Proxy Clusters Migration

Last modified on March 25, 2025

Migration Considerations

When you create a plan to migrate your StrongDM deployment from active networking using gateways and relays to proxy clusters, here are a few things to consider:

  • Ensure your clients can reach the load balancer that you intend to use for the proxy cluster.
  • Determine whether a bridged cluster is necessary. Bridged clusters are useful for the same situations where relays were often used in active networking deployments. If you need to provide access to resources that are inside an egress-only subnet, bridged proxy clusters are the way to accomplish this.
  • When a resource is assigned to a proxy cluster, active client connections to that resource through gateways and relays are not disrupted. Only new connections route through the proxy cluster.

Migration from explicit routing

For users of explicit routing:

Do not remove resources from peering groups, if any, until after you’ve migrated and are satisfied with the proxy cluster setup. If a reversion is necessary, leaving the resources in peering groups would make that significantly easier.

Migration Process

  1. Create a network segmentation plan.
    1. What various proxy clusters does your organization need? This can be determined by access needs, security requirements, geographical locations, and other concerns.
    2. Map existing resources to the planned proxy clusters.
    3. Consider the amount of proxy workers needed for each cluster, based on the number of resources, and more importantly, the amount of anticipated traffic. Consider deploying at least two workers to every cluster, behind a load balancer, for high availability, as discussed in the Proxy Clusters page.
    4. Consider which proxy clusters will need to be bridged clusters.
  2. Set up proxy cluster for a test network segment first. See the Proxy Clusters guide for more detail.
  3. Ensure that it all works as expected prior to rolling out deployment.
  4. Verify that the test cluster is healthy.
  5. Add test resources to the cluster for your test segment. Ensure the test resources can be connected to directly prior to adding them to the cluster.
  6. Once the test resources are added to the cluster, grant your user the ability to connect to the resource(s) using roles, and test connecting to the resource.
  7. After the first cluster is set up satisfactorily, add each resource that you want included in this proxy cluster, one by one. Then, repeat this setup process with additional proxy clusters, until your planned migration is complete.

If all testing goes well, this procedure can be followed for each planned segment until all planned segments are up and running, or automate the creation of your clusters and registration of resources by creating Terraform plans or CLI automations.