Teleport Cluster configure across AWS and Data Centre

We have multiple environments in separate AWS VPCs and also bare metal servers running in an onsite Data Centre. We will have AWS Direct Connect to the DC and can setup VPC peering where required for the other VPCs.

We would like to have the primary Teleport cluster in an AWS VPCs using Dynamo DB and S3. We would like to access our DC nodes and nodes in the other VPCs via Teleport.

Ideally all management, users, recordings, etc would be stored in the Teleport cluster in AWS in Dynamo DB and the S3 bucket. We’re after some advice on the right way to setup the Teleport cluster(s). Can we have just one cluster that all nodes connect to, or do we need to have sub-clusters in each environment?

Any advice would be appreciated.

Thanks
Mark

It’s largely up to you. Prior to Teleport 4.0, the way to do this is to have a proxy and auth server set up for your “main” Teleport cluster, then to set up a Teleport proxy server in each sub-cluster and add the “main” cluster as a trusted cluster. This would allow you to gain access the sub-clusters via the “main” cluster.

In Teleport 4.0 we added support for what we’re calling “Teleport IoT” which allows users to instruct a node to connect back to a central Teleport proxy server via tunnelling, rather than needing its own local proxy. Whether this makes sense for you would likely depend on the connectivity available, how many nodes you have in each sub-cluster, how many sub-clusters you have and whether you want the extra effort of administrating the individual nodes in those clusters.

Hi Gus. Thanks for your prompt response. Teleport IoT sounds interesting so we will check that out. This sounds like it would achieve what we want. Primarily, we just don’t want to have to have multiple “full” clusters in each location and have the session recordings saved in AWS rather than locally to that node.