Introduction
Why use HashiCorp Validated Designs?
We introduced the HashiCorp Validated Designs program to provide customers with guidance based on extensive experience working with various organizations to deploy our solutions. The HVD for Boundary offers a structured approach to implementing secure and automated user access management. Achieve a production-ready service faster by adopting the recommendations in this guide. This allows you to adopt a standard pattern enhancing your ability to serve your application teams with optimized workflows.
The HashiCorp Validated Designs program provides prescriptive guidance curated from our experience supporting numerous customer journeys with Boundary.
References to Boundary in this document apply to both HCP Boundary and Boundary Enterprise except where specified to indicate differences between the products. We also use Boundary in the context of the command-line tool where applicable.
Prerequisites
HashiCorp recommends the following prerequisites before implementing the Boundary Operating Guide for Adoption:
- Review Cloud Operating Model
- Review and implement the Boundary: Solution Design Guide
- Attend a Boundary workshop
HashiCorp recommends using Terraform to provision and configure Boundary. For guidance on using Terraform, please refer to the Terraform HVD.
Checklist
After completing the production readiness assessment, you are ready to implement core portions of the Adoption phase covered in this document.
Language and definitions
While this guide intentionally uses technology-agnostic language, there are some terms that do not translate seamlessly between providers. This document uses the following terms:
Term | Definition |
---|---|
Scope | A permission boundary modeled as a container for resources. |
Global scope | The top-level scope that encompasses all child scopes within Boundary. It serves as the root of the hierarchy used to organize resources. Configure resources such as storage buckets, storage policies, aliases, workers, users, groups, roles and auth methods at the global scope level. |
Organization | The intermediate scope level, a child scope of global. Configure IAM-related resources such as users, groups, roles and auth methods at the organization and global scope levels. |
Project | The lowest scope level and a child scope of an organization. It allows logical grouping of resources within an organization, such as targets, host catalogs, credential stores and sessions. |
Host catalog | A collection of hosts that Boundary can connect to, organized into host sets. |
Host set | A subset of hosts within a host catalog which are equivalent for the purposes of access control. |
Host | A resource with a network address reachable from Boundary, such as a server or database. |
Target | A resource that ties network address information (via a direct address or by referencing host sets), credential libraries for injection or brokering (if desired) and port information to represent a networked service available for connection through Boundary. Targets also contain parameters, such as lifetime and connection count, to configure on the sessions created via authorization against the target. A target can be optionally configured with ingress/egress worker filters that determine which workers to use to access targets. |
Worker | A secure network proxy, enabling users to access private targets by establishing a direct network tunnel between the Boundary client on the user's machine and the target systems. |
User | A resource that represents an individual person or entity for the purposes of access control. A user can be associated with zero or more accounts. A user authenticates to Boundary through an associated account and must be associated with at least one account before they can access Boundary. |
Group | A group is a principal; assign groups to roles. Any role assigned to a group is indirectly assigned to all users within the group. Define a group at the global, organization, or project scope level. |
Managed group | A resource that represents a collection of accounts. Form the collection by evaluating account information (for example LDAP groups, OIDC claims) defined by the auth method's identity provider against the managed group's configuration. Associate an account with zero or more managed groups within the same auth method. Optionally use these as principals in roles. |
Role | A role is a collection of permissions granted to any principal assigned to it. Configure users, groups, and managed groups as principals in a role. |
Authentication method | The mechanism by which users authenticate to Boundary, either with Boundary's built-in password auth method or via external identity providers such as LDAP, Active Directory, or OIDC providers. |
Account | A representation of a user's identity within a specific authentication method. Manually or automatically create accounts and associate them with a user in the same scope as the account's auth method. |
Credential | Authentication details such as passwords, tokens, or keys used to access resources. |
Credential store | Secure storage for managing and accessing credentials either internally to Boundary or to an external store such as HashiCorp Vault. |
Credential library | A source of credentials of a single type, backed by a credential store. Attach a credential library to a target so that Boundary brokers the credential to the user or injects it into the session when the user connects to the networked service. |
Session | A session is a set of related connections between a user and a host. A session may include a set of credentials which define the permissions granted to the user on the host for the duration of the session. Optionally place limits on the session, such as a maximum lifetime and/or a maximum connection count. |
Session recordings | Recordings of user sessions for auditing and monitoring purposes. |
Storage Bucket | A container for storing session recordings and other data within Boundary. |
Storage Policy | Rules and configurations governing the management and retention of data within storage buckets. |
Availability zone (AZ) | A distinct data center within a region that provides redundant and isolated infrastructure to ensure high availability and fail-over protection. Each region consists of multiple AZs to offer resilience against system failures. |
Region | A geographically distinct area that hosts multiple data centers, providing redundancy and fault tolerance for cloud services. Each region consists of multiple, isolated locations known as Availability Zones. |
Instance | A physical or virtual server or hardware unit used for computing purposes. |
Load Balancer | A hardware or software device used to distribute incoming network traffic across multiple servers. |
Use cases covered
This document covers the adoption phase of operating Boundary on the maturity model and includes the following:
Use Case | Summary |
---|---|
IdP Integration | Integrating identity providers with HashiCorp Boundary centralizes and secures user authentication, streamlining access management across your organization. By leveraging existing identity providers such as Okta, Auth0, Microsoft Entra ID (any OIDC-based IdP), LDAP servers such as OpenLDAP, and Microsoft Active Directory, Boundary ensures that user access is consistent, secure, and easy to manage. |
Managed Groups | By integrating with identity providers like LDAP, Microsoft Entra ID (Azure AD), and OIDC, Managed Groups enable dynamic user membership based on predefined criteria such as roles, departments, or project teams. This reduces administrative overhead and enhances security by ensuring that access policies are consistently enforced as users join, move within, or leave an organization. |
Administrative Governance | Boundary provides visibility into which identities access specific systems and allows you to control and terminate sessions automatically or manually. It creates a system of record for user access and actions during remote sessions, helping you maintain security compliance and enforce strong access controls. |
Secure Proxy | Secure Proxy is a Boundary worker capability responsible for proxying sessions between clients and targets. It has various operating modes, topologies, and network connectivity requirements. |
Credential Management | When a user tries to access a remote machine, they require a set of credentials. There are two types of credentials, static and dynamic. Credential management refers to the management of these static and dynamic credentials using the concepts of credential brokering or credential injection. |
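The following Terraform configuration is an added worked example, not code from the HVD or from HashiCorp. It ties the definitions above to the IdP integration, managed group and credential management use cases: an organization under global, a project under it, an OIDC auth method and managed group at the organization, a role at the organization whose grants apply only inside the project, and a host catalog, Vault credential store and target in the project. It assumes the `hashicorp/boundary` provider at a release that supports `grant_scope_ids` (1.1.x or later), a provider block and `variables.tf` (declaring `oidc_client_secret` and `vault_token`) configured elsewhere, and placeholder IdP, controller, Vault and host addresses; the managed group filter and worker tag are likewise assumptions about the IdP's claims and the worker configuration.

```hcl
# Organization scope: IAM resources (auth methods, managed groups, roles) live here.
resource "boundary_scope" "org" {
  scope_id                 = "global"
  name                     = "platform-org"
  auto_create_admin_role   = true
  auto_create_default_role = true
}

# Project scope: host catalogs, credential stores and targets live here.
resource "boundary_scope" "prod" {
  scope_id               = boundary_scope.org.id
  name                   = "prod"
  auto_create_admin_role = true
}

# OIDC auth method at the org; the IdP redirects back to
# <api_url_prefix>/v1/auth-methods/oidc:authenticate:callback.
resource "boundary_auth_method_oidc" "idp" {
  scope_id             = boundary_scope.org.id
  name                 = "corporate-oidc"
  issuer               = "https://idp.example.com"                # assumption: placeholder IdP
  client_id            = "boundary"
  client_secret        = var.oidc_client_secret                   # assumption: declared in variables.tf
  signing_algorithms   = ["RS256"]
  api_url_prefix       = "https://boundary.example.internal:9200" # assumption: controller API address
  is_primary_for_scope = true                                     # accounts and users created on first login
  state                = "active-public"
}

# Managed group: membership is evaluated from IdP claims at each login, so it tracks the IdP.
resource "boundary_managed_group" "sre" {
  auth_method_id = boundary_auth_method_oidc.idp.id
  name           = "sre"
  filter         = "\"sre\" in \"/userinfo/groups\"" # assumption: IdP exposes a groups claim via userinfo
}

# Role at the org that grants only into the prod project and only on targets and
# sessions; it carries no grants on users, roles or auth methods.
resource "boundary_role" "sre_prod_access" {
  scope_id        = boundary_scope.org.id
  name            = "sre-prod-access"
  principal_ids   = [boundary_managed_group.sre.id]
  grant_scope_ids = [boundary_scope.prod.id]
  grant_strings = [
    "ids=*;type=target;actions=list,read,authorize-session",
    "ids=*;type=session;actions=list,read:self,cancel:self",
  ]
}

# Host catalog -> host -> host set, all in the project.
resource "boundary_host_catalog_static" "db" {
  scope_id = boundary_scope.prod.id
  name     = "postgres-catalog"
}

resource "boundary_host_static" "pg1" {
  host_catalog_id = boundary_host_catalog_static.db.id
  name            = "pg-1"
  address         = "10.0.1.10" # assumption: private address reachable only through workers
}

resource "boundary_host_set_static" "pg_primary" {
  host_catalog_id = boundary_host_catalog_static.db.id
  name            = "postgres-primary"
  host_ids        = [boundary_host_static.pg1.id]
}

# Vault credential store and a library that returns dynamic database credentials.
resource "boundary_credential_store_vault" "vault" {
  scope_id = boundary_scope.prod.id
  name     = "prod-vault"
  address  = "https://vault.example.internal:8200" # assumption: placeholder Vault address
  token    = var.vault_token                       # assumption: renewable periodic token from variables.tf
}

resource "boundary_credential_library_vault" "pg_dynamic" {
  credential_store_id = boundary_credential_store_vault.vault.id
  name                = "postgres-readonly"
  path                = "database/creds/readonly" # assumption: Vault database secrets engine role
  http_method         = "GET"
  credential_type     = "username_password"
}

# Target: address via the host set, credentials brokered from Vault, session limits,
# and an egress worker filter so only workers tagged env=prod proxy the session.
resource "boundary_target" "pg" {
  scope_id                       = boundary_scope.prod.id
  name                           = "postgres-primary"
  type                           = "tcp"
  default_port                   = 5432
  host_source_ids                = [boundary_host_set_static.pg_primary.id]
  brokered_credential_source_ids = [boundary_credential_library_vault.pg_dynamic.id]
  session_max_seconds            = 3600
  session_connection_limit       = 1
  egress_worker_filter           = "\"prod\" in \"/tags/env\"" # assumption: workers carry tag env=prod
}
```

Two points worth checking in a review of a configuration like this: the role is created at the organization but its `grant_scope_ids` list contains only the project, so a member of the managed group gains no rights over the organization's users, roles or auth methods; and because the target references a credential library rather than a stored secret, the user receives a short-lived credential from Vault at session start instead of a shared static password.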