How HCP Boundary Works
HCP Boundary is an intelligent proxy that automates user and host onboarding, and provisions access permissions. Boundary creates a workflow for accessing infrastructure remotely with a number of key steps:
- User Authentication: Integrates with trusted identity platforms (such as Azure Active Directory, Okta, Ping, and many others that support OpenID Connect).
- Granular User Authorization: allows operators to tightly control access to remote systems and the actions that can be performed against those systems.
- Automated Connections to Hosts: HCP Boundary streamlines connection to hosts by automating service discovery and access configuration as workloads are deployed or changed. Dynamic host catalogs are currently available with AWS and Azure. This is critical in ephemeral, cloud-based environments so that operators don't need to reconfigure access lists.
- Integrated Credential Management: HCP Boundary brokers access to target credentials natively or via integration with HashiCorp Vault.
- Time-Limited Network Access to Targets: Boundary provides time-limited proxies to private endpoints, avoiding the need to expose your network to users.
- Session Monitoring and Management: Provides visibility into the sessions Boundary creates.
Across clouds, local data centers, and low-trust networks, HCP Boundary provides a solution to protect and safeguard access to applications and critical systems by leveraging trusted identities, without exposing the underlying network. HCP Boundary is an identity-aware proxy that sits between users and the infrastructure they wish to connect.
The proxy has two components:
- Controllers: manage state for users, hosts, and access policies, and the external providers HCP Boundary can query for service discovery.
- Worker: nodes are assigned by the control plane once an authenticated user selects a host to connect to. Workers are a stateless proxy with end-network access to hosts under management.
The session is presented to the user as a TCP tunnel wrapped in mutual TLS. This mitigates the risk of a man-in-the-middle attack. If a user is connecting to a host over SSH through an HCP Boundary tunnel, there are two layers of encryption- the SSH session that user creates, and the underlying TLS that HCP Boundary creates.
HCP Boundary is fully managed by HashiCorp, but organizations can choose to self-manage Boundary workers (Boundary's gateway nodes). Self-managed workers enable organizations to proxy all session data through their own network, while still providing the convenience of a managed service. In the standard fully-managed deployment model, both the control plane and worker nodes are managed by HashiCorp, making it easy to get started with Boundary while facilitating scaling over time.
Self-managed workers allow Boundary users to securely connect to private endpoints without exposing an organization's networks to the public, or to HashiCorp-managed resources. All session activity is proxied by the organization's worker nodes. To learn more about self-managed workers see the self-managed workers tutorial and operations document.