Overview
You can log in to your bastion host in local, IAM, or admin login mode. In local or IAM login mode, use the accounts as required. In admin login mode, you can log in to a bastion host as user admin without entering a password.
If you have logged in to your bastion host using the current browser, you need to log out of the current account before logging in to the instance using another account.
Port Requirements
To use a bastion host for resource management, ensure that communication between the bastion host and the managed resources is enabled. Before you start, check whether your network ACL configuration allows access to the bastion host, and configure the security group of the bastion host by referring to Table 1.
- During cross-version upgrade, ports 80, 8080, 443, and 2222 are automatically enabled for the instance. If you do not need to use these ports, disable them immediately after the upgrade.
- During cross-version upgrade, ports 22, 31036, 31679, and 31873 are automatically enabled for the instance. After the upgrade, keep port 31679 enabled and disable the other ports immediately if you do not need to use them.
| Scenario Description | Direction | Protocol/Application | Port |
|---|---|---|---|
| Accessing a bastion host through a web browser (HTTP and HTTPS) | Inbound | TCP | 80, 443, and 8080 |
| Accessing a bastion host through Microsoft Terminal Services Client (MSTSC) | Inbound | TCP | 53389 |
| Accessing a bastion host through an SSH client | Inbound | TCP | 2222 |
| Accessing a bastion host through FTP clients | Inbound | TCP | 20~21 |
| Remotely accessing Linux ECSs of a bastion host over SSH clients | Outbound | TCP | 22 |
| Remotely accessing Windows ECSs of a bastion host over the RDP Protocol | Outbound | TCP | 3389 |
| Accessing Oracle databases through a bastion host | Inbound | TCP | 1521 |
| Accessing Oracle databases through a bastion host | Outbound | TCP | 1521 |
| Accessing MySQL databases through a bastion host | Inbound | TCP | 33306 |
| Accessing MySQL databases through a bastion host | Outbound | TCP | 3306 |
| Accessing SQL Server databases through a bastion host | Inbound | TCP | 1433 |
| Accessing SQL Server databases through a bastion host | Outbound | TCP | 1433 |
| Accessing DB databases through a bastion host | Inbound | TCP | 50000 |
| Accessing DB databases through a bastion host | Outbound | TCP | 50000 |
| Accessing GaussDB databases through a bastion host | Inbound | TCP | 18000 |
| Accessing GaussDB databases through a bastion host | Outbound | TCP | 18000 |
| License servers | Outbound | TCP | 9443 |
| Cloud services | Outbound | TCP | 443 |
| Accessing a bastion host system through the SSH client in the same security group | Outbound | TCP | 2222 |
| SMS service | Outbound | TCP | 10743 and 443 |
| Domain name resolution service | Outbound | UDP | 53 |
| Accessing PGSQL databases through a bastion host | Inbound | TCP | 15432 |
| Accessing PGSQL databases through a bastion host | Outbound | TCP | 5432 |
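The following is an added example, not part of the vendor documentation: a post-upgrade audit that compares security-group rules with the Table 1 rows for the scenarios you actually use and lists the automatically enabled ports that can be disabled. The scenario labels, the rule tuple format, and the sample rules are assumptions; because the page does not state a direction or protocol for the upgrade-opened ports, the check assumes TCP and looks at both directions.

```python
# Added example (not vendor code): audit security-group rules after a cross-version upgrade.
# Ports the upgrade notes list as automatically enabled; 31679 must stay enabled.
UPGRADE_OPENED = {80, 8080, 443, 2222, 22, 31036, 31679, 31873}
KEEP = {31679}

# Subset of Table 1, keyed by a hypothetical scenario label: (direction, protocol, port).
TABLE_1 = {
    "web":         [("in", "tcp", 80), ("in", "tcp", 443), ("in", "tcp", 8080)],
    "ssh_client":  [("in", "tcp", 2222)],
    "mstsc":       [("in", "tcp", 53389)],
    "linux_ecs":   [("out", "tcp", 22)],
    "windows_ecs": [("out", "tcp", 3389)],
    "mysql":       [("in", "tcp", 33306), ("out", "tcp", 3306)],
    "pgsql":       [("in", "tcp", 15432), ("out", "tcp", 5432)],
    "cloud":       [("out", "tcp", 443)],
    "dns":         [("out", "udp", 53)],
}

def audit(rules, scenarios):
    """rules: (direction, protocol, port_min, port_max) tuples from the security group.
    Returns (disable, missing): upgrade-opened ports that no selected scenario needs,
    and Table 1 entries for the selected scenarios that no rule covers."""
    needed = {entry for s in scenarios for entry in TABLE_1[s]}

    def covered(entry):
        d, proto, port = entry
        return any(r[0] == d and r[1] == proto and r[2] <= port <= r[3] for r in rules)

    # Assumption: upgrade-opened ports are TCP; 31679 is exempt because it must stay on.
    disable = sorted(
        (d, "tcp", port)
        for d in ("in", "out") for port in UPGRADE_OPENED - KEEP
        if covered((d, "tcp", port)) and (d, "tcp", port) not in needed
    )
    missing = sorted(e for e in needed if not covered(e))
    return disable, missing

# Constructed sample: rules as they might look right after an upgrade.
SAMPLE_RULES = [
    ("in", "tcp", 80, 80), ("in", "tcp", 443, 443), ("in", "tcp", 8080, 8080),
    ("in", "tcp", 2222, 2222), ("in", "tcp", 22, 22),
    ("in", "tcp", 31036, 31036), ("in", "tcp", 31679, 31679), ("in", "tcp", 31873, 31873),
    ("out", "tcp", 22, 22), ("out", "udp", 53, 53),
]

if __name__ == "__main__":
    in_use = ["web", "ssh_client", "linux_ecs", "windows_ecs", "dns"]
    disable, missing = audit(SAMPLE_RULES, in_use)
    print("disable after upgrade:", disable)
    print("required but not open:", missing)
```
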
Verification Type
You can use remote Active Directory (AD), Remote Authentication Dial In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), Security Assertion Markup Language (SAML), and Azure AD authentication methods. You can use existing user passwords on any of those remote servers for identity verification.
| Verification Type | Authentication Description |
|---|---|
| Local Authentication | Static passwords configured for the system are used for identity verification. |
| AD domain authentication | The passwords of users on the AD server are used for identity verification. |
| RADIUS Authentication | The passwords of users on the RADIUS server are used for identity verification. |
| LDAP Authentication | The passwords of users on the LDAP server are used for identity verification. |
| Azure AD authentication | The passwords of Microsoft accounts are used for identity verification. The login page is redirected to the Microsoft Azure login page for you to provide credentials. |
| SAML authentication | The passwords of users on the SAML server are used for identity verification. |
Logon Type
Different login methods require different credentials. If multifactor verification is enabled, the static password login method becomes invalid.
| Logon Type | Login Description |
|---|---|
| Password | Enter the username and password of your bastion host. |
| Mobile SMS Authentication | Enter the username and password of your bastion host, click Send Code, and enter the SMS verification code you will receive. |
| Mobile OTP | Enter the username and password first, and then enter the mobile one-time password (OTP). |
| USBKey | Insert your USB key into your terminal device, select the issued USB key, and enter the corresponding personal identification number (PIN). |
| One-time Passwords (OTPs) | Enter the username and password first, and then enter the verification code displayed on your OTP token device. |