Fork me on GitHub


Teleport Enterprise Cloud FAQ


Billing and usage

How does Cloud Billing work?

Please reach out to sales to discuss pricing.

Can a customer deploy multiple clusters in Teleport Enterprise Cloud?

Reach out to sales to discuss pricing.

If I start with Teleport Enterprise Cloud, can I move to Teleport Enterprise or Teleport Open Source, or do I need to start again?

If you plan to use S3 and DynamoDB as storage backends, we can provide data for you to import. But you should reach out to us first. If you use a different backend, you will need to start over.


How long will Teleport Enterprise Cloud retain my data?

See our documentation on data retention.

Is an independent security audit available?

Security audits by independent third-parties are performed at least annually. You can request audit results and other related information on the Teleport Trust Portal.

Does your SOC 2 report include Teleport Enterprise Cloud?

We completed our most current SOC 2 Type II audit on August 9th, 2022.

The report covers:

  • Teleport Open Source
  • Teleport Enterprise, self-hosted
  • Teleport Enterprise, cloud-hosted (SaaS)

The SOC 2 report is available for download at

For any other questions, reach out to

How do you store passwords?

Password hashes are generated using Golang's bcrypt.

Do you encrypt data at rest?

Each deployment is using at-rest encryption using AWS DynamoDB and S3 at-rest encryption for customer data including session recordings and user records.

Can I get a list of IP addresses to configure a firewall?

We do not have plans to offer a list of IP addresses for Teleport Enterprise Cloud at the moment.

Teleport Enterprise Cloud infrastructure is elastic and IP addresses can and do change when we make infrastructure changes. This would make the maintenance of IP allowlists a cumbersome and brittle process for customers.

However, we do provide customers with a stable tenant DNS name backed with TLS certificates from that can be utilized to verify the integrity of any outbound connections to Teleport Enterprise Cloud.

Can I configure an allowlist of inbound IP addresses to Teleport Enterprise Cloud?

We do not have plans to offer support for inbound connection IP allowlists.

We believe mTLS with strong user and device identity provides the best available security for client authentication.

For customers that require IP-based control for compliance purposes, we do support IP Pinning. For more information see pin_source_ip in our Teleport Access Controls Reference.

Are internal connections encrypted / authenticated?

Teleport components communicate with themselves using mTLS, with a separate certificate authority for each tenant. Connections to AWS services, such as DynamoDB and S3, are established using encryption provided by AWS, both at rest and in transit. Each tenant has its own credentials that isolate it to interacting with only its own data.

Connecting resources

How do I add resources to Teleport Enterprise Cloud?

You can connect servers, Kubernetes clusters, databases and applications using reverse tunnels.

There is no need to open any ports on your infrastructure for inbound traffic.

What is the maximum number of agents a customer can connect to their cluster?

If you plan on connecting more than 10,000 nodes or agents, please contact your account executive or customer support to ensure your tenant is properly scaled.

Are dynamic node tokens available?

After connecting tctl to Teleport Enterprise Cloud, users can generate dynamic tokens:

tctl nodes add --ttl=5m --roles=node,proxy --token=$(uuid)

Using tctl

How can I access the tctl admin tool?

Find the appropriate download at Teleport Enterprise Cloud Downloads. Use the Enterprise version of tctl.

After downloading the tools, first log in to your cluster using tsh, then use tctl remotely:

tsh login
tctl status

Why am I getting permission denied errors when using tctl?

If you have a local file /etc/teleport.yaml on your machine tctl will attempt to use the local cluster. Set the environment variable TELEPORT_CONFIG_FILE to "" so it will not attempt to use that Teleport configuration file.

tctl tokens add --type=node

Audit events and session recordings

Is there a way to forward Teleport Enterprise Cloud audit events to my company's internal Security Information and Event Management (SIEM)?

Yes. We recommend Teleport's event handler plugin to export Teleport Enterprise Cloud audit events.

Is it possible to enable proxy recording mode?

Proxy recording mode is disabled for cloud customers

Is there a way to download session recordings for easy playback?

The ability to download recordings for offline viewing will be available in a future release.


Will Teleport be automatically upgraded with each release?

Teleport Cloud follows the Teleport Production readiness guidelines.

  • Major version upgrades for customer Auth and Proxy Servers occur after the first minor release (for example 13.1.0) of Teleport. This typically happens within one month of a new major release of Teleport becoming available.
  • After the first minor release, subsequent minor and patch upgrades typically occur within a week.

Are upgrades times configurable for my Teleport Enterprise Cloud tenant?

Yes, you can set the window start time that works best for your organization for upgrades. Teleport provides a scheduled maintenance time window for any upgrades, patches and other required updates for all tenants. An upgrade for your tenant will not start earlier than the window start time you set.

To set the window start time select your username in the Web UI, then the Help & Support option from the drop-down. The Scheduled Upgrades section within that page allows you to configure the window start time.

Teleport recommends subscribing to the Teleport Enterprise Cloud updates at to keep up to date on scheduled maintenance.

How can I find version information on connected agents?

To find the version of Teleport agent is attached to your cluster, run the following commands for the different protocols we support.

tctl get nodes --format=text
tctl get kube_server --format=text
tctl get app_server --format=text
tctl get db_server --format=text
tctl get windows_desktop_service --format=text

Below you can see sample output of tctl get nodes --format=text. Note the Version column will contain the version of the attached agent.

tctl get nodes --format=text

Host UUID Public Address Labels Version

-------- ------------------------------------ -------------- ------ ----------

server01 46d8cad0-8967-4815-a01a-77aae62c34fe 12.0.0

server02 c33b5513-a9eb-463b-8f1b-1f209afe5b4f 12.0.0

Architecture and networking

Which Proxy Service ports are open on my Teleport Enterprise Cloud tenant?

Teleport Enterprise Cloud allocates a different set of ports to each tenant. To see which ports are available for your Teleport Enterprise Cloud tenant, run a command similar to the following, replacing with your tenant domain:

curl | jq '.proxy'

The output should resemble the following, including the unique ports assigned to your tenant:

  "kube": {
    "enabled": true,
    "public_addr": "",
    "listen_addr": ""
  "ssh": {
    "listen_addr": "[::]:3023",
    "tunnel_listen_addr": "",
    "public_addr": "",
    "ssh_public_addr": "",
    "ssh_tunnel_public_addr": ""
  "db": {
    "postgres_public_addr": "",
    "mysql_listen_addr": "",
    "mysql_public_addr": ""
  "tls_routing_enabled": true

This output also indicates whether TLS routing is enabled for your tenant. When TLS routing is enabled, connections to a Teleport service (e.g., the Teleport SSH Service) are routed through the Proxy Service's public web address, rather than through a port allocated to that service.

In this case, you can see that TLS routing is enabled, and that the Proxy Service's public web address (ssh.public_addr) is

Read more in our TLS Routing guide.

How does Teleport manage web certificates? Can I upload my own?

Teleport uses to issue certificates for every customer. It is not possible to upload a custom certificate or use a custom domain name.

Where does Teleport Enterprise Cloud run?

Teleport Enterprise Cloud is deployed within AWS, using S3 and DynamoDB for storage with AWS-managed encryption keys. All data is currently hosted in us-west-2. Currently there is no option to select an alternative region for storage.

Are you using AWS-managed encryption keys, or CMKs via KMS?

We use AWS-managed keys. Currently there is no option to provide your own key.

Is this Teleport's S3 bucket, or my bucket based on my AWS credentials?

It's a Teleport-managed S3 bucket with AWS-managed keys. Currently there is no way to provide your own bucket.

Is IPv6 Supported for connections to Teleport Enterprise Cloud?

We don't currently support IPv6 connections to Teleport Enterprise Cloud.

Can I change the domain name of my Cloud instance after it's been created?

We're currently researching whether this can be done, so please contact support at [email protected].

Is FIPS mode an option?

FIPS is not currently an option for Teleport Enterprise Cloud clusters.

Performance and reliability

Can I use Teleport Enterprise Cloud in production?

Yes. Large organizations leverage Teleport Enterprise Cloud to manage the vast number of resources in their organization. Teleport Enterprise Cloud is audited regularly to ensure the most reliable and secure service possible is available to our customers.

What is the Cloud SLA?

Teleport Enterprise Cloud commits to an SLA of 99.9% of monthly uptime, a maximum of 44 minutes of downtime per month. While we routinely exceed this SLA, this number reflects risks in our architecture that we will improve over time.

Is there a status page available?

Can I get push notifications of Teleport Enterprise Cloud downtime?

Yes. Customers can subscribe to Teleport Enterprise Cloud updates at

Can I retrieve diagnostics from my hosted cluster?

We currently don't expose any metrics interfaces for a tenant.

For our own metrics collection, we're rolling out mTLS, so that only authorized internal clients may collect or scrape metrics from the running instances. This design does not include a mechanism to issue mTLS certificates to external clients, while maintaining isolation guarantees that one tenant cannot interact with another tenant.

Teleport cloud tenants are made up of a cluster of processes, with designated processes sitting behind a load balancer. To scrape the entire cluster would require each component of the Teleport cluster to be individually addressable and accessible from external sources. This could allow individual components to be selectively attacked, if an adversary is able to address traffic to any individual software instance within the cluster.

How do I set up recovery codes for my account so I don't lose access?

We have a short step-by-step guide on setting up recovery codes.