Skip to main content

Teleport Enterprise Cloud Architecture

This guide describes architectural features of Teleport Enterprise (Cloud). In general, Teleport Enterprise (Cloud) includes managed deployments of the Teleport Auth Service and Teleport Proxy Service. Read on for information about topics like High Availability, deployment regions, and data retention.

If you are new to Teleport Enterprise (Cloud), read the Getting Started Guide.

Security

We have designed the Teleport Enterprise Cloud environment to be secure. We work with independent security auditors on a regular basis to identify and correct any gaps, while also continuing to iterate on improvements to fortify the platform for the most strict of compliance use-cases.

The Teleport Enterprise Cloud environment is protected from network and transport layer DDoS attacks that may target Teleport tenants by leveraging AWS Shield.

Compliance

We undergo an annual SOC 2 Type II audit of the Teleport Access Platform.

The audit report covers:

  • Teleport Open Source
  • Teleport Enterprise, self-hosted
  • Teleport Enterprise, cloud-hosted (SaaS)

The SOC 2 report is available for download at trust.goteleport.com.

For any other questions, reach out to https://goteleport.com/cloud/sales.

Managed Teleport Settings

SSH sessions are recorded on nodes. Teleport Enterprise Cloud Proxy does not terminate SSH sessions when using OpenSSH and tsh sessions. The Cloud Proxy terminates TLS for Application, Database, and Kubernetes sessions.

Data retention

All Teleport Enterprise Cloud customers have audit logs retained in S3 for 4 years, cluster configuration retained in DynamoDB indefinitely, and session recordings retained in S3 indefinitely.

Customers whose subscriptions lapse will have all session recordings, audit logs, and cluster state deleted between 7 and 30 days after the lapse.

Customers can configure External Audit Storage to store audit logs and session recordings in their own AWS account where retention period can be managed independently.

High Availability

Auth Service

The Teleport Auth Service is deployed in 2 AWS availability zones, and can tolerate a single zone failure. AWS guarantees 99.99% of monthly uptime. Teleport Enterprise Cloud can run in one of the following AWS regions:

  • us-west-2
  • us-east-1
  • eu-central-1
  • ap-south-1
  • ap-southeast-1
  • sa-east-1

Proxies

The Teleport Proxy Service is deployed to multiple AWS regions around the world for low-latency access to distributed infrastructure.

  • us-west-2
  • us-east-1
  • eu-central-1
  • ap-south-1
  • ap-southeast-1
  • sa-east-1

Releases

Teleport Enterprise Cloud only serves the latest stable release of the Teleport software for its customers.

Teleport Enterprise Cloud team upgrades the service with patch releases weekly and major releases quarterly. The team waits for the first minor release before a major upgrade. For example, the team will deploy 16.1.0 instead of 16.0.0. The first minor release happens 3-4 weeks after a first major release.

Patch releases are fully backward compatible and require no actions by the customer.

Major releases do require customers to upgrade all instances of Teleport they are running within 3 months of the upgrade. Failure to upgrade Teleport instances to the latest major release during this window may lead to compatibility issues with Teleport Enterprise Cloud and a loss of access to your infrastructure.

Subscribe to status updates at status.teleport.sh for Cloud upgrade notifications.

Service Level Agreement

Teleport Enterprise Cloud commits to an SLA of 99.9% of monthly uptime, a maximum of 44 minutes of downtime per month. As we continue to invest in the cloud product and infrastructure, the SLA will be increased.