How scalable is teleport proxy? #1107

Closed
siepkes opened this issue Jun 24, 2017 · 3 comments
@siepkes

siepkes commented Jun 24, 2017

As I understand it, teleport proxy can be used to create a reverse tunnel to the auth server, which in turn allows you to connect to SSH servers behind a NAT / firewall. My question is how well does this scale? I'm looking at a scenario with hundreds of appliances (or IoT devices if you want to give it a fancy name ;-) behind all sorts of NATs and firewalls which I would like to be able to reach. Would having hundreds of proxies work?

The alternative would be to use a VPN (Wireguard, OpenVPN, etc.) but I would like to keep things simple.

@nikatjef
Contributor

Quick, if less than useful, answer: yes. Yes, that would work.

Having said that, Teleport's proxy limits are really based on activity levels vs memory (proxy connection information / management) and storage write speed (writing the proxy logs). If you are using the connections for traditional Ops activity, then you can handle 50 - 75 concurrently on a small Raspberry Pi3 without issue. If you are doing a traditional Dev activity, then you can handle about twice that many. If, instead, you are doing a DevOps type activity, you can handle about 30 - 60 concurrently.

@siepkes
Author

siepkes commented Jun 26, 2017

@nikatjef In my scenario (and in the case of hundreds of IoT devices like Raspberry Pis with sensors, for example) there would basically be one proxy per host to connect to. Proxy and SSH server would be running on the same host, since in that scenario it is just about getting connected with the device itself. Usually you can't connect to such devices directly because they have changing IPs because they are on 4G or because they are behind NAT. So my scaling concerns were more the other way around. Can the auth server (and rest of teleport) deal with hundreds of proxies?

@kontsevoy
Contributor

@siepkes yes, hundreds of remote "trusted clusters" should work without any issues. IIRC the overhead of a "trusted cluster" is a 3-5 second network ping, so with 1,000 remote tunnels you're looking at ~200 pings per second at your "master auth server" (which everyone else connects to).

hatched pushed a commit that referenced this issue Feb 1, 2023