Trusted Clusters Architecture
Teleport can partition compute infrastructure into multiple clusters. A cluster is a group of Teleport connected resources. Each cluster manages a set of certificate authorities (CAs) for its users and resources.
Trusted Clusters allow the users of one cluster, the root cluster, to seamlessly SSH into the Nodes of another cluster, the leaf cluster, while remaining authenticated with only a single Auth Service. The leaf cluster can be running behind a firewall without any ingress ports open.
Uses for Trusted Clusters include:
- Managed service providers (MSP) remotely managing the infrastructure of their clients.
- Device manufacturers remotely maintaining computing appliances deployed on premises.
- Large cloud software vendors managing multiple data centers.
Individual nodes and proxies can create reverse tunnels to proxy services without creating a new cluster. You don't need to set up a trusted cluster just to connect a couple of servers, kubernetes clusters or databases behind a firewall.
In the example below, there are three independent clusters:
sso.example.comis a root cluster. This cluster can be used as a single-sign-on entry point for your organization. It can have it's own independent resources connected to it, or be used just for audit logs collection and single-sign-on.
us-east-1bare two independent clusters in different availability zones.
In Teleport, leaf clusters are autonomous - they have their own state, roles and even local users. Leaf clusters have autonomy to decide how to map identity of the external users to their local roles. We call this process role mapping. Take a look at the flow below to understand how it works:
If this all sounds complicated, but don't worry, you do not need to use trusted clusters unless you have large, distributed infrastructure or your organization works with external agencies or contractors who need separate access.
In many cases, a single cluster is enough. A single teleport cluster can scale to hundreds of thousands of connected resources!
Read the rest of the Architecture Guides: