Boundary Workers

Hi all,

Question:

Do the Boundary workers need public IPs, or can they be put into a private subnet and only have the Boundary controller connect to them?

I ask this because I do not want to expose the Boundary workers to the public.

Hey there, check out our reference architecture for a drawing of how we recommend setting this up.

If you want access from clients in a public network, you'll need to expose the workers publicly; however, if your clients are on a private network, then the workers can be private too.

Let me know if you have any more questions!

Relating to this topic … I thought I read somewhere about upstream/downstream workers, but I'm not able to find that reference again. It read like we need to expose some workers to clients, but others can reference upstream workers so they are not exposed explicitly. Is this type of thing supported, or do we need to expose all workers directly to the clients? Can this be done with both PKI & KMS workers?

For example:

client --> controller
      \--> upstream worker <--> downstream worker --> target

Many thanks


Currently downstream workers can authenticate through upstream workers. This is mostly used to have self-managed workers connect to HCP Boundary clusters.

In an upcoming release there will be support for multi-hop session proxying.
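To make the upstream/downstream arrangement in the diagram above concrete, here is an added example of two PKI worker configurations, written for this thread and not taken from the Boundary documentation or from any poster. It assumes Boundary 0.9 or later (where the worker stanza accepts `initial_upstreams`), a publicly reachable upstream worker at the placeholder address `upstream.example.com:9202`, a controller cluster listener at the placeholder address `controller.internal.example.com:9201`, and a downstream worker in a private subnet whose only egress is to the upstream on 9202. Hostnames, paths and tags are placeholders. As the reply above states, the downstream worker uses the upstream only to authenticate to the controller; client sessions are not proxied through the chain until the multi-hop release it mentions.

```hcl
# ---- upstream-worker.hcl (hypothetical file name) ----
# Public-facing PKI worker. Clients and downstream workers connect here,
# so its proxy listener must be reachable from the client network.
disable_mlock = true

listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}

worker {
  name        = "upstream-worker"
  description = "Public worker reached by clients and by downstream workers"

  # Address advertised to clients; placeholder, must resolve from the client network.
  public_addr = "upstream.example.com:9202"

  # This worker dials the controller cluster listener directly (placeholder address).
  initial_upstreams = ["controller.internal.example.com:9201"]

  # Where the worker persists its PKI credentials after registration.
  auth_storage_path = "/var/lib/boundary/worker-auth"

  tags {
    type = ["upstream", "public"]
  }
}

# ---- downstream-worker.hcl (hypothetical file name) ----
# Private-subnet PKI worker. It needs no public IP: it dials out to the
# upstream worker instead of the controller and authenticates through it.
# The subnet's egress rule should allow only upstream.example.com:9202
# and the target hosts; no inbound rule from the Internet is required.
disable_mlock = true

listener "tcp" {
  address = "10.0.2.15:9202"   # private subnet address (placeholder)
  purpose = "proxy"
}

worker {
  name        = "downstream-worker"
  description = "Private worker that reaches only the upstream worker and targets"

  # Advertised address; only meaningful inside the VPC (placeholder).
  public_addr = "10.0.2.15:9202"

  # Points at the upstream worker, not at the controller.
  initial_upstreams = ["upstream.example.com:9202"]

  auth_storage_path = "/var/lib/boundary/worker-auth"

  tags {
    type = ["downstream", "private"]
  }
}
```

Each worker still has to be registered with the controller once. With the worker-led flow, starting `boundary server -config <file>` prints a Worker Auth Registration Request token in the worker's log; an operator then runs `boundary workers create worker-led -worker-generated-auth-token=<token>` against the controller, after which the worker stores its credentials under `auth_storage_path` and reconnects on its own. A quick check that the downstream worker really is private is to confirm from outside the VPC that nothing answers on its 9202 port while the controller's worker list still shows it as connected through the upstream.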