I’m trying to set up a production-ready Boundary and I’m running into a few issues I’m having a tough time finding any documentation on.
Current setup is: 1 controller and 1 worker node, both sitting in the same public subnet. Controller pointing externally through a network load balancer on the same public subnet directing 443 → 9200.
First issue, I have the security group on Controller 1 allowing access from the NLB. However, the Desktop client fails to connect unless I open port 9200 to 0.0.0.0/0 on Controller 1. Are there hidden addresses that need to be opened to allow access, as obviously I don’t want to allow all traffic?
Secondly, I have my controller.hcl file as follows:
```hcl
# Disable memory lock: https://www.man7.org/linux/man-pages/man2/mlock.2.html
disable_mlock = true

telemetry {
  # prometheus is not currently implemented
  prometheus_retention_time = "24h"
  disable_hostname = true
}

# Controller configuration block
controller {
  name = "boundary-controller"
  description = "Boundary Controller 1"
  public_cluster_addr = "<EC2 public address>"
  database {
    url = "<postgresql address>"
  }
}

# API listener configuration block
listener "tcp" {
  address = "<private address:9200>"
  public_addr = "<public address>"
  purpose = "api"
  tls_disable = true
  cors_enabled = true
  cors_allowed_origins = ["*"]
}

# Data-plane listener configuration block (used for worker coordination)
listener "tcp" {
  # Should be the IP of the NIC that the worker will connect on
  address = "<private address:9201>"
  public_addr = "<public address>"
  purpose = "cluster"
  tls_disable = true
}
```
KMS Keys Below
While logged into the Controller EC2 instance, any boundary command executed (with -keyring-type=none) returns the following error: "Error trying to list sessions: error performing client request during List call: Get "http://127.0.0.1:9200/v1/sessions?scope_id=global": dial tcp 127.0.0.1:9200: connect: connection refused"
Boundary is running as a service, as per the instructions here: https://www.boundaryproject.io/docs/getting-started/installing/production
This includes trying to authenticate as Admin. (I can log into Desktop and webpage without issue).
Am I missing a step here?
Lastly, is it possible to proxy through Boundary from, say, a desktop on my home local network? When I attempt to connect to an instance in a private subnet from my own PC, I get a “would you like to retry” error. However, I don’t get this error if I connect from a desktop client within the network Boundary is built on.
Many thanks for the help. Apologies for all the questions, but I’m unable to find much about these topics.
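For reference, here is the same controller.hcl as an added example (not the poster's file) with the two settings a reviewer would flag changed: TLS enabled on the API listener and CORS restricted to the origin that serves the UI; the certificate paths and the origin are placeholders.

```hcl
# Added example: hardened variant of the controller.hcl above.
# Certificate paths and the allowed origin are placeholders.
disable_mlock = true

controller {
  name        = "boundary-controller"
  description = "Boundary Controller 1"
  public_cluster_addr = "<EC2 public address>"
  database {
    url = "<postgresql address>"
  }
}

# API listener: the NLB forwards 443 -> 9200 as TCP, so TLS terminates here.
listener "tcp" {
  address       = "<private address:9200>"
  public_addr   = "<public address>"
  purpose       = "api"
  tls_disable   = false
  tls_cert_file = "/etc/boundary/tls/api.crt"   # placeholder path
  tls_key_file  = "/etc/boundary/tls/api.key"   # placeholder path
  cors_enabled  = true
  # Only the origin the Desktop client and browser UI actually use,
  # instead of "*", which accepts any site's cross-origin requests.
  cors_allowed_origins = ["https://<public address>"]
}

# Cluster listener: Boundary manages TLS for worker auth on this listener
# itself, so no tls_* fields are set; keep 9201 off the public NLB.
listener "tcp" {
  address     = "<private address:9201>"
  public_addr = "<public address>"
  purpose     = "cluster"
}
```

The CLI defaults to http://127.0.0.1:9200, and with the API listener bound to the private address nothing listens on localhost, so on the controller itself point it at the listener with `-addr` or `BOUNDARY_ADDR`. The 0.0.0.0/0 rule is usually needed because an NLB preserves the client's source IP for instance targets, so the controller's security group sees the client address rather than the NLB's.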