Fork me on GitHub


Teleport Cloud FAQ


Can I use Teleport Cloud in production?

Yes. Large organizations leverage Teleport Cloud to manage the vast number of resources in their organization. Teleport Cloud is audited regularly to ensure the most reliable and secure service possible is available to our customers.

What is the Cloud SLA?

Teleport Cloud commits to an SLA of 99.5% of monthly uptime, a maximum of 3 hours 40 minutes of downtime per month. While we routinely exceed this SLA, this number reflects risks in our architecture that we will improve over time.

Is there a status page available?

Can I get push notifications of Teleport Cloud downtime?

Yes. Customers can subscribe to Teleport Cloud updates at

How does Cloud Billing work?

Please reach out to sales to discuss pricing.

If I start with Teleport Cloud, can I move to Teleport Enterprise or Teleport Open Source, or do I need to start again?

If you plan to use S3 and DynamoDB as storage backends, we can provide data for you to import. But you should reach out to us first. If you use a different backend, you will need to start over.

How do I set up recovery codes for my account so I don't lose access?

We have a short step-by-step guide on setting up recovery codes.

Are you using AWS-managed encryption keys, or CMKs via KMS?

We use AWS-managed keys. Currently there is no option to provide your own key.

Is this Teleport's S3 bucket, or my bucket based on my AWS credentials?

It's a Teleport-managed S3 bucket with AWS-managed keys. Currently there is no way to provide your own bucket.

How long will Teleport Cloud retain my data?

See our documentation on data retention.

How do I add Nodes to Teleport Cloud?

You can connect servers, Kubernetes clusters, databases and applications using reverse tunnels.

There is no need to open any ports on your infrastructure for inbound traffic.

Which Proxy Service ports are open on my Teleport Cloud tenant?

Teleport Cloud allocates a different set of ports to each tenant. To see which ports are available for your Teleport Cloud tenant, run a command similar to the following, replacing with your tenant domain:

curl | jq '.proxy'

The output should resemble the following, including the unique ports assigned to your tenant:

  "kube": {
    "enabled": true,
    "public_addr": "",
    "listen_addr": ""
  "ssh": {
    "listen_addr": "[::]:3023",
    "tunnel_listen_addr": "",
    "public_addr": "",
    "ssh_public_addr": "",
    "ssh_tunnel_public_addr": ""
  "db": {
    "postgres_public_addr": "",
    "mysql_listen_addr": "",
    "mysql_public_addr": ""
  "tls_routing_enabled": true

This output also indicates whether TLS routing is enabled for your tenant. When TLS routing is enabled, connections to a Teleport service (e.g., the Teleport SSH Service) are routed through the Proxy Service's public web address, rather than through a port allocated to that service.

In this case, you can see that TLS routing is enabled, and that the Proxy Service's public web address (ssh.public_addr) is

Read more in our TLS Routing guide.

How can I access the tctl admin tool?

Find the appropriate download at Teleport Cloud Downloads. Use the Enterprise version of tctl.

After downloading the tools, first log in to your cluster using tsh, then use tctl remotely:

tsh login
tctl status

Why am I getting permission denied errors when using tctl?

If you have a local file /etc/teleport.yaml on your machine tctl will attempt to use the local cluster. Set the environment variable TELEPORT_CONFIG_FILE to "" so it will not attempt to use that Teleport configuration file.

tctl tokens add --type=node

Are dynamic node tokens available?

After connecting tctl to Teleport Cloud, users can generate dynamic tokens:

tctl nodes add --ttl=5m --roles=node,proxy --token=$(uuid)

Is an independent security audit available?

Security audits by independent third-parties are performed at least annually, with the results made available on our Audit Reports page.

Where does Teleport Cloud run?

Teleport Cloud is deployed within AWS, using S3 and DynamoDB for storage with AWS-managed encryption keys. All data is currently hosted in us-west-2. Currently there is no option to select an alternative region for storage.

Will Teleport be automatically upgraded with each release?

The Teleport control plane is routinely upgraded within 1-2 weeks of a Teleport Core or Enterprise Release. New features may not be available to cloud users until compatibility is tested and fixed, and some features may not work in the cloud environment. Individual customers may not be upgraded to the latest release if they are running agents that are outside of the supported compatibility of the control plane.

Does your SOC 2 report include Teleport Cloud?

We completed our most current SOC 2 Type II audit on August 9th, 2022.

The report covers:

  • Teleport Open Source
  • Teleport Enterprise, self-hosted
  • Teleport Enterprise, cloud-hosted (SaaS)

Reach out to for report details.

Can a customer deploy multiple clusters in Teleport Cloud?

Reach out to sales to discuss pricing.

Is FIPS mode an option?

FIPS is not currently an option for Teleport Cloud clusters.

How do you store passwords?

Password hashes are generated using Golang's bcrypt.

How does Teleport manage web certificates? Can I upload my own?

Teleport uses to issue certificates for every customer. It is not possible to upload a custom certificate or use a custom domain name.

Do you encrypt data at rest?

Each deployment is using at-rest encryption using AWS DynamoDB and S3 at-rest encryption for customer data including session recordings and user records.

Can I get a list of IP addresses to configure a firewall?

We don't currently offer a list of addresses for firewall configuration and plan to make this available in the future.

Can I configure Teleport Cloud to only allow connections from an allowlist of IP addresses?

No. We believe mTLS with strong identity is the best standard available for authenticating and access clients. We are also investigating additional and new features that can be used as a defense in depth strategy for use with Teleport Cloud in 2022.

Is IPv6 Supported for connections to Teleport Cloud?

We don't currently support IPv6 connections to Teleport Cloud.

Can I change the domain name of my Cloud instance after it's been created?

We're currently researching whether this can be done, so please contact support at [email protected].

Can I retrieve diagnostics from my hosted cluster?

We currently don't expose any metrics interfaces for a tenant.

For our own metrics collection, we're rolling out mTLS, so that only authorized internal clients may collect or scrape metrics from the running instances. This design does not include a mechanism to issue mTLS certificates to external clients, while maintaining isolation guarantees that one tenant cannot interact with another tenant.

Teleport cloud tenants are made up of a cluster of processes, with designated processes sitting behind a load balancer. To scrape the entire cluster would require each component of the Teleport cluster to be individually addressable and accessible from external sources. This could allow individual components to be selectively attacked, if an adversary is able to address traffic to any individual software instance within the cluster.

Is it possible to enable proxy recording mode?

Proxy recording mode is disabled for cloud customers

Is there a way to download session recordings for easy playback?

The ability to download recordings for offline viewing will be available in a future release.

Is there a way to forward Teleport Cloud audit events to my company's internal Security Information and Event Management (SIEM)?

Yes. We recommend Teleport's event handler plugin to export Teleport Cloud audit events.

I'm noticing high latency / terminal sessions are slow ?

Please reach out to [email protected]. Our latency design is still being rolled out, and needs to be opted into.

What is the maximum number of nodes a customer can connect to their cluster?

If you plan on connecting more than 10,000 nodes or agents, please contact your account executive or customer support to ensure your tenant is properly scaled.

Are internal connections encrypted / authenticated?

Teleport components communicate with themselves using mTLS, with a separate certificate authority for each tenant. Connections to AWS services, such as DynamoDB and S3, are established using encryption provided by AWS, both at rest and in transit. Each tenant has its own credentials that isolate it to interacting with only its own data.