Bridged Proxy Cluster
Overview
You can deploy a StrongDM proxy cluster in "bridged" mode to enable access to a high-security internal network that only allows outbound network connections. The bridged proxy cluster has bridge workers outside the internal network and proxy workers inside the network. The proxy workers inside the network make outbound connections to one or more bridge workers running outside the network, which can then forward client traffic back to them.

Just like in a normal proxy cluster, every proxy worker must have access to the same set of resources. Bridge workers do not intelligently route traffic between proxy workers running in different environments. Proxy workers running in separate environments containing separate resources must belong to separate clusters.
To deploy bridge workers, follow the steps to deploy a normal proxy cluster and add the following variable to the bridge workers' environment:
SDM_BRIDGE=local
If you are using the sdm install command, you can use the --bridge flag to set this variable:
./sdm install --worker --bridge local --worker-bind-addr :443 --app-domain {APP_DOMAIN}
This instructs the workers to run in bridge mode. StrongDM recommends running multiple bridge workers behind a load balancer for high availability.
Once the bridge workers are deployed, you can deploy proxy workers inside your sensitive network and configure them to connect to the bridge workers by adding the following environment variable, where the address and port are those of the load balancer in front of the bridge workers:
SDM_BRIDGE=<PROXY_CLUSTER_ADDRESS>:<PORT>
Instead of binding to a local port and listening for incoming traffic, the proxy workers open outbound connections to the load-balanced bridge workers and accept client traffic over those connections. As a result:
You do not need to allow inbound traffic into your sensitive network.
You do not need to deploy a second load balancer inside the network.
Proxy workers can only connect to bridge workers within the same proxy cluster. You cannot mix and match workers between proxy clusters.
We recommend the following best practices when deploying a proxy cluster:
Deploy one proxy cluster in each environment where you host resources.
A proxy cluster should consist of at least two proxy workers behind a load balancer for high availability.
A bridged proxy cluster should consist of at least two proxy workers inside the network and at least two bridge workers behind a load balancer outside it for high availability. The proxy workers themselves do not sit behind a load balancer.
Configure the load balancer to accept connections on port 443 and forward them to the individual proxy workers (or, in a bridged cluster, the bridge workers) on port 8443.
Use a network load balancer to forward TCP traffic directly to the proxy workers without any processing.
If the load balancer supports client IP address preservation, enable it.
Use a DNS domain name to route traffic to the load balancer rather than an IP address.
Proxy Egress Requirements
Workers in a bridged proxy cluster have the same egress requirements as in a normal proxy cluster. In addition, the proxy workers inside the network must be allowed to egress to the bridge workers' load balancer address on the port configured in SDM_BRIDGE.
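The following preflight script is an added example, not StrongDM's own tooling. It ties together the two configuration steps above and the egress requirement: it classifies an SDM_BRIDGE value as bridge mode (the literal local) or proxy mode (HOST:PORT), rejects malformed values before a worker is started with them, warns when the target is an IP literal rather than the load balancer's DNS name, and, from a host inside the sensitive network, confirms that an outbound TCP connection to the bridge load balancer succeeds. All function names, the SDM_PREFLIGHT_OFFLINE switch, and the lb.example.com host are assumptions for illustration; the egress check assumes an nc that accepts -z and -w, falling back to bash's /dev/tcp.

```shell
#!/bin/sh
# Hypothetical preflight for a StrongDM bridged proxy cluster (added example).
# Run on the worker host with SDM_BRIDGE set, e.g.:
#   SDM_BRIDGE=lb.example.com:443 sh preflight.sh

# Split HOST:PORT into SDM_BRIDGE_HOST / SDM_BRIDGE_PORT (last colon wins,
# so a bracketed IPv6 literal keeps its brackets in the host part).
sdm_bridge_split() {
  SDM_BRIDGE_HOST=${1%:*}
  SDM_BRIDGE_PORT=${1##*:}
}

# Classify an SDM_BRIDGE value. Prints "bridge" for the literal "local",
# "proxy" for a well-formed HOST:PORT, "invalid" (exit 1) otherwise.
sdm_bridge_mode() {
  case "$1" in
    local) echo bridge; return 0 ;;
    *:*)
      sdm_bridge_split "$1"
      # Port must be all digits and within 1..65535; host must be non-empty.
      case "$SDM_BRIDGE_PORT" in ''|*[!0-9]*) echo invalid; return 1 ;; esac
      if [ -n "$SDM_BRIDGE_HOST" ] && [ "$SDM_BRIDGE_PORT" -ge 1 ] \
         && [ "$SDM_BRIDGE_PORT" -le 65535 ]; then
        echo proxy; return 0
      fi
      ;;
  esac
  echo invalid; return 1
}

# Exit 0 if the host looks like a DNS name, 1 if it is a bare IPv4 literal
# (the page recommends routing to the load balancer by name, not IP).
sdm_bridge_host_is_name() {
  case "$1" in
    *[!0-9.]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Proxy workers only need outbound connectivity; prove it with one TCP connect
# to the bridge load balancer. Uses nc when present, else bash's /dev/tcp.
sdm_bridge_egress_check() {
  sdm_bridge_split "$1"
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$SDM_BRIDGE_HOST" "$SDM_BRIDGE_PORT"
  else
    bash -c "exec 3<>/dev/tcp/$SDM_BRIDGE_HOST/$SDM_BRIDGE_PORT" 2>/dev/null
  fi
}

# Full preflight: print the role the value selects; for proxy workers, warn on
# IP literals and non-443 ports, then test egress unless SDM_PREFLIGHT_OFFLINE=1
# (assumed switch so the validation part can run without network access).
sdm_bridge_preflight() {
  mode=$(sdm_bridge_mode "$1") || { echo "invalid SDM_BRIDGE value: $1" >&2; return 1; }
  echo "role: $mode"
  [ "$mode" = bridge ] && return 0
  sdm_bridge_split "$1"
  if ! sdm_bridge_host_is_name "$SDM_BRIDGE_HOST"; then
    echo "warning: $SDM_BRIDGE_HOST is an IP literal; use the load balancer's DNS name" >&2
  fi
  [ "$SDM_BRIDGE_PORT" = 443 ] || echo "note: port $SDM_BRIDGE_PORT differs from the recommended 443" >&2
  [ "${SDM_PREFLIGHT_OFFLINE:-0}" = 1 ] && return 0
  if sdm_bridge_egress_check "$1"; then
    echo "egress to $SDM_BRIDGE_HOST:$SDM_BRIDGE_PORT: ok"
  else
    echo "egress to $SDM_BRIDGE_HOST:$SDM_BRIDGE_PORT: FAILED (check outbound firewall rules)" >&2
    return 1
  fi
}

# Run the preflight when SDM_BRIDGE is set in the environment.
if [ -n "${SDM_BRIDGE:-}" ]; then
  sdm_bridge_preflight "$SDM_BRIDGE"
fi
```

Run it once on a bridge worker host (expect role: bridge) and once on a proxy worker host inside the sensitive network (expect role: proxy followed by an egress ok line); a FAILED egress line means the outbound rule toward the bridge load balancer is missing, which is the one inbound-free path the page says must exist.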
Third-party Certificates
Third-party certificates are supported the same as in a normal proxy cluster. You must ensure the relevant environment variables are set on both the bridge workers and proxy workers.