diff --git a/docs/pages/management/admin/trustedclusters.mdx b/docs/pages/management/admin/trustedclusters.mdx index 86a4d3d8d2a60..6e9cc702592a1 100644 --- a/docs/pages/management/admin/trustedclusters.mdx +++ b/docs/pages/management/admin/trustedclusters.mdx @@ -18,6 +18,14 @@ When a user tries to connect to any resource in the leaf cluster, the Teleport A leaf cluster connects to the root cluster through the reverse tunnel using the Teleport Proxy Service instance running on the root cluster. + + Once a trust relationship is established between a root and leaf clusters, the root Proxy Service + can ask the leaf Proxy Service to establish network connections to arbitrary addresses. This is + how root clusters access resources on leaf clusters. A compromised root Proxy Service can ask + leaf Proxy Services to connect to sensitive or unauthorized resources, so be sure to use a + firewall to ensure leaf Proxy services are only allowed to connect to the appropriate resources. + + ## Who uses trusted clusters? Most organizations don't need to configure trusted clusters. In most cases, you can add
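Review bot: the new paragraph's first sentence has a grammar problem and the security advice at its end is too vague to act on. "between a root and leaf clusters" should read "between a root cluster and a leaf cluster" (or "between root and leaf clusters"), and "leaf Proxy services" should match the capitalization used elsewhere in the hunk ("leaf Proxy Services"). More importantly, "be sure to use a firewall to ensure leaf Proxy services are only allowed to connect to the appropriate resources" should say where the control goes and what it restricts: since it is the leaf Proxy Service that dials out on the root's behalf, the recommendation is egress filtering on the hosts running the leaf Proxy Service, allowing outbound connections only to the resources that root cluster users are meant to reach and denying everything else. Suggested wording for the last sentence: "A compromised root Proxy Service can direct leaf Proxy Services to connect to sensitive or unauthorized resources, so restrict outbound connections from hosts running the leaf Proxy Service (for example with host or network firewall egress rules) to only the resources that should be reachable through the trusted cluster." Also consider stating explicitly that "arbitrary addresses" means any address reachable from the leaf Proxy Service's network, so readers understand that network placement of the leaf Proxy Service is itself part of the blast radius.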