Where to Deploy the StrongDM Proxy

Marc O'Brien
Sr. Customer Support Engineer
2 min read
Last updated on: November 1, 2022

StrongDM's network architecture consists of a client on the user’s workstation, at least one gateway pair that the client communicates with, and optionally a relay pair between the gateways and the datasource the user needs to access. Communication ports need to be opened between the StrongDM API, clients, Gateways, Relays, and Resources. The ideal locations to deploy Gateway and Relay pairs in your environment will depend on the specifics of your network topology. Use your answers to the following questions to guide your network diagram template selection.

Critical Questions

Do you have a single environment (Cloud or On-Prem), or multiple environments (Multi-Cloud, Hybrid)?

  • Single Environment - Do you have resources in public, or private networks that you need to access?

    • Public - We recommend leveraging a pair of Gateways in your public network to serve your public resources. You can download the following example network diagram as a starting point.
      Network Diagram - Gateway Only
    • Private - We recommend leveraging a pair of Gateways in your public network, and a pair of Relays in your private network to serve your public as well as private resources. You can download the following example network diagram as a starting point.
      Network Diagram - Gateway and Relay
  • Multiple Environments - Do you have multiple environments within a single platform, or multiple platforms (Hybrid)?

    • Single Platform - We recommend leveraging a pair of Gateways in your public network, and a pair of Relays in each of your private networks to serve your public as well as private resources across environments. You can download the following example network diagram as a starting point.
      Network Diagram - Multi VPC
    • Multi Platform / Hybrid Cloud - We recommend leveraging a pair of Gateways in each of your public networks, and a pair of Relays in each of your private networks to serve your public as well as private resources across environments and platforms. You can download the following example network diagram as a starting point.
      Hybrid Network Diagram - Multi VPC and OnPrem

Best Practices

  • StrongDM dynamically calculates ideal routes to resources, so you may add and remove nodes easily as you test or grow your StrongDM implementation over time.
  • Gateways and Relays may be deployed with any mix of your preferred methods or platforms. Just ensure you maintain current version updates across your nodes and clients.
  • When deploying Gateways, consider where your users are located. Gateway pairs need to be as close as possible to users, typically in public networks.
  • When deploying Relays, consider where your resources are located. Relay pairs need to be as close as possible to resources, typically in private networks.
  • If you are currently using Jump Boxes, Bastion Hosts, VPNs, etc., consider whether you want to use StrongDM to provide access to those services or to replace them. The locations of existing Jump Boxes, Bastion Hosts, and VPNs are good candidates for Gateway and Relay pairs.
  • Gateways and Relays, regardless of deployment method or platform, should always be deployed in pairs. This assures nodes can balance traffic and complete automatic updates with minimal service interruption.
  • Each Gateway and Relay node requires a unique endpoint rather than a shared Load Balancer. This is required for maintaining stability and session currency.
  • Communication ports need to be opened on clients, as well as between the StrongDM API, clients, Gateways, Relays, and Resources. Please note that some of these peering connections are only required in one direction, but all nodes require outbound access to the StrongDM API.

FAQ

Q: What are the maximum resources per Gateway pair?

A: Nodes on current versions of StrongDM can typically handle up to multiple thousands of users and resources.

Q: How do I monitor my Gateway and Relays?

A: Explore our newly released metrics, in addition to your current monitoring solutions.

Q: Will I need to make security software exceptions for StrongDM?

A: Yes, any security software installed on the workstations that can prevent the SDM client from working or might interrupt traffic will need an exception for the client, as well as network whitelisting of communication ports.

Q: Are there specific IPs on the StrongDM side that need whitelisting?

A: Our API is served by https://app.StrongDM.com, which is a CNAME to an AWS ELB. Because AWS can rotate these IPs, we recommend using a script to periodically look up the addresses and add them to your allow list.
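The following is an added example of the periodic lookup script the answer above suggests; it is not StrongDM's own tooling. It resolves the API hostname, merges the addresses it finds into a one-address-per-line allow-list file, and reports what changed so the firewall can be updated. The file path, the file format, and the decision to keep stale entries by default (a single lookup against an ELB may return only a subset of its current addresses) are assumptions of this example, not statements from the page.

```python
"""Refresh an egress allow list with the current addresses of app.strongdm.com.

Added example (not StrongDM's code). Assumptions:
  * the allow list is a text file, one IPv4/IPv6 address per line, '#' comments;
  * this runs periodically (cron, systemd timer, scheduled task);
  * applying the file to the firewall is site-specific and left to the caller.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Set, Tuple

API_HOSTNAME = "app.strongdm.com"  # host named in the FAQ answer


def resolve_addresses(hostname: str) -> Set[str]:
    """Return every A/AAAA address the hostname currently resolves to (live DNS)."""
    results = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return {sockaddr[0] for _fam, _type, _proto, _canon, sockaddr in results}


def _sorted(addrs: Iterable[str]) -> List[str]:
    """Stable ordering: IPv4 before IPv6, then numeric (mixed versions can't compare directly)."""
    return sorted(addrs, key=lambda a: (ipaddress.ip_address(a).version, ipaddress.ip_address(a)))


def plan_update(current: Iterable[str], resolved: Iterable[str],
                retire_stale: bool = False) -> Tuple[List[str], List[str], List[str]]:
    """Compute (merged_allow_list, added, removed).

    Addresses are normalised through ipaddress so textual variants compare equal.
    Stale entries (in the file but not in this lookup) are kept unless
    retire_stale=True, because one DNS answer may not list every ELB address.
    """
    cur = {str(ipaddress.ip_address(a.strip())) for a in current if a.strip()}
    new = {str(ipaddress.ip_address(a.strip())) for a in resolved if a.strip()}
    added = new - cur
    removed = (cur - new) if retire_stale else set()
    merged = (cur | added) - removed
    return _sorted(merged), _sorted(added), _sorted(removed)


def refresh_allow_list(path: str, resolver: Callable[[str], Set[str]] = resolve_addresses,
                       retire_stale: bool = False) -> Tuple[List[str], List[str]]:
    """Read the allow-list file, merge in the resolver's answer, rewrite it, return (added, removed)."""
    try:
        with open(path) as fh:
            current = [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    except FileNotFoundError:
        current = []  # first run: start from an empty list
    merged, added, removed = plan_update(current, resolver(API_HOSTNAME), retire_stale)
    with open(path, "w") as fh:
        fh.write("# egress allow list for %s (managed by refresh script)\n" % API_HOSTNAME)
        fh.write("\n".join(merged) + "\n")
    return added, removed


if __name__ == "__main__":
    # Offline demonstration with constructed addresses (documentation ranges);
    # for real use call refresh_allow_list(path) so the default live resolver is used.
    demo_resolver = lambda host: {"198.51.100.11", "198.51.100.12", "2001:db8::5"}
    existing = ["198.51.100.10", "198.51.100.11"]
    merged, added, removed = plan_update(existing, demo_resolver(API_HOSTNAME))
    print("allow list:", merged)
    print("added:", added, "removed:", removed)
```

Run it from a scheduler at the interval your change-control process tolerates, then feed the rewritten file to whatever applies egress rules in your environment. Passing `retire_stale=True` tightens the list but risks dropping an address the ELB still uses; if you enable it, keep several consecutive lookups before retiring an entry.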