Deployment Automation
Twingate Connectors run in a linux/amd64 Docker container, which makes them widely compatible with a range of deployment methods and environments. The information below will help you automate their deployment.
Full Automation: Terraform Provider
If your organization uses Terraform to manage your infrastructure as code, you can use Twingate’s Terraform provider to automatically provision Connectors, along with other Twingate constructs such as Resources and Remote Networks. Please see the documentation for more details.
Deployment Automation Alternatives
Twingate Admin API
Twingate’s Admin API provides programmatic control over most admin functions, which you can use to automate the configuration of your Twingate Network.
The API can also be used specifically to provision Connectors and new tokens programmatically.
Semi-automated approach
If you do not use Terraform, or do not wish to use the API, you may retrieve tokens using the “Manual” Connector deployment option in the Admin Console. Note that Connector tokens are unique to a specific Connector and cannot be reused for multiple Connectors.
Therefore, in order to incorporate Connectors into a semi-automated process, keep the following in mind:
- You must continue to provision new Connectors through the Admin Console or through the Twingate API.
- Use the environment variables generated for that specific Connector.
- The configuration variable for a single Connector cannot be re-used for additional Connectors.
Connector deployment parameters
If you are deploying Connectors and using manual token generation as described in the previous section, the following information will help deploy Connectors successfully.
Connector image source:
- The Connector image is public and hosted on Docker Hub. You can use an image registry address of docker.io with the image name twingate/connector and image tag latest.
Fixed deployment parameters:
- TWINGATE_NETWORK should be the subdomain of your Twingate account (e.g. acme if your account is at https://acme.twingate.com).
- The Docker parameter --restart=unless-stopped is used to ensure that the Connector container is always automatically restarted unless explicitly stopped. The equivalent setting should be used in any other container environment.
Connector-specific deployment parameters are:
- TWINGATE_ACCESS_TOKEN is an authentication token specific to the Connector being deployed. This should be treated as a secret and never checked into source control.
- TWINGATE_REFRESH_TOKEN is an authentication refresh token specific to the Connector being deployed. This should similarly be treated as a secret.
- The Docker parameter --name is used to identify the Connector in your container management system. You can use any name here, but it is probably most helpful to ensure that it matches the auto-generated name in the Admin Console.
- (Optional) DNS_SERVER is an optional parameter that specifies what DNS server the Connector should use to resolve Resources. If this is a private DNS server, it must be accessible from the Connector host.
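One way to apply the parameters above in a semi-automated Docker deployment, as an added example that is not part of Twingate's documentation or tooling: the script checks a per-Connector env file before starting the container. The function names, the env file layout and the DOCKER override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Twingate tooling). Assumes one env file per Connector:
#   TWINGATE_NETWORK=acme
#   TWINGATE_ACCESS_TOKEN=<token from the Admin Console or API>
#   TWINGATE_REFRESH_TOKEN=<token from the Admin Console or API>
#   DNS_SERVER=<optional>
IMAGE="docker.io/twingate/connector:latest"

# check_env_file FILE: return 0 only if FILE is fit to pass to --env-file.
check_env_file() {
    file=$1
    [ -f "$file" ] || { echo "missing env file: $file" >&2; return 1; }
    # Tokens are secrets: refuse files readable by group or others.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        600|400) ;;
        *) echo "$file has mode $mode, expected 600" >&2; return 2 ;;
    esac
    # Every required variable must be present with a non-empty value.
    for var in TWINGATE_NETWORK TWINGATE_ACCESS_TOKEN TWINGATE_REFRESH_TOKEN; do
        grep -Eq "^${var}=.+" "$file" || { echo "$var unset in $file" >&2; return 3; }
    done
    # Refuse a file that git already tracks: the tokens are in source control.
    if git -C "$(dirname "$file")" ls-files --error-unmatch \
            "$(basename "$file")" >/dev/null 2>&1; then
        echo "$file is tracked by git" >&2; return 4
    fi
    return 0
}

# deploy_connector NAME FILE: start one Connector from its own env file.
# DOCKER is a hypothetical override (e.g. DOCKER=echo for a dry run).
deploy_connector() {
    name=$1; envfile=$2
    check_env_file "$envfile" || return $?
    # --env-file keeps the tokens out of argv and shell history.
    ${DOCKER:-docker} run -d --name "$name" --restart=unless-stopped \
        --env-file "$envfile" "$IMAGE"
}

# Usage: sh deploy.sh CONNECTOR_NAME ENV_FILE
if [ $# -eq 2 ]; then
    deploy_connector "$1" "$2"
fi
```

The tokens remain visible in docker inspect output on the Connector host, so access to the Docker socket there should be restricted accordingly.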
Example: Helm Chart
An example of pulling all of the above together for a Helm Chart can be found here: https://github.com/Twingate/helm-charts