Hashicorp Boundary Ingress worker and egress worker configuration

I am trying to create ingress worker and egress worker in self-hosted VM. My intended approach is to End user (boundary desktop client tool) talks to ingress worker (hosted in DMZ network) and then DMZ ingress worker connect to egress worker (self-hosted in private network, close to the target resource).

  • do I have to use the same enterprise boundary binary for both ingress and egress worker on both VMs.
  • how to setup the configuration of the workers in this fashion?
  • Is this “tags” distinguish between workers (which one is ingress or egress)?
  • is it multi-hop workers which also include multi-hop sessions?

Thank you for your valuable input in advance

We recommend using the same enterprise Boundary binary for workers and controllers.
As far as setup, we have a tutorial here that walks through the process: Manage multi-hop sessions with HCP Boundary | Boundary | HashiCorp Developer
In this tutorial, tags are used for ingress and egress filtering. Docs on filtering workers is here: Filtering - worker tags | Boundary | HashiCorp Developer
Multi-hop workers are used for multi-hop sessions; some more information on that is listed here:Multi-hop sessions | Boundary | HashiCorp Developer

I hope this helps!

I looked at these however something is not clear to me, it is very confusing particularly related to ingress and egress worker requirements and terminology around downstream and upstream. in my case, I have one ingress worker and two egress workers

(ingress worker>1st egress worker>2nd egress worker)

so ingress worker will have "initial_upstreams=“Boundary controller IP” and tagged with “upstream” and then 1st egress work will have initial_upstreams=“Ingress worker IP” and tagged with “downstream or upstream” and then 2nd egress worker will have initial_upstreams=“1st egress worker IP” and tagged with “downstream”

Also, do 1st and 2nd egress workers has to authenticate with boundary controller or ingress worker? (I am taking about KMS “aead” section for worker-auth)

Can you please verify and check if it is correct