boundary/website/content/docs/overview/bastion-hosts.mdx
---
layout: docs
page_title: Boundary vs. bastion hosts
description: >-
Learn how Boundary compares to bastion hosts by providing tightly controlled, just-in-time access to infrastructure using role-based access controls (RBAC).
---
⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️
> [!IMPORTANT]
> **Documentation Update:** Product documentation previously located in `/website` has moved to the [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs) repository, where all product documentation is now centralized. Please make contributions directly to `web-unified-docs`, since changes to `/website` in this repository will not appear on developer.hashicorp.com.
⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️
# Boundary vs. bastion hosts
If you want to set up your cloud environment securely, you may choose to run all of your important workloads behind a NAT Gateway, and provision a DMZ with a set of hardened bastion servers.
Bastion host security groups are often not locked down at the network layer.
Additionally, users who log into a bastion host using SSH are typically dropped into a privileged account.
Maintaining security groups, network ACLs, and IAM controls on a bastion host at a per-user level is nearly impossible, unless you create and maintain multiple bastion hosts per user or group.
IT departments now have to manage updates for yet another server, and the infrastructure sprawl continues, increasing your attack surface and requiring your IT department to be perfect.
Boundary is not a traditional bastion host.
Boundary streamlines just-in-time access to privileged sessions for users, and tightly controls access to infrastructure with role-based access controls (RBAC).
Boundary validates a user's identity using your identity provider of choice, and then dynamically grants them access to the resources they need using their associated permissions.
Boundary's worker nodes, the resources that proxy connections to private endpoints, are fundamentally stateless and can be easily scaled elastically using modern development tools.
For SSH or RDP targets, Boundary can inject the credentials of the target resource into the session, so that the credentials are never exposed to the user while the connection is established.
Alternatively, Boundary can return brokered credentials back to users (if permitted), which could take the form of API tokens, usernames and passwords, public keys, etc.
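As an added illustration that is not part of this page or of Boundary's own code, the following Terraform fragment shows the model described above: the target's SSH key is held by Boundary and injected into the session, and a role grants one user only `authorize-session` on that single target. It assumes the Boundary Terraform provider and uses placeholder scope, host-set and user IDs plus a constructed key path.

```hcl
# Placeholder IDs: assumed to exist already in your Boundary deployment.
variable "project_scope_id" { default = "p_PLACEHOLDER" }
variable "host_set_id"      { default = "hsst_PLACEHOLDER" }
variable "operator_user_id" { default = "u_PLACEHOLDER" }

resource "boundary_credential_store_static" "ops" {
  name     = "ops-static-store"
  scope_id = var.project_scope_id
}

# The private key lives in Boundary, never on the user's workstation.
resource "boundary_credential_ssh_private_key" "app_admin" {
  credential_store_id = boundary_credential_store_static.ops.id
  username            = "app-admin"
  private_key         = file("${path.module}/app-admin.pem") # constructed path
}

# Injected credential: Boundary authenticates to the host on the user's behalf.
# For a brokered credential instead, use a "tcp" target and list the
# credential under brokered_credential_source_ids; the user then receives it.
resource "boundary_target" "app_ssh" {
  name            = "app-servers-ssh"
  type            = "ssh"
  scope_id        = var.project_scope_id
  default_port    = 22
  host_source_ids = [var.host_set_id]
  injected_application_credential_source_ids = [
    boundary_credential_ssh_private_key.app_admin.id,
  ]
}

# Least-privilege role: the operator can list targets and open a session to
# this one target, but cannot read the credential or modify anything.
resource "boundary_role" "app_ssh_operators" {
  name          = "app-ssh-operators"
  scope_id      = var.project_scope_id
  principal_ids = [var.operator_user_id]
  grant_strings = [
    "ids=${boundary_target.app_ssh.id};actions=authorize-session",
    "ids=*;type=target;actions=list,no-op",
  ]
}
```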
**Can Boundary replace a bastion/jumphost access model?**
Yes, in many cases you can use Boundary as a replacement for an existing bastion host-based access model to infrastructure.
The advantages of Boundary's access model are outlined above.
**Can Boundary extend a bastion/jumphost access model?**
Yes, some users may see value in Boundary providing access to an existing bastion host deployment.