Updated on 2024-12-03 GMT+08:00

Restrictions on Using CBH

To improve the stability and security of the CBH system, there are some restrictions on the use of CBH instances and their mapped CBH systems.

Network Access Restrictions

  • Cross-region resource management is not supported.

    A CBH instance and resources (such as ECSs and cloud databases) managed in the mapped CBH system must be in the same region.

    Although services such as Virtual Private Network (VPN) can connect VPCs in different regions, using CBH to manage resources across regions is still not recommended because a cross-region network is less stable.

  • Cross-VPC resource management is not supported.

    A CBH instance and the resources (such as ECSs and cloud databases) managed in the mapped CBH system must be in the same VPC so that the CBH system can communicate with the managed resources directly.

    If they are in different VPCs, use a VPC peering connection to connect two VPCs.

  • Communication between the CBH instance security group and managed resource security group must be allowed.

    The managed resources must be accessible through the security group to which the CBH instance belongs, and the security group to which the resources belong must allow access from the private IP address of the CBH instance.

    If a CBH instance and its managed resources belong to different security groups, no communication between them is established by default. To establish a connection, add an inbound rule to the CBH instance security group.

    By default, the CBH instance security group opens ports 443 and 2222, so the CBH system can be accessed through a web browser or an SSH client without further configuration. To use other access methods, manually add the destination port.

    For details, see Table 1.

  • A CBH system can be logged in only through IP address and port number.

    Table 1 Inbound and outbound rule configuration reference

    Scenario Description                                                               | Direction | Protocol/Application | Port
    Accessing a bastion host through a web browser (HTTP and HTTPS)                    | Inbound   | TCP                  | 80, 443, and 8080
    Accessing a bastion host through Microsoft Terminal Services Client (MSTSC)        | Inbound   | TCP                  | 53389
    Accessing a bastion host through an SSH client                                     | Inbound   | TCP                  | 2222
    Accessing a bastion host through FTP clients                                       | Inbound   | TCP                  | 20~21
    Remotely accessing Linux ECSs of a bastion host over SSH clients                   | Outbound  | TCP                  | 22
    Remotely accessing Windows ECSs of a bastion host over the RDP protocol            | Outbound  | TCP                  | 3389
    Accessing Oracle databases through a bastion host                                  | Inbound   | TCP                  | 1521
    Accessing Oracle databases through a bastion host                                  | Outbound  | TCP                  | 1521
    Accessing MySQL databases through a bastion host                                   | Inbound   | TCP                  | 33306
    Accessing MySQL databases through a bastion host                                   | Outbound  | TCP                  | 3306
    Accessing SQL Server databases through a bastion host                              | Inbound   | TCP                  | 1433
    Accessing SQL Server databases through a bastion host                              | Outbound  | TCP                  | 1433
    Accessing DB2 databases through a bastion host                                     | Inbound   | TCP                  | 50000
    Accessing DB2 databases through a bastion host                                     | Outbound  | TCP                  | 50000
    Accessing GaussDB databases through a bastion host                                 | Inbound   | TCP                  | 18000
    Accessing GaussDB databases through a bastion host                                 | Outbound  | TCP                  | 18000
    License servers                                                                    | Outbound  | TCP                  | 9443
    Cloud services                                                                     | Outbound  | TCP                  | 443
    Accessing a bastion host system through the SSH client in the same security group  | Outbound  | TCP                  | 2222
    SMS service                                                                        | Outbound  | TCP                  | 10743 and 443
    Domain name resolution service                                                     | Outbound  | UDP                  | 53
    Accessing PGSQL databases through a bastion host                                   | Inbound   | TCP                  | 15432
    Accessing PGSQL databases through a bastion host                                   | Outbound  | TCP                  | 5432
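The region, VPC and security group checks above are easy to get partly right (for example, opening the CBH side but not the managed resource side). The script below is an added example, not Huawei Cloud's own code: it models both security groups as rule lists and reports which of the page's restrictions a deployment plan violates. The region names, VPC names, addresses and rule sets are constructed sample data; the port numbers come from Table 1.

```python
"""Checks a CBH deployment plan against the network access restrictions above.

Added example, not Huawei Cloud's own code. Region, VPC, address and security
group values are constructed sample data; port numbers come from Table 1.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Outbound port the CBH instance needs for each managed protocol (Table 1).
OUTBOUND_PORT = {"ssh": 22, "rdp": 3389, "mysql": 3306, "oracle": 1521,
                 "sqlserver": 1433, "db2": 50000, "gaussdb": 18000, "postgresql": 5432}
# Inbound ports the CBH instance security group opens by default (Table 1).
CBH_INBOUND = {443: "web browser (HTTPS)", 2222: "SSH client"}


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    protocol: str   # "tcp" or "udp"
    port_from: int
    port_to: int
    remote: str     # CIDR of the peer this rule applies to

    def allows(self, direction, protocol, port, peer_ip):
        return (self.direction == direction and self.protocol == protocol
                and self.port_from <= port <= self.port_to
                and ip_address(peer_ip) in ip_network(self.remote))


@dataclass
class SecurityGroup:
    name: str
    rules: tuple

    def allows(self, direction, protocol, port, peer_ip):
        return any(r.allows(direction, protocol, port, peer_ip) for r in self.rules)


@dataclass
class Node:
    name: str
    region: str
    vpc: str
    private_ip: str
    sg: SecurityGroup
    protocol: str = ""  # set only for managed resources


def check_plan(cbh, resources, operator_ip):
    """Return (node name, finding code) pairs; an empty list means the plan passes."""
    findings = []
    for port in CBH_INBOUND:
        if not cbh.sg.allows("inbound", "tcp", port, operator_ip):
            findings.append((cbh.name, f"CBH_INBOUND_MISSING:{port}"))
    for res in resources:
        if res.region != cbh.region:
            findings.append((res.name, "CROSS_REGION"))   # not supported at all
        if res.vpc != cbh.vpc:
            findings.append((res.name, "CROSS_VPC"))      # needs a VPC peering connection
        port = OUTBOUND_PORT[res.protocol]
        # CBH side: outbound rule towards the resource on the protocol's port.
        if not cbh.sg.allows("outbound", "tcp", port, res.private_ip):
            findings.append((res.name, f"CBH_OUTBOUND_MISSING:{port}"))
        # Resource side: inbound rule that admits the CBH private IP.
        if not res.sg.allows("inbound", "tcp", port, cbh.private_ip):
            findings.append((res.name, f"RESOURCE_INBOUND_MISSING:{port}"))
    return findings


# Constructed sample plan.
ANY = "0.0.0.0/0"
CBH_SG = SecurityGroup("sg-cbh", (
    Rule("inbound", "tcp", 443, 443, ANY),
    Rule("inbound", "tcp", 2222, 2222, ANY),
    Rule("outbound", "tcp", 22, 22, "192.168.0.0/16"),
    Rule("outbound", "tcp", 3306, 3306, "192.168.0.0/16"),
))
CBH = Node("cbh-01", "region-a", "vpc-a", "192.168.0.10", CBH_SG)

RESOURCES = (
    Node("linux-ecs", "region-a", "vpc-a", "192.168.0.20",
         SecurityGroup("sg-linux", (Rule("inbound", "tcp", 22, 22, "192.168.0.10/32"),)), "ssh"),
    # Resource group only trusts 10.0.0.0/8, so the CBH private IP is not admitted.
    Node("mysql-rds", "region-a", "vpc-a", "192.168.0.30",
         SecurityGroup("sg-db", (Rule("inbound", "tcp", 3306, 3306, "10.0.0.0/8"),)), "mysql"),
    # Different VPC, and the CBH group has no outbound rule for RDP (3389).
    Node("windows-ecs", "region-a", "vpc-b", "192.168.1.40",
         SecurityGroup("sg-win", (Rule("inbound", "tcp", 3389, 3389, "192.168.0.10/32"),)), "rdp"),
)

if __name__ == "__main__":
    for name, code in check_plan(CBH, RESOURCES, "203.0.113.10"):
        print(f"{name}: {code}")
```

Run against the sample plan, the checker flags the MySQL instance (its own group never admits the CBH private IP) and the Windows ECS (different VPC, and no outbound 3389 rule on the CBH group), while the Linux ECS passes. Replace the constructed rule sets with an export of your real security groups to use it as a pre-deployment check.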

Supported Resources

You can also use CBH to manage servers purchased from other clouds and on-premises servers, as long as they can communicate with CBH over a protocol that both CBH and the server support.

  • Supported host types

    CBH allows you to manage Linux or Windows hosts with the SSH, RDP, VNC, Telnet, FTP, SFTP, SCP, or Rlogin protocol configured.

  • Supported database types
    • Relational Database Service (RDS) DB instances
    • Databases on Elastic Cloud Servers (ECSs)
  • Supported database versions

    Table 2 Supported database versions

    Database Engine      | Engine Version
    MySQL                | MySQL 5.5, 5.6, 5.7, and 8.0
    Microsoft SQL Server | 2014, 2016, 2017, 2019, and 2022
    Oracle               | 10g, 11g, 12c, 19c, and 21c
    DB2                  | DB2 Express-C
    PostgreSQL           | 11, 12, 13, 14, and 15
    GaussDB              | 2 and 3

  • Supported application server types and versions

    Only applications on Windows servers and Linux servers can be managed. Table 3 lists the supported operating system versions.

    Table 3 Supported application server types and versions

    OS Type | Version
    Windows | Windows Server 2008 R2 or later
    Linux   | CentOS 7.9

    Currently, application O&M is available only on x86 CBH instances.

Supported Third-Party Clients

To perform secure O&M management through CBH, use a third-party client to log in to the CBH system.

Table 4 Clients and versions supported for logging in to the CBH system

Login Type                                | Supported Client | Version
Logging in to a CBH system from a web browser | Edge             | Microsoft Edge 44 or later (see NOTE)
Logging in to a CBH system from a web browser | Google Chrome    | Google Chrome 52.0 or later
Logging in to a CBH system from a web browser | Safari           | Safari 10 or later
Logging in to a CBH system from a web browser | Mozilla Firefox  | Mozilla Firefox 50.0 or later
Login using an SSH client                 | SecureCRT        | SecureCRT 8.0 or later
Login using an SSH client                 | Xshell           | Xshell 5 or later
Login using an SSH client                 | Mac Terminal     | Mac Terminal 2.0 or later

NOTE: When you use Microsoft Edge, the maximum size of a file that can be uploaded to a host is 4 GB.

Table 5 Clients that can be invoked during operation

Operation Method                                      | Resource Protocol Type/Application Type | Supported Client
Database operation (in the Host Operations module)    | MySQL           | Navicat 11, 12, 15, and 16; MySQL Administrator 1.2.17; MySQL CMD; DBeaver 22 and 23
Database operation (in the Host Operations module)    | SQL Server      | Navicat 11, 12, 15, and 16; SSMS 17
Database operation (in the Host Operations module)    | Oracle          | Toad for Oracle 11.0, 12.1, 12.8, and 13.2; Navicat 11, 12, 15, and 16; PL/SQL Developer 11.0.5.1790; DBeaver 22 and 23
Database operation (in the Host Operations module)    | DB2             | DB2 CMD command line 11.1.0
File Transfer                                         | SFTP            | Xftp, WinSCP, and FlashFXP
File Transfer                                         | FTP             | Xftp, WinSCP, FlashFXP, and FileZilla
Application operation                                 | MySQL Tool      | MySQL Administrator
Application operation                                 | Oracle Tool     | PL/SQL Developer
Application operation                                 | SQL Server Tool | SSMS
Application operation                                 | dbisql          | dbisql
Application operation                                 | Google Chrome   | Google Chrome
Application operation                                 | Edge            | Edge
Application operation                                 | Mozilla Firefox | Mozilla Firefox
Application operation                                 | VNC Client      | VNC Viewer
Application operation                                 | SecBrowser      | SecBrowser
Application operation                                 | vSphere Client  | vSphere Client
Application operation                                 | Radmin          | Radmin

Bastion Host Versions and OSs

The OS version varies depending on the bastion host image. The details are as follows:

Table 6 Mapping between bastion hosts and OS versions

Bastion Host Version                       | System Architecture | OS Version
3.3.37.X or earlier                        | x86                 | EulerOS 2.2
3.3.37.X or earlier                        | Arm                 | EulerOS 2.8
3.3.38.0 or later to 3.3.50.X or earlier   | x86                 | EulerOS 2.10
3.3.38.0 or later to 3.3.50.X or earlier   | Arm                 |
3.3.52.0 or later                          | x86                 | HCE 2.0
3.3.52.0 or later                          | Arm                 |

Other Constraints

  • The number of resources managed by CBH cannot exceed the number of assets allowed by the instance edition.
  • The number of resources logged in to concurrently through CBH cannot exceed the number of concurrent requests allowed by the CBH instance edition.

The number of assets refers to the number of resources running on a cloud host managed by CBH. One cloud host may have multiple resources, including protocols and applications running on it.

The number of concurrent requests indicates the number of connections established between managed hosts and the CBH system, over all protocols, at the same time.
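Because one host can count as several assets, and concurrency is measured across all protocols at once, it is worth sizing an edition from an inventory and a session log rather than from the host count. The script below is an added example, not Huawei Cloud's own code: it counts assets the way the two definitions above describe and computes the peak number of simultaneous sessions with a sweep over session start and end times. The hosts, sessions and edition limits are constructed sample data.

```python
"""Sizes a CBH deployment against an edition's asset and concurrency limits.

Added example, not Huawei Cloud's own code. Hosts, sessions and limits are
constructed sample data; the asset and concurrency definitions follow the page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    protocols: tuple          # protocols configured on the host, e.g. ("ssh", "sftp")
    applications: tuple = ()  # applications published from the host


def count_assets(hosts):
    """Every protocol and every application on a host counts as one asset."""
    return sum(len(h.protocols) + len(h.applications) for h in hosts)


def peak_concurrency(sessions):
    """Largest number of sessions open at the same instant.

    sessions is an iterable of (start, end) pairs on any comparable time scale.
    A session ending at t and one starting at t are not counted as overlapping.
    """
    events = []
    for start, end in sessions:
        events.append((start, 1))
        events.append((end, -1))
    events.sort()  # at equal times the -1 (end) sorts before the +1 (start)
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def check_edition(hosts, sessions, asset_limit, concurrency_limit):
    """Report usage against the edition limits; both *_ok flags must be True."""
    assets = count_assets(hosts)
    peak = peak_concurrency(sessions)
    return {"assets": assets, "assets_ok": assets <= asset_limit,
            "peak_concurrency": peak, "concurrency_ok": peak <= concurrency_limit}


# Constructed inventory: three managed hosts, five assets in total.
HOSTS = (
    Host("linux-ecs", ("ssh", "sftp")),
    Host("windows-ecs", ("rdp",), ("mysql_tool",)),
    Host("mysql-rds", ("mysql",)),
)
# Constructed session log as (start minute, end minute), all protocols mixed.
SESSIONS = ((0, 30), (10, 40), (20, 25), (35, 50), (40, 60))

if __name__ == "__main__":
    print(check_edition(HOSTS, SESSIONS, asset_limit=10, concurrency_limit=2))
```

With the sample data the asset count (5) fits an edition allowing 10, but three sessions overlap between minutes 20 and 25, so an edition allowing only 2 concurrent requests is too small. Feed the function your real inventory and session records to pick the edition before purchase.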

For more details, see Basic Concepts.