aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Multihop workers doc (#2772)

Browse Source 
Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>
Co-authored-by: XingLu Wang <95828202+xingluw@users.noreply.github.com>
pull/2786/head
Irena Rindos 3 years ago committed by GitHub
parent f3e23f485f
commit d15bd5507e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File

25
website/content/docs/configuration/worker/pki-worker.mdx
Unescape View File

@ -78,6 +78,29 @@ kms "aead" {
workers. These fields are only valid for [KMS Workers][]. `name` and
`description` can only be set for PKI workers through the API.
# Multi-Hop Workers<sup>HCP Only</sup>
You can use the `initial_upstreams` field to configure PKI workers to either connect directly to the control plane
or to other workers, when set to the worker's `public_addr`.
A multi-hop configuration is when two or more workers are connected, and there are multiple “hops” from a worker to
the controller. There are no limits on the amount of workers allowed in a multi-hop configuration.
The multi-hop configuration introduces the concepts of “upstream” and “downstream” workers. If you view controllers
as the “top” of a multi-hop chain, downstream workers reside below a worker in the chain, while upstream workers reside
above a worker in the chain. For example, in the diagram below, Worker 2s upstream is Worker 1, and its
downstream is Worker 3.
![multi-hop workers](/img/multi-hop-workers.png)
You can deploy multi-hop workers in scenarios where inbound network traffic is not allowed. A worker in a private
network can send outbound communication to its upstream worker, and create a reverse proxy to establish a session.
You can configure [target worker filters][] with multi-hop workers to allow for fine-grained control on which workers handle
ingress and egress for session traffic to a [target][]. Ingress worker filters determine which
workers you connect with to initiate a session, and egress worker filters determine which workers are
used to access targets.
# Complete Configuration Example
```hcl
@ -118,6 +141,8 @@ kms "aead" {
```
[kms workers]: /docs/configuration/worker/kms-worker
[target]: /docs/concepts/domain-model/targets
[target worker filters]: /docs/concepts/filtering/worker-tags
## Tutorial

BIN
website/public/img/multi-hop-workers.png
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

Write Preview
Loading…
Cancel
Save