Configs · April 16, 2026 · 1 min read

Boundary — Secure Remote Access by HashiCorp

An identity-based access management tool that replaces traditional VPNs with fine-grained, identity-aware connections to infrastructure resources without exposing networks.

Introduction

Boundary reimagines infrastructure access for the cloud era. Instead of punching holes through firewalls or managing VPN credentials, Boundary authenticates users via identity providers, authorizes access based on roles, and brokers short-lived connections to targets without ever exposing the underlying network.

What Boundary Does

  • Brokers authenticated connections to databases, servers, and Kubernetes clusters
  • Integrates with identity providers like Okta, Azure AD, and LDAP for SSO
  • Provides session recording and audit logs for compliance requirements
  • Injects dynamic credentials from Vault so users never see long-lived passwords
  • Replaces VPNs with identity-based, just-in-time access to specific resources

Architecture Overview

Boundary has two main components: controllers and workers. Controllers handle authentication, authorization, and the API. Workers proxy user traffic to target resources. The controller stores configuration in PostgreSQL. Workers can be deployed at the edge, close to target infrastructure, and tunnel connections back through the controller without opening inbound ports.
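The split described above, as an added configuration example that is not HashiCorp's sample config: one file for a controller (API, cluster listener, PostgreSQL backend) and one for an edge worker that only dials out to the controller. File names, host names, addresses and the `env://` variable are assumptions; the KMS keys are placeholders standing in for a cloud KMS or a generated 32-byte key.

```hcl
# --- boundary-controller.hcl (assumed file name) ---
disable_mlock = true

controller {
  name        = "controller-1"
  description = "Authentication, authorization and API"
  database {
    # postgres:// URL supplied from the environment, never written inline
    url = "env://BOUNDARY_PG_URL"
  }
}

# Client-facing API (assumed TLS cert paths)
listener "tcp" {
  purpose       = "api"
  address       = "0.0.0.0:9200"
  tls_cert_file = "/etc/boundary/tls/api.crt"
  tls_key_file  = "/etc/boundary/tls/api.key"
}

# Cluster listener: workers connect here; mutual auth uses the worker-auth KMS
listener "tcp" {
  purpose = "cluster"
  address = "0.0.0.0:9201"
}

kms "aead" {
  purpose   = "root"
  aead_type = "aes-gcm"
  key       = "PLACEHOLDER_BASE64_32_BYTE_KEY"
}

kms "aead" {
  purpose   = "worker-auth"
  aead_type = "aes-gcm"
  key       = "PLACEHOLDER_BASE64_32_BYTE_KEY"
}

# --- boundary-worker.hcl (assumed file name), deployed inside the private network ---
worker {
  name = "edge-worker-1"
  # Outbound-only connection to the controller's cluster port; the controller
  # never needs a route into the private network.
  initial_upstreams = ["controller.example.internal:9201"]
  # Address clients are told to dial for the proxy listener below
  public_addr = "worker1.example.internal"
  tags {
    network = ["prod-private"]
  }
}

listener "tcp" {
  purpose = "proxy"
  address = "0.0.0.0:9202"
}

# Must match the controller's worker-auth key (or reference the same cloud KMS)
kms "aead" {
  purpose   = "worker-auth"
  aead_type = "aes-gcm"
  key       = "PLACEHOLDER_BASE64_32_BYTE_KEY"
}
```

The worker's `tags` are what a target's worker filter selects on, so a target can be pinned to workers that sit inside the network holding it; the `aead` KMS stanza is only suitable for labs, and a production deployment points the `root` and `worker-auth` purposes at a cloud KMS instead.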

Self-Hosting & Configuration

  • Deploy controllers and workers via binary, Docker, or Kubernetes Helm chart
  • Configure identity providers (OIDC, LDAP) for single sign-on authentication
  • Define scopes, roles, and grants using HCL or the Terraform Boundary provider
  • Integrate with HashiCorp Vault for dynamic credential injection into sessions
  • Place workers in private networks to access targets without public exposure
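The configuration steps above, carried through end to end with the Terraform Boundary provider, as an added example rather than the project's own code: an org and project scope, an OIDC auth method with a managed group driven by an IdP groups claim, a static host in a private network, a Vault credential library that mints a short-lived read-only Postgres credential per session, a target restricted to tagged workers, and a least-privilege role. All addresses, names, tag values and `var.*` inputs are assumptions; the Vault `database/creds/pg-readonly` path assumes a database secrets engine role of that name exists.

```hcl
# Addresses, names and variables below are assumed for this example.
provider "boundary" {
  addr                            = "https://boundary.example.internal:9200"
  auth_method_id                  = var.bootstrap_auth_method_id
  password_auth_method_login_name = var.bootstrap_login_name
  password_auth_method_password   = var.bootstrap_password
}

# Scopes: global -> org -> project; grants attach at the narrowest scope.
resource "boundary_scope" "org" {
  scope_id               = "global"
  name                   = "platform"
  auto_create_admin_role = true
}

resource "boundary_scope" "project" {
  scope_id               = boundary_scope.org.id
  name                   = "prod-databases"
  auto_create_admin_role = true
}

# Identity: OIDC auth method; membership is derived from the IdP's groups claim.
resource "boundary_auth_method_oidc" "idp" {
  name                 = "corp-oidc"
  scope_id             = boundary_scope.org.id
  issuer               = "https://idp.example.com"
  client_id            = var.oidc_client_id
  client_secret        = var.oidc_client_secret
  api_url_prefix       = "https://boundary.example.internal:9200"
  signing_algorithms   = ["RS256"]
  claims_scopes        = ["groups"]
  is_primary_for_scope = true
  state                = "active-public"
}

resource "boundary_managed_group" "dbas" {
  name           = "dbas"
  auth_method_id = boundary_auth_method_oidc.idp.id
  filter         = "\"dba\" in \"/userinfo/groups\""
}

# Hosts: a private Postgres primary reachable only from the edge worker.
resource "boundary_host_catalog_static" "db" {
  name     = "postgres"
  scope_id = boundary_scope.project.id
}
resource "boundary_host_static" "pg_primary" {
  name            = "pg-primary"
  host_catalog_id = boundary_host_catalog_static.db.id
  address         = "10.0.20.11"
}
resource "boundary_host_set_static" "pg" {
  name            = "pg-primary"
  host_catalog_id = boundary_host_catalog_static.db.id
  host_ids        = [boundary_host_static.pg_primary.id]
}

# Vault: Boundary holds one renewable, narrowly scoped token and requests a fresh
# database credential for every session, so no standing password exists.
resource "boundary_credential_store_vault" "vault" {
  name     = "vault"
  scope_id = boundary_scope.project.id
  address  = "https://vault.example.internal:8200"
  token    = var.vault_boundary_token
}

resource "boundary_credential_library_vault" "pg_readonly" {
  name                = "pg-readonly"
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "database/creds/pg-readonly"
  http_method         = "GET"
}

# Target: one port, one concurrent connection, one-hour ceiling, brokered creds,
# proxied only by workers tagged for the private network.
resource "boundary_target" "pg" {
  name                           = "prod-postgres"
  type                           = "tcp"
  scope_id                       = boundary_scope.project.id
  default_port                   = 5432
  session_max_seconds            = 3600
  session_connection_limit       = 1
  host_source_ids                = [boundary_host_set_static.pg.id]
  brokered_credential_source_ids = [boundary_credential_library_vault.pg_readonly.id]
  egress_worker_filter           = "\"prod-private\" in \"/tags/network\""
}

# Authorization: DBAs may discover and connect to this one target and manage
# only their own sessions; no grant touches hosts, credentials or other scopes.
resource "boundary_role" "dba_connect" {
  name          = "dba-connect"
  scope_id      = boundary_scope.project.id
  principal_ids = [boundary_managed_group.dbas.id]
  grant_strings = [
    "ids=*;type=target;actions=list",
    "ids=${boundary_target.pg.id};actions=read,authorize-session",
    "ids=*;type=session;actions=read:self,cancel:self",
  ]
}
```

After `terraform apply`, a user in the IdP `dba` group authenticates with `boundary authenticate oidc` and runs `boundary connect postgres -target-id <id of boundary_target.pg>`; the worker proxies the session and the Vault-issued credential is handed to the client for that session only, which is the "dynamic credential brokering" the page describes. Because the grant is scoped to a single target id, adding a second database means adding a second target and an explicit grant, not widening the role.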

Key Features

  • Identity-based access replaces IP-based firewall rules and VPN tunnels
  • Dynamic credential brokering via Vault eliminates standing database passwords
  • Session recording captures SSH and database sessions for audit and compliance
  • Multi-hop workers allow access to deeply nested private network resources
  • Terraform provider enables infrastructure-as-code access management

Comparison with Similar Tools

  • Teleport — similar zero-trust access, more opinionated with built-in CA
  • Tailscale — mesh VPN for connectivity; Boundary is access control, not networking
  • OpenVPN — network-level tunnel; Boundary provides resource-level access only
  • HashiCorp Vault — secrets management; Boundary brokers connections using Vault creds
  • StrongDM — commercial infrastructure access proxy with similar goals

FAQ

Q: Does Boundary replace a VPN? A: Yes, for infrastructure access. Boundary provides identity-aware, resource-level access without exposing the entire network like a VPN does.

Q: How does Boundary integrate with Vault? A: Boundary can inject dynamic Vault credentials into sessions. When a user connects to a database target, Boundary requests a short-lived credential from Vault and passes it through transparently.

Q: Is Boundary open source? A: The Community Edition is open source under the Business Source License. HCP Boundary is the managed cloud offering from HashiCorp.

Q: Can Boundary handle Kubernetes access? A: Yes. You can configure Kubernetes API targets and use Boundary to broker kubectl access with identity-based authorization.

Sources
