From 4da1fa9b39da9d2e4e6cad014e8c3e32c566ce74 Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Fri, 11 Oct 2024 13:05:57 -0400 Subject: [PATCH 1/7] docs: update cloud networking on proxy service --- docs/pages/reference/networking.mdx | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/pages/reference/networking.mdx b/docs/pages/reference/networking.mdx index 9ec9a7d923f91..6c457f548adf2 100644 --- a/docs/pages/reference/networking.mdx +++ b/docs/pages/reference/networking.mdx @@ -36,21 +36,21 @@ following use cases: -All Teleport services (e.g., the Application Service and Database Service) have -an optional `public_addr` property that you can modify in each service's -configuration file. The public address can take an IP or a DNS name. It can also -be a list of values: +For Teleport Enterprise Cloud all Teleport services (e.g. Kubernetes Service, +SSH Service,...) connect via reverse tunnels through the Teleport Proxy Service. +The Teleport Proxy Service and Auth Service are provided so no specification +is required for those. This makes the usage of `public_addr` limited to the Application Service. + +In the case of web applications the public address must be a subdomain of the tenant +since the domain and TLS certificates are maintained by Teleport. ```yaml -public_addr: ["service-one.example.com", "service-two.example.com"] +public_addr: "myapp.example.teleport.sh" ``` -Specifying a public address for a Teleport agent may be useful in the -following use cases: +For TCP applications you can specify a fqdn outside of `teleport.sh` in combination +with [VNet](../enroll-resources/application-access/guides/vnet.mdx) since that domain is served via your machine's local network. -- You have multiple identical services behind a load balancer. -- You want Teleport to issue an SSH certificate for the service with additional - principals, e.g., host names. From 76631d1feabd06c84ab7d190e16d08959a759ab9 Mon Sep 17 00:00:00 2001 
From: Steven Martin Date: Tue, 22 Oct 2024 18:30:08 -0400 Subject: [PATCH 2/7] docs: update verbiage for networking Co-authored-by: Paul Gottschling --- docs/pages/reference/networking.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/pages/reference/networking.mdx b/docs/pages/reference/networking.mdx index 6c457f548adf2..f5b9ad96dd1be 100644 --- a/docs/pages/reference/networking.mdx +++ b/docs/pages/reference/networking.mdx @@ -41,14 +41,14 @@ SSH Service,...) connect via reverse tunnels through the Teleport Proxy Service. The Teleport Proxy Service and Auth Service are provided so no specification is required for those. This makes the usage of `public_addr` limited to the Application Service. -In the case of web applications the public address must be a subdomain of the tenant +In the case of web applications the public address must be a subdomain of the Teleport account URL since the domain and TLS certificates are maintained by Teleport. ```yaml public_addr: "myapp.example.teleport.sh" ``` -For TCP applications you can specify a fqdn outside of `teleport.sh` in combination +For TCP applications you can specify a fully qualified domain name outside of `teleport.sh` in combination with [VNet](../enroll-resources/application-access/guides/vnet.mdx) since that domain is served via your machine's local network. From af7ffe59bef92775cd6bd16d6fe3f326aa3f072e Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Tue, 22 Oct 2024 18:38:12 -0400 Subject: [PATCH 3/7] docs: update cloud-hosted public address --- docs/pages/reference/networking.mdx | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/pages/reference/networking.mdx b/docs/pages/reference/networking.mdx index f5b9ad96dd1be..c3fc2ce92e265 100644 --- a/docs/pages/reference/networking.mdx +++ b/docs/pages/reference/networking.mdx 
@@ -36,10 +36,9 @@ following use cases: -For Teleport Enterprise Cloud all Teleport services (e.g. Kubernetes Service, -SSH Service,...) connect via reverse tunnels through the Teleport Proxy Service. -The Teleport Proxy Service and Auth Service are provided so no specification -is required for those. This makes the usage of `public_addr` limited to the Application Service. +For Teleport Enterprise (managed) the domain name and sub-domains +are managed by Teleport for your account. The public address (`public_addr`) +for the Teleport Application services are configurable. In the case of web applications the public address must be a subdomain of the Teleport account URL since the domain and TLS certificates are maintained by Teleport. From 2e38dc79b215cc2102d46ae62e5f218cee727ad7 Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Thu, 24 Oct 2024 16:06:44 -0400 Subject: [PATCH 4/7] docs: update verbiage for app access for networking --- docs/pages/reference/networking.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/pages/reference/networking.mdx b/docs/pages/reference/networking.mdx index c3fc2ce92e265..8642b5fd042c8 100644 --- a/docs/pages/reference/networking.mdx +++ b/docs/pages/reference/networking.mdx 
@@ -36,9 +36,11 @@ following use cases: -For Teleport Enterprise (managed) the domain name and sub-domains -are managed by Teleport for your account. The public address (`public_addr`) -for the Teleport Application services are configurable. +For Teleport Enterprise (managed) you choose the sub-domain of +the domain `teleport.sh` for your account. That fully qualified domain name +(ex: `example.teleport.sh`) are managed by Teleport for your account +along with any sub-domains of it for Teleport Application Service. The public +address (`public_addr`) for the Teleport Application Service is configurable. In the case of web applications the public address must be a subdomain of the Teleport account URL since the domain and TLS certificates are maintained by Teleport. From 63cbfffbf3b5c7376113be88b048f243d4077f99 Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Mon, 28 Oct 2024 14:55:28 -0400 Subject: [PATCH 5/7] docs: update verbiage for public address for networks with cloud Co-authored-by: Paul Gottschling --- docs/pages/reference/networking.mdx | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/pages/reference/networking.mdx b/docs/pages/reference/networking.mdx index 8642b5fd042c8..41f68ef557f0d 100644 --- a/docs/pages/reference/networking.mdx +++ b/docs/pages/reference/networking.mdx 
@@ -36,13 +36,12 @@ following use cases: -For Teleport Enterprise (managed) you choose the sub-domain of +On Teleport Enterprise (Cloud), you can choose the sub-domain of the domain `teleport.sh` for your account. That fully qualified domain name -(ex: `example.teleport.sh`) are managed by Teleport for your account -along with any sub-domains of it for Teleport Application Service. The public -address (`public_addr`) for the Teleport Application Service is configurable. +(e.g., `example.teleport.sh`) is managed by Teleport for your account +along with any sub-domains assigned to Teleport-protected applications (e.g., `grafana.example.teleport.sh`). -In the case of web applications the public address must be a subdomain of the Teleport account URL +The public address (`public_addr`) for the Teleport Application Service is configurable. In the case of web applications, the public address must be a subdomain of the Teleport account URL since the domain and TLS certificates are maintained by Teleport. ```yaml From 7b7052f7939c2269514f3011ac70b8e041841d9b Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Tue, 29 Oct 2024 06:32:09 -0400 Subject: [PATCH 6/7] docs: clarify app configuration --- docs/pages/reference/networking.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/pages/reference/networking.mdx b/docs/pages/reference/networking.mdx index 41f68ef557f0d..ecf5160444888 100644 --- a/docs/pages/reference/networking.mdx +++ b/docs/pages/reference/networking.mdx 
@@ -41,7 +41,8 @@ the domain `teleport.sh` for your account. That fully qualified domain name (e.g., `example.teleport.sh`) is managed by Teleport for your account along with any sub-domains assigned to Teleport-protected applications (e.g., `grafana.example.teleport.sh`). -The public address (`public_addr`) for the Teleport Application Service is configurable. In the case of web applications, the public address must be a subdomain of the Teleport account URL +The public address (`public_addr`) for an application in the Teleport Application Service is configurable. +In the case of web applications, the public address must be a subdomain of the Teleport account URL since the domain and TLS certificates are maintained by Teleport. ```yaml From 3c3b8378aa66facdf7004868fa2b9924a8d534a1 Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Tue, 29 Oct 2024 14:40:25 -0400 Subject: [PATCH 7/7] docs: update cloud-hosted explanation for public address --- docs/pages/reference/networking.mdx | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/docs/pages/reference/networking.mdx b/docs/pages/reference/networking.mdx index ecf5160444888..ffd3c64a1aeef 100644 --- a/docs/pages/reference/networking.mdx +++ b/docs/pages/reference/networking.mdx 
@@ -36,21 +36,8 @@ following use cases: -On Teleport Enterprise (Cloud), you can choose the sub-domain of -the domain `teleport.sh` for your account. That fully qualified domain name -(e.g., `example.teleport.sh`) is managed by Teleport for your account -along with any sub-domains assigned to Teleport-protected applications (e.g., `grafana.example.teleport.sh`). - -The public address (`public_addr`) for an application in the Teleport Application Service is configurable. -In the case of web applications, the public address must be a subdomain of the Teleport account URL -since the domain and TLS certificates are maintained by Teleport. - -```yaml -public_addr: "myapp.example.teleport.sh" -``` - -For TCP applications you can specify a fully qualified domain name outside of `teleport.sh` in combination -with [VNet](../enroll-resources/application-access/guides/vnet.mdx) since that domain is served via your machine's local network. +On Teleport Enterprise (Cloud) the Teleport agent services always +connect using reverse tunnels so there is no need to set a public address for a agent.
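Review bot: in PATCH 1/7 the added paragraph is scoped to Teleport Enterprise Cloud, yet it replaces the general description of `public_addr` instead of sitting beside it, so the list form (`public_addr: ["service-one.example.com", "service-two.example.com"]`) and both use cases (identical services behind a load balancer, extra SSH certificate principals) disappear from the page. If this part of networking.mdx is also read by self-hosted users, keep the removed text under a self-hosted scope and add the Cloud paragraph as its own scoped block. In the same hunk, "(e.g. Kubernetes Service, SSH Service,...)" would read better as "(e.g., the Kubernetes Service and SSH Service)", matching the "e.g.," style of the text it replaces.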
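Review bot: in PATCH 2/7 the new wording "must be a subdomain of the Teleport account URL" names a URL where a domain is meant; a subdomain belongs to a domain name, and the reason given on the next line ("since the domain and TLS certificates are maintained by Teleport") is about the domain. Suggest "must be a subdomain of your Teleport account domain (e.g., `example.teleport.sh`)", which also ties the sentence to the `myapp.example.teleport.sh` example that follows it.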
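Review bot: in PATCH 3/7 the added lines drop the explanation that services "connect via reverse tunnels through the Teleport Proxy Service", which was the stated reason `public_addr` is only relevant to the Application Service; without it the reader no longer learns why the other services need no public address. Suggest keeping one sentence on the reverse tunnel. The added text also renames the product to "Teleport Enterprise (managed)" where the lines it replaces say "Teleport Enterprise Cloud", and "for the Teleport Application services are configurable" has a subject/verb mismatch ("The public address ... is configurable").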
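Review bot: in PATCH 5/7 the added lines spell the same term two ways, "sub-domain" / "sub-domains" in the first paragraph and "subdomain" in "must be a subdomain of the Teleport account URL". Pick one spelling (the unhyphenated "subdomain" is already used in the unchanged sentence) and apply it throughout the hunk. The long line starting "The public address (`public_addr`) for the Teleport Application Service is configurable." should also be wrapped like the lines around it.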
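Review bot: in PATCH 7/7 the replacement sentence ends "for a agent", which should be "for an agent", and it covers agent connectivity only while the hunk deletes everything about an application's `public_addr`: the rule that a web application's address must be a subdomain of the account URL, the note that the domain and TLS certificates are maintained by Teleport, the `myapp.example.teleport.sh` example, and the VNet link for TCP applications. If that guidance now lives on another page, link to it from here; otherwise keep at least the subdomain and TLS sentence, since a reader configuring an application on Cloud still needs to know which names are valid. A comma before "so" ("reverse tunnels, so there is no need") would also help the sentence read cleanly.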