How to Upgrade Connectors Running in AWS/Azure/Docker Containers

If you are running Twingate Connectors as containers in Docker, AWS ECS, or Azure Container Instances, the instructions specific to each environment below cover how to upgrade Connectors. Please keep in mind the best practices for upgrading detailed in Upgrading Connectors to avoid downtime for your users.

See the Linux Docker deployment documentation for more information on deploying the Twingate Connector in a Linux Docker container.

AWS Elastic Container Service (ECS)

In order to upgrade a running ECS Connector service, it needs to be restarted with the “Force new deployment” option selected. You can either do this via the AWS Management Console or with the AWS CLI.

Management Console

  • Select the name of the running Connector service in your ECS cluster and choose “Update”.
  • Select the “Force new deployment” option, then “Skip to review”.
  • Click “Update Service”.

The service will automatically restart and pull the latest image.

Note: If the image tag in the ECS task definition was changed to anything other than 1 or latest then the image that’s pulled may not be the latest. It’s recommended to always pull the latest image when updating a Connector.

AWS CLI

The command below will force a new deployment of your running ECS Service. Note that you need the name of the ECS Service, Cluster name, and AWS region to run the command.

aws ecs update-service --region <REGION> --cluster <CLUSTER_NAME> --service <SERVICE_NAME> --force-new-deployment

Azure Container Instance

You can upgrade any Connectors running as a container instance on Azure with the following CLI command. This will automatically download the latest image. You will need the container name and Resource Group name to run the command.

az container restart --name <CONTAINER_NAME> --resource-group <RESOURCE_GROUP>

Docker

Checking the Connector Version

If you’d like to check the currently running version of a Connector in a Docker container, you can do so using the following command:

docker exec twingate-connector ./connectord --version

In the above example, twingate-connector represents the name of the Connector container.

The latest build version number and other update notes are available in the Connector Release Notes.

Linux: Command line / EC2 / VM

The following command can be used to upgrade running Connectors that have been deployed on a host using the Docker CLI. The script automates:

  • Pulling the latest Connector image (twingate/connector:1)
  • Comparing any running containers to the latest image
  • Stopping any out of date containers, deleting them, and restarting them with the same environment variables and the latest image
curl -s https://binaries.twingate.com/connector/docker-upgrade.sh | sudo nohup sudo bash

Watchtower

Watchtower is a popular open-source tool for automatically updating Docker containers. It can be used to automatically update the Twingate Connector container when a new version is available.

To use Watchtower, you can run the following command:

docker run -d --name watchtower -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower --cleanup

This will start Watchtower as a container, which will automatically check for new versions of all containers and update them when new images are available.

If you would like to limit Watchtower to just updating the Twingate Connector, you can use the following command:

docker run -d --name watchtower -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower --label-enable=true

This will run Watchtower with the label-enable option, which will check each container for a label com.centurylinklabs.watchtower.enable=true and only update containers with this label.

To add the label to the Twingate Connector container, will need to add the appropriate label to the Docker run command from the Admin Console:

docker run -d
--sysctl net.ipv4.ping_group_range="0 2147483647"
--env TWINGATE_NETWORK="networkname"
--env TWINGATE_ACCESS_TOKEN=""
--env TWINGATE_REFRESH_TOKEN=""
--env TWINGATE_LABEL_HOSTNAME="`hostname`"
--name "twingate-quixotic-squid"
--restart=unless-stopped
--pull=always
--label com.centurylinklabs.watchtower.enable=true
twingate/connector:1

Manual steps

To manually upgrade a Connector using the Docker command line, the following steps will pull the latest Connector image.

Note: You will need to reprovision the Connector in the Twingate Admin Console since this method does not preserve the authentication tokens for the running Connector.

docker ps
# Copy either the container ID or name
docker container rm -f [ container ID or name ]
docker image rm -f twingate/connector
# Obtain a new Docker run command from the Twingate admin console by reprovisioning the connector
docker run ...

Last updated 9 months ago