Does Boundary controller need to be able to access the worker

For a bit of context before I ask the question, we want to deploy Boundary in hybird cloud.
For example, we want to deploy controller in one of AWS regions, and controller might be in same region/other region/other cloud provider.

In this case, thought every region should have public LB for worker to connect to private VPC.
But cross-regional network may not be easy, which means we may need to choose a “central” region to deploy the controller.

While I was looking for hybird cloud case, this Github Issue has one point.

Regarding worker -> controller communication. The communication needs to be in both directions:

1. The worker needs to be able to connect to the controller to register itself.
2. The controller needs to be able to connect to the worker to handle session establishment for a given client.

So my question is, so far, does boundary controoler need to be able to acees the worker?

I have two guesses. One of them is that it has always been like this but has not been mentioned obviously, and the other is that it has been optimized in the current version because I did not see the controller connect to the worker in any model diagram

The controller doesn’t need to access the workers, but the clients do. Also, the workers need to access the controllers.


To be clear – the initial connection direction is from worker → controller. That connection stays established and they then run bidirectional communication over it. But the controller does not reach out to the worker for an initial connection.