• Logo
    LXD
  • canonical.com/lxd
  • More resources
    • Discourse
    • Matrix
    • GitHub
Contents Menu Expand Light mode Dark mode Auto light/dark, in light mode Auto light/dark, in dark mode Skip to content
LXD documentation 6.9
LXD documentation 6.9
  • LXD
  • Tutorial
  • How-to guides
    • Getting started
      • Install LXD
      • Initialize LXD
      • Access the UI
      • Access documentation locally
    • LXD server and client
      • Configure the LXD server
      • Expose LXD to the network
      • Configure single sign-on with OIDC
        • Configure Auth0
        • Configure Ory Hydra
        • Configure Keycloak
        • Configure Entra ID
        • Configure Pocket ID
      • Add remote servers
      • Add command aliases
    • Instances
      • Create instances
      • Configure instances
      • Manage instances
      • Use profiles
      • Troubleshoot errors
      • Auto attach Ubuntu Pro
      • Access files
      • Access the console
      • Run commands
      • Use cloud-init
      • Add a routed NIC to a VM
      • Back up instances
      • Import existing machines
      • Migrate instances
      • Pass NVIDIA GPUs
    • Images
      • Use remote images
      • Manage images
      • Associate profiles
      • Copy and import images
      • Create images
    • Projects
      • Create and configure projects
      • Work with projects
      • Confine users to projects
    • Storage
      • Manage pools
      • Manage volumes
      • Manage buckets
      • Create or move an instance in a pool
      • Back up a custom volume
      • Move or copy a custom volume
      • Use the LXD CSI driver with Kubernetes
    • Networking
      • Create a network
      • Configure a network
      • Configure as BGP server
      • Configure network ACLs
      • Configure forwards
      • Configure network zones
      • Configure your firewall
      • Integrate with resolved
      • Set up OVN
      • Configure load balancers
      • Configure peer routing
      • Display IPAM information
    • Clustering
      • Form a cluster
      • Manage a cluster
      • Configure networks
      • Configure storage
      • Manage instances
      • Set up cluster groups
      • Use placement groups
      • Recover a cluster
      • Recover orphaned volume entries
      • Set up a highly available virtual IP
      • Create cluster links
      • Manage cluster links
      • Set up replicators
      • Manage replicators
    • Production setup
      • Benchmark performance
      • Increase bandwidth
      • Monitor metrics
      • Monitor security events
      • Send logs to Loki
      • Set up Grafana
      • Back up a server
      • Recover instances
      • Disaster recovery with storage replication
      • Disaster recovery with replicators
      • Decommission LXD
    • Manage the snap
    • Harden security
    • Troubleshooting
      • Configure your firewall
      • Troubleshoot instances
      • Troubleshoot networks
      • Troubleshoot Dqlite
      • Frequently asked
      • Debug LXD
      • Track a bugfix in the LXD snap
    • Authenticate to the LXD API using bearer tokens
    • Authenticate to the DevLXD API
    • Get support
    • Contribute to LXD
  • Explanation
    • lxd and lxc
    • Containers and VMs
    • Local and remote images
    • Storage pools, volumes, and buckets
    • Networking setups
    • The LXD Dqlite database
    • lxc show and info
    • Remote API authentication
    • Remote API authorization
    • Instances grouping with projects
    • Clusters
    • Replicators
    • Performance tuning
    • Security
    • Privilege delegation using BPF Token
    • The LXD CSI driver
  • Reference
    • Requirements
    • Architectures
    • Guest OS compatibility
    • Container environment
    • Man pages
      • lxc
    • Release notes
      • LXD 6
        • LXD 6.9
        • LXD 6.8
        • LXD 6.7
        • LXD 6.6
      • LXD 5.21 LTS
        • LXD 5.21.5 LTS
      • LXD 5.0 LTS
        • LXD 5.0.7 LTS
      • LXD 4.0 LTS
        • LXD 4.0.11 LTS
    • Releases and snap
    • Remote image servers
    • Image format
    • Configuration option index
    • Server configuration
    • Instance configuration
      • Instance properties
      • Instance options
      • Devices
        • Standard devices
        • Type: none
        • Type: nic
        • Type: disk
        • Type: unix-char
        • Type: unix-block
        • Type: usb
        • Type: gpu
        • Type: infiniband
        • Type: proxy
        • Type: unix-hotplug
        • Type: tpm
        • Type: pci
      • Units for storage and network limits
    • Preseed YAML file fields
    • Project configuration
    • Storage drivers
      • Directory - dir
      • Btrfs - btrfs
      • LVM - lvm
      • ZFS - zfs
      • Ceph RBD - ceph
      • Dell PowerFlex - powerflex
      • Dell PowerStore - powerstore
      • Pure Storage - pure
      • HPE Alletra - alletra
      • CephFS - cephfs
      • Ceph Object - cephobject
    • Networks
      • Bridge network
      • OVN network
      • Macvlan network
      • Physical network
      • SR-IOV network
    • Placement group configuration
    • Clusters
      • Cluster member configuration
      • Cluster link configuration
    • Replicator configuration
    • Permissions
    • Production server settings
    • Provided metrics
    • REST API
      • Main API overview
      • Main API specification
      • Main API extensions
      • Events stream
      • DevLXD API for instances
    • LXD CSI driver reference
    • Internals
      • Environment variables
      • Daemon behavior
      • UEFI variables for VMs
      • System call interception
      • User namespace setup
      • OVN implementation
      • VM live migration implementation
      • Dqlite database for cluster state
      • ZFS storage driver
    • Project repository
    • Image server
Back to top
Contribute to this page

How to create cluster links¶

Cluster links connect separate LXD clusters. There are two link types — bidirectional and unidirectional — each with a different creation flow.

Prepare authentication¶

Before creating bidirectional or unidirectional cluster links, set up proper authentication groups and manage permissions:

lxc auth group create <group-name>
lxc auth group permission add <group-name> <entity-type> <entitlement>

The example below shows how to create an authentication group for each cluster called link with the admin entitlement on the server entity type:

Example: Cluster A¶
lxc auth group create link
lxc auth group permission add link server admin
Example: Cluster B¶
lxc auth group create link
lxc auth group permission add link server admin

Adjust the permissions according to your security requirements. Fine-grained permissions can be applied to control what operations each cluster can perform on the other.

For example, you can create a more restricted group for backup operations only:

lxc auth group create backup
lxc auth group permission add backup instance my-instance can_manage_backups

Create a bidirectional cluster link¶

To create a bidirectional cluster link between two clusters (Cluster A and Cluster B), you must create the link on both sides. Follow these steps:

  1. On Cluster A, create a new cluster link to Cluster B and receive a trust token:

    lxc cluster link create <name-of-link-to-cluster-b> --auth-group <auth-group-name>
    

    This command:

    • Creates a pending identity for Cluster B under the link name you provided.

    • Assigns this identity to the specified authentication group.

    • Returns a trust token.

    Copy the trust token. You’ll need it for the next step.

    Example:

    lxc cluster link create cluster_b --auth-group clusters
    

    For a single-node cluster, click Server in the navigation sidebar, then select the Cluster links tab in the main content pane. Otherwise, click Clustering in the navigation sidebar, then select Links from the expanded drop-down list.

    Click on the + Create cluster link button to open the side panel.

    Enter a name and optionally a description for the new cluster link. Leave Generate token checked, select relevant authentication group(s), and click Create link.

    In the modal, copy the trust token by clicking the Copy token button next to the token. You’ll need it for the next step.

  2. On Cluster B, create the corresponding cluster link using the trust token from Cluster A:

    lxc cluster link create <name-of-link-to-cluster-a> --token <token-from-A> --auth-group <auth-group-name>
    

    This command:

    • Verifies the token’s fingerprint against Cluster A’s certificate.

    • Creates an identity for Cluster A under the name you provided and assigns it to the specified authentication group.

    • Activates the pending link with Cluster A by sending Cluster B’s certificate.

    • Establishes bidirectional trust between the clusters.

    Example:

    lxc cluster link create cluster_a --token <token-from-A> --auth-group clusters
    

    For a single-node cluster, click Server in the navigation sidebar, then select the Cluster links tab in the main content pane. Otherwise, click Clustering in the navigation sidebar, then select Links from the expanded drop-down list.

    Click on the + Create cluster link button to open the side panel.

    Enter a name and optionally a description for the new cluster link. Select I have a token, and paste the trust token you generated in the previous step. Select relevant authentication group(s), then click Create link.

Create a unidirectional cluster link¶

A unidirectional link lets Cluster A access Cluster B’s resources, but Cluster B cannot initiate requests to Cluster A. Cluster B creates an identity for Cluster A, but Cluster A does not create an identity for Cluster B.

Follow these steps:

  1. On Cluster B (the target), issue a pending identity token:

    lxc auth identity create cluster-link/<name-for-cluster-a> --auth-group <auth-group-name>
    

    This command creates a pending Cluster link certificate identity on Cluster B and returns a trust token.

    Example:

    lxc auth identity create cluster-link/cluster_a --auth-group clusters
    
  2. On Cluster A (the initiator), create the cluster link using the token from Cluster B:

    lxc cluster link create <name-for-cluster-b> --token <token-from-B> --unidirectional
    

    This command:

    • Pins Cluster B’s certificate on Cluster A.

    • Calls back to Cluster B to activate Cluster B’s pending identity for Cluster A.

    • Stores Cluster B’s addresses in volatile.addresses so Cluster A can reach B.

    Example:

    lxc cluster link create cluster_b --token <token-from-B> --unidirectional
    

After these steps, Cluster A has a link with type: unidirectional and no associated identity. Cluster B has an active Cluster link certificate identity for Cluster A but no cluster link record.

View the underlying identities¶

LXD creates Cluster link certificate identities differently depending on the link type:

  • Bidirectional links: each cluster creates an identity for the other. On either cluster, view the identity for the remote cluster with:

    lxc auth identity show tls/<cluster-link-name>
    
  • Unidirectional links: only the target cluster (B) has an identity for the initiator cluster (A). The initiator cluster has no associated identity. To view the identity, run the following on Cluster B:

    lxc auth identity show tls/<name-for-cluster-a>
    

The output shows the identity with the type Cluster link certificate.

Next steps¶

  • How to set up replicators — set up replicators to sync instances across this link for active-passive disaster recovery.

  • How to manage cluster links — view, configure, and delete existing cluster links.

Next
How to manage cluster links
Previous
How to set up a highly available virtual IP for clusters
© 2014-2026 AGPL-3.0, LXD contributors
Last updated on Jun 29, 2026
Manage your tracker settings
Contents
  • How to create cluster links
    • Prepare authentication
    • Create a bidirectional cluster link
    • Create a unidirectional cluster link
    • View the underlying identities
    • Next steps