>You have strong Linux\/security ops maturity and very specific requirements<\/td>\n<\/tr>\n<tr>\n<td><strong>VPN + direct SSH\/RDP<\/strong><\/td>\n<td>Teams with strong endpoint security and internal network controls<\/td>\n<td>Simple; keeps traffic private<\/td>\n<td>Weak governance if not paired with strong IAM; limited session recording<\/td>\n<td>You already have robust IAM + endpoint controls and don\u2019t need deep session 
auditing<\/td>\n<\/tr>\n<tr>\n<td><strong>Alibaba Cloud Cloud Firewall \/ Security Center (adjacent services)<\/strong><\/td>\n<td>Threat detection, firewalling, posture management<\/td>\n<td>Strong security controls in their domains<\/td>\n<td>Not a direct replacement for PAM session proxy<\/td>\n<td>Use alongside Bastionhost, not instead of it<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure Bastion<\/strong><\/td>\n<td>Azure-native RDP\/SSH via portal<\/td>\n<td>Easy portal access; no public IP on VMs<\/td>\n<td>Azure-only; pricing per scale<\/td>\n<td>If your estate is primarily Azure<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Systems Manager Session Manager<\/strong><\/td>\n<td>AWS-native agent-based access<\/td>\n<td>No inbound ports; strong audit integration<\/td>\n<td>Requires SSM agent and IAM design; different model than classic SSH<\/td>\n<td>If your estate is primarily AWS and you can adopt agent-based access<\/td>\n<\/tr>\n<tr>\n<td><strong>Google IAP + OS Login<\/strong><\/td>\n<td>GCP-native gated access<\/td>\n<td>Strong identity gating; reduced exposure<\/td>\n<td>Setup complexity; model differs<\/td>\n<td>If your estate is primarily GCP and you standardize on OS Login<\/td>\n<\/tr>\n<tr>\n<td><strong>Open-source PAM\/bastion (e.g., Jumpserver)<\/strong><\/td>\n<td>Organizations wanting self-host control<\/td>\n<td>Flexible; community ecosystem<\/td>\n<td>You operate everything; compliance burden<\/td>\n<td>You need deep customization and can support the ops overhead<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example (regulated industry)<\/h3>\n\n\n\n<p><strong>Problem<\/strong><br\/>\nA fintech runs hundreds of ECS instances across production and staging. 
Auditors require:\n&#8211; named-user accountability for privileged access\n&#8211; session evidence for production changes\n&#8211; strict separation between prod and non-prod access<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; Separate VPC segments for prod and non-prod.\n&#8211; A dedicated <strong>Bastionhost instance per environment<\/strong>.\n&#8211; RAM roles:\n  &#8211; Security team: Bastionhost policy + audit export administration\n  &#8211; Ops team: day-to-day access via least privilege\n&#8211; Security groups:\n  &#8211; ECS inbound SSH only from Bastionhost SG\n&#8211; Centralized audit:\n  &#8211; Export Bastionhost logs to a central log system (SLS\/SIEM) with immutable retention (verify exact export methods)<\/p>\n\n\n\n<p><strong>Why Bastionhost was chosen<\/strong>\n&#8211; Centralized O&amp;M entry point\n&#8211; Auditing and session traceability\n&#8211; Reduced public exposure of management ports<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Reduced attack surface (no public SSH)\n&#8211; Faster access review and offboarding\n&#8211; Audit-ready evidence for privileged operations<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example<\/h3>\n\n\n\n<p><strong>Problem<\/strong><br\/>\nA startup has 15 ECS instances and 6 engineers. 
Access is messy: shared keys, inconsistent firewall rules, and no reliable record of production changes.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; One Bastionhost instance in the production VPC.\n&#8211; All ECS instances moved to private IP-only.\n&#8211; Create team-based groups:\n  &#8211; <code>app-ops<\/code> group: access to app servers as <code>ops<\/code>\n  &#8211; <code>db-admin<\/code> group: access to database admin host only\n&#8211; Enable audit logging and review weekly.<\/p>\n\n\n\n<p><strong>Why Bastionhost was chosen<\/strong>\n&#8211; Managed approach avoids building and maintaining a custom jump host + logging stack.\n&#8211; Immediate improvement in operational hygiene.<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Clean onboarding\/offboarding\n&#8211; Reduced risk from leaked keys\n&#8211; Basic audit trail for troubleshooting and accountability<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is Bastionhost the same as a traditional jump box?<\/strong><br\/>\n   It serves a similar purpose (central entry point), but Bastionhost is typically managed and focuses on governance and auditing. A DIY jump box can be cheaper but requires you to implement auditing, RBAC, and hardening yourself.<\/p>\n<\/li>\n<li>\n<p><strong>Do my ECS instances need public IPs to use Bastionhost?<\/strong><br\/>\n   No. A common best practice is that ECS instances have only private IPs, and Bastionhost reaches them inside the VPC.<\/p>\n<\/li>\n<li>\n<p><strong>Can Bastionhost manage assets outside Alibaba Cloud (on-prem)?<\/strong><br\/>\n   Often yes if the assets are reachable over network connectivity (VPN\/Express Connect) and supported by Bastionhost asset onboarding. 
Confirm supported scenarios in official docs.<\/p>\n<\/li>\n<li>\n<p><strong>Does Bastionhost support SSH key authentication?<\/strong><br\/>\n   Many bastion products do, but exact behavior depends on Bastionhost edition\/configuration. Verify supported authentication modes in official docs.<\/p>\n<\/li>\n<li>\n<p><strong>Can I force MFA for all Bastionhost users?<\/strong><br\/>\n   MFA capabilities can depend on identity integration and edition. Use RAM MFA for cloud-console access and check Bastionhost user authentication options in your region\/edition.<\/p>\n<\/li>\n<li>\n<p><strong>What exactly is audited?<\/strong><br\/>\n   Usually: user logins, asset access events, and session metadata. Command logs and full session recordings may be available depending on protocol and edition\u2014verify.<\/p>\n<\/li>\n<li>\n<p><strong>How do I restrict access to production only during on-call windows?<\/strong><br\/>\n   Use time-based authorization constraints if supported, or implement an approval workflow. If not available, enforce via process + monitoring and short-lived permissions.<\/p>\n<\/li>\n<li>\n<p><strong>Can vendors be given access safely?<\/strong><br\/>\n   Yes, if you create a vendor-specific user\/group, restrict assets\/accounts, apply time limits, and monitor sessions. Avoid shared vendor credentials.<\/p>\n<\/li>\n<li>\n<p><strong>How do I prevent operators from using <code>root<\/code>?<\/strong><br\/>\n   Don\u2019t grant authorization to <code>root<\/code>. Provide a least-privileged account like <code>ops<\/code> and use sudo with logging and policy controls.<\/p>\n<\/li>\n<li>\n<p><strong>Does Bastionhost replace VPN?<\/strong><br\/>\n   Not always. 
Bastionhost governs O&amp;M access, but you may still want VPN\/Express Connect for private portal access and other internal connectivity needs.<\/p>\n<\/li>\n<li>\n<p><strong>How many Bastionhost instances do I need?<\/strong><br\/>\n   Often one per environment (prod vs non-prod) or per network boundary. Large organizations may deploy per business unit or per region for latency and governance reasons.<\/p>\n<\/li>\n<li>\n<p><strong>What is the best way to organize assets?<\/strong><br\/>\n   Use host groups by environment, system, and owner (e.g., <code>prod\/payments\/app<\/code>). Keep naming and tagging consistent.<\/p>\n<\/li>\n<li>\n<p><strong>What happens if Bastionhost is unavailable?<\/strong><br\/>\n   You lose the governed access path. Plan break-glass access (documented, tightly controlled) and design connectivity redundancy. Review HA options for your edition\u2014verify.<\/p>\n<\/li>\n<li>\n<p><strong>Can I export Bastionhost logs to a SIEM?<\/strong><br\/>\n   Often yes via Log Service (SLS) or other export mechanisms depending on product support. Confirm export formats and APIs in official docs.<\/p>\n<\/li>\n<li>\n<p><strong>Is Bastionhost suitable for fully automated machine-to-machine access?<\/strong><br\/>\n   Bastionhost is primarily for interactive human O&amp;M access. For automation, consider short-lived credentials, CI\/CD roles, and system-to-system IAM patterns; use Bastionhost only if your workflow explicitly requires it.<\/p>\n<\/li>\n<li>\n<p><strong>How do I do access reviews?<\/strong><br\/>\n   Periodically export or report on:\n   &#8211; Bastionhost users and group memberships\n   &#8211; authorization mappings\n   &#8211; recent session history<br\/>\n   Then remove stale privileges and document approvals.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Bastionhost<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official product page<\/td>\n<td>Alibaba Cloud Bastionhost<\/td>\n<td>Overview, positioning, and entry points to docs\/pricing: https:\/\/www.alibabacloud.com\/product\/bastionhost<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Bastionhost Documentation<\/td>\n<td>Canonical feature descriptions and setup steps: https:\/\/www.alibabacloud.com\/help\/en\/bastionhost<\/td>\n<\/tr>\n<tr>\n<td>Pricing<\/td>\n<td>Alibaba Cloud Pricing<\/td>\n<td>Starting point for official pricing navigation: https:\/\/www.alibabacloud.com\/pricing<\/td>\n<\/tr>\n<tr>\n<td>Console<\/td>\n<td>Alibaba Cloud Console<\/td>\n<td>The real source of truth for what\u2019s available in your region\/account: https:\/\/home.console.alibabacloud.com\/<\/td>\n<\/tr>\n<tr>\n<td>IAM reference<\/td>\n<td>RAM Documentation<\/td>\n<td>Design least-privilege permissions for Bastionhost administration: https:\/\/www.alibabacloud.com\/help\/en\/ram<\/td>\n<\/tr>\n<tr>\n<td>Governance\/audit<\/td>\n<td>ActionTrail Documentation<\/td>\n<td>Control-plane audit logs for Alibaba Cloud resources (verify Bastionhost event coverage): https:\/\/www.alibabacloud.com\/help\/en\/actiontrail<\/td>\n<\/tr>\n<tr>\n<td>Logging<\/td>\n<td>Log Service (SLS) Documentation<\/td>\n<td>Central log storage\/analysis for exported logs (verify integration): https:\/\/www.alibabacloud.com\/help\/en\/sls<\/td>\n<\/tr>\n<tr>\n<td>Networking<\/td>\n<td>VPC Documentation<\/td>\n<td>Required to design private connectivity and segmentation: https:\/\/www.alibabacloud.com\/help\/en\/vpc<\/td>\n<\/tr>\n<tr>\n<td>Compute<\/td>\n<td>ECS Documentation<\/td>\n<td>OS\/network\/security group basics for target hosts: https:\/\/www.alibabacloud.com\/help\/en\/ecs<\/td>\n<\/tr>\n<tr>\n<td>Video learning<\/td>\n<td>Alibaba 
Cloud YouTube Channel<\/td>\n<td>Product walkthroughs and architecture content (search for Bastionhost): https:\/\/www.youtube.com\/@AlibabaCloud<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps\/SRE\/Cloud engineers<\/td>\n<td>DevOps + cloud operations + security fundamentals; may include bastion\/PAM patterns<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate IT professionals<\/td>\n<td>SCM\/DevOps foundations; practical operations workflows<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CloudOpsNow.in<\/td>\n<td>Cloud operations teams<\/td>\n<td>Cloud ops practices, monitoring, governance patterns<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs and platform teams<\/td>\n<td>Reliability engineering, operational governance, incident response<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops\/SRE leaders exploring AIOps<\/td>\n<td>AIOps concepts, operational analytics, automation<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud coaching and guidance (verify offerings)<\/td>\n<td>Individuals and small teams<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training services (verify course catalog)<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps consulting\/training resources (verify scope)<\/td>\n<td>Teams needing hands-on help<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and enablement resources (verify services)<\/td>\n<td>Ops teams needing troubleshooting support<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify exact portfolio)<\/td>\n<td>Architecture, migration, operations processes<\/td>\n<td>Bastionhost access architecture design; network segmentation review; ops runbooks<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps consulting and enablement<\/td>\n<td>Training + implementation support<\/td>\n<td>Implementing Bastionhost governance model; IAM\/RAM least privilege; audit readiness<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify offerings)<\/td>\n<td>Process improvement and tooling<\/td>\n<td>Standardizing privileged access workflows; logging\/monitoring integration planning<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Bastionhost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Linux\/Windows administration basics<\/strong>: users\/groups, SSH\/RDP fundamentals, sudo\/UAC<\/li>\n<li><strong>Networking<\/strong>: VPC\/subnets, routing, CIDR, security groups, DNS<\/li>\n<li><strong>IAM fundamentals (Alibaba Cloud RAM)<\/strong>: users, roles, policies, MFA<\/li>\n<li><strong>Security fundamentals<\/strong>: least privilege, credential hygiene, logging and monitoring, incident response basics<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Bastionhost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Centralized logging and SIEM workflows<\/strong>: Log Service (SLS), alerting, correlation<\/li>\n<li><strong>Privileged access management (PAM) patterns<\/strong>: just-in-time access, approvals, break-glass, credential rotation<\/li>\n<li><strong>Zero Trust access design<\/strong>: identity-aware access, device posture, segmentation<\/li>\n<li><strong>Compliance operations<\/strong>: audit evidence collection, retention policies, access review automation<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud\/Platform Engineer<\/li>\n<li>DevOps Engineer<\/li>\n<li>SRE<\/li>\n<li>Security Engineer (IAM\/PAM focus)<\/li>\n<li>IT Operations \/ Infrastructure Engineer<\/li>\n<li>Compliance and audit support roles (read-only access to reports)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Alibaba Cloud certification offerings evolve. 
If you are targeting Alibaba Cloud skills:\n&#8211; Start with Alibaba Cloud foundational certifications (cloud fundamentals).\n&#8211; Progress to associate\/professional tracks aligned to security and architecture.<br\/>\n<strong>Verify the current Alibaba Cloud certification catalog in official channels<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build a three-tier VPC (web\/app\/db) where only Bastionhost can reach app\/db management ports.<\/li>\n<li>Create RBAC model: <code>app-ops<\/code>, <code>db-admin<\/code>, <code>sec-auditor<\/code>, <code>bh-admin<\/code>.<\/li>\n<li>Implement time-bound access for vendors and test offboarding.<\/li>\n<li>Export audit logs to centralized logging and create alerts on suspicious patterns (failed logins, off-hours access).<\/li>\n<li>Run an \u201cincident replay\u201d: identify who changed a config file using audit records.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. 
Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Bastionhost<\/strong>: Alibaba Cloud managed service providing centralized, governed access to hosts (SSH\/RDP) with auditing.<\/li>\n<li><strong>Bastion \/ Jump host<\/strong>: A controlled entry point used to access private network systems.<\/li>\n<li><strong>PAM (Privileged Access Management)<\/strong>: Practices and tools to control, monitor, and audit privileged access.<\/li>\n<li><strong>Asset\/Host<\/strong>: A target system registered in Bastionhost (e.g., an ECS instance).<\/li>\n<li><strong>Host account<\/strong>: An OS-level account on the asset (e.g., <code>ops<\/code>, <code>root<\/code>, <code>Administrator<\/code>).<\/li>\n<li><strong>Authorization policy<\/strong>: Rules granting users\/groups access to specific assets and accounts.<\/li>\n<li><strong>VPC<\/strong>: Virtual Private Cloud; your isolated virtual network in Alibaba Cloud.<\/li>\n<li><strong>vSwitch<\/strong>: A subnet within a VPC, scoped to a zone.<\/li>\n<li><strong>Security Group<\/strong>: Stateful virtual firewall controlling inbound\/outbound rules for ECS.<\/li>\n<li><strong>RAM<\/strong>: Resource Access Management; Alibaba Cloud IAM service.<\/li>\n<li><strong>MFA<\/strong>: Multi-factor authentication (e.g., password + OTP).<\/li>\n<li><strong>ActionTrail<\/strong>: Alibaba Cloud service that records API calls and control-plane events (verify integration coverage).<\/li>\n<li><strong>SLS (Log Service)<\/strong>: Alibaba Cloud centralized log storage, search, and analytics platform.<\/li>\n<li><strong>EIP<\/strong>: Elastic IP; a public IP that can be attached to cloud resources.<\/li>\n<li><strong>Least privilege<\/strong>: Granting only the minimum access necessary to perform a task.<\/li>\n<li><strong>Break-glass access<\/strong>: Emergency access path used during incidents, tightly controlled and audited.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. 
Summary<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Bastionhost<\/strong> is a <strong>Security<\/strong> service that centralizes administrative access to servers and provides governance and auditing that ad-hoc SSH\/RDP access typically lacks. It fits best as the controlled entry layer for ECS and other reachable assets inside a VPC (and sometimes hybrid networks), enabling least privilege, improved accountability, and audit-ready operations.<\/p>\n\n\n\n<p>Cost is usually driven by <strong>edition\/spec capacity<\/strong>, environment separation, and whether you require <strong>public endpoints<\/strong> or long-term log retention\/export. Security success depends on the fundamentals: strong IAM\/RAM boundaries, MFA where supported, strict network segmentation (hosts reachable only from Bastionhost), and an access model that avoids shared privileged accounts.<\/p>\n\n\n\n<p>Use Bastionhost when you need <strong>auditable, controlled privileged access<\/strong> at scale. Next, deepen your implementation by validating edition-specific features in official docs, exporting logs to centralized monitoring, and formalizing approvals and break-glass 
procedures.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,10],"tags":[],"class_list":["post-55","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/55","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=55"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/55\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=55"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=55"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=55"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}