Networking

StrongDM networking involves deciding how your network is or will be laid out, deploying StrongDM proxy services, and grouping them with resources to provide the best experience for your network administrators and end users.

Available StrongDM Proxy Types

All of the following StrongDM proxy types rely on a proxy service that runs on your infrastructure, interacts with StrongDM, and proxies user connections to resources.

Proxy clusters

A StrongDM proxy cluster comprises one or more proxy workers. A proxy worker is a process that mediates connectivity between clients and resources.

When a client connects to a StrongDM resource, it looks up which proxy cluster the resource belongs to and uses that cluster to connect. One of the proxy workers in the cluster parses and logs the request; fetches, decrypts, and injects credentials as necessary; and forwards the connection to the resource. Proxy clusters allow your resources and infrastructure to be segmented as you wish, and they allow your proxy infrastructure to scale with your organizational growth or increased traffic. Unlike active networking, proxy clusters require clients to be able to reach each proxy cluster (or bridged proxy cluster) that they might need to interact with, which is not particularly conducive to hub-and-spoke networking.

A bridged proxy cluster is also available for bridging traffic into private subnets.

Active networking

In active networking, which is currently the default method of routing traffic in StrongDM, organizations stand up nodes (gateways and relays) to proxy client traffic to resources. All gateways interact with all other gateways, and gateways can connect to all resources that are not in private subnets. All relays within private subnets can reach out to the resources in that subnet as well as to all gateways. This type of networking cannot be used behind load balancers and is less efficient at routing traffic. However, it can be used in a hub-and-spoke layout, where clients direct their connections at a central set of gateways that are available to them according to your network security rules, and traffic is then routed to other gateways or relays that the client does not need to be allowed to reach directly.
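The client-side firewall consequence of the proxy cluster and active networking models described above, as an added planning sketch (not StrongDM code or its API): it derives which proxy endpoints a client must reach directly under each model. All names and the topology are constructed, and the private-subnet check assumes a relay must sit in the same subnet as the resource it serves.

```python
# Constructed topology for illustration only; every name here is hypothetical.
RESOURCE_CLUSTER = {          # proxy-cluster model: resource -> owning cluster
    "pg-orders": "cluster-us-east",
    "ssh-build": "cluster-us-east",
    "mysql-crm": "cluster-eu-west",
    "k8s-lab": "bridged-cluster-lab",
}
HUB_GATEWAYS = {"gw-hub-1", "gw-hub-2"}   # gateways your rules expose to clients
RESOURCE_SUBNET = {           # active networking: resource -> subnet
    "pg-orders": "public",
    "ssh-build": "public",
    "mysql-crm": "public",
    "k8s-lab": "private-lab",
}
RELAYS = {"relay-lab-1": "private-lab"}   # relay -> private subnet it runs in


def proxy_cluster_egress(needed):
    """Endpoints the client must reach directly with proxy clusters:
    one per cluster that owns any resource the client needs."""
    return {RESOURCE_CLUSTER[r] for r in needed}


def active_networking_egress(needed, relays=RELAYS):
    """Hub-and-spoke active networking: the client only reaches the hub
    gateways. Returns (egress set, resources with no path). A resource in a
    private subnet has no path unless a relay runs in that same subnet."""
    relay_subnets = set(relays.values())
    unreachable = {
        r for r in needed
        if RESOURCE_SUBNET[r] != "public"
        and RESOURCE_SUBNET[r] not in relay_subnets
    }
    return set(HUB_GATEWAYS), unreachable


if __name__ == "__main__":
    needed = ["pg-orders", "mysql-crm", "k8s-lab"]
    print("proxy clusters, client must reach:",
          sorted(proxy_cluster_egress(needed)))
    egress, missing = active_networking_egress(needed)
    print("active networking, client must reach:", sorted(egress))
    print("resources with no relay path:", sorted(missing))
```

With proxy clusters the client allowlist grows with the number of clusters that own needed resources, while in the hub-and-spoke layout it stays fixed at the hub gateways.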

Explicit routing

Explicit routing, using peering groups, is a way to segment your network into groups (peering groups) that can interact with other groups. Each group contains nodes (gateways and relays) and, potentially, resources. This method of network deployment allows for more directed traffic and for directed networking decisions, such as allowing multiple peering groups that contain resources to accept traffic from one ingress peering group. Explicit routing cannot be managed in the Admin UI.

Docker

StrongDM provides Docker images for both the containerized client and the containerized relay.
