Nodes

Last modified on November 30, 2023

Overview

Nodes are gateways and relays.

Gateways serve as the primary entry point to a StrongDM network. Gateways have an assigned IP address and optional DNS entry.

Relays, much like gateways, are how the StrongDM network connects with resources such as databases and servers. Unlike a gateway, the relay does not listen for client connections. When might this be helpful? For a secure network where you are not able to expose ports, the StrongDM relay is the answer. The relay dials out to connect to your gateways, preserving the egress-only nature of your firewall, but allowing your StrongDM clients to reach any configured resources in the network via those connections.

Gateways

Gateways serve as the primary entry point to a StrongDM network. Therefore, each gateway must be assigned an address that is accessible to your users. They can be deployed with a Domain Name System (DNS) entry or sit privately on the corporate network behind a Virtual Private Network (VPN). You can also assign an IP address directly if you prefer not to use DNS or a VPN. You need at least one gateway to connect to resources, but we recommend running them in pairs.

StrongDM gateways are usually exposed directly to the internet. In the case of a flat network, the gateway talks to the target systems on the corporate network. On a segmented network with no ingress, however, resources such as databases and servers may not be publicly accessible. If you wish to extend your StrongDM network into a more secure network or subnet, you may deploy a relay behind your firewall to route traffic and allow egress-only connections to secured resources.

StrongDM Network Architecture
StrongDM Network Architecture

Gateways are essentially relays with an assigned IP address and optional DNS entry. Both gateways and relays also decrypt end-user credentials and deconstruct requests for auditing purposes.

When clients connect to the StrongDM network, they request a list of available gateways. StrongDM determines the most suitable route and sends all connections through one or more of these gateways. From the point of view of a resource, such as a database or server, all traffic originates from any relay or gateway with access to the resource.

Gateway settings and configurations can be managed in the Admin UI from Network > Gateways. On the Gateways page, you can add new gateways and view the status and details of existing gateways.

Add a gateway

  1. Log in to the Admin UI.

  2. Go to Network > Gateways.

  3. Click Add gateway. You can rename the gateway here or modify it later. Advertised host is the IP address or host that the gateway listens on. The Advertised port (default 5000) is the port that the service listens on.

    Add a New Gateway
    Add a New Gateway
  4. Click Advanced to add a Bind IP or a Bind Port.

    Add Advanced Bind Settings
    Add Advanced Bind Settings
  5. Click Create gateway and the gateway token appears in a modal. Copy the gateway token and save it for use in a later step.

    Gateway Token
    Gateway Token
  6. Set up a 64-bit Linux instance to run the gateway. Machines should have at least 2 CPUs and 4 GB of memory. If the instance is using SELinux, you need to disable SELinux to install the gateway.

  7. Log in to the gateway instance. Then download the StrongDM binary:

    curl -J -O -L https://app.strongdm.com/releases/cli/linux
    
  8. Unzip the binary:

    unzip sdmcli_VERSION_NUMBER_linux_amd64.zip
    
  9. Run the installer:

    sudo ./sdm install --relay
    
  10. When you are prompted for the gateway token you created in Step 5, paste it into the terminal. Press enter. For security purposes, the token does not display in the terminal.

  11. Log in to the Admin UI and go to Network > Gateways. The gateway you created appears online and healthy. You may need to hard refresh the page.

  12. Confirm your gateway creation was successful by verifying that the LISTENADDR is accessible from the appropriate end user network, as in the following example.

    telnet 10.0.50.17 5000
    Trying 10.0.50.17...
    Connected to 10.0.50.17
    Escape character is '^]'
    
  13. Repeat this process to create a second gateway if you wish.

Relays

As with gateways, StrongDM uses relays to connect with network resources such as databases and servers. However, relays do not listen for client connections. They can be deployed behind your firewall when internal subnets do not allow ingress, and you are not able to expose ports publicly.

Relays create a reverse tunnel to form connections to the gateway. With this action, they preserve the egress-only nature of your firewall and allow your users to reach any configured resources in the network via the desktop app.

StrongDM Network Architecture
StrongDM Network Architecture

When clients connect to the StrongDM network, they request a list of available gateways. StrongDM determines the most suitable route and sends all connections through one or more of these gateways. From the point of view of a resource, such as a database or server, all traffic originates from any relay or gateway with access to the resource.

The relay component can be deployed as a native Linux service, Docker container, or Kubernetes container. For more, check the Download & Install page in the Admin UI.

Relay settings and configurations can be managed in the Admin UI from Network > Relays. On the Relays page, you can add new relays and view the status and details of existing relays.

Relay use cases

How do you know when to deploy a relay instead of a gateway? You may wish to use a relay if your organization has sensitive resources or if you want to isolate certain parts of the network in order to further protect them.

Relays are typically used if the organization has any of the following:

  • Sensitive internal website resources (data science tools, CI/CD, internal repositories, and so forth)
  • Sensitive databases with network compliance requirements
  • Sensitive servers with network compliance requirements
  • Segmented networks for Protected Health Information (PHI), Personally Identifiable Information (PII), or other sensitive data, with separate VPCs with additional compliance requirements

Add a relay

Add a relay to generate a relay token.

New Relay
New Relay
  1. Log into the Admin UI.
  2. Go to Network > Relays.
  3. Click the Add relay button.
  4. In the modal that appears, you can rename the relay, or you can do it later.
  5. Click Create relay and the relay token appears.
    New Relay
    New Relay
  6. Copy the relay token and save it for use in a later step.
  7. Set up a 64-bit Linux instance to run the relay. Machines should have at least 2 CPUs and 4 GB of memory. If the instance is using SELinux you need to disable SELinux to install the relay.
  8. Log in to the relay instance and download the StrongDM binary: curl -J -O -L https://app.strongdm.com/releases/cli/linux
  9. Unzip it: unzip sdmcli_*_linux_amd64.zip
  10. Run the installer: sudo ./sdm install --relay
  1. When prompted for the relay token you created in Step 5, paste it into the terminal and press enter. For security purposes you will not see the token on the screen.
  2. Log in to the Admin UI and the relay you created should now appear as online, with a heartbeat. You may need to hard refresh the page.
  3. Repeat this process to create a second relay if you wish. We recommend running them in pairs for high availability.
  4. To allow access to and from resources and StrongDM, make sure that relay egress requirements are met.

Relay egress requirements

Although relays are intended to be unreachable from outside traffic sources, they must be able to successfully send traffic to several destinations in order to function correctly. Specifically, they must meet the following minimal egress requirements:

  • app.strongdm.com (which resolves to multiple IP addresses) and app.strongdm.com:443 for communication with StrongDM API servers
  • downloads.strongdm.com:433 (which resolves to multiple IP addresses) for downloading updates
  • Gateway(s) in your StrongDM organization
  • checkip.amazonaws.com:443 to obtain the IP address for the relay

Node Management in the Admin UI

The Gateways and Relays pages of the Admin UI list the gateways and relays that have been configured for your organization. On these pages, you may search and filter on gateways and relays, view status, and get more details about them.

Search filters

You can use search filters to search for specific nodes and display them according to their name, status, listen address, or bind address.

To use filters, type or copy/paste the following filters into the Search field, with or without other text. Do not use quotes or tick marks.

FilterDescriptionExample search
bindaddr:<IP_ADDRESS>Shows gateways or relays with the specified bind addressbindaddr:0.0.0.0:5000 finds gateways or relays that have a bind address of 0.0.0.0:5000.
listenaddr:<IP_ADDRESS>Shows gateways or relays with the specified listen addresslistenaddr:10.0.0.021:5000 finds gateways or relays that have a listen address of 10.0.0.021:5000.
name:<PARTIAL_STRING> or any free-form textShows gateways or relays with names that match the entered string; partial string OKname:keen-coffee or coffee finds all gateways or relays whose names contain those characters.
status:<BOOLEAN>Shows gateways or relays that are online (true) or offline (false)status:false finds all offline gateways or relays.

View status

In addition to the node name and heartbeat, you can see a node’s current status (for example, “online”).

The possible statuses for nodes are shown in the following table.

StatusDescriptionNode type
awaiting restartGateway or relay is waiting to enter a restart window to execute a planned restartGateway, relay
deadGateway or relay is offline or not able to reach the StrongDM APIGateway, relay
isolatedRelay cannot dial or successfully handshake an authentication with any gateways; isolated relays may successfully healthcheck resources, but their routes will be unavailable for use by users, as there is no way for the user to hop from a gateway to an isolated relayRelay
new gatewayGateway has been created but has not been started or has never accessed the StrongDM APIGateway
new relayRelay has been created but has not been started or has never accessed the StrongDM APIRelay
onlineGateway or relay is able to reach out to both the StrongDM API and at least one gateway and can serve client connectionsGateway, relay
restartingGateway or relay has shut down for a planned restartGateway, relay
verifying restartGateway or relay has come online once and is awaiting coming back online after an initial restartGateway, relay

Maintenance Windows

See the Maintenance Windows for information about how to schedule a maintenance window for gateways and relays.

Install Your Gateway

The first step to deploy StrongDM is deciding where to host your StrongDM gateways. This is not a final decision; you can change your gateway or add additional gateways at any time. Check out the following guides for installation of a gateway on various tech stacks:

You can find resources and information about the following StrongDM topics in this section: