Teleport Cluster configuration across AWS and Data Centre

We have multiple environments in separate AWS VPCs and also bare metal servers running in an onsite Data Centre. We will have AWS Direct Connect to the DC and can set up VPC peering where required for the other VPCs.

We would like to have the primary Teleport cluster in an AWS VPC using DynamoDB and S3. We would like to access our DC nodes and nodes in the other VPCs via Teleport.

Ideally all management, users, recordings, etc. would be stored in the Teleport cluster in AWS in DynamoDB and the S3 bucket. We’re after some advice on the right way to set up the Teleport cluster(s). Can we have just one cluster that all nodes connect to, or do we need to have sub-clusters in each environment?

Any advice would be appreciated.

Thanks
Mark

It’s largely up to you. Prior to Teleport 4.0, the way to do this was to have a proxy and auth server set up for your “main” Teleport cluster, then to set up a Teleport proxy server in each sub-cluster and add the “main” cluster as a trusted cluster. This would allow you to gain access to the sub-clusters via the “main” cluster.

In Teleport 4.0 we added support for what we’re calling “Teleport IoT” which allows users to instruct a node to connect back to a central Teleport proxy server via tunnelling, rather than needing its own local proxy. Whether this makes sense for you would likely depend on the connectivity available, how many nodes you have in each sub-cluster, how many sub-clusters you have and whether you want the extra effort of administrating the individual nodes in those clusters.
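To make the two options above concrete, here is an added configuration sketch (not from the thread or from Teleport’s own documentation) covering the original poster’s scenario: a root cluster in AWS backed by DynamoDB and S3, a DC node joining it over a reverse tunnel, and, for the pre-4.0 style, a trusted_cluster resource that a sub-cluster would register. All hostnames (`root-proxy.example.com`), bucket and table names, and the join tokens are placeholders; the role names in `role_map` are assumed.

```yaml
# --- Root cluster in AWS: auth + proxy on one host (placeholder names throughout) ---
# /etc/teleport.yaml on the root cluster host
teleport:
  nodename: root-auth-proxy
  data_dir: /var/lib/teleport
  storage:
    # Cluster state lives in DynamoDB, audit events in a second table,
    # session recordings in S3: nothing is kept only on the individual nodes.
    type: dynamodb
    region: ap-southeast-2                        # assumed region
    table_name: teleport-backend                  # placeholder table
    audit_events_uri: ['dynamodb://teleport-events']
    audit_sessions_uri: 's3://example-teleport-sessions/records'
auth_service:
  enabled: yes
  cluster_name: root-aws
  tokens:
    - "node:PLACEHOLDER_NODE_JOIN_TOKEN"          # placeholder, rotate in practice
    - "trusted_cluster:PLACEHOLDER_TC_TOKEN"      # placeholder, for the sub-cluster option
proxy_service:
  enabled: yes
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024                # reverse-tunnel port the DC nodes dial out to
ssh_service:
  enabled: no

---
# --- Option 1 (Teleport 4.0+, "IoT"/node tunnelling): a DC node with no local proxy ---
# /etc/teleport.yaml on a bare-metal node in the Data Centre
teleport:
  nodename: dc-node-01
  auth_token: "PLACEHOLDER_NODE_JOIN_TOKEN"
  # Pointing auth_servers at the proxy's tunnel port (3024) makes the node
  # dial out and hold a persistent reverse tunnel; the root cluster never
  # needs inbound reachability into the DC network.
  auth_servers:
    - root-proxy.example.com:3024
ssh_service:
  enabled: yes
  labels:
    site: datacentre
auth_service:
  enabled: no
proxy_service:
  enabled: no

---
# --- Option 2 (pre-4.0 style): a sub-cluster trusts the root cluster ---
# Applied on the sub-cluster's auth server with: tctl create trusted_cluster.yaml
kind: trusted_cluster
version: v2
metadata:
  name: root-aws
spec:
  enabled: true
  token: "PLACEHOLDER_TC_TOKEN"
  tunnel_addr: root-proxy.example.com:3024
  web_proxy_addr: root-proxy.example.com:3080
  # Map a role from the root cluster onto a local role in the sub-cluster (names assumed).
  role_map:
    - remote: "admin"
      local: ["admin"]
```

The trade-off the reply describes shows up directly in these fragments: option 1 puts a copy of the node configuration and join token on every DC host, but keeps one set of recordings and one audit trail in AWS; option 2 means running an auth and proxy server per environment, each with its own backend unless it is also pointed at shared storage.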

Hi Gus. Thanks for your prompt response. Teleport IoT sounds interesting so we will check that out. This sounds like it would achieve what we want. Primarily, we just don’t want to have to have multiple “full” clusters in each location and have the session recordings saved in AWS rather than locally to that node.

Why does the ‘tunneling’ approach keep tunnels up all the time instead of just for the time a connection is being made?

If there is no tunnel established from a node back to the proxy server, how can the node know that a session should be started?

The whole point of IoT/node tunnelling mode is that the only connection requirement is for the node to be able to connect back to the proxy and not the other way around. Without a permanently-established tunnel, there is no communication between node and proxy.

I see. Thanks for the explanation. I was thinking along the lines of: since Teleport is running on the node, it could know when a tunnel needs to be established on demand, i.e. the proxy sends “connect through me” and the tunnel goes up.

Yeah, I understand what you were thinking. The issue is that for IoT/node tunnelling mode, there is no communication channel at all between the node and the proxy if the tunnel isn’t up. There would be no way for that message to be sent unless the tunnel was already established.