Separate Networks connectivity

In isolated networks that I need to connect to, do I need all workers & controllers to be connected, or do they only need to reach the internet?

Workers need to be able to reach all controllers; clients need to be able to reach all controllers (either directly or through a load balancer) and all workers. Controllers don’t initiate outgoing traffic to other controllers, workers or clients, but do need to be able to do so to the Postgres database used for Boundary.

1 Like

@omkensey captures the network access requirements of Boundary workers and controllers well. Workers don’t need access to the public internet but they do need to be accessible to your clients.

One additional item I would add is that the number of workers with connectivity to your isolated network can be limited via worker and target tags and filters, which can limit the workers used to proxy traffic for a target to only those that match administrator-defined tags and filters.

1 Like

Actually, as @PPacent reminded me of worker filtering, I’ll amend my previous post in one detail – clients need access to all the workers that serve the targets they have permission to access. If you have two distinct sets of clients, each accessing a separate set of targets from each other, with filters applied so that group A’s targets are only ever accessed through a separate group of workers than group B’s targets, and vice-versa, then each client group only needs access to the workers that proxy to its targets. (Imagine, say, domain administrators in a multi-site Active Directory environment, where each site has its own group of admins that manage AD only through their site’s domain controllers.)
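The connectivity rules from this thread, turned into a firewall allow-list check. This is an added example, not part of any post above and not Boundary code: the topology, every host and group name, and the tag-equality match (a simplified stand-in for a real worker filter expression) are assumptions.

```python
# Constructed sample topology; every name and tag here is hypothetical.
CONTROLLERS = ["ctrl-1", "ctrl-2"]
DATABASE = "postgres"
WORKERS = {  # worker name -> tags
    "worker-a1": {"site": "a"},
    "worker-a2": {"site": "a"},
    "worker-b1": {"site": "b"},
}
# Tags a worker must carry to proxy for the target (simplified filter).
TARGETS = {"dc-site-a": {"site": "a"}, "dc-site-b": {"site": "b"}}
# Targets each client group has permission to access.
GRANTS = {"admins-a": ["dc-site-a"], "admins-b": ["dc-site-b"]}


def workers_for(target):
    """Workers whose tags satisfy the target's required tags."""
    want = TARGETS[target]
    return sorted(w for w, tags in WORKERS.items()
                  if all(tags.get(k) == v for k, v in want.items()))


def required_flows():
    """Set of (source, destination) pairs that must be allowed."""
    flows = set()
    for ctrl in CONTROLLERS:
        flows.add((ctrl, DATABASE))          # controllers -> Postgres
        for worker in WORKERS:
            flows.add((worker, ctrl))        # every worker -> every controller
        for group in GRANTS:
            flows.add((group, ctrl))         # clients -> controllers (direct, no LB modelled)
    for group, targets in GRANTS.items():
        for target in targets:
            for worker in workers_for(target):
                flows.add((group, worker))   # clients -> only the workers serving their targets
                flows.add((worker, target))  # only matching workers proxy into the isolated network
    return flows


def violations(observed):
    """Observed flows that the model does not require, e.g. from flow logs."""
    return sorted(set(observed) - required_flows())


if __name__ == "__main__":
    for src, dst in sorted(required_flows()):
        print(f"allow {src} -> {dst}")
```

Anything `violations()` returns is a path that can be closed without breaking sessions, such as a site A admin group reaching a site B worker.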