Forwards ssh to instances.

DNS names:

- `teleport.xdrtest.accenturefederalcyber.com` - ALB for the web interface
- `teleport-nlb.xdrtest.accenturefederalcyber.com` - the NLB
- `teleport.pvt.xdrtest.accenturefederalcyber.com` - the instance
- `teleport-alb.pvt.accenturefederalcyber.com` - the internal ALB

S3 bucket: `teleport-test` (how was this not taken?)

DynamoDB tables: `teleport`, `teleport-events`, `teleport-locks`

And appropriate IAM roles and a supporting KMS key.
There are two connection models.

For nodes (endpoints) with direct connectivity back to the teleport node, their `/etc/teleport.yaml` contains:

```yaml
auth_servers:
- teleport.pvt.xdrtest.accenturefederalcyber.com:3025
```

The node makes a connection back to the teleport server on tcp/3025. Connections then go from the teleport server to the node on port 3022, i.e.:

```
Node -> Teleport Instance:3025 (registration)
Teleport -> Node:3022 (ssh tunnel)
```

The other model is the IoT model, for use behind NAT. For those, the node will have:

```yaml
auth_servers:
- teleport.xdrtest.accenturefederalcyber.com:443 # or 3080
```

The teleport server will then send it the tunnel address:

```yaml
tunnel_public_addr: teleport-nlb.xdrtest.accenturefederalcyber.com:3024
```

which will then be used for a reverse ssh tunnel, i.e.:

```
Node -> Teleport ALB:443 (registration)
Node -> Teleport NLB:3024 (Reverse SSH Tunnel)
```
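As an added example (not part of this README or the Teleport project), a small Python check that reads a node's `/etc/teleport.yaml`, decides from the `auth_servers` port which of the two models above the node is using, and lists the flows a firewall has to permit. The port-to-model mapping (3025 = direct, 443/3080 = IoT, 3022 and 3024 as the return paths) is taken from the descriptions above, and the parser is hand-rolled for just the two keys discussed here rather than a full YAML parser.

```python
"""Classify a Teleport node's connection model from its teleport.yaml and
list the network flows to allow. Added example, not the README's own code;
only understands the auth_servers list and tunnel_public_addr key."""
import re

DIRECT_PORTS = {"3025"}        # node registers straight with the auth service
IOT_PORTS = {"443", "3080"}    # node registers via the proxy/ALB (behind NAT)
TUNNEL_PORT = "3024"           # reverse-tunnel port on the NLB
NODE_SSH_PORT = "3022"         # port the teleport server dials in the direct model

def parse_node_config(text):
    """Return (auth_servers list, tunnel_public_addr or None) from yaml text."""
    auth_servers, tunnel_addr, in_list = [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        key_match = re.match(r"\s*(\w+):\s*(.*)$", line)
        if key_match and key_match.group(1) == "auth_servers":
            in_list = True                      # following "- host:port" lines
            continue
        if in_list and line.lstrip().startswith("- "):
            auth_servers.append(line.lstrip()[2:].strip())
            continue
        in_list = False                         # any other line ends the list
        if key_match and key_match.group(1) == "tunnel_public_addr":
            tunnel_addr = key_match.group(2).strip()
    return auth_servers, tunnel_addr

def required_flows(text):
    """Return (model, [(src, dst, port), ...]) for the node config given."""
    auth_servers, tunnel_addr = parse_node_config(text)
    if not auth_servers:
        raise ValueError("no auth_servers entry found")
    host, _, port = auth_servers[0].rpartition(":")
    if port in DIRECT_PORTS:   # node dials out on 3025, server dials back on 3022
        return "direct", [("node", host, port), ("teleport", "node", NODE_SSH_PORT)]
    if port in IOT_PORTS:      # node dials out on 443/3080 and again on 3024
        tunnel_host = tunnel_addr.rpartition(":")[0] if tunnel_addr else "<advertised>"
        return "iot", [("node", host, port), ("node", tunnel_host, TUNNEL_PORT)]
    raise ValueError(f"unrecognised auth_servers port {port!r}")

# Constructed sample configs mirroring the two snippets in the README.
DIRECT_CFG = "auth_servers:\n- teleport.pvt.xdrtest.accenturefederalcyber.com:3025\n"
IOT_CFG = ("auth_servers:\n- teleport.xdrtest.accenturefederalcyber.com:443 # or 3080\n"
           "tunnel_public_addr: teleport-nlb.xdrtest.accenturefederalcyber.com:3024\n")

if __name__ == "__main__":
    print(required_flows(DIRECT_CFG), required_flows(IOT_CFG), sep="\n")
```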