Boundary
What is Boundary?
HashiCorp Boundary is an identity-aware proxy aimed at simplifying and securing least-privileged access to cloud infrastructure
With Boundary you can:
- Enable single sign-on to target services and applications via external identity providers
- Provide just-in-time network access to private resources
- Enable passwordless access with dynamic credentials via HashiCorp Vault
- Automate discovery of new target systems
- Record and manage privileged sessions
- Standardize your team's access workflow with a consistent experience for any type of infrastructure across any provider
Get started here.
How does Boundary work?
Boundary provides secure access to hosts and critical systems without distributing and managing credentials, configuring firewalls, or exposing the organization's private network. Traditionally, for users to access their resources, it's required that organizations establish and maintain SSH bastion hosts and VPNs.
The video below provides an overview of the Boundary architecture, components, and deployment models. It also gives a brief walkthrough of the end user's experience.
The illustration below displays Boundary's core workflow.
The core Boundary workflow consists of four stages:
- User Authentication: The user logs in with a trusted identity (based on the rules and policies) with a trust identity platform such as Azure Active Directory, Okta, Ping, or any other trust identity platforms supporting OpenID Connect.
- Granular Authorization: Boundary authenticates and authorizes users based on their roles and logical services, and tightly controls access and actions performed against systems.
- User-selected dynamic catalogs: The user selects their application or host from dynamic host catalogs.
- Access: Boundary streamlines connection to hosts by automating discovery and access configuration as workloads are deployed or changed.
Which edition of Boundary is right for me?
- HCP Boundary: a managed Boundary offering with commercial features. HashiCorp hosts Boundary's control plane and you have the option of running private workers within your environment.
- Boundary Enterprise: a self-managed Boundary offering with full feature parity to HCP Boundary.
- Boundary Community Edition: a free, self-managed version of Boundary.
If you're not sure which edition is right for you, we recommend HCP Boundary because it eliminates deployment operations.
Regardless of which server edition of Boundary you use, all editions require the same Desktop and CLI clients, which you can download here.
Feature | Community | HCP | HCP | Enterprise |
---|---|---|---|---|
Standard | Plus | Plus | ||
Just-in-time credential access via HashiCorp Vault | ✓ | ✓ | ✓ | ✓ |
Just-in-time network access for TCP, SSH, RDS, K8s database | ✓ | ✓ | ✓ | ✓ |
Single sign-on access via OIDC and LDAP | ✓ | ✓ | ✓ | ✓ |
Identity provider managed groups | ✓ | ✓ | ✓ | ✓ |
Terraform support for fully automated deployment and configuration | ✓ | ✓ | ✓ | ✓ |
Credential brokering | ✓ | ✓ | ✓ | ✓ |
Automated target discovery | ✓ | ✓ | ✓ | ✓ |
Audit logs | ✓ | ✓ | ✓ | ✓ |
Multi-hop sessions | ✓ | ✓ | ✓ | |
Credential injection | ✓ | ✓ | ✓ | |
Audit log streaming | ✓ | ✓ | ||
Automatic updates | ✓ | ✓ | ||
Disaster recovery | ✓ | ✓ | ||
Push button deployment | ✓ | ✓ | ||
Session recording | ✓ | ✓ |
Get started
Refer to the Boundary tutorials to learn how to set up, configure, and administer Boundary.
Community
We welcome questions, suggestions, and contributions from the community.
- Ask questions in HashiCorp Discuss.
- Read our contributing guide.
- Submit an issue for bugs and feature requests.