Deployment
Last modified on March 21, 2025
StrongDM deployment generally involves creating nodes in your choice of host environment, adding and managing resources, installing the StrongDM client, and customizing settings to suit the needs of your organization. In this section, you find important information related to organization-wide features and settings, including network ports, resource ports, environment variables, container usage, using the Terraform provider to create common infrastructure configurations, and more.
Available StrongDM Proxy Types
All of the following StrongDM proxy types use the concept of a proxy service that runs on your infrastructure that interacts with StrongDM and proxies user connections to resources.
Proxy clusters
A StrongDM proxy cluster comprises one or more proxy workers. A proxy worker is a process that mediates connectivity between clients and resources.
When a client connects to a StrongDM resource, it looks up which proxy cluster the resource belongs to and uses that cluster to connect. One of the proxy workers in the cluster parses and logs the request; fetches, decrypts, and injects credentials as necessary; and forwards the connection to the resource. Proxy clusters allow your resources and infrastructure to be segmented as you wish, and they allow your proxy infrastructure to scale with your organizational growth or increased traffic. Proxy clusters, when compared to active networking, do require clients to be able to reach out to each proxy cluster (or bridged proxy cluster) that the client might need to interact with. This is not particularly conducive to hub-and-spoke networking.
A bridged proxy cluster also exists to allow bridging of traffic into private subnets.
Active networking
In active networking, which is currently the default method of routing traffic in StrongDM, organizations stand up nodes (gateways and relays) to proxy client traffic to resources. All gateways interact with all gateways, and gateways can connect to all resources that are not in private subnets. All relays within private subnets can reach out to the resources in that subnet as well as to all gateways. This type of networking is not able to be used behind load balancers and is less efficient at routing traffic. However, it can be used in a hub and spoke method, where clients direct their connections at a central set of gateways that are available to them according to your network security rules, and then traffic is routed to other gateways or relays that the client did not need to be allowed to directly make requests to.
Explicit routing
Explicit routing, using peering groups, is a way to segment your network into groups (peering groups) that can interact with other groups. Each group contains nodes (gateways and relays) as well as potentially resources. This method of network deployment allows for more directed traffic, but also allows for directed networking decisions, such as allowing multiple peering groups with resources in them to accept traffic from one ingress peering group. Explicit routing is not able to be managed in the Admin UI.
Docker
StrongDM has Docker images available for both the containerized client as well as the containerized relay.
Local Client Traffic
There are two available options for the routing of traffic locally on client machines. StrongDM, by default, uses a loopback interface, which uses a single local IP with different ports for various resources (and can be expanded to a local IP block). This means that when a user opens their client and connects to a resource, that connection is being routed through a local IP and a preconfigured port that the StrongDM listener is listening for connections on. The other option is Virtual Networking Mode, which uses DNS names to route traffic locally on the client machine rather than specific IPs.
You can also override the ports that clients access resources through, on their local machine, just as you can alter local IPs or DNS names.
Self-Managed Deployments
StrongDM also offers a self-managed deployment model, in which you deploy your own StrongDM instance in a private cloud environment.
Related Topics
You can find resources and information about the following StrongDM topics in this section: