Fork me on GitHub


Trusted Clusters Architecture



Teleport can partition compute infrastructure into multiple clusters. A cluster is a group of Teleport connected resources. Each cluster manages a set of certificate authorities (CAs) for its users and resources.

Trusted Clusters allow the users of one cluster, the root cluster, to seamlessly SSH into the Nodes of another cluster, the leaf cluster, while remaining authenticated with only a single Auth Service. The leaf cluster can be running behind a firewall without any ingress ports open.

Uses for Trusted Clusters include:

  • Managed service providers (MSP) remotely managing the infrastructure of their clients.
  • Device manufacturers remotely maintaining computing appliances deployed on premises.
  • Large cloud software vendors managing multiple data centers.

Individual nodes and proxies can create reverse tunnels to proxy services without creating a new cluster. You don't need to set up a trusted cluster just to connect a couple of servers, kubernetes clusters or databases behind a firewall.

Multi-Data-center Clusters

In the example below, there are three independent clusters:

  • Cluster is a root cluster. This cluster can be used as a single-sign-on entry point for your organization. It can have it's own independent resources connected to it, or be used just for audit logs collection and single-sign-on.
  • Clusters us-east-1a and us-east-1b are two independent clusters in different availability zones.
Trusted clusters

Role Mapping

In Teleport, leaf clusters are autonomous - they have their own state, roles and even local users. Leaf clusters have autonomy to decide how to map identity of the external users to their local roles. We call this process role mapping. Take a look at the flow below to understand how it works:

Role mapping

If this all sounds complicated, but don't worry, you do not need to use trusted clusters unless you have large, distributed infrastructure or your organization works with external agencies or contractors who need separate access.

In many cases, a single cluster is enough. A single teleport cluster can scale to hundreds of thousands of connected resources!

Next steps

Read the rest of the Architecture Guides:

  • See how Teleport uses Certificates for authentication.
  • Reduce your surface of attack using TLS routing.
  • Follow our guide to set up trusted clusters.