
How to create cluster links

Cluster links connect separate LXD clusters by establishing a trust relationship based on mutual TLS, in which each cluster authenticates the other by its certificate.

Prepare authentication

Before creating cluster links, set up authentication groups and manage their permissions:

lxc auth group create <group-name>
lxc auth group permission add <group-name> <entity-type> <entitlement>

The example below creates, on each cluster, an authentication group called link with the admin entitlement on the server entity type:

Example: Cluster A
lxc auth group create link
lxc auth group permission add link server admin
Example: Cluster B
lxc auth group create link
lxc auth group permission add link server admin

Adjust the permissions according to your security requirements. Fine-grained permissions can be applied to control what operations each cluster can perform on the other.

For example, you can create a more restricted group for backup operations only:

lxc auth group create backup
lxc auth group permission add backup instance can_manage_backups

Create a cluster link

To create a new cluster link between two clusters (Cluster A and Cluster B), you must create the link on both sides. Follow these steps:

  1. On Cluster A, create a new cluster link to Cluster B and receive a trust token:

    lxc cluster link create <name-of-link-to-cluster-b> --auth-group <auth-group-name>
    

    This command:

    • Creates a pending identity for Cluster B under the link name you provided.

    • Assigns this identity to the specified authentication group.

    • Returns a trust token.

    Copy the trust token. You’ll need it for the next step.

    Example (assumes an authentication group named clusters already exists on Cluster A):

    lxc cluster link create cluster_b --auth-group clusters
    
  2. On Cluster B, create the corresponding cluster link using the trust token from Cluster A:

    lxc cluster link create <name-of-link-to-cluster-a> --token <token-from-A> --auth-group <auth-group-name>
    

    This command:

    • Verifies the token’s fingerprint against Cluster A’s certificate.

    • Creates an identity for Cluster A under the name you provided and assigns it to the specified authentication group.

    • Activates the pending link with Cluster A by sending Cluster B’s certificate.

    • Establishes bidirectional trust between the clusters.

    Example (assumes an authentication group named clusters already exists on Cluster B):

    lxc cluster link create cluster_a --token <token-from-A> --auth-group clusters
    

View the underlying identities

When you create a cluster link, LXD automatically creates an identity for authentication. You can view this identity with:

lxc auth identity show tls/<cluster-link-name>

The output shows the identity of your cluster link, with the type Cluster link certificate.
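
To review which permissions each link identity actually holds, the identities and their groups can be cross-checked. The following is an added example, not part of the LXD documentation or code base: it audits cluster link identities against the groups they belong to and flags links that hold the broad server admin entitlement. The sample data is constructed, and the JSON field names are assumptions modelled on LXD's auth API objects.

```python
import json

# Constructed sample data. Field names (name, type, groups, permissions,
# entity_type, entitlement) are assumptions modelled on LXD's auth API objects.
IDENTITIES = json.loads("""[
  {"name": "cluster_b", "type": "Cluster link certificate", "groups": ["link"]},
  {"name": "dr_site",   "type": "Cluster link certificate", "groups": ["backup"]},
  {"name": "alice",     "type": "Client certificate",       "groups": ["link"]},
  {"name": "orphan",    "type": "Cluster link certificate", "groups": []}
]""")
GROUPS = json.loads("""[
  {"name": "link",
   "permissions": [{"entity_type": "server", "entitlement": "admin"}]},
  {"name": "backup",
   "permissions": [{"entity_type": "instance", "entitlement": "can_manage_backups"}]}
]""")

# (entity type, entitlement) pairs this example treats as too broad for a
# peer cluster. This is a policy choice of the example, not an LXD rule.
BROAD = {("server", "admin")}


def audit_cluster_links(identities, groups):
    """Return {link name: [findings]} for cluster link identities only."""
    perms = {
        g["name"]: {(p["entity_type"], p["entitlement"])
                    for p in g.get("permissions", [])}
        for g in groups
    }
    report = {}
    for ident in identities:
        if ident.get("type") != "Cluster link certificate":
            continue  # ordinary client identities are out of scope here
        findings = []
        member_of = ident.get("groups") or []
        if not member_of:
            findings.append("not in any auth group")
        for group in member_of:
            if group not in perms:
                findings.append(f"group '{group}' does not exist")
                continue
            for entity, entitlement in sorted(perms[group] & BROAD):
                findings.append(f"group '{group}' grants {entitlement} on {entity}")
        report[ident["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_cluster_links(IDENTITIES, GROUPS).items():
        print(name, "->", findings or "ok")
```
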

Copyright © 2014-2025 LXD contributors
Last updated on Aug 11, 2025
Thanks to our contributor!
  • Kadin Sayani