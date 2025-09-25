Version: 19.x (unreleased)

This page provides answers to frequently asked questions about Teleport Enterprise (Cloud). For a list of frequently asked questions about Teleport in general, see Frequently Asked Questions.

Please reach out to sales to discuss pricing.

If you plan to use S3 and DynamoDB as storage backends, we can provide data for you to import. But you should reach out to us first. If you use a different backend, you will need to start over.

See our documentation on data retention.

Security audits by independent third-parties are performed at least annually. You can request audit results and other related information on the Teleport Trust Portal.

We undergo an annual SOC 2 Type II audit of the Teleport Infrastructure Identity Platform.

The audit report covers:

Teleport Community Edition

Teleport Enterprise, self-hosted

Teleport Enterprise, cloud-hosted (SaaS)

The SOC 2 report is available for download at trust.goteleport.com.

Password hashes are generated using bcrypt.

Each deployment is using at-rest encryption using Amazon DynamoDB and S3 at-rest encryption for customer data including session recordings and user records.

See the Public IP Address Allowlist for the list of IP addresses used for inbound connections to Teleport Enterprise Cloud.

We do not have plans to offer support for inbound connection IP allowlists.

We believe mTLS with strong user and device identity provides the best available security for client authentication.

For customers that require IP-based control for compliance purposes, we do support IP Pinning. For more information see pin_source_ip in our Teleport Access Controls Reference.

Teleport components communicate with themselves using mTLS, with a separate certificate authority for each tenant. Connections to AWS services, such as DynamoDB and S3, are established using encryption provided by AWS, both at rest and in transit. Each tenant has its own credentials that isolate it to interacting with only its own data.

You can connect servers, Kubernetes clusters, databases, desktops, and applications using reverse tunnels.

There is no need to open any ports on your infrastructure for inbound traffic.

If you plan on connecting more than 10,000 nodes or agents, please contact your account executive or customer support to ensure your tenant is properly scaled.

Teleport Enterprise and Enterprise Cloud customers should use the Enterprise release of the teleport binary for agents. Running the Community Edition binary could result in incompatibility to these cluster editions for certain features.

To verify you have a Teleport Enterprise release installed run the teleport version command and Enterprise will be in the output.

teleport version

Teleport Community Edition clusters should use the Teleport Community Edition releases. The teleport version command will only include Teleport in its output for those releases.

teleport version

See the Installation guide for details on installing to specific platforms with Enterprise or Teleport Community Edition releases.

After connecting tctl to Teleport Enterprise Cloud, users can generate dynamic tokens:

tctl nodes add --ttl=5m --roles=node,proxy --token=$(uuid)

Find the appropriate download at Installation.

After downloading the tools, first log in to your cluster using tsh , then use tctl remotely:

tsh login --proxy=example.teleport.sh tctl status

If you have a local file /etc/teleport.yaml on your machine tctl will attempt to use the local cluster. Set the environment variable TELEPORT_CONFIG_FILE to "" so it will not attempt to use that Teleport configuration file.

export TELEPORT_CONFIG_FILE="" tctl tokens add --type=node

Yes. We recommend Teleport's event handler plugin to export Teleport Enterprise Cloud audit events.

Yes, you can configure External Audit Storage.

Proxy recording mode is disabled for cloud customers

The ability to download recordings for offline viewing will be available in a future release.

If you have Teleport Agents connected to a Teleport Enterprise Cloud cluster that are more than one major version behind, you might experience compatibility issues unless your Teleport Agents are enrolled in automatic updates. See the Upgrading Overview for more information.

To get version information for your Teleport Agents, see How can I find version information on connected agents?.

If you want more details about cluster updates, see Cloud Cluster Updates.

For more information about automatic updates and compatibility issues, contact Teleport support.

The Teleport control plane supports Teleport Agents that are on the same major version or one major version behind. If your Teleport Agents are not up to date, we will withhold major version upgrades in order to prevent connectivity issues to your resources. For example, if your control plane is currently running Teleport 15 and you have Teleport Agents running Teleport 14, we will not be able to upgrade your control plane to Teleport 16 until all Teleport Agents are running Teleport 15.

You can check the status of your Teleport Agent versions from the tctl inventory ls command. Auth and Proxy services are those managed by Teleport. See How can I find version information on connected agents? for further detail.

Yes, see Cloud Cluster Updates for further instruction.

Teleport Enterprise Cloud must be set to receive automatic updates to use the Teleport Cloud version server for automatic agent updates. With automatic agent updates, agents periodically check the version server for new releases and update the software when new versions are found.

If you enroll in automatic agent updates, Teleport Agents are automatically updated after your Teleport cluster is updated during your scheduled maintenance period. For more information, read the Automatic Agent Updates guide.

You can check the status of your agents' version from the tctl inventory ls command. Auth and Proxy services are those managed by Teleport.

tctl inventory ls Server ID Hostname Services Agent Version Upgrader Upgrader Version ------------------------------------ --------------------- --------------- ------------- -------- ---------------- 065ab336-1ac2-4314-8b16-32fc06a172a7 example-1 Node,App v18.1.4 unit v18.1.4 065ab336-1ac2-4314-8b16-f00uj04004db example-2 Node,Db v18.1.4 unit v18.1.4 3de21e67-845a-4be1-a024-908829718d27 teleport-kube-0 Kube v18.1.4 kube v18.1.4

Teleport Enterprise Cloud allocates a different set of ports to each tenant. To see which ports are available for your Teleport Enterprise Cloud tenant, run a command similar to the following, replacing example.teleport.sh with your tenant domain:

curl https://example.teleport.sh/webapi/ping | jq '.proxy'

The output should resemble the following, including the unique ports assigned to your tenant:

{ "kube" : { "enabled" : true , "public_addr" : "example.teleport.sh:11107" , "listen_addr" : "0.0.0.0:3026" } , "ssh" : { "listen_addr" : "[::]:3023" , "tunnel_listen_addr" : "0.0.0.0:3024" , "public_addr" : "example.teleport.sh:443" , "ssh_public_addr" : "example.teleport.sh:11105" , "ssh_tunnel_public_addr" : "example.teleport.sh:11106" } , "db" : { "postgres_public_addr" : "example.teleport.sh:11109" , "mysql_listen_addr" : "0.0.0.0:3036" , "mysql_public_addr" : "example.teleport.sh:11108" } , "tls_routing_enabled" : true }

This output also indicates whether TLS routing is enabled for your tenant. When TLS routing is enabled, connections to a Teleport service (e.g., the Teleport SSH Service) are routed through the Proxy Service's public web address, rather than through a port allocated to that service.

In this case, you can see that TLS routing is enabled, and that the Proxy Service's public web address ( ssh.public_addr ) is example.teleport.sh:443 .

Read more in our TLS Routing guide.

Teleport uses letsencrypt.org to issue certificates for every customer. It is not possible to upload a custom certificate or use a custom domain name.

Teleport Cloud runs on Amazon Web Services (AWS). We run proxies in a variety of regions all over the world, and allow customers to select the region where the data is stored.

We use AWS-managed keys. Currently there is no option to provide your own key.

It's a Teleport-managed S3 bucket with AWS-managed keys by default.

Configuring External Audit Storage will allow you to use your own S3 bucket.

We don't currently support IPv6 connections to Teleport Enterprise Cloud.

We're currently researching whether this can be done, so please contact support at [email protected].

FIPS is not currently an option for Teleport Enterprise Cloud clusters.

Yes. Large organizations leverage Teleport Enterprise Cloud to manage the vast number of resources in their organization. Teleport Enterprise Cloud is audited regularly to ensure the most reliable and secure service possible is available to our customers.

Teleport Cloud commits to an SLA of 99.9% of monthly uptime, a maximum of 44 minutes of downtime per month. As we continue to invest in the cloud product and infrastructure, the SLA will be increased.

In Teleport Cloud accounts that enable multi-region high availability, the SLA increases to 99.99%.

For more information on Teleport Cloud SLAs, see the Teleport Enterprise Edition Pricing Guide (PDF).

Check the current and historical status of Teleport Cloud at status.teleport.sh. From the status page, click Subscribe to Updates to get email notifications about scheduled maintenances or updates in service health.

Yes. Customers can subscribe to Teleport Enterprise Cloud updates at status.teleport.sh.

We currently don't expose any metrics interfaces for a tenant.

For our own metrics collection, we're rolling out mTLS, so that only authorized internal clients may collect or scrape metrics from the running instances. This design does not include a mechanism to issue mTLS certificates to external clients, while maintaining isolation guarantees that one tenant cannot interact with another tenant.

Teleport cloud tenants are made up of a cluster of processes, with designated processes sitting behind a load balancer. To scrape the entire cluster would require each component of the Teleport cluster to be individually addressable and accessible from external sources. This could allow individual components to be selectively attacked, if an adversary is able to address traffic to any individual software instance within the cluster.

When you sign up for a Teleport Enterprise (Cloud) account and set up your first user within the account, the Teleport Web UI displays a set of recovery codes:

Save the recovery codes into a safe location, such as your organization's password manager. You can use these codes to reset your account if you lose your password or multi-factor authentication credentials.