Deployment Automation

Twingate Connectors run in a linux/amd64 Docker container, which makes them widely compatible with a range of deployment methods and environments. The information below will help you automate their deployment.

Full Automation: Terraform Provider

If your organization uses Terraform to manage your infrastructure as code, you can use Twingate’s Terraform provider to automatically provision Connectors, along with other Twingate constructs such as Resources and Remote Networks. Please see the documentation for more details.

Deployment Automation Alternatives

Twingate Admin API

Twingate’s Admin API provides programmatic control over most admin functions, which you can use to automate the configuration of your Twingate Network.

The API can also specifically be used to provision Connectors and new tokens programatically.

Semi-automated approach

If you do not use Terraform, or do not wish to use the API, you may retrieve tokens from the Admin Console using the “Manual” Connector deployment option in the Admin Console. Note that the Connector tokens are unique to that specific Connector, and these tokens cannot be reused for multiple Connectors.

Therefore, in order to incorporate Connectors into a semi-automated process, keep the following in mind:

  • You must continue to provision new Connectors through the Admin console or through the Twingate API.
  • Use the environment variables generated for that specific Connector.
  • The configuration variable for a single Connector cannot be re-used for additional Connectors.

Connector deployment parameters

If you are deploying Connectors and using manual token generation as described in the previous section, the following information will help deploy Connectors successfully.

Connector image source:

  • The Connector image is public and hosted on Docker Hub. You can use an image registry address of with the image name twingate/connector and image tag latest.

Fixed deployment parameters:

  • TWINGATE_NETWORK should be the subdomain of your Twingate account (eg. acme if your account is at
  • The Docker parameter --restart=unless-stopped is used to ensure that the Connector container is always automatically restarted unless explicitly stopped. The equivalent setting should be used in any other container environment.

Connector-specific deployment parameters are:

  • TWINGATE_ACCESS_TOKEN is an authentication token specific to the Connector being deployed. This should be treated as a secret and never checked into source control.
  • TWINGATE_REFRESH_TOKEN is an authentication refresh token specific to the Connector being deployed. This should similarly be treated as a secret.
  • The Docker parameter --name is used to identify the connector in your container management system. You can any name here, but it is probably most helpful to ensure that it matches the auto-generated name in the Admin console.
  • (Optional) DNS_SERVER is an optional parameter that specifies what DNS server the Connector should use to resolve Resources. If this is a private DNS server, it must be accessible from the Connector host.

Example: Helm Chart

An example of pulling all of the above together for a Helm Chart can be found here:

Last updated 4 months ago