Database Access FAQ
Teleport Database Access currently supports the following protocols:
- Microsoft SQL Server
For PostgreSQL and MySQL, the following Cloud-hosted versions are supported in addition to self-hosted deployments:
- Amazon RDS
- Amazon Aurora (except for Amazon Aurora Serverless, which doesn't support IAM authentication)
- Amazon Redshift
- Google Cloud SQL
- Azure Database
See the available guides for all supported configurations.
The following PostgreSQL protocol features aren't currently supported:
- Canceling requests in progress. Cancel requests issued by the PostgreSQL clients connected to the Teleport Proxy Service won't be passed to the database server.
- Any authentication methods except for client certificate authentication and IAM authentication for cloud databases.
When configuring the Teleport Proxy Service, administrators can set the
mysql_public_addr configuration fields to public
addresses over which respective database clients should connect. See
Proxy Configuration for
This is useful when the Teleport Web UI is running behind an L7 load balancer (e.g. ALB in AWS), in which case the PostgreSQL/MySQL proxy needs to be exposed on a plain TCP load balancer (e.g. NLB in AWS).
In Teleport Cloud, the Proxy Service uses the following ports for Database Access client traffic:
Teleport relies on client certificates for authentication, so any database client that supports this method of authentication and uses modern TLS (1.2+) should work.
Standard command-line clients such as
supported. There are also instructions for configuring select
We plan to support more databases in the future based on customer demand.
Yes, you can pass a custom CA certificate by using a
server_name under the
tls section in your Teleport configuration
file. Please see our reference
for more details.
Yes, although it is not recommended. Certificate verification prevents person-in-the-middle attacks and ensures that you are connected to the database you intended to reach.
Teleport also allows you to edit your
to provide a custom CA certificate (ca_cert_file) or custom DNS name (server_name), which is more secure.
If none of the above options work for you and you still want to disable the CA
check, you can use
mode under the
tls option in the Teleport configuration file.
For more details please refer to the reference configuration file.
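The options discussed in the last two answers, side by side, as an added example that is not taken from the Teleport documentation. Database names, addresses and file paths are constructed placeholders, and the mode values (verify-full, verify-ca, insecure) are assumed from Teleport's configuration reference rather than from this page, so confirm them against the reference for your version.

```yaml
# Added example: every name, address and path below is a constructed placeholder.
db_service:
  enabled: "yes"
  databases:
    # Preferred: keep full verification and tell Teleport what to trust.
    - name: "orders-db"
      protocol: "postgres"
      # Connecting by IP means the certificate's DNS name will not match the URI.
      uri: "10.0.0.15:5432"
      tls:
        # Assumed default: verify the CA chain and the server name.
        mode: verify-full
        # CA that issued the database's server certificate.
        ca_cert_file: /etc/teleport/orders-db-ca.pem
        # Name expected in the database certificate, used instead of the URI host.
        server_name: orders-db.internal.example.com

    # Weaker: the chain is still validated, but the server name is not checked.
    - name: "reports-db"
      protocol: "mysql"
      uri: "reports.internal.example.com:3306"
      tls:
        mode: verify-ca
        ca_cert_file: /etc/teleport/reports-db-ca.pem

    # Last resort: certificate checks are disabled for this database, so the
    # person-in-the-middle protection described above is lost.
    - name: "legacy-db"
      protocol: "mysql"
      uri: "legacy.internal.example.com:3306"
      tls:
        mode: insecure
```

When reviewing a deployment, searching the configuration for any tls block with mode set to insecure is a quick way to find databases that have opted out of verification.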