A new platform for documentation and tutorials is launching soon.
We are migrating Boundary documentation into HashiCorp Developer, our new developer experience.
»What is Boundary?
HashiCorp Boundary is a tool for managing identity-based access for modern, dynamic infrastructure. Boundary’s workflow layers security controls and integrations on multiple levels monitoring and managing user access through:
- Tightly scoped identity-based permissions
- "Just-in-time" network and credential access for sessions via HashiCorp Vault
- Single sign-on to target services and applications via external identity providers
- Access-as-code to automate the configuration of user permissions
- Automated discovery of target systems
- Session monitoring and management for access created via Boundary.
Boundary's foundation is based on the following important concepts.
- Zero Trust Security: Zero-Trust is an identity-based access model where the user access is continuously authenticated. Access is only authorized when the established rules and policies tied to the user’s identity are verified.
- Consistent Workflow for Access: Once the user is verified and granted access, Boundary securely connects the user securely to their infrastructure regardless of cloud platform, target environment, or identity provider. This foundation provides continuous user authentication and authorization workflows within ephemeral sessions, which administrators can monitor and manage securely.
- Extensibility with the Ecosystem: Modern organizations often require a multilayered access matrix constructed of identity providers, policy engines, secrets management tools, target types, and cloud providers that integrate and allow users to reside within access workflows requiring vendor lock-in. Boundary does not require vendor lock-in and supports the user's vendor-of-choice.
»How does Boundary work?
Boundary provides secure access to hosts and critical systems without distributing and managing credentidals, configuring firewalls, or exposing the organization's private network. Traditionally, for users to access their resources, it's required that organizations establish and maintain SSH bastion hosts and VPNs. The illustration below displays Boundary's core workflow.
The core Boundary workflow consists of four stages:
- User Authentication: The user logs in with a trusted identity (based on the rules and policies) with a trust identity platform such as Azure Active Directory, Okta, Ping, or any other trust identify platforms supporting OpenID Connect.
- Granular Authorization: Boundary authenticates and authorizes users based on their roles and logical services, and tightly controls access and actions performed against systems.
- User-selected dynamic catalogs: The user selects their application or host from dynamic host catalogs.
- Access: Boundary streamlines connection to hosts by automating discovery and access configuration as workloads are deployed and changed.
With the many varying infrastructure services and tooling used in increasingly dynamic environments, organizations must have secure access to all targets within and beyond their perimeter.
Boundary provides a simple way for verified users to have secure access to cloud and self-managed infrastructures without exposing networks or managing credentials. Boundary's workflow enables "just-in-time", role-based access for dynamic infrastructure.
The key features and concepts of Boundary include:
»Identity & Permission Management
Identity is a core concept in Boundary. Identity is represented by two types of resources, mapping to common security principals:
- Users, which represent distinct entities that can be tied to authentication accounts
- Groups, which are collections of users that allow for easier access management
Boundary enables flexible management of the hosts and services to broker access. Boundary administrators define host catalogs containing information about hosts. The cataloged hosts are collected into host sets that represent sets of equivalent hosts. Finally, targets tie together host sets with connection information. Access to a resource is granted via roles that provide authorization to create sessions against these targets.
Parts of Boundary support filters for various purposes. For a description of the filter syntax, see the filtering page. See the docs pages for the individual resources or capabilities where filters are supported for the specific inputs and examples with those inputs.
Tip: Learn more about Boundary use cases.
»What is HCP Boundary?
Boundary offers two types of deployment options. A first option is an OSS self-managed deployment solution as discussed above. A self-managed approach enables organizations to proxy all session data through their own network while still providing the convenience of a managed service. A second option is an HCP-managed deployment solution where both the control plan and worker nodes are managed by HashiCorp. With this managed solution, an option of private workers is offered. HCP Boundary is a fully-managed, cloud-based workflow that enables secure connections to remote hosts and critical systems across cloud and on-premise environments. Refer to the HCP Boundary documentation to learn more.
Hands On: Try the Create a Boundary Instance on HCP tutorial to deploy an HCP Boundary instance.
Refer to the Boundary tutorials to learn how to set up, configure, and administer Boundary.
We welcome questions, suggestions, and contributions from the community.