Teleport Community on Ubuntu 24.04 on Azure User Guide
Overview
Teleport is the open-source secure-access / infrastructure-identity platform (an "access plane"): identity-based, short-lived-certificate access to servers over SSH, plus Kubernetes clusters, databases and web apps, with role-based access control (RBAC), single sign-on (SSO), multi-factor authentication (MFA) and full session recording and audit. This cloudimg image installs Teleport 18.10.0 Community Edition from the official Teleport apt repository and runs it as a single all-in-one node (auth + proxy + SSH) with its own web UI served over TLS on port 443.
Because Teleport is itself the security perimeter, this image ships no cluster identity of any kind. On first boot each VM generates a fresh, unique cluster identity (its own certificate authorities), a per-VM self-signed TLS certificate, and a one-time admin sign-up link — there is no baked-in cluster CA, no static join token, and no shipped admin password.
What is included:
- Teleport 18.10.0 Community Edition (OSS) from the official
apt.releases.teleport.devrepository (channelstable/v18), security-patched via unattended-upgrades - All-in-one
teleport.service(auth + proxy + SSH), config/etc/teleport.yaml(version v3) - Single-port TLS routing on 443 (web UI +
tsh+ node join multiplexed) — minimal NSG surface - Cluster state (CAs, cluster config, audit log, session recordings) on a dedicated 20 GiB data disk at
/var/lib/teleport - Per-VM self-signed TLS certificate (SAN = VM public IP + hostname), generated on first boot
- Per-VM local admin (
teleport-admin) via a one-time sign-up URL — you set your own password + TOTP - Tiny nginx on port 80 serving an unauthenticated
/healthzprobe + a 301 redirect to HTTPS - 24/7 cloudimg support
Prerequisites
Active Azure subscription, SSH key, VNet + subnet, and a Network Security Group that allows inbound 22 (SSH), 443 (Teleport web UI + tsh, TLS routing) and 80 (health probe / HTTPS redirect). Standard_B2s (4 GB RAM) suits evaluation and small clusters; for production use D2s/D4s and add more resources as you enrol nodes.
Step 1: Connect
ssh azureuser@<vm-ip>
Step 2: Service Status + Version
Confirm Teleport (OSS Community) and nginx are running and note the single-port TLS-routing listeners.
teleport version | head -1
sudo systemctl is-active teleport.service nginx.service
sudo ss -tlnp | grep -E ':443 |:80 '

Step 3: Per-VM Cluster Identity + TLS Certificate
Teleport generates its own certificate authorities on first boot into the dedicated data disk. tctl status shows the cluster's per-VM CAs; the self-signed TLS certificate's SAN is unique to this VM; and the shipped config contains no static join token.
sudo tctl status
sudo findmnt /var/lib/teleport
sudo openssl x509 -in /var/lib/teleport/certs/teleport.crt -noout -subject -ext subjectAltName
echo "static join tokens in teleport.yaml: $(sudo grep -cE 'static_tokens|auth_token:' /etc/teleport.yaml || true)"

Step 4: Web UI over TLS
The Teleport proxy serves its web UI over TLS on port 443. The tiny nginx on port 80 answers an unauthenticated health probe and redirects everything else to HTTPS.
curl -sk -o /dev/null -w 'web/login HTTP %{http_code}\n' https://127.0.0.1/web/login
curl -s -o /dev/null -w 'healthz HTTP %{http_code}\n' http://127.0.0.1/healthz

Step 5: Get Your One-Time Admin Sign-Up Link
The image ships no admin password. On first boot each VM creates a teleport-admin user with a single-use sign-up URL. Read it, then open it in your browser to set your own password and enrol an authenticator (TOTP).
sudo grep 'web/invite' /root/teleport-credentials.txt

The sign-up link is single-use and expires. If it lapses, regenerate one on the VM with
sudo tctl users add teleport-admin --roles=editor,access.
Step 6: Teleport Web UI Login
Browse to https://<vm-ip>/web/login. Because the VM uses a per-VM self-signed certificate, your browser shows a certificate warning the first time — accept it (or, for production, replace the cert as in Step 10). You reach the Teleport Community sign-in form.

Step 7: Resources Dashboard
After signing in you land on the unified Resources dashboard — the servers, Kubernetes clusters, databases and apps you can reach through the access plane. The VM itself appears as an SSH resource.

Step 8: Audit Log
Every action — certificate issuance, MFA enrolment, user creation, session start/stop — is recorded. The Audit Log view (and Session Recordings) give you a full, tamper-evident record of access.

Step 9: Users & Roles
Manage local users and their roles under Zero Trust Access → Users. The per-VM teleport-admin has the built-in access and editor roles.

Step 10: Add Servers and Resources
Enrol additional nodes (or databases, Kubernetes clusters and apps) so you can access them through Teleport with short-lived certificates and full session recording.
sudo tctl tokens add --type=node
sudo tctl nodes ls
Run the printed teleport start ... command on the target server to join it to the cluster, then it appears in the Resources dashboard.
Step 11: Components
| Component | Path |
|---|---|
| Teleport binary | /usr/local/bin/teleport (tctl, tsh alongside) |
| systemd unit | teleport.service (+ teleport-firstboot.service) |
| Config | /etc/teleport.yaml (version v3, all-in-one auth + proxy + SSH) |
| Cluster state | /var/lib/teleport/ (dedicated data disk — CAs, audit, recordings) |
| Per-VM TLS cert | /var/lib/teleport/certs/teleport.{crt,key} |
| Firstboot script | /usr/local/sbin/teleport-firstboot.sh |
| Credentials | /root/teleport-credentials.txt (mode 0600 root:root) |
| Health probe | nginx on :80 → /healthz + 301 to HTTPS |
Step 12: Production Hardening
- Replace the self-signed certificate: drop your own domain certificate at
/var/lib/teleport/certs/(updatekey_file/cert_filein/etc/teleport.yaml), or enable Teleport ACME with a real DNS name, thensudo systemctl restart teleport. - Set a real
public_addr: pointproxy_service.public_addrin/etc/teleport.yamlat your DNS name sotshand the web UI use it. - Add an SSO connector: configure GitHub / SAML / OIDC as your identity source for production sign-in.
- Enable WebAuthn MFA: with a real domain, switch
authentication.second_factortowebauthnfor phishing-resistant MFA (TOTP is the appliance default). - Restrict the NSG: keep 443 open to your users, 80 for the health probe/redirect, and 22 to your management CIDR only.
- Patch regularly: the official Teleport apt repo keeps
teleportcurrent within thestable/v18channel via unattended-upgrades; subscribe to https://goteleport.com/download/ for release news.
Licensing
This image ships the Teleport Community Edition (open source). Teleport's source is licensed AGPL-3.0; the prebuilt Community Edition binaries installed here (from apt.releases.teleport.dev) are distributed under a modified Apache 2.0 license — both are freely redistributable. This is not Teleport Enterprise, Team or Cloud.
cloudimg is not affiliated with, endorsed by, or sponsored by Gravitational, Inc. or the Teleport project. "Teleport" is a trademark of its respective owner; this image simply packages the unmodified open-source Community Edition. cloudimg provides commercial support separately. support@cloudimg.co.uk.