I’m having a little bit of a hard time understanding how the infrastructure is supposed to be set up.
Let’s say I have one AWS account with Boundary, and I want to use that Boundary deployment to connect to some remote AWS account.
From my understanding, this is how a very very basic deployment might look like, right?
Basically the client connects to a controller in a public subnet, which does identify verification, and establishes a connection with a worker in the other AWS account in a public subnet. That connection is returned to the client who uses it to connect directly to the worker and to the target.
I’m a little uneasy on this, as you would need to put both the controller and workers in public subnets open completely to the public. You wouldn’t be able to protect them with any sort of Layer 4 Security Groups since the client can be any IP. Is this really secure?
Is Boundary essentially just a jump box with an identity provider and specific session management? That’s my understanding so far.