Fork me on GitHub

Teleport

Proxy Peering Migration

Improve

This guide shows you how to migrate your Teleport cluster to use Proxy Peering, which enables you to scale your Proxy Service instances horizontally by reducing the number of connections created between Teleport Proxy instances and Teleport services like the Database Service and Application Service.

Prerequisites

An existing Teleport Enterprise cluster. See our getting started guide for help setting up a Teleport cluster.

All components in the cluster should be running Teleport 10.0 or later. See our upgrade procedure for help upgrading a Teleport cluster.

Teleport Proxy Service instances must be able to reach each other over the network on port 3021 by default. Ensure there are no firewall policies that would block communication between instances.

Step 1/3. Enable Proxy Peering

Update your cluster's Auth Service configuration to set the tunnel strategy type to proxy_peering.

auth_service:
    tunnel_strategy:
        type: proxy_peering
        agent_connection_count: 1

This setting will indicate to agents that they are only required to connect to 1 Teleport Proxy instance as specified by the agent_connection_count field.

For high availability, an agent_connection_count greater than 1 can be configured. This ensures an agent is still reachable if one of the Proxy Service instances it is connected to is not available.

Step 2/3. Restart the Auth Services

Restart all Teleport Auth Services running in the cluster to apply the new Auth Service configuration.

Step 3/3. Restart the Proxy Services

Restart all Teleport Proxy Service instances running in the cluster in order to start the services required for Proxy Peering.