From 69c852a0c4d8e0be340bd0a3e1026bebea4c85d8 Mon Sep 17 00:00:00 2001 From: Paul Gottschling Date: Mon, 24 Apr 2023 09:57:31 -0400 Subject: [PATCH] Add headings to the Cloud FAQ Closes #12506 This change adds H2-level headings to the Cloud FAQ page in order to help users navigate the page. The order of headings is based on my guess as to the importance of each topic. This change does **not** attempt to refresh the content of each question/answer entry, but will make it easier to update the page in the future since the page should be easier to navigate. --- .../choose-an-edition/teleport-cloud/faq.mdx | 343 +++++++++--------- 1 file changed, 181 insertions(+), 162 deletions(-) diff --git a/docs/pages/choose-an-edition/teleport-cloud/faq.mdx b/docs/pages/choose-an-edition/teleport-cloud/faq.mdx index fca096de6dac6..3e78d7eaa74f9 100644 --- a/docs/pages/choose-an-edition/teleport-cloud/faq.mdx +++ b/docs/pages/choose-an-edition/teleport-cloud/faq.mdx @@ -1,120 +1,103 @@ --- title: Teleport Enterprise Cloud FAQ description: Teleport cloud frequently asked questions. +tocDepth: 3 --- -## Can I use Teleport Enterprise Cloud in production? +## Billing and usage -Yes. Large organizations leverage Teleport Enterprise Cloud to manage the vast number of resources in their organization. Teleport Enterprise Cloud is audited regularly to ensure the most reliable and secure service possible is available to our customers. +### How does Cloud Billing work? -## What is the Cloud SLA? +Please [reach out to sales](https://goteleport.com/signup/enterprise) to discuss pricing. -Teleport Enterprise Cloud commits to an SLA of (=cloud.sla.monthly_percentage=) of monthly uptime, -a maximum of (=cloud.sla.monthly_downtime=) of downtime per month. While we routinely exceed this SLA, -this number reflects risks in our architecture that we will improve over time. +### Can a customer deploy multiple clusters in Teleport Enterprise Cloud? -## Is there a status page available? +[Reach out to sales](https://goteleport.com/signup/enterprise) to discuss pricing. -[status.teleport.sh](https://status.teleport.sh) +### If I start with Teleport Enterprise Cloud, can I move to Teleport Enterprise or Teleport Open Source, or do I need to start again? -## Can I get push notifications of Teleport Enterprise Cloud downtime? +If you plan to use S3 and DynamoDB as storage backends, we can provide data for you to import. But you should reach out to us first. If you use a different backend, you will need to start over. -Yes. Customers can subscribe to Teleport Enterprise Cloud updates at [status.teleport.sh](https://status.teleport.sh). +## Security -## How does Cloud Billing work? +### How long will Teleport Enterprise Cloud retain my data? -Please [reach out to sales](https://goteleport.com/signup/enterprise) to discuss pricing. +See our documentation on [data retention](./architecture.mdx#data-retention). -## Are upgrades times configurable for my Teleport Enterprise Cloud tenant? +### Is an independent security audit available? -Yes, you can set the window start time that works best for your organization -for upgrades. Teleport provides a scheduled maintenance time window for any -upgrades, patches and other required updates for all tenants. An upgrade for -your tenant will not start earlier than the window start time you set. +Security audits by independent third-parties are performed at least annually. You can request audit results and other +related information on the [Teleport Trust Portal](https://trust.goteleport.com). -To set the window start time select your username in the Web UI, then the Help -& Support option from the drop-down. The Scheduled Upgrades section within that -page allows you to configure the window start time. +### Does your SOC 2 report include Teleport Enterprise Cloud? -Teleport recommends subscribing to the Teleport Enterprise Cloud updates at -[status.teleport.sh](https://status.teleport.sh) to keep up to date on -scheduled maintenance. +(!docs/pages/includes/soc2.mdx!) -## If I start with Teleport Enterprise Cloud, can I move to Teleport Enterprise or Teleport Open Source, or do I need to start again? +### How do you store passwords? -If you plan to use S3 and DynamoDB as storage backends, we can provide data for you to import. But you should reach out to us first. If you use a different backend, you will need to start over. +Password hashes are generated using +[Golang's bcrypt](https://pkg.go.dev/golang.org/x/crypto/bcrypt). -## How do I set up recovery codes for my account so I don't lose access? +### Do you encrypt data at rest? -We have a [short step-by-step guide](https://github.com/gravitational/teleport/discussions/12379) on setting up recovery codes. +Each deployment is using at-rest encryption using AWS DynamoDB and S3 at-rest encryption +for customer data including session recordings and user records. -## Are you using AWS-managed encryption keys, or CMKs via KMS? +### Can I get a list of IP addresses to configure a firewall? -We use AWS-managed keys. Currently there is no option to provide your own key. +We do not have plans to offer a list of IP addresses for Teleport Enterprise +Cloud at the moment. -## Is this Teleport's S3 bucket, or my bucket based on my AWS credentials? +Teleport Enterprise Cloud infrastructure is elastic and IP addresses can and do +change when we make infrastructure changes. This would make the maintenance of +IP allowlists a cumbersome and brittle process for customers. -It's a Teleport-managed S3 bucket with AWS-managed keys. -Currently there is no way to provide your own bucket. +However, we do provide customers with a stable tenant DNS name backed with +TLS certificates from [letsencrypt.org](https://letsencrypt.org) that can be +utilized to verify the integrity of any outbound connections to Teleport +Enterprise Cloud. -## How long will Teleport Enterprise Cloud retain my data? +### Can I configure an allowlist of inbound IP addresses to Teleport Enterprise Cloud? -See our documentation on [data retention](./architecture.mdx#data-retention). +We do not have plans to offer support for inbound connection IP allowlists. -## How do I add Nodes to Teleport Enterprise Cloud? +We believe mTLS with strong user and [device +identity](../../access-controls/guides/device-trust.mdx) provides the best +available security for client authentication. + +For customers that require IP-based control for compliance purposes, we do +support IP Pinning. For more information see `pin_source_ip` in our [Teleport +Access Controls Reference](../../access-controls/reference.mdx). + +### Are internal connections encrypted / authenticated? + +Teleport components communicate with themselves using mTLS, with a separate certificate authority for each tenant. Connections to AWS services, such as DynamoDB and +S3, are established using encryption provided by AWS, both at rest and in transit. Each tenant has its own credentials that isolate it to interacting with only its own data. +## Connecting resources + +### How do I add resources to Teleport Enterprise Cloud? You can connect servers, Kubernetes clusters, databases and applications using [reverse tunnels](../../management/join-services-to-your-cluster.mdx). There is no need to open any ports on your infrastructure for inbound traffic. -## Which Proxy Service ports are open on my Teleport Enterprise Cloud tenant? +### What is the maximum number of agents a customer can connect to their cluster? -Teleport Enterprise Cloud allocates a different set of ports to each tenant. To see which -ports are available for your Teleport Enterprise Cloud tenant, run a command similar to the -following, replacing `mytenant.teleport.sh` with your tenant domain: +If you plan on connecting more than 10,000 nodes or agents, please contact your account executive or customer support to ensure your tenant is properly scaled. -```code -$ curl https://mytenant.teleport.sh/webapi/ping | jq '.proxy' -``` +### Are dynamic node tokens available? -The output should resemble the following, including the unique ports assigned to -your tenant: +After [connecting](#how-can-i-access-the-tctl-admin-tool) `tctl` to Teleport Enterprise Cloud, users can generate +[dynamic tokens](../../management/join-services-to-your-cluster/join-token.mdx): -```json -{ - "kube": { - "enabled": true, - "public_addr": "mytenant.teleport.sh:11107", - "listen_addr": "0.0.0.0:3026" - }, - "ssh": { - "listen_addr": "[::]:3023", - "tunnel_listen_addr": "0.0.0.0:3024", - "public_addr": "mytenant.teleport.sh:443", - "ssh_public_addr": "mytenant.teleport.sh:11105", - "ssh_tunnel_public_addr": "mytenant.teleport.sh:11106" - }, - "db": { - "postgres_public_addr": "mytenant.teleport.sh:11109", - "mysql_listen_addr": "0.0.0.0:3036", - "mysql_public_addr": "mytenant.teleport.sh:11108" - }, - "tls_routing_enabled": true -} +```code +$ tctl nodes add --ttl=5m --roles=node,proxy --token=$(uuid) ``` -This output also indicates whether TLS routing is enabled for your tenant. When -TLS routing is enabled, connections to a Teleport service (e.g., the Teleport -SSH Service) are routed through the Proxy Service's public web address, rather -than through a port allocated to that service. - -In this case, you can see that TLS routing is enabled, and that the Proxy -Service's public web address (`ssh.public_addr`) is `mytenant.teleport.sh:443`. - -Read more in our [TLS Routing](../../architecture/tls-routing.mdx) guide. +## Using `tctl` -## How can I access the tctl admin tool? +### How can I access the `tctl` admin tool? Find the appropriate download at [Teleport Enterprise Cloud Downloads](./downloads.mdx). Use the Enterprise version of `tctl`. @@ -125,7 +108,7 @@ $ tsh login --proxy=myinstance.teleport.sh $ tctl status ``` -## Why am I getting `permission denied` errors when using `tctl`? +### Why am I getting `permission denied` errors when using `tctl`? If you have a local file `/etc/teleport.yaml` on your machine `tctl` will attempt to use the local cluster. Set the environment variable `TELEPORT_CONFIG_FILE` to `""` so it will not attempt to use that Teleport configuration file. @@ -134,26 +117,23 @@ $ export TELEPORT_CONFIG_FILE="" $ tctl tokens add --type=node ``` -## Are dynamic node tokens available? +## Audit events and session recordings -After [connecting](#how-can-i-access-the-tctl-admin-tool) `tctl` to Teleport Enterprise Cloud, users can generate -[dynamic tokens](../../management/join-services-to-your-cluster/join-token.mdx): +### Is there a way to forward Teleport Enterprise Cloud audit events to my company's internal Security Information and Event Management (SIEM)? -```code -$ tctl nodes add --ttl=5m --roles=node,proxy --token=$(uuid) -``` +Yes. We recommend Teleport's [event handler plugin](../../management/export-audit-events/fluentd.mdx) to export Teleport Enterprise Cloud audit events. -## Is an independent security audit available? +### Is it possible to enable proxy recording mode? -Security audits by independent third-parties are performed at least annually. You can request audit results and other -related information on the [Teleport Trust Portal](https://trust.goteleport.com). +Proxy recording mode is disabled for cloud customers -## Where does Teleport Enterprise Cloud run? +### Is there a way to download session recordings for easy playback? -Teleport Enterprise Cloud is deployed within AWS, using S3 and DynamoDB for storage with AWS-managed encryption keys. All data is currently hosted in us-west-2. -Currently there is no option to select an alternative region for storage. +The ability to download recordings for offline viewing will be available in a future release. -## Will Teleport be automatically upgraded with each release? +## Upgrading + +### Will Teleport be automatically upgraded with each release? Teleport Cloud follows the Teleport [Production readiness](../../preview/upcoming-releases.mdx) guidelines. @@ -165,120 +145,159 @@ readiness](../../preview/upcoming-releases.mdx) guidelines. - After the first minor release, subsequent minor and patch upgrades typically occur within a week. -## Does your SOC 2 report include Teleport Enterprise Cloud? +### Are upgrades times configurable for my Teleport Enterprise Cloud tenant? -(!docs/pages/includes/soc2.mdx!) +Yes, you can set the window start time that works best for your organization +for upgrades. Teleport provides a scheduled maintenance time window for any +upgrades, patches and other required updates for all tenants. An upgrade for +your tenant will not start earlier than the window start time you set. -## Can a customer deploy multiple clusters in Teleport Enterprise Cloud? +To set the window start time select your username in the Web UI, then the Help +& Support option from the drop-down. The Scheduled Upgrades section within that +page allows you to configure the window start time. -[Reach out to sales](https://goteleport.com/signup/enterprise) to discuss pricing. +Teleport recommends subscribing to the Teleport Enterprise Cloud updates at +[status.teleport.sh](https://status.teleport.sh) to keep up to date on +scheduled maintenance. -## Is FIPS mode an option? +### How can I find version information on connected agents? -FIPS is not currently an option for Teleport Enterprise Cloud clusters. +To find the version of Teleport agent is attached to your cluster, run the +following commands for the different protocols we support. + +```code +$ tctl get nodes --format=text +$ tctl get kube_server --format=text +$ tctl get app_server --format=text +$ tctl get db_server --format=text +$ tctl get windows_desktop_service --format=text +``` -## How do you store passwords? +Below you can see sample output of `tctl get nodes --format=text`. Note the +`Version` column will contain the version of the attached agent. -Password hashes are generated using -[Golang's bcrypt](https://pkg.go.dev/golang.org/x/crypto/bcrypt). +```code +$ tctl get nodes --format=text +Host UUID Public Address Labels Version +-------- ------------------------------------ -------------- ------ ---------- +server01 46d8cad0-8967-4815-a01a-77aae62c34fe 127.0.0.1:3022 12.0.0 +server02 c33b5513-a9eb-463b-8f1b-1f209afe5b4f 127.0.0.1:3122 12.0.0 +``` -## How does Teleport manage web certificates? Can I upload my own? +## Architecture and networking -Teleport uses [letsencrypt.org](https://letsencrypt.org/) to issue -certificates for every customer. It is not possible to upload a custom -certificate or use a custom domain name. +### Which Proxy Service ports are open on my Teleport Enterprise Cloud tenant? -## Do you encrypt data at rest? +Teleport Enterprise Cloud allocates a different set of ports to each tenant. To see which +ports are available for your Teleport Enterprise Cloud tenant, run a command similar to the +following, replacing `mytenant.teleport.sh` with your tenant domain: -Each deployment is using at-rest encryption using AWS DynamoDB and S3 at-rest encryption -for customer data including session recordings and user records. +```code +$ curl https://mytenant.teleport.sh/webapi/ping | jq '.proxy' +``` -## Can I get a list of IP addresses to configure a firewall? +The output should resemble the following, including the unique ports assigned to +your tenant: -We do not have plans to offer a list of IP addresses for Teleport Enterprise -Cloud at the moment. +```json +{ + "kube": { + "enabled": true, + "public_addr": "mytenant.teleport.sh:11107", + "listen_addr": "0.0.0.0:3026" + }, + "ssh": { + "listen_addr": "[::]:3023", + "tunnel_listen_addr": "0.0.0.0:3024", + "public_addr": "mytenant.teleport.sh:443", + "ssh_public_addr": "mytenant.teleport.sh:11105", + "ssh_tunnel_public_addr": "mytenant.teleport.sh:11106" + }, + "db": { + "postgres_public_addr": "mytenant.teleport.sh:11109", + "mysql_listen_addr": "0.0.0.0:3036", + "mysql_public_addr": "mytenant.teleport.sh:11108" + }, + "tls_routing_enabled": true +} +``` -Teleport Enterprise Cloud infrastructure is elastic and IP addresses can and do -change when we make infrastructure changes. This would make the maintenance of -IP allowlists a cumbersome and brittle process for customers. +This output also indicates whether TLS routing is enabled for your tenant. When +TLS routing is enabled, connections to a Teleport service (e.g., the Teleport +SSH Service) are routed through the Proxy Service's public web address, rather +than through a port allocated to that service. -However, we do provide customers with a stable tenant DNS name backed with -TLS certificates from [letsencrypt.org](https://letsencrypt.org) that can be -utilized to verify the integrity of any outbound connections to Teleport -Enterprise Cloud. +In this case, you can see that TLS routing is enabled, and that the Proxy +Service's public web address (`ssh.public_addr`) is `mytenant.teleport.sh:443`. -## Can I configure an allowlist of inbound IP addresses to Teleport Enterprise Cloud? +Read more in our [TLS Routing](../../architecture/tls-routing.mdx) guide. -We do not have plans to offer support for inbound connection IP allowlists. +### How does Teleport manage web certificates? Can I upload my own? -We believe mTLS with strong user and [device -identity](../../access-controls/guides/device-trust.mdx) provides the best -available security for client authentication. +Teleport uses [letsencrypt.org](https://letsencrypt.org/) to issue +certificates for every customer. It is not possible to upload a custom +certificate or use a custom domain name. -For customers that require IP-based control for compliance purposes, we do -support IP Pinning. For more information see `pin_source_ip` in our [Teleport -Access Controls Reference](../../access-controls/reference.mdx). +### Where does Teleport Enterprise Cloud run? + +Teleport Enterprise Cloud is deployed within AWS, using S3 and DynamoDB for storage with AWS-managed encryption keys. All data is currently hosted in us-west-2. +Currently there is no option to select an alternative region for storage. -## Is IPv6 Supported for connections to Teleport Enterprise Cloud? +### Are you using AWS-managed encryption keys, or CMKs via KMS? + +We use AWS-managed keys. Currently there is no option to provide your own key. + +### Is this Teleport's S3 bucket, or my bucket based on my AWS credentials? + +It's a Teleport-managed S3 bucket with AWS-managed keys. +Currently there is no way to provide your own bucket. + +### Is IPv6 Supported for connections to Teleport Enterprise Cloud? We don't currently support IPv6 connections to Teleport Enterprise Cloud. -## Can I change the domain name of my Cloud instance after it's been created? +### Can I change the domain name of my Cloud instance after it's been created? We're currently researching whether this can be done, so please contact support at support@goteleport.com. -## Can I retrieve diagnostics from my hosted cluster? +### Is FIPS mode an option? -We currently don't expose any metrics interfaces for a tenant. +FIPS is not currently an option for Teleport Enterprise Cloud clusters. -For our own metrics collection, we're rolling out mTLS, so that only authorized internal clients may collect or scrape metrics from the running instances. -This design does not include a mechanism to issue mTLS certificates to external clients, while maintaining isolation guarantees that one tenant cannot interact with another tenant. -Teleport cloud tenants are made up of a cluster of processes, with designated processes sitting behind a load balancer. To scrape the entire cluster would require each component of -the Teleport cluster to be individually addressable and accessible from external sources. This could allow individual components to be selectively attacked, if an adversary is able to -address traffic to any individual software instance within the cluster. +## Performance and reliability -## Is it possible to enable proxy recording mode? +### Can I use Teleport Enterprise Cloud in production? -Proxy recording mode is disabled for cloud customers +Yes. Large organizations leverage Teleport Enterprise Cloud to manage the vast number of resources in their organization. Teleport Enterprise Cloud is audited regularly to ensure the most reliable and secure service possible is available to our customers. -## Is there a way to download session recordings for easy playback? +### What is the Cloud SLA? -The ability to download recordings for offline viewing will be available in a future release. +Teleport Enterprise Cloud commits to an SLA of (=cloud.sla.monthly_percentage=) of monthly uptime, +a maximum of (=cloud.sla.monthly_downtime=) of downtime per month. While we routinely exceed this SLA, +this number reflects risks in our architecture that we will improve over time. -## Is there a way to forward Teleport Enterprise Cloud audit events to my company's internal Security Information and Event Management (SIEM)? +### Is there a status page available? -Yes. We recommend Teleport's [event handler plugin](../../management/export-audit-events/fluentd.mdx) to export Teleport Enterprise Cloud audit events. +[status.teleport.sh](https://status.teleport.sh) -## What is the maximum number of nodes a customer can connect to their cluster? +### Can I get push notifications of Teleport Enterprise Cloud downtime? -If you plan on connecting more than 10,000 nodes or agents, please contact your account executive or customer support to ensure your tenant is properly scaled. +Yes. Customers can subscribe to Teleport Enterprise Cloud updates at [status.teleport.sh](https://status.teleport.sh). -## Are internal connections encrypted / authenticated? +### Can I retrieve diagnostics from my hosted cluster? -Teleport components communicate with themselves using mTLS, with a separate certificate authority for each tenant. Connections to AWS services, such as DynamoDB and -S3, are established using encryption provided by AWS, both at rest and in transit. Each tenant has its own credentials that isolate it to interacting with only its own data. +We currently don't expose any metrics interfaces for a tenant. -## How can I find version information on connected agents? +For our own metrics collection, we're rolling out mTLS, so that only authorized internal clients may collect or scrape metrics from the running instances. +This design does not include a mechanism to issue mTLS certificates to external clients, while maintaining isolation guarantees that one tenant cannot interact with another tenant. -To find the version of Teleport agent is attached to your cluster, run the -following commands for the different protocols we support. +Teleport cloud tenants are made up of a cluster of processes, with designated processes sitting behind a load balancer. To scrape the entire cluster would require each component of +the Teleport cluster to be individually addressable and accessible from external sources. This could allow individual components to be selectively attacked, if an adversary is able to +address traffic to any individual software instance within the cluster. -```code -$ tctl get nodes --format=text -$ tctl get kube_server --format=text -$ tctl get app_server --format=text -$ tctl get db_server --format=text -$ tctl get windows_desktop_service --format=text -``` +### How do I set up recovery codes for my account so I don't lose access? + +We have a [short step-by-step guide](https://github.com/gravitational/teleport/discussions/12379) on setting up recovery codes. -Below you can see sample output of `tctl get nodes --format=text`. Note the -`Version` column will contain the version of the attached agent. -```code -$ tctl get nodes --format=text -Host UUID Public Address Labels Version --------- ------------------------------------ -------------- ------ ---------- -server01 46d8cad0-8967-4815-a01a-77aae62c34fe 127.0.0.1:3022 12.0.0 -server02 c33b5513-a9eb-463b-8f1b-1f209afe5b4f 127.0.0.1:3122 12.0.0 -```