How StrongDM Works

Last modified on March 24, 2023

Your StrongDM network is made up of several components: the client, node(s), and resource(s).

The client is the StrongDM Desktop application and/or CLI that is installed locally on a machine by a user, who is typically a member of your organization. Users use the client to authenticate to StrongDM, use StrongDM, manage their organization, and/or interact with resources.

StrongDM nodes are gateways and relays. A gateway is the entry point of the client into the rest of your StrongDM network. Responsible for routing your client’s traffic through your other nodes, gateways serve incoming and outgoing traffic. When users authenticate to StrongDM via their client, the client reaches out to a gateway and the gateway checks the user’s permission level, role(s), and access grants before routing the client’s traffic to other nodes and initiating a connection to target resources. Every network must have at least one gateway.

Relays perform the same function as gateways, but for security reasons, they initiate connections with gateways and do not accept incoming traffic directly. Relays first initiate connections with gateways, and only once that connection is established do they accept user traffic from those gateways to route it to resources.

Resources are the final part of your network. Whether you have only one gateway or a complicated network that requires several hops, the same thing happens at the last node before the target resource: the node acquires credentials from StrongDM or from your secret store, and authenticates the client’s traffic with the target resource.

StrongDM Network Architecture
StrongDM Network Architecture

Your network, large or small, comprises routes that are constantly updated to allow for rapid connections. Clients and nodes are software provided by StrongDM, but the hardware you choose to use to host them is up to you. Additionally, in many cases, you can add the resources that you wish to facilitate access to directly to your StrongDM network without making changes to them.

The StrongDM service can provide information on the current user’s role and access grants, and provide the last gateway in the route with information about how to get credentials for the requested resource. Everything happens imperceptibly to the user, so that they can easily interact with resources by simply logging in to StrongDM.

For more information, see our admin, node, and security documentation.