Securing Infrastructure Access at Scale in Large Enterprises
Dec 12
Virtual
Register Now
Teleport logoTry For Free
Fork me on GitHub

Teleport

Teleport Enterprise Cloud FAQ

This page provides answers to frequently asked questions about Teleport Enterprise (Cloud). For a list of frequently asked questions about Teleport in general, see Frequently Asked Questions.

Billing and usage

How does Cloud Billing work?

Please reach out to sales to discuss pricing.

Can a customer deploy multiple clusters in Teleport Enterprise Cloud?

Reach out to sales to discuss pricing.

If I start with Teleport Enterprise Cloud, can I move to Teleport Enterprise or Teleport Community Edition, or do I need to start again?

If you plan to use S3 and DynamoDB as storage backends, we can provide data for you to import. But you should reach out to us first. If you use a different backend, you will need to start over.

Security

How long will Teleport Enterprise Cloud retain my data?

See our documentation on data retention.

Is an independent security audit available?

Security audits by independent third-parties are performed at least annually. You can request audit results and other related information on the Teleport Trust Portal.

Does your SOC 2 report include Teleport Enterprise Cloud?

We undergo an annual SOC 2 Type II audit of the Teleport Access Platform.

The audit report covers:

  • Teleport Open Source
  • Teleport Enterprise, self-hosted
  • Teleport Enterprise, cloud-hosted (SaaS)

The SOC 2 report is available for download at trust.goteleport.com.

For any other questions, reach out to https://goteleport.com/cloud/sales.

How do you store passwords?

Password hashes are generated using bcrypt.

Do you encrypt data at rest?

Each deployment is using at-rest encryption using AWS DynamoDB and S3 at-rest encryption for customer data including session recordings and user records.

Can I get a list of IP addresses that my infrastructure will need to allow connections to?

See the Public IP Address Allowlist for the list of IP addresses used for inbound connections to Teleport Enterprise Cloud.

Can I configure a list of IP addresses which are allowed to connect to Teleport Enterprise Cloud?

We do not have plans to offer support for inbound connection IP allowlists.

We believe mTLS with strong user and device identity provides the best available security for client authentication.

For customers that require IP-based control for compliance purposes, we do support IP Pinning. For more information see pin_source_ip in our Teleport Access Controls Reference.

Are internal connections encrypted / authenticated?

Teleport components communicate with themselves using mTLS, with a separate certificate authority for each tenant. Connections to AWS services, such as DynamoDB and S3, are established using encryption provided by AWS, both at rest and in transit. Each tenant has its own credentials that isolate it to interacting with only its own data.

Connecting resources

How do I add resources to Teleport Enterprise Cloud?

You can connect servers, Kubernetes clusters, databases, desktops, and applications using reverse tunnels.

There is no need to open any ports on your infrastructure for inbound traffic.

What is the maximum number of agents a customer can connect to their cluster?

If you plan on connecting more than 10,000 nodes or agents, please contact your account executive or customer support to ensure your tenant is properly scaled.

Should we use Enterprise or Teleport Community Edition for connecting resources to our Teleport cluster?

Teleport Enterprise and Enterprise Cloud customers should use the Enterprise release of the teleport binary for agents. Running the Community Edition binary could result in incompatibility to these cluster editions for certain features.

To verify you have a Teleport Enterprise release installed run the teleport version command and Enterprise will be in the output.

teleport version

Teleport Enterprise v16.4.7 go1.22

Teleport Community Edition clusters should use the Teleport Community Edition releases. The teleport version command will only include Teleport in its output for those releases.

teleport version

Teleport v16.4.7 go1.22

See the Installation guide for details on installing to specific platforms with Enterprise or Teleport Community Edition releases.

Are dynamic node tokens available?

After connecting tctl to Teleport Enterprise Cloud, users can generate dynamic tokens:

tctl nodes add --ttl=5m --roles=node,proxy --token=$(uuid)

Using tctl

How can I access the tctl admin tool?

Find the appropriate download at Installation. Use the Enterprise version of tctl.

After downloading the tools, first log in to your cluster using tsh, then use tctl remotely:

tsh login --proxy=example.teleport.sh
tctl status

Why am I getting permission denied errors when using tctl?

If you have a local file /etc/teleport.yaml on your machine tctl will attempt to use the local cluster. Set the environment variable TELEPORT_CONFIG_FILE to "" so it will not attempt to use that Teleport configuration file.

export TELEPORT_CONFIG_FILE=""
tctl tokens add --type=node

Audit events and session recordings

Is there a way to forward Teleport Enterprise Cloud audit events to my company's internal Security Information and Event Management (SIEM)?

Yes. We recommend Teleport's event handler plugin to export Teleport Enterprise Cloud audit events.

Is it possible to store audit logs and session recordings in my own S3 bucket?

Yes, you can configure External Audit Storage.

Is it possible to enable proxy recording mode?

Proxy recording mode is disabled for cloud customers

Is there a way to download session recordings for easy playback?

The ability to download recordings for offline viewing will be available in a future release.

Updates

Will Teleport be updated automatically?

The Teleport Auth Service and Teleport Proxy Service for managed Teleport Enterprise clusters are automatically kept up to date with patches and minor releases following the release schedule described in Teleport Upcoming Releases.

  • Major version updates for the Teleport Auth Service and Teleport Proxy Service typically occur one month after new major versions are released.
  • Minor updates and patches typically occur between one day and a week after a release.
  • Teleport Auth Service and Teleport Proxy Service updates are pushed to Teleport cloud accounts during your scheduled maintenance window.
  • The Teleport Auth Service and Proxy Service will not be automatically upgraded to the next major version with Teleport Agents on older major versions.
  • Teleport Agents are only updated automatically if you enroll them in automatic updates.

If you have Teleport Agents connected to a managed Teleport Enterprise cluster that are more than one major version behind, you might experience compatibility issues unless your Teleport Agents are enrolled in automatic updates. See the Upgrading Overview for more information.

To get version information for your Teleport Agents, see How can I find version information on connected agents?.

For more information about automatic updates and compatibility issues, contact Teleport support.

Why wasn't my managed Teleport Enterprise cluster upgraded to the latest major version?

The Teleport control plane supports Teleport Agents that are on the same major version or one major version behind. If your Teleport Agents are not up to date, we will withhold major version upgrades in order to prevent connectivity issues to your resources. For example, if your control plane is currently running Teleport 15 and you have Teleport Agents running Teleport 14, we will not be able to upgrade your control plane to Teleport 16 until all Teleport Agents are running Teleport 15.

You can check the status of your Teleport Agent versions from the tctl inventory ls command. Auth and Proxy services are those managed by Teleport. See How can I find version information on connected agents? for further detail.

Are updates times configurable for Teleport Enterprise Cloud?

Yes, Teleport provides a scheduled maintenance time window for updates and you can set the start time for the maintenance window that works best for your organization. The scheduled maintenance windows applies for all updates, including patches and agent updates for all Teleport Cloud accounts. Updates for your cluster won't start earlier than the maintenance window start time you set.

To set the maintenance window start time, select your username in the Teleport Web UI, then click Help & Support. Under Scheduled Upgrades, you can see the current maintenance window start time. Click Edit to set a different start time for scheduled maintenance.

Teleport recommends you check the status of Teleport Cloud at status.teleport.sh. From the status page, click Subscribe to Updates to get email notifications whenever Teleport Cloud creates, updates, or resolves an incident and stay informed about scheduled maintenance and new releases.

When are agents automatically updated?

Teleport Enterprise Cloud must be set to receive automatic updates to use the Teleport Cloud version server for automatic agent updates. With automatic agent updates, agents periodically check the version server for new releases and update the software when new versions are found.

If you enroll in automatic agent updates, Teleport agents are automatically updated after your Teleport cluster is updated during your scheduled maintenance period. For more information, read the Automatic Agent Updates guide.

How can I find version information on connected agents?

You can check the status of your agents' version from the tctl inventory ls command. Auth and Proxy services are those managed by Teleport.

tctl inventory ls
Server ID Hostname Services Agent Version Upgrader Upgrader Version------------------------------------ --------------------- --------------- ------------- -------- ----------------065ab336-1ac2-4314-8b16-32fc06a172a7 example-1 Node,App v16.4.7 unit v16.4.7065ab336-1ac2-4314-8b16-f00uj04004db example-2 Node,Db v16.4.7 unit v16.4.73de21e67-845a-4be1-a024-908829718d27 teleport-kube-0 Kube v16.4.7 kube v16.4.7

Architecture and networking

Which Proxy Service ports are open on my Teleport Enterprise Cloud tenant?

Teleport Enterprise Cloud allocates a different set of ports to each tenant. To see which ports are available for your Teleport Enterprise Cloud tenant, run a command similar to the following, replacing example.teleport.sh with your tenant domain:

curl https://example.teleport.sh/webapi/ping | jq '.proxy'

The output should resemble the following, including the unique ports assigned to your tenant:

{
  "kube": {
    "enabled": true,
    "public_addr": "example.teleport.sh:11107",
    "listen_addr": "0.0.0.0:3026"
  },
  "ssh": {
    "listen_addr": "[::]:3023",
    "tunnel_listen_addr": "0.0.0.0:3024",
    "public_addr": "example.teleport.sh:443",
    "ssh_public_addr": "example.teleport.sh:11105",
    "ssh_tunnel_public_addr": "example.teleport.sh:11106"
  },
  "db": {
    "postgres_public_addr": "example.teleport.sh:11109",
    "mysql_listen_addr": "0.0.0.0:3036",
    "mysql_public_addr": "example.teleport.sh:11108"
  },
  "tls_routing_enabled": true
}

This output also indicates whether TLS routing is enabled for your tenant. When TLS routing is enabled, connections to a Teleport service (e.g., the Teleport SSH Service) are routed through the Proxy Service's public web address, rather than through a port allocated to that service.

In this case, you can see that TLS routing is enabled, and that the Proxy Service's public web address (ssh.public_addr) is example.teleport.sh:443.

Read more in our TLS Routing guide.

How does Teleport manage web certificates? Can I upload my own?

Teleport uses letsencrypt.org to issue certificates for every customer. It is not possible to upload a custom certificate or use a custom domain name.

Where does Teleport Enterprise Cloud run?

Teleport Cloud runs on Amazon Web Services (AWS). We run proxies in a variety of regions all over the world, and allow customers to select the region where the data is stored.

Are you using AWS-managed encryption keys, or CMKs via KMS?

We use AWS-managed keys. Currently there is no option to provide your own key.

Is this Teleport's S3 bucket, or my bucket based on my AWS credentials?

It's a Teleport-managed S3 bucket with AWS-managed keys by default.

Configuring External Audit Storage will allow you to use your own S3 bucket.

Is IPv6 Supported for connections to Teleport Enterprise Cloud?

We don't currently support IPv6 connections to Teleport Enterprise Cloud.

Can I change the domain name of my Cloud instance after it's been created?

We're currently researching whether this can be done, so please contact support at support@goteleport.com.

Is FIPS mode an option?

FIPS is not currently an option for Teleport Enterprise Cloud clusters.

Performance and reliability

Can I use Teleport Enterprise Cloud in production?

Yes. Large organizations leverage Teleport Enterprise Cloud to manage the vast number of resources in their organization. Teleport Enterprise Cloud is audited regularly to ensure the most reliable and secure service possible is available to our customers.

What is the Cloud SLA?

Teleport Enterprise Cloud commits to an SLA of 99.9% of monthly uptime, a maximum of 44 minutes of downtime per month. While we routinely exceed this SLA, this number reflects risks in our architecture that we will improve over time.

Is there a status page available?

status.teleport.sh

Can I get push notifications of Teleport Enterprise Cloud downtime?

Yes. Customers can subscribe to Teleport Enterprise Cloud updates at status.teleport.sh.

Can I retrieve diagnostics from my hosted cluster?

We currently don't expose any metrics interfaces for a tenant.

For our own metrics collection, we're rolling out mTLS, so that only authorized internal clients may collect or scrape metrics from the running instances. This design does not include a mechanism to issue mTLS certificates to external clients, while maintaining isolation guarantees that one tenant cannot interact with another tenant.

Teleport cloud tenants are made up of a cluster of processes, with designated processes sitting behind a load balancer. To scrape the entire cluster would require each component of the Teleport cluster to be individually addressable and accessible from external sources. This could allow individual components to be selectively attacked, if an adversary is able to address traffic to any individual software instance within the cluster.

How do I set up recovery codes for my account so I don't lose access?

We have a short step-by-step guide on setting up recovery codes.