Create a relay when you need access to a network segment where direct ingress is not possible or desirable.
A Relay creates connectivity to your datasources, while maintaining the egress-only nature of your firewall. Relays are the only things that can speak to your databases, mediating the connection between them and the SDM public relay pool (or your Gateways). Relays use a statically-compiled binary, optionally wrapped in a Docker container.
To create redundancy, you should deploy two relays (per firewalled/VPC region).
strongDM relays can be configured in two modes: gateway and standard. If you will be using gateways, you can follow the Gateway Guide instead.
Note: If you will be deploying your relay in a Docker container, please follow the steps in the Docker Relay Guide.
When installing a relay or gateway, do not use the root user. Please use an ordinary privileged user and leverage sudo.
Generate a relay token. Log in to the Admin UI and select Relays on the left navigation bar. Click on the add relay button in the upper right, and a box will pop up. You can rename the relay here, or do it later. Click on create and the relay token will appear onscreen.
Copy the relay token and put it aside, being careful to capture every character. You will need it again in step eight.
Alternatively, run sdm relay create to generate a token via the CLI.
Set up a 64-bit Linux instance that will run the relay. If you have two relays, you need two instances. Machines should have at least 2 CPUs and 4 GB of memory.
Turn SELinux off if it is running.
Log in to the relay instance and download the SDM binary:
$ curl -J -O -L https://app.strongdm.com/releases/cli/linux
$ unzip sdmcli_VERSION_NUMBER_linux_amd64.zip
Install the relay:
$ sudo ./sdm install --relay
Note: The installer must be run by a user that exists in the /etc/passwd file. Any users remotely authenticated, such as with LDAP or an SSO service, may fail to complete the installation.
You will be prompted for the relay token you created in Step 1. Paste it in. It will not echo back to you for security purposes.
Turn SELinux on if you disabled it in step three.
Log in to the Admin UI and do a hard refresh. The Relays section will appear on the left-hand navigation. In that section, the relay you created should appear Online, with a heartbeat.
Add a datasource using the internal IP address that the relay can access.
Once added, you should see its name populate under the ‘Datasources Served’ section of each Relay that is serving it. (Another hard refresh might be required.)
If you have multiple relays to create, follow steps 1 - 8 for each relay.
If any errors occur, please copy them into an email and send to email@example.com.
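The host requirements in the steps above (64-bit Linux, at least 2 CPUs and 4 GB of memory, a non-root installer account that exists in /etc/passwd) can be checked before running the installer. The script below is an added example, not part of strongDM's documentation or tooling; the function names and the 3.5 GiB memory floor are assumptions made for this example.

```shell
#!/bin/sh
# Pre-flight checks for a relay host (added example, not strongDM tooling).

# local_user_ok USER PASSWD_FILE
# Succeeds only if USER is defined in the local passwd file with a non-zero UID.
# The file is read directly because getent would also return LDAP/SSO accounts.
local_user_ok() {
    awk -F: -v u="$1" '$1 == u && $3 != 0 { ok = 1 } END { exit !ok }' "$2"
}

# sizing_ok BITS CPUS MEM_KB
# 64-bit, at least 2 CPUs, about 4 GB of memory. The floor is 3.5 GiB because
# MemTotal on a "4 GB" instance is below 4194304 kB (assumed threshold).
sizing_ok() {
    [ "$1" -eq 64 ] && [ "$2" -ge 2 ] && [ "$3" -ge 3670016 ]
}

# selinux_state: prints Enforcing, Permissive or Disabled, or "absent".
selinux_state() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo absent; fi
}

# preflight: checks the current host and user; returns non-zero on any failure.
preflight() {
    user=$(id -un)
    bits=$(getconf LONG_BIT 2>/dev/null || echo 0)
    cpus=$(nproc 2>/dev/null || echo 0)
    mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo 2>/dev/null)
    rc=0
    local_user_ok "$user" /etc/passwd ||
        { echo "FAIL: use a non-root user listed in /etc/passwd (got: $user)"; rc=1; }
    sizing_ok "$bits" "$cpus" "${mem_kb:-0}" ||
        { echo "FAIL: need 64-bit, 2+ CPUs, 4 GB (got: $bits-bit, $cpus CPUs, ${mem_kb:-0} kB)"; rc=1; }
    echo "INFO: SELinux is $(selinux_state)"
    return "$rc"
}

if preflight; then
    echo "Host is ready for: sudo ./sdm install --relay"
else
    echo "Fix the items above before installing."
fi
```

Run it as the account that will perform the install, without sudo, so the user check reflects the real installer identity.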