Save 10-15% Register for HashiConf and save big when you buy 2+ tickets Get your passes
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

How HCP Boundary works

HCP Boundary is an intelligent proxy that automates user and host onboarding, and provisions access permissions. Boundary creates a workflow for accessing infrastructure remotely with a number of key steps:

  • User authentication: Integrates with trusted identity platforms (such as Azure Active Directory, Okta, Ping, and many others that support OpenID Connect).
  • Granular user authorization: Allows operators to tightly control access to remote systems, and the actions against those systems.
  • Automated connections to hosts: As you deploy or update workloads, HCP Boundary updates connections to targets and hosts using automated service discovery. Dynamic host catalogs are available with AWS, Azure, and GCP. This is critical in ephemeral, cloud-based environments so that operators don't need to reconfigure access lists.
  • Integrated credential management: HCP Boundary brokers access to target credentials natively or via integration with HashiCorp Vault.
  • Time-limited network access to targets: Boundary provides time-limited proxies to private endpoints, avoiding the need to expose your network to users.
  • Session monitoring and management: Provides visibility into the sessions Boundary creates.

Access model

HCP Boundary provides a solution to protect and safeguard access to applications and critical systems by leveraging trusted identities, without exposing the underlying network. HCP Boundary is an identity-aware proxy that sits between users and the infrastructure they wish to connect.

The proxy has two components:

  • Controllers: manage state for users, hosts, and access policies, and the external providers HCP Boundary can query for service discovery.
  • Workers: are a stateless proxy with end-network access to hosts under management. The control plane assigns each worker node to a target system once an authenticated user selects the target to connect.

The session starts for the user as a TCP tunnel wrapped in mutual TLS. This mitigates the risk of a man-in-the-middle attack. If a user is connecting to a host over SSH through an HCP Boundary tunnel, there are two layers of encryption: the SSH session that user creates, and the underlying TLS that HCP Boundary creates.

Diagram of user requests flow through the worker node before HCP Boundary connects the user to the target system.

Deployment options

HCP Boundary is fully managed by HashiCorp, but organizations can choose to self-manage Boundary workers (Boundary's gateway nodes). Self-managed workers enable organizations to proxy all session data through their own networks, while still providing the convenience of a managed service. In the standard fully-managed deployment model, HashiCorp manages the control plane and worker nodes, making it easy to get started with Boundary while facilitating scaling over time.

Self-managed workers

Self-managed workers allow Boundary users to securely connect to private endpoints without exposing an organization's networks to the public, or to HashiCorp-managed resources. The organization's worker nodes proxy all session activities. To learn more about self-managed workers see the self-managed workers tutorial and operations document.

Diagram of user requests flow through the self-managed worker before connecting to the target system.