From bbb564b0286e5fa7fcb941675c48205341540137 Mon Sep 17 00:00:00 2001 From: dannyjknights Date: Tue, 13 Aug 2024 15:05:02 +0000 Subject: [PATCH 1/6] backport of commit 4d1769659ea1a8f8f91954b8eed7a0a8320819c6 --- .../docs/concepts/connection-workflows/multi-hop.mdx | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/website/content/docs/concepts/connection-workflows/multi-hop.mdx b/website/content/docs/concepts/connection-workflows/multi-hop.mdx index cfb3d6863b..512f7cd81b 100644 --- a/website/content/docs/concepts/connection-workflows/multi-hop.mdx +++ b/website/content/docs/concepts/connection-workflows/multi-hop.mdx 
@@ -14,6 +14,16 @@ inbound traffic to route through multiple network enclaves to reach the target s Multi-hop sessions allow you to chain together two or more workers across multiple networks to form reverse proxy connections between the user and the target, even in complex networks with strict outbound-only policies. +## Remove the requirement for inbound network rules + +With a multi-hop deployment, all connections are initiated outbound from the most downstream worker in the chain. When the connection is established between the workers, the proxied connections go over the established connection. +These persistent TCP connections result in the requirement for only outbound connectivity. + +In the scenario where there may be a firewall(s) sitting inbetween ingress and egress workers, organizations do not need to create additional inbound rules to facilitate a Boundary multi-hop deployment. This not only helps to +simplify existing infrastructure configuration within your environment, but also ensures that your current security posture is not weakened or compromised. + +## Multi-hop worker types + In multi-hop scenarios, there are typically three types of workers: 1. **Ingress worker** - An ingress worker is a worker that is accessible by the client. The client initiates the connection to the ingress worker. 1. **Intermediary worker** - An optional intermediary worker sits between ingress and egress workers as part of a multi-hop chain. There can be multiple intermediary workers as part of a multi-hop chain. From 960b4d3903cd02f4e9f5d1607759a74287102b0f Mon Sep 17 00:00:00 2001 From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com> Date: Tue, 20 Aug 2024 16:07:35 +0000 Subject: [PATCH 2/6] backport of commit d067f3babeaf414ca6eae58c7a2625677bbc8884 --- .../content/docs/concepts/connection-workflows/multi-hop.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/website/content/docs/concepts/connection-workflows/multi-hop.mdx b/website/content/docs/concepts/connection-workflows/multi-hop.mdx index 512f7cd81b..45a0a29434 100644 --- a/website/content/docs/concepts/connection-workflows/multi-hop.mdx +++ b/website/content/docs/concepts/connection-workflows/multi-hop.mdx @@ -17,9 +17,9 @@ across multiple networks to form reverse proxy connections between the user and ## Remove the requirement for inbound network rules With a multi-hop deployment, all connections are initiated outbound from the most downstream worker in the chain. When the connection is established between the workers, the proxied connections go over the established connection. -These persistent TCP connections result in the requirement for only outbound connectivity. +These persistent TCP connections result in the requirement for only outbound connectivity. -In the scenario where there may be a firewall(s) sitting inbetween ingress and egress workers, organizations do not need to create additional inbound rules to facilitate a Boundary multi-hop deployment. This not only helps to +In the scenario where there may be a firewall(s) sitting between ingress and egress workers, organizations do not need to create additional inbound rules to facilitate a Boundary multi-hop deployment. This not only helps to simplify existing infrastructure configuration within your environment, but also ensures that your current security posture is not weakened or compromised. ## Multi-hop worker types From d17edc9f3ace8a02c96789b0cacbc3f4e25afb98 Mon Sep 17 00:00:00 2001 From: Danny Knights <48058211+dannyjknights@users.noreply.github.com> Date: Wed, 9 Oct 2024 12:42:35 +0000 Subject: [PATCH 3/6] backport of commit 5b1c64f30acb220190c0a9215e6d7a8f108f190e --- .../content/docs/concepts/connection-workflows/multi-hop.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/website/content/docs/concepts/connection-workflows/multi-hop.mdx b/website/content/docs/concepts/connection-workflows/multi-hop.mdx index 45a0a29434..96d2d3cf90 100644 --- a/website/content/docs/concepts/connection-workflows/multi-hop.mdx +++ b/website/content/docs/concepts/connection-workflows/multi-hop.mdx @@ -19,7 +19,7 @@ across multiple networks to form reverse proxy connections between the user and With a multi-hop deployment, all connections are initiated outbound from the most downstream worker in the chain. When the connection is established between the workers, the proxied connections go over the established connection. These persistent TCP connections result in the requirement for only outbound connectivity. -In the scenario where there may be a firewall(s) sitting between ingress and egress workers, organizations do not need to create additional inbound rules to facilitate a Boundary multi-hop deployment. This not only helps to +If you have one or more firewalls sitting between the ingress and egress workers, you do not need to create additional inbound networking rules to facilitate a Boundary multi-hop deployment. This not only helps to simplify existing infrastructure configuration within your environment, but also ensures that your current security posture is not weakened or compromised. ## Multi-hop worker types From bdc75a8fbe325a0e92f1f161dd6a23ec9e1d5e4f Mon Sep 17 00:00:00 2001 From: Danny Knights <48058211+dannyjknights@users.noreply.github.com> Date: Wed, 9 Oct 2024 12:42:49 +0000 Subject: [PATCH 4/6] backport of commit f45a5882285fff62ad2f1763409ec57777c46adc --- .../content/docs/concepts/connection-workflows/multi-hop.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/concepts/connection-workflows/multi-hop.mdx b/website/content/docs/concepts/connection-workflows/multi-hop.mdx index 96d2d3cf90..eeb742ee81 100644 --- a/website/content/docs/concepts/connection-workflows/multi-hop.mdx 
+++ b/website/content/docs/concepts/connection-workflows/multi-hop.mdx @@ -14,7 +14,7 @@ inbound traffic to route through multiple network enclaves to reach the target s Multi-hop sessions allow you to chain together two or more workers across multiple networks to form reverse proxy connections between the user and the target, even in complex networks with strict outbound-only policies. -## Remove the requirement for inbound network rules +## Inbound network rules With a multi-hop deployment, all connections are initiated outbound from the most downstream worker in the chain. When the connection is established between the workers, the proxied connections go over the established connection. These persistent TCP connections result in the requirement for only outbound connectivity. From b4a4ba05ab89f8f9afc27cc4dc25d27cd0865c09 Mon Sep 17 00:00:00 2001 From: Danny Knights <48058211+dannyjknights@users.noreply.github.com> Date: Wed, 9 Oct 2024 12:43:10 +0000 Subject: [PATCH 5/6] backport of commit a0a21f82ca40d2504b3c002f38ccf1b922262d5a --- .../content/docs/concepts/connection-workflows/multi-hop.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/concepts/connection-workflows/multi-hop.mdx b/website/content/docs/concepts/connection-workflows/multi-hop.mdx index eeb742ee81..9552a63ad8 100644 --- a/website/content/docs/concepts/connection-workflows/multi-hop.mdx +++ b/website/content/docs/concepts/connection-workflows/multi-hop.mdx 
@@ -20,7 +20,7 @@ With a multi-hop deployment, all connections are initiated outbound from the mos These persistent TCP connections result in the requirement for only outbound connectivity. If you have one or more firewalls sitting between the ingress and egress workers, you do not need to create additional inbound networking rules to facilitate a Boundary multi-hop deployment. This not only helps to -simplify existing infrastructure configuration within your environment, but also ensures that your current security posture is not weakened or compromised. +simplify your infrastructure configuration, but also ensures that your security posture is not weakened or compromised. ## Multi-hop worker types From c588f96b71aeb64bc8f482ec0f30e2c96f0618a8 Mon Sep 17 00:00:00 2001 From: Danny Knights <48058211+dannyjknights@users.noreply.github.com> Date: Wed, 9 Oct 2024 19:53:09 +0000 Subject: [PATCH 6/6] backport of commit f295c4554a02af2e294bc645ec92db11ae9ca72a --- .../content/docs/concepts/connection-workflows/multi-hop.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/concepts/connection-workflows/multi-hop.mdx b/website/content/docs/concepts/connection-workflows/multi-hop.mdx index 9552a63ad8..31d0db89f9 100644 --- a/website/content/docs/concepts/connection-workflows/multi-hop.mdx +++ b/website/content/docs/concepts/connection-workflows/multi-hop.mdx 
@@ -16,7 +16,7 @@ across multiple networks to form reverse proxy connections between the user and ## Inbound network rules -With a multi-hop deployment, all connections are initiated outbound from the most downstream worker in the chain. When the connection is established between the workers, the proxied connections go over the established connection. +With a multi-hop deployment, all connections are initiated outbound from the most downstream worker in the chain. After Boundary establishes the initial connection between the workers, it uses the established connection for any subsequent connections. These persistent TCP connections result in the requirement for only outbound connectivity. If you have one or more firewalls sitting between the ingress and egress workers, you do not need to create additional inbound networking rules to facilitate a Boundary multi-hop deployment. This not only helps to
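Review bot: In [PATCH 1/6], the added section uses "the most downstream worker" and "ingress and egress workers" before the "## Multi-hop worker types" section that defines those roles. Consider moving the new section below the worker-type list, or adding a one-line definition of upstream and downstream where the terms first appear, so the outbound-only claim can be read without jumping ahead.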
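Review bot: In [PATCH 2/6], the removed and added copies of "These persistent TCP connections result in the requirement for only outbound connectivity." read identically, so that part of the change looks whitespace-only and the awkward "result in the requirement for" wording is carried forward. Since the line is touched anyway, consider rewording it, for example "Because these TCP connections are persistent, only outbound connectivity is required." It would also help to mention the whitespace change in the commit message, since the subject only names the backported commit.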
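Review bot: In [PATCH 3/6], the rewritten sentence tells the reader they "do not need to create additional inbound networking rules", but nothing in the section says what outbound connectivity the firewalls between the workers must allow. Consider adding a sentence that states the direction explicitly (the preceding paragraph says connections are initiated outbound from the most downstream worker) and links to wherever the required ports are documented, so a firewall administrator can write the matching outbound rule from this page.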
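Review bot: In [PATCH 4/6], the new heading "## Inbound network rules" no longer tells the reader that the section is about not needing such rules, and on its own it could be read as a list of inbound rules to create. Consider a title that keeps the point, such as "Outbound-only connectivity", and check whether anything links to the anchor generated from the old heading "Remove the requirement for inbound network rules", since renaming the heading changes it.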
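Review bot: In [PATCH 5/6], the shortened line still says the design "ensures that your security posture is not weakened or compromised", which is an absolute claim the section does not support: what the text establishes is only that no additional inbound rules are needed. Consider scoping it to that, for example "and avoids opening additional inbound ports on those firewalls", so the documentation does not promise more than the outbound-only design delivers.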
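Review bot: In [PATCH 6/6], the replacement sentence "After Boundary establishes the initial connection between the workers, it uses the established connection for any subsequent connections." drops the word "proxied" and changes the actor from the downstream worker to "Boundary". The first sentence of the paragraph says the most downstream worker initiates the connection, so the two sentences now read as if different parties open it, and "subsequent connections" no longer says these are the proxied session connections. Consider something like "After the downstream worker establishes the connection, Boundary proxies subsequent session connections over it."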