Tc
Applications Azure

Teleport Community on Ubuntu 24.04 on Azure User Guide

| Product: Teleport Community 18 on Ubuntu 24.04 LTS on Azure

Overview

Teleport is the open-source secure-access / infrastructure-identity platform (an "access plane"): identity-based, short-lived-certificate access to servers over SSH, plus Kubernetes clusters, databases and web apps, with role-based access control (RBAC), single sign-on (SSO), multi-factor authentication (MFA) and full session recording and audit. This cloudimg image installs Teleport 18.10.0 Community Edition from the official Teleport apt repository and runs it as a single all-in-one node (auth + proxy + SSH) with its own web UI served over TLS on port 443.

Because Teleport is itself the security perimeter, this image ships no cluster identity of any kind. On first boot each VM generates a fresh, unique cluster identity (its own certificate authorities), a per-VM self-signed TLS certificate, and a one-time admin sign-up link — there is no baked-in cluster CA, no static join token, and no shipped admin password.

What is included:

  • Teleport 18.10.0 Community Edition (OSS) from the official apt.releases.teleport.dev repository (channel stable/v18), security-patched via unattended-upgrades
  • All-in-one teleport.service (auth + proxy + SSH), config /etc/teleport.yaml (version v3)
  • Single-port TLS routing on 443 (web UI + tsh + node join multiplexed) — minimal NSG surface
  • Cluster state (CAs, cluster config, audit log, session recordings) on a dedicated 20 GiB data disk at /var/lib/teleport
  • Per-VM self-signed TLS certificate (SAN = VM public IP + hostname), generated on first boot
  • Per-VM local admin (teleport-admin) via a one-time sign-up URL — you set your own password + TOTP
  • Tiny nginx on port 80 serving an unauthenticated /healthz probe + a 301 redirect to HTTPS
  • 24/7 cloudimg support

Prerequisites

Active Azure subscription, SSH key, VNet + subnet, and a Network Security Group that allows inbound 22 (SSH), 443 (Teleport web UI + tsh, TLS routing) and 80 (health probe / HTTPS redirect). Standard_B2s (4 GB RAM) suits evaluation and small clusters; for production use D2s/D4s and add more resources as you enrol nodes.

Step 1: Connect

ssh azureuser@<vm-ip>

Step 2: Service Status + Version

Confirm Teleport (OSS Community) and nginx are running and note the single-port TLS-routing listeners.

teleport version | head -1
sudo systemctl is-active teleport.service nginx.service
sudo ss -tlnp | grep -E ':443 |:80 '

teleport.service + nginx active; Teleport v18.10.0 (Community); TLS routing on :443 and :80 healthz/redirect listeners

Step 3: Per-VM Cluster Identity + TLS Certificate

Teleport generates its own certificate authorities on first boot into the dedicated data disk. tctl status shows the cluster's per-VM CAs; the self-signed TLS certificate's SAN is unique to this VM; and the shipped config contains no static join token.

sudo tctl status
sudo findmnt /var/lib/teleport
sudo openssl x509 -in /var/lib/teleport/certs/teleport.crt -noout -subject -ext subjectAltName
echo "static join tokens in teleport.yaml: $(sudo grep -cE 'static_tokens|auth_token:' /etc/teleport.yaml || true)"

tctl status showing the per-VM cluster CAs and CA pin; cluster state on the /var/lib/teleport data disk; per-VM self-signed cert SAN; zero static join tokens in teleport.yaml

Step 4: Web UI over TLS

The Teleport proxy serves its web UI over TLS on port 443. The tiny nginx on port 80 answers an unauthenticated health probe and redirects everything else to HTTPS.

curl -sk -o /dev/null -w 'web/login HTTP %{http_code}\n' https://127.0.0.1/web/login
curl -s  -o /dev/null -w 'healthz  HTTP %{http_code}\n' http://127.0.0.1/healthz

Teleport Web UI returning HTTP 200 on https://127.0.0.1/web/login over the per-VM TLS certificate, and the :80 health probe returning 200

Step 5: Get Your One-Time Admin Sign-Up Link

The image ships no admin password. On first boot each VM creates a teleport-admin user with a single-use sign-up URL. Read it, then open it in your browser to set your own password and enrol an authenticator (TOTP).

sudo grep 'web/invite' /root/teleport-credentials.txt

The per-VM teleport-credentials.txt: cluster info, CA fingerprint and the one-time admin sign-up link (token masked here). No password ships in the image.

The sign-up link is single-use and expires. If it lapses, regenerate one on the VM with sudo tctl users add teleport-admin --roles=editor,access.

Step 6: Teleport Web UI Login

Browse to https://<vm-ip>/web/login. Because the VM uses a per-VM self-signed certificate, your browser shows a certificate warning the first time — accept it (or, for production, replace the cert as in Step 10). You reach the Teleport Community sign-in form.

Teleport Community sign-in page — username, password and authenticator code fields

Step 7: Resources Dashboard

After signing in you land on the unified Resources dashboard — the servers, Kubernetes clusters, databases and apps you can reach through the access plane. The VM itself appears as an SSH resource.

Teleport Resources dashboard listing the local SSH server, signed in as teleport-admin

Step 8: Audit Log

Every action — certificate issuance, MFA enrolment, user creation, session start/stop — is recorded. The Audit Log view (and Session Recordings) give you a full, tamper-evident record of access.

Teleport Audit Log showing certificate-issued, MFA-device-added and user-created events

Step 9: Users & Roles

Manage local users and their roles under Zero Trust Access → Users. The per-VM teleport-admin has the built-in access and editor roles.

Teleport Users page showing teleport-admin with the access and editor roles

Step 10: Add Servers and Resources

Enrol additional nodes (or databases, Kubernetes clusters and apps) so you can access them through Teleport with short-lived certificates and full session recording.

sudo tctl tokens add --type=node
sudo tctl nodes ls

Run the printed teleport start ... command on the target server to join it to the cluster, then it appears in the Resources dashboard.

Step 11: Components

Component Path
Teleport binary /usr/local/bin/teleport (tctl, tsh alongside)
systemd unit teleport.service (+ teleport-firstboot.service)
Config /etc/teleport.yaml (version v3, all-in-one auth + proxy + SSH)
Cluster state /var/lib/teleport/ (dedicated data disk — CAs, audit, recordings)
Per-VM TLS cert /var/lib/teleport/certs/teleport.{crt,key}
Firstboot script /usr/local/sbin/teleport-firstboot.sh
Credentials /root/teleport-credentials.txt (mode 0600 root:root)
Health probe nginx on :80/healthz + 301 to HTTPS

Step 12: Production Hardening

  • Replace the self-signed certificate: drop your own domain certificate at /var/lib/teleport/certs/ (update key_file/cert_file in /etc/teleport.yaml), or enable Teleport ACME with a real DNS name, then sudo systemctl restart teleport.
  • Set a real public_addr: point proxy_service.public_addr in /etc/teleport.yaml at your DNS name so tsh and the web UI use it.
  • Add an SSO connector: configure GitHub / SAML / OIDC as your identity source for production sign-in.
  • Enable WebAuthn MFA: with a real domain, switch authentication.second_factor to webauthn for phishing-resistant MFA (TOTP is the appliance default).
  • Restrict the NSG: keep 443 open to your users, 80 for the health probe/redirect, and 22 to your management CIDR only.
  • Patch regularly: the official Teleport apt repo keeps teleport current within the stable/v18 channel via unattended-upgrades; subscribe to https://goteleport.com/download/ for release news.

Licensing

This image ships the Teleport Community Edition (open source). Teleport's source is licensed AGPL-3.0; the prebuilt Community Edition binaries installed here (from apt.releases.teleport.dev) are distributed under a modified Apache 2.0 license — both are freely redistributable. This is not Teleport Enterprise, Team or Cloud.

cloudimg is not affiliated with, endorsed by, or sponsored by Gravitational, Inc. or the Teleport project. "Teleport" is a trademark of its respective owner; this image simply packages the unmodified open-source Community Edition. cloudimg provides commercial support separately. support@cloudimg.co.uk.