Deploying HashiCorp Boundary inside a VPC private subnet with a proxy gives you fine-grained, secure service-to-service connectivity without opening inbound ports. This approach isolates workloads, eliminates direct internet exposure, and routes all traffic through controlled access points.
Why Boundary with a Private Subnet
A VPC private subnet prevents direct access from outside the network. Boundary becomes the broker, enforcing authentication, authorization, and session recording before letting anyone touch sensitive systems. By placing the proxy inside the same subnet as your targets, you cut latency and maintain isolation at the network layer.
Core Architecture
- Boundary Controller – Runs in a public subnet or a reachable management plane.
- Boundary Worker Proxy – Deployed in the private subnet to proxy traffic to target resources.
- Targets – Databases, services, or SSH endpoints inside the subnet.
- VPC Route Tables & Security Groups – Restrict access so only the worker can reach the targets.
Deployment Steps
- Create your VPC with separate public and private subnets.
- Launch Boundary Workers in the private subnet. Workers need outbound access to the controller using NAT or VPC endpoints.
- Configure the worker with a proxy listener in Boundary’s config to forward traffic.
- Define host catalogs with target resources that reside inside the private subnet.
- Assign roles and permissions in Boundary to control who connects.
- Test connectivity using Boundary’s CLI or UI, confirming proxy traffic flows without exposing targets directly.
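As an added example (not from the original post or from HashiCorp), this is a worker configuration for the private-subnet proxy worker described in the steps above: the proxy listener, the outbound-only link to the controller, tags for pinning sessions to this worker, and KMS-based worker authentication. Every address, hostname, KMS key alias, region and tag value is an assumed placeholder.

```hcl
# Added example: Boundary worker config for the private-subnet proxy worker.
# All addresses, the KMS key alias, region and tag values are assumed placeholders.

disable_mlock = true

# Proxy listener: bound to the worker's private IP only. Client sessions
# terminate here and are forwarded to targets in the same subnet; the security
# group should admit this port only from approved client source ranges.
listener "tcp" {
  purpose = "proxy"
  address = "10.0.2.15:9202"   # assumed private-subnet IP of the worker
}

worker {
  name        = "private-subnet-worker-a"
  description = "Proxy worker inside the private application subnet"

  # Address clients are told to dial for a session: private, never a public IP.
  public_addr = "10.0.2.15:9202"

  # The worker dials OUT to the controller (via NAT or a VPC endpoint);
  # the controller never needs an inbound path into the private subnet.
  initial_upstreams = ["boundary-controller.internal.example:9201"]   # assumed

  # Tags let each target pin its sessions to this worker with a filter such as
  #   egress_worker_filter = "\"private\" in \"/tags/type\""
  # so a session cannot be routed through a worker outside the subnet.
  tags {
    type   = ["private", "proxy"]
    subnet = ["app-private-a"]
  }
}

# Worker authentication via AWS KMS. The instance IAM role of the worker needs
# only kms:Encrypt, kms:Decrypt and kms:DescribeKey on this single key.
kms "awskms" {
  purpose    = "worker-auth"
  region     = "us-east-1"                    # assumed
  kms_key_id = "alias/boundary-worker-auth"   # assumed alias
}
```

The check that matters after applying this is that the target's worker filter resolves to this worker and to no other; a session that establishes through a worker without the `private` tag means the filter or tags are wrong.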
Security Considerations
- Use IAM roles and policies to limit worker privileges.
- Monitor worker health and logs for unauthorized access attempts.
- Keep controllers patched and isolated.
- Integrate with Vault for dynamic credential issuance.
Benefits
Deploying HashiCorp Boundary in a VPC private subnet with a proxy ensures secure access without the complexity of VPN tunnels. It centralizes policies, simplifies onboarding, and strengthens compliance posture. With this setup, endpoints remain invisible to the public web, but accessible within seconds to approved identities.
Build it fast. Test it faster. See your own Boundary VPC private subnet proxy deployment live in minutes with hoop.dev.