Sign In

Sign in to Teleport

Teleport Cloud LoginLogin to your Teleport AccountDashboard LoginLegacy Login & Teleport Enterprise Downloads
Get Started
Fork me on GitHub

Teleport

Database Access High Availability (HA)

Version 12.x
Improve

Database Access High Availability (HA)

You can deploy Database Access in a Highly Available (HA) configuration in a couple of common ways: combined replicas and separate replicas. Both of those revolve around pointing multiple Database Services to the same database instance.

Combined replicas

The most common approach is to assign the same name to each Database Service proxying the database.

If you have two Database Services proxying the same database, configuration for both agents would be identical:

# Same config for both agents.
db_service:
  enabled: "yes"
  databases:
  - name: "postgres"
    protocol: "postgres"
    uri: "postgres.example.com:5432"

With this configuration, you will see only a single entry for the database in tsh db ls:

tsh db ls
Name
--------
postgres
tsh db connect postgres

When connecting, Teleport will randomly pick the Database Service instance to connect through to provide some load balancing. If the selected instance is down (e.g. in case of AZ outage), Teleport will try to connect via other instances.

Separate replicas

With separate replicas, each Database Service instance proxying the database assigns it a different name. This allows you to explicitly pick the agent you want to connect to the database over:

# Database service instance #1.
db_service:
  enabled: "yes"
  databases:
  # Note the name is different than instance #2 but the URI is the same.
  - name: "postgres-us-east-1a"
    protocol: "postgres"
    uri: "postgres.example.com:5432"

# Database service instance #2.
db_service:
  enabled: "yes"
  databases:
  # Note the name is different than instance #1 but the URI is the same.
  - name: "postgres-us-east-1b"
    protocol: "postgres"
    uri: "postgres.example.com:5432"

With this configuration, both services will appear as two separate entries in tsh db ls output and you will have to pick one explicitly when connecting:

tsh db ls
Name
-------------------
postgres-us-east-1a
postgres-us-east-1b
tsh db connect postgres-us-east-1a

This approach is useful when you want to have control over which replica you're using to connect.

Next steps

Have a suggestion or can’t find something?
IMPROVE THE DOCS