HashiCorp has had a busy week: the latest version of Vault was released on their cloud platform as a managed service, and Terraform 0.15 went GA alongside an update to Terraform Cloud, so we nearly missed the update to their edge management solution, Boundary, which has just entered the truculent twos. So what’s new in Boundary 0.2?
Boundary is HashiCorp’s product for providing simple but secure access to the dynamic infrastructure that is prevalent in modern cloud-based applications and environments.
Traditional approaches like SSH bastion hosts and VPNs require managing and distributing credentials and configuring firewalls to protect your perimeter; Boundary provides a way to grant access to hosts, critical systems and services without having to manage credentials or expose your network.
It is built on three pillars:
- Identity-based access controls: represented by two types of resources, Users and Groups. Roles map Users and Groups to a set of Grants.
- Access automation: your perimeters are defined as code from resources, identities and access controls, using a fully instrumented Terraform provider, REST API, CLI and SDK. This allows new resources to be discovered and existing policies to be enforced as resources are provisioned.
- Session visibility: your security administrators can monitor and manage the privileged sessions established through Boundary, and all logs can be exported to your analytics tool of choice.
When 0.15 was released we covered its new features, but for completeness we highlight them again below.
- Worker tags and filters: introduced to tie traffic logically to a defined set of workers, so that a session to a specific target is forced to pass through the specified workers. Workers can thereby be defined to enforce locality on traffic.
- Upgrades and database migrations: when Boundary was first released there was no simple upgrade path; one was introduced, with fail-safes in the event of migration issues.
- Resource filtering and listing improvements: users can now navigate their resources more easily by filtering list actions on resource information.
- Improvements for Kubernetes access: the “boundary connect kube” command launches kubectl under the hood so that API calls to your Kubernetes clusters are gated by Boundary, letting you manage access to your Kubernetes APIs and services.
- Reference architectures: finally, reference architectures were introduced to help deploy Boundary on a large proportion of popular platforms, including Kubernetes, Amazon Web Services (AWS), Microsoft Azure, Google Cloud and Docker.
So what is new in Boundary 0.2?
This release’s focus is twofold: firstly authentication methods, and secondly the introduction of a sibling product in the form of Boundary Desktop. We will look at each feature in turn, starting with the ability to use external identity providers to authenticate into a Boundary-protected environment. To fulfil this request from users HashiCorp has integrated OpenID Connect, a simple identity layer on top of the OAuth 2.0 protocol. This addition allows the product to integrate with many popular identity providers such as Azure AD and Okta, and with cloud management systems such as AWS IAM.
This release lets users create, read, update and delete an OIDC authentication method and use it to log in via the CLI, the newly released Boundary Desktop and the Admin Console.
HashiCorp has also announced that the OIDC configuration will be integrated into the Boundary Terraform Provider, but that feature is unfortunately not ready yet.
OIDC auth method configuration is initially available via the command line, and in upcoming releases, we’ll also be integrating OIDC configuration into Boundary’s Terraform Provider as well as the Boundary administration console. To get you started with Boundary and OIDC check out the new Boundary OIDC learn tutorial.
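Since OIDC configuration is CLI-only in this release, the following script is an added example (written for this post, not HashiCorp’s code or the Learn tutorial) of the two pieces described above: registering and activating an OIDC auth method with the Boundary 0.2 CLI, and the Users/Groups/Roles/Grants model from the first section, here as a role that lets the authenticated users read and open sessions to every target in one project scope. The issuer, client id and secret, project scope id and the sample JSON are placeholders or constructed values; BOUNDARY_ADDR and BOUNDARY_TOKEN are assumed to be set for a real run, and the choice of u_auth as the principal is an assumption (a specific group id is the narrower option).

```shell
#!/usr/bin/env sh
# Added example, not taken from the article or from HashiCorp: drive the
# Boundary 0.2 CLI to register an OIDC auth method, activate it, and grant the
# users it authenticates access to the targets in one project scope.
# Assumptions: BOUNDARY_ADDR and BOUNDARY_TOKEN are set for the real run, and
# the issuer/client/scope values below are placeholders to be replaced.
set -eu

: "${BOUNDARY_DRY_RUN:=1}"                             # 1 = print commands, 0 = execute them
: "${BOUNDARY_ISSUER:=https://idp.example.invalid}"     # placeholder IdP issuer URL
: "${BOUNDARY_OIDC_CLIENT_ID:=replace-me}"              # placeholder client id from the IdP
: "${BOUNDARY_OIDC_CLIENT_SECRET:=replace-me}"          # placeholder client secret from the IdP
: "${BOUNDARY_API_URL_PREFIX:=http://127.0.0.1:9200}"   # controller API URL the IdP redirects back to
: "${BOUNDARY_PROJECT_SCOPE_ID:=p_replace-me}"          # placeholder project scope id
: "${BOUNDARY_PRINCIPAL_ID:=u_auth}"                    # built-in "any authenticated user"; a group id is narrower

# Constructed sample shaped like the CLI's -format json output, used to
# exercise extract_id without a controller (the real output has more fields).
SAMPLE_AUTH_METHOD_JSON='{"item":{"id":"amoidc_0123456789","scope_id":"global","type":"oidc","attributes":{"state":"inactive","issuer":"https://idp.example.invalid"},"scope":{"id":"global","type":"global"}}}'

# run: print the command (client secret redacted) in dry-run mode, else execute it.
run() {
  if [ "$BOUNDARY_DRY_RUN" = 1 ]; then
    shown=""
    for arg in "$@"; do
      [ "$arg" = "$BOUNDARY_OIDC_CLIENT_SECRET" ] && arg='<redacted>'
      shown="$shown $arg"
    done
    printf 'dry-run:%s\n' "$shown" >&2
  else
    "$@"
  fi
}

# extract_id PREFIX: pull the first resource id with that prefix out of JSON on
# stdin (amoidc_ for OIDC auth methods, r_ for roles); prints nothing if absent.
extract_id() {
  grep -o "\"id\":\"$1[^\"]*\"" | head -n 1 | cut -d'"' -f4
}

# target_grant [TARGET_ID]: grant string letting a principal read a target and
# start a session to it; "*" covers every target in the role's scope.
target_grant() {
  printf 'id=%s;type=target;actions=read,authorize-session' "${1:-*}"
}

# Register the IdP in the global scope. New OIDC auth methods start "inactive".
create_oidc_auth_method() {
  run boundary auth-methods create oidc \
    -scope-id global \
    -name corporate-idp \
    -issuer "$BOUNDARY_ISSUER" \
    -client-id "$BOUNDARY_OIDC_CLIENT_ID" \
    -client-secret "$BOUNDARY_OIDC_CLIENT_SECRET" \
    -signing-algorithm RS256 \
    -api-url-prefix "$BOUNDARY_API_URL_PREFIX" \
    -format json
}

# Make the auth method usable by everyone; "active-private" would keep it off
# the unauthenticated list while still allowing logins.
activate_auth_method() {
  run boundary auth-methods change-state oidc -id "$1" -state active-public
}

# Role in the project scope whose targets the OIDC users should reach.
create_role() {
  run boundary roles create -scope-id "$1" -name oidc-target-access -format json
}

main() {
  am_id=$(create_oidc_auth_method | extract_id amoidc_)
  am_id=${am_id:-amoidc_DRYRUN}            # placeholder id when nothing was executed
  activate_auth_method "$am_id"

  role_id=$(create_role "$BOUNDARY_PROJECT_SCOPE_ID" | extract_id r_)
  role_id=${role_id:-r_DRYRUN}
  run boundary roles add-principals -id "$role_id" -principal "$BOUNDARY_PRINCIPAL_ID"
  run boundary roles add-grants -id "$role_id" -grant "$(target_grant)"

  # User-side login: opens the IdP in a browser and stores the Boundary token.
  run boundary authenticate oidc -auth-method-id "$am_id"
}

main
```

Run it as-is to see the command sequence printed with the secret redacted; set BOUNDARY_DRY_RUN=0 with a reachable controller to apply it. The grant is deliberately limited to read and authorize-session on targets so that OIDC users can connect but not change Boundary’s own configuration.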
The second major announcement of this release is the introduction of Boundary Desktop for Mac.
Desktop Client GA
Boundary Desktop provides a simple interface that enables users, currently only on Mac, to browse and connect to their authorized targets from their local computer, effectively turning their desktop device into a secure Boundary endpoint.
Installation is simple: Mac users can either download the binary from the release page or install it via brew with the command “brew install hashicorp-boundary-desktop”.
This GA version introduces OIDC authentication and the ability to auto-update the application as new versions are released.
The OIDC-integrated login is a nice touch and allows easy integration with your Boundary infrastructure.
Once you have logged in you are presented with your available targets, and connecting to a resource is as simple as clicking connect. There is no need to remember multiple usernames and passwords, no requirement to store and share SSH keys across environments, and none of the associated pain of rotating them.
If you have a Mac you can get started with Boundary Desktop here. One rather unfortunate situation is that this release is only for Mac users; Linux and Windows users are coming, but there is no timeline for release. Further, I do feel that this is a just-around-the-corner release, as currently there is no public beta for either platform.
Boundary is an interesting product; it is well featured for a 0.2 release, but it suffers from a lack of marketing focus within HashiCorp, hidden as it is by the coronas of the Terraform, Vault and Consul suns. It is one of those “we also do” products, which is a shame, as it has a lot to offer with regards to securing a modern edge and is well suited to the dynamic nature of modern cloud-native applications and services. I do hope it gets the focus it deserves within the HashiCorp marketing teams; they need to raise the messaging surrounding it as a product, but for now Boundary 0.2 is a solid release.