How to Upgrade Connectors Running in AWS/Azure/Docker Containers

If you are running Twingate Connectors as containers in Docker, AWS ECS, or Azure Container Instances, the instructions specific to each environment below cover how to upgrade Connectors. Please keep in mind the best practices for upgrading detailed in Upgrading Connectors to avoid downtime for your users.

See the Linux Docker deployment documentation for more information on deploying the Twingate Connector in a Linux Docker container.

AWS Elastic Container Service (ECS)

In order to upgrade a running ECS Connector service, it needs to be restarted with the “Force new deployment” option selected. You can either do this via the AWS Management Console or with the AWS CLI.

Management Console

Select the name of the running Connector service in your ECS cluster and choose “Update”.
Select the “Force new deployment” option, then “Skip to review”.
Click “Update Service”.

The service will automatically restart and pull the latest image.

Note: If the image tag in the ECS task definition was changed to anything other than 1 or latest then the image that’s pulled may not be the latest. It’s recommended to always pull the latest image when updating a Connector.

AWS CLI

The command below will force a new deployment of your running ECS Service. Note that you need the name of the ECS Service, Cluster name, and AWS region to run the command.

aws ecs update-service --region <REGION> --cluster <CLUSTER_NAME> --service <SERVICE_NAME> --force-new-deployment

Azure Container Instance

You can upgrade any Connectors running as a container instance on Azure with the following CLI command. This will automatically download the latest image. You will need the container name and Resource Group name to run the command.

az container restart --name <CONTAINER_NAME> --resource-group <RESOURCE_GROUP>

Docker

Checking the Connector Version

If you’d like to check the currently running version of a Connector in a Docker container, you can do so using the following command:

docker exec twingate-connector ./connectord --version

In the above example, twingate-connector represents the name of the Connector container.

The latest build version number and other update notes are available in the Connector Release Notes.

Linux: Command line / EC2 / VM

The following command can be used to upgrade running Connectors that have been deployed on a host using the Docker CLI. The script automates:

Pulling the latest Connector image (twingate/connector:1)
Comparing any running containers to the latest image
Stopping any out of date containers, deleting them, and restarting them with the same environment variables and the latest image

curl -s https://binaries.twingate.com/connector/docker-upgrade.sh | sudo nohup sudo bash

Watchtower

Watchtower is a popular open-source tool for automatically updating Docker containers. It can be used to automatically update the Twingate Connector container when a new version is available.

Watchtower on Production Systems

Watchtower is not meant to be used on critical production systems. The makers of the tool recommend implementing container maintenance through the use of Kubernetes or other similar services instead.

To use Watchtower, you can run the following command:

docker run -d --name watchtower -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower --cleanup

This will start Watchtower as a container, which will automatically check for new versions of all containers and update them when new images are available.

If you would like to limit Watchtower to just updating the Twingate Connector, you can use the following command:

docker run -d --name watchtower -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower --label-enable=true

This will run Watchtower with the label-enable option, which will check each container for a label com.centurylinklabs.watchtower.enable=true and only update containers with this label.

To add the label to the Twingate Connector container, will need to add the appropriate label to the Docker run command from the Admin Console:

docker run -d
    --sysctl net.ipv4.ping_group_range="0 2147483647"
    --env TWINGATE_NETWORK="networkname"
    --env TWINGATE_ACCESS_TOKEN=""
    --env TWINGATE_REFRESH_TOKEN=""
    --env TWINGATE_LABEL_HOSTNAME="`hostname`"
    --name "twingate-quixotic-squid"
    --restart=unless-stopped
    --pull=always
    --label com.centurylinklabs.watchtower.enable=true
    twingate/connector:1

Manual steps

To manually upgrade a Connector using the Docker command line, the following steps will pull the latest Connector image.

Note: You will need to reprovision the Connector in the Twingate Admin Console since this method does not preserve the authentication tokens for the running Connector.

docker ps
# Copy either the container ID or name
docker container rm -f [ container ID or name ]
docker image rm -f twingate/connector

# Obtain a new Docker run command from the Twingate admin console by reprovisioning the connector
docker run ...

Last updated 8 months ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

Encryption in Twingate

API

Getting Started with the API

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Updating Connectors

Advanced Connector Management

Resources

Remote Networks

Aliases

Usage-based Auto-lock

Ephemeral Access

Team

Users

Groups

Identity Providers

Security Policies

Policy Guides

Two-Factor Authentication

Devices

Client Application

Managed Devices

Device Administration

Services

Headless Clients

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Network Traffic

User Activity

Syncing Data to AWS S3

Internet Security

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Cancel Your Subscription

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating