Boundary Access outside VPC

I’ve successfully set up a production setup using 1 controller and 1 worker in a public subnet. Access to the controller is then granted through a Network Load Balancer. I can connect through the Boundary Desktop if I’m on a VM within that subnet, however I can’t figure out how to use Boundary successfully from my own home laptop.

My controller config is as follows:

controller {
  name = "boundary-1"
  description = "Boundary Controller"
  public_cluster_addr = "<EC2 public IP>:9201"
  database {
    url = "Database URL"
  }
}

# API listener configuration block
listener "tcp" {
  address = "0.0.0.0:9200"
  purpose = "api"
  tls_disable = true
  cors_enabled = true
  cors_allowed_origins = ["*"]
}

# Data-plane listener configuration block (used for worker coordination)
listener "tcp" {
  address = "0.0.0.0:9201"
  purpose = "cluster"
  tls_disable = true
}

My worker config:

# Proxy listener configuration block (no port given, so Boundary's default proxy port 9202 is used)
listener "tcp" {
  purpose = "proxy"
  address = "0.0.0.0"
  tls_disable = true
}

worker {
  public_addr = "<EC2 public IP>:9202"
  name = "worker"
  description = "Boundary Worker"
  controllers = [
    "<controller private address>"
  ]
}

I have no issues authenticating with the controller through the Boundary Desktop or listing targets, however when I try to connect it returns an “Error: Would you like to retry?”. I assume it’s some configuration on the worker I’m missing.

Any help would be greatly appreciated…

Do your security groups on the VPC allow traffic on port 9202 from your laptop into the VPC?

Hey omkensey,

Just to test this case, I opened port 9202 to 0.0.0.0/0, but still received the same error. There is no NACL filtering at the VPC level, so it’s all wide open.

Do you see any log output from the controller or worker indicating that it’s receiving the connection attempt but rejecting it? Can you use the CLI to try to get some more output on your end of the connection attempt?

Nothing is showing in the logs when I try to establish the connection on either the controller or the worker. So it looks like it’s not even receiving the request. Am I missing something with the configuration? It’s just strange that it’ll work when I’m sitting in the same subnet.

It really looks like either the VPC security groups or maybe a host firewall is dropping the traffic before Boundary sees it – to verify you could do something like run netcat listening on port 9202 on some other host in the subnet, give it a public IP or add a load balancer listener for it, then see if you can connect to that from your desktop.
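The reachability test suggested above, as an added example that is not code from the thread or from Boundary: it probes the controller API port and the worker proxy port from the client and separates "refused" (host answered, nothing listening) from "timeout" (packets dropped before Boundary ever logs an attempt). CONTROLLER_HOST and WORKER_HOST are placeholders, not values from the thread.

```shell
#!/usr/bin/env bash
# Added example (not code from the thread or from Boundary): probe the TCP
# ports a remote Boundary client needs and classify the failure.
# "refused" = the host answered but nothing listens on that port.
# "timeout" = the packets are silently dropped (security group, NACL, host
# firewall, or, as in this thread, the client's own machine), which is why
# neither the controller nor the worker logs anything.

probe_tcp() {
  # usage: probe_tcp HOST PORT [TIMEOUT_SECONDS]
  # prints: open | refused | unreachable | timeout | error(N)
  local host port secs err rc
  host=$1; port=$2; secs=${3:-3}
  err=$(timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1)
  rc=$?
  if [ "$rc" -eq 0 ]; then echo open; return 0; fi
  if [ "$rc" -eq 124 ]; then echo timeout; return 1; fi
  case "$err" in
    *refused*)                  echo refused ;;
    *unreachable*|*"No route"*) echo unreachable ;;
    *)                          echo "error($rc)" ;;
  esac
  return 1
}

# Boundary's default ports: 9200 API (controller), 9202 proxy (worker).
# A session needs the API first and then a direct connection to the
# worker's public_addr; the retry prompt in this thread came from that
# second hop never completing.
check_boundary_path() {
  # usage: check_boundary_path CONTROLLER_HOST WORKER_HOST (placeholders)
  local api proxy
  api=$(probe_tcp "$1" 9200)
  proxy=$(probe_tcp "$2" 9202)
  echo "controller:9200 $api"
  echo "worker:9202 $proxy"
  case "$proxy" in
    open)    echo "proxy reachable; check worker/controller logs next" ;;
    timeout) echo "proxy filtered: check SG/NACL on the worker and the firewall on this client" ;;
    refused) echo "worker host reachable but nothing on 9202: check the worker's proxy listener" ;;
    *)       echo "no route to worker host: check the worker's public_addr" ;;
  esac
  [ "$api" = open ] && [ "$proxy" = open ]
}

# Example invocation from the laptop (placeholder hosts):
# check_boundary_path CONTROLLER_HOST WORKER_HOST
```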

Thanks for the help on this. I found the issue in the end. Funny enough, my personal desktop was actually blocking the connections, which explains the logs. Delighted to have this working now. Thanks again.
