Configs · Apr 16, 2026 · 3 min read

Boundary — Secure Remote Access by HashiCorp

An identity-based access management tool that replaces traditional VPNs with fine-grained, identity-aware connections to infrastructure resources without exposing networks.

TL;DR
Boundary provides identity-based access to infrastructure, replacing VPNs with fine-grained controls.
§01

What it is

Boundary is an identity-based access management tool by HashiCorp that replaces traditional VPNs. Instead of giving users broad network access, Boundary provides fine-grained, identity-aware connections to specific infrastructure resources. Users authenticate through identity providers (Okta, Azure AD, OIDC), and Boundary grants access only to the specific databases, servers, or services they are authorized to use.

This tool is for security teams, platform engineers, and DevOps engineers who need to provide secure remote access to infrastructure without the overhead and risk of VPN tunnels.

§02

How it saves time or tokens

Boundary eliminates VPN configuration and management overhead. No more VPN profiles, split-tunneling rules, or broad network access that exposes more than necessary. Access is granted per resource and per identity. Session recording and audit logs provide compliance visibility without additional tooling.

§03

How to use

  1. Deploy Boundary server (self-hosted or HCP Boundary).
  2. Configure identity providers and targets.
  3. Users authenticate and connect to authorized resources.
  4. Boundary proxies connections securely.

# Install Boundary CLI
brew install hashicorp/tap/boundary

# Authenticate
boundary authenticate oidc -auth-method-id amoidc_1234567890

# List available targets
boundary targets list -recursive

# Connect to a database target
boundary connect postgres -target-id ttcp_1234567890 \
  -dbname mydb

# Connect to an SSH target
boundary connect ssh -target-id ttcp_0987654321

§04

Example

Boundary Terraform configuration for a database target:

resource "boundary_target" "prod_db" {
  name        = "production-database"
  description = "Production PostgreSQL"
  type        = "tcp"
  scope_id    = boundary_scope.project.id

  default_port = 5432

  host_source_ids = [
    boundary_host_set_static.prod_db.id
  ]

  injected_application_credential_source_ids = [
    boundary_credential_library_vault.db_creds.id
  ]
}

Boundary injects credentials from Vault automatically. Users never see the database password.
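The target above references a project scope, a static host set and a Vault credential library that the page does not define. The following Terraform is an added example (not code from the original page or from HashiCorp) that supplies those resources and adds a role so that only one group may open sessions to the target. The organization and project names, host address, Vault address, Vault secrets path, variable names and managed-group id are assumed placeholders.

```hcl
# Added example: the resources boundary_target.prod_db refers to, plus a role.
# All names, addresses and paths are assumed placeholders, not values from the page.

resource "boundary_scope" "org" {
  name                     = "example-org"
  scope_id                 = "global"
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_scope" "project" {
  name                   = "prod-infra"
  scope_id               = boundary_scope.org.id
  auto_create_admin_role = true
}

# Static host catalog holding the one host the target resolves to.
resource "boundary_host_catalog_static" "prod_db" {
  name     = "prod-db-catalog"
  scope_id = boundary_scope.project.id
}

resource "boundary_host_static" "prod_db" {
  name            = "prod-db-primary"
  host_catalog_id = boundary_host_catalog_static.prod_db.id
  address         = "10.0.1.10" # assumed private address; users never reach it directly
}

resource "boundary_host_set_static" "prod_db" {
  name            = "prod-db-hosts"
  host_catalog_id = boundary_host_catalog_static.prod_db.id
  host_ids        = [boundary_host_static.prod_db.id]
}

# Vault credential store: Boundary holds the Vault token, users never do.
resource "boundary_credential_store_vault" "vault" {
  name     = "vault-prod"
  scope_id = boundary_scope.project.id
  address  = "https://vault.example.internal:8200" # assumed
  token    = var.boundary_vault_token              # needs lookup-self, renew-self and read on the path below
}

# Library that asks Vault's database secrets engine for short-lived credentials.
resource "boundary_credential_library_vault" "db_creds" {
  name                = "prod-db-readonly"
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "database/creds/prod-readonly" # assumed Vault role path
  http_method         = "GET"
  credential_type     = "username_password" # required so the credential can be injected
}

# Least privilege: the DBA group may only read and start sessions on this target.
resource "boundary_role" "prod_db_connect" {
  name          = "prod-db-connect"
  scope_id      = boundary_scope.project.id
  principal_ids = [var.dba_managed_group_id] # assumed managed-group id from the OIDC auth method
  grant_strings = [
    # grant syntax of recent releases; older releases spell the key "id="
    "ids=${boundary_target.prod_db.id};actions=read,authorize-session",
  ]
}

variable "boundary_vault_token" {
  type      = string
  sensitive = true
}

variable "dba_managed_group_id" {
  type = string
}
```

The role is the part worth checking after `terraform apply`: a user in the managed group should see `production-database` in `boundary targets list -recursive` and nothing else in the project, and a `boundary connect postgres` session should succeed without the user ever being prompted for a database password, because the credential library supplies it from Vault at session start.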

§06

Common pitfalls

  • Boundary has a learning curve compared to simple VPNs. The concepts of scopes, targets, host catalogs, and credential stores require upfront investment.
  • Self-hosted deployment requires PostgreSQL and careful network architecture. HCP Boundary (HashiCorp Cloud) simplifies this.
  • Credential brokering with Vault adds another system to manage. Ensure your Vault setup is stable before integrating.
  • Not all applications support proxied connections cleanly. GUI tools that require direct database connections may need additional configuration.
  • Session recording generates significant storage. Plan for log retention and cleanup.
  • Review the official documentation before deploying to production to ensure compatibility with your specific environment and requirements.
  • Start with default settings and customize incrementally. Changing too many configuration options at once makes debugging harder.

Frequently Asked Questions

How is Boundary different from a VPN?

VPNs grant network-level access. Once connected, a user can reach any resource on the network. Boundary grants resource-level access. A user authenticated through Boundary can only reach specific targets they are authorized for, nothing else.

Does Boundary integrate with Vault?

Yes. Boundary integrates with HashiCorp Vault for credential brokering. Boundary can request temporary database credentials from Vault and inject them into user sessions, so users never see passwords.

What identity providers does Boundary support?

Boundary supports OIDC providers including Okta, Azure AD, Auth0, and any standard OIDC-compliant provider. It also supports password-based authentication and LDAP.

Is Boundary open-source?

The core of Boundary is open-source under the BSL license. HashiCorp also offers HCP Boundary, a managed cloud version with additional enterprise features.

Can I audit who accessed what?

Yes. Boundary provides detailed session logs showing who connected to which target, when, and for how long. Enterprise features add session recording for full audit trails.
