Requirement
The requirement is to restrict HCP Boundary access (including the desktop app) to specific IP ranges, such as office IP addresses and Zscaler IP ranges. Users should only be able to log in and work on HCP Boundary if their requests originate from these specified IP ranges.
Key Insight
HCP Boundary does not currently offer a direct method to restrict access based on the request's originating IP address.
Solution: Using OIDC Authentication and Conditional Access Policies
This requirement can be met by leveraging OIDC authentication in HCP Boundary with an Identity Provider (IdP) such as Okta or Azure AD. Conditional access policies in these IdPs allow authentication requests to be restricted based on specific IP ranges.
Steps to Achieve IP-Based Access Restriction
- Set Up OIDC Authentication in HCP Boundary
  - Integrate HCP Boundary with an OIDC-compliant Identity Provider (e.g., Okta, Azure AD).
  - Refer to the Boundary OIDC tutorials for Azure AD and Okta listed under References for guidance.
- Configure Conditional Access Policies in Azure AD
  - Navigate to Azure AD > Security > Conditional Access.
  - Create a new policy to restrict authentication to HCP Boundary based on IP ranges:
    - Include allowed IP ranges, such as office IPs and Zscaler IP ranges.
    - Deny access from all other IPs.
- Configure Network Zones in Okta
  - Navigate to Okta Admin > Security > Network > Zones.
  - Define the IP ranges (e.g., office and Zscaler IP ranges).
  - Create a policy to restrict access to HCP Boundary based on these defined network zones.
Additional Notes
- Ensure the IP ranges are correctly defined and updated as needed to accommodate changes in the office or Zscaler network configurations.
- Test the configuration thoroughly to verify that only users from the specified IP ranges can access HCP Boundary.
- The IP restriction is enforced by the IdP at authentication time only: once Boundary has issued a token after a successful OIDC login, subsequent API calls use that token and are not re-evaluated against the IdP policy until the token expires. Set the Boundary token lifetime to match how long you are willing to tolerate continued access after a user leaves an allowed network.
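The following is an added example, not part of this article or of HashiCorp's or Microsoft's tooling. It builds the allow list described in the Azure AD step as Microsoft Graph request bodies (an `ipNamedLocation` for the office and Zscaler ranges, and a `conditionalAccessPolicy` that blocks every other location for the Boundary application) and provides the check suggested in the notes above: validate the CIDRs up front and confirm which source addresses the policy would admit. The CIDR values and the `boundary_app_id` / `trusted_location_id` arguments are constructed placeholders; the payloads are only built here, not sent to Graph.

```python
import ipaddress

# Constructed sample allow list (documentation ranges, not real office or Zscaler egress).
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8::/32"]


def parse_allow_list(cidrs):
    """Parse CIDR strings strictly; reject host bits set and overlapping entries.

    Overlaps are rejected because they usually mean a stale or duplicated range
    crept in when the office or Zscaler list was updated.
    """
    nets = []
    for entry in cidrs:
        net = ipaddress.ip_network(entry, strict=True)  # ValueError on malformed input
        for other in nets:
            if net.version == other.version and (net.subnet_of(other) or other.subnet_of(net)):
                raise ValueError(f"overlapping ranges: {entry} and {other}")
        nets.append(net)
    return nets


def is_allowed(ip, nets):
    """Return True if a source address falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


def named_location_payload(display_name, nets):
    """Body for POST /identity/conditionalAccess/namedLocations (Graph ipNamedLocation)."""
    ranges = []
    for n in nets:
        kind = "iPv4CidrRange" if n.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(n)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": ranges,
    }


def block_policy_payload(display_name, boundary_app_id, trusted_location_id, report_only=False):
    """Body for POST /identity/conditionalAccess/policies.

    Targets only the Boundary app registration, applies to all client app types
    (browser and the desktop client), and blocks every location except the
    trusted named location. report_only starts the policy in report-only mode
    so sign-in logs can be reviewed before enforcement.
    """
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": [boundary_app_id]},
            "users": {"includeUsers": ["All"]},
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": [trusted_location_id],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    nets = parse_allow_list(ALLOWED_CIDRS)
    for probe in ["203.0.113.77", "192.0.2.1", "2001:db8::1"]:
        print(probe, "allowed" if is_allowed(probe, nets) else "blocked")
    print(named_location_payload("Boundary trusted egress", nets))
    # "<boundary-app-id>" and "<named-location-id>" are placeholders for the
    # Boundary app registration ID and the ID Graph returns for the named location.
    print(block_policy_payload("Block Boundary outside trusted egress",
                               "<boundary-app-id>", "<named-location-id>", report_only=True))
```

Run the probe list against the current egress addresses of each office and of the Zscaler data centers your users traverse before enabling the policy; an address that prints `blocked` is a user population that will lose Boundary login once the policy moves from report-only to enabled.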
By implementing these steps, you can effectively restrict HCP Boundary access to specific IP ranges, ensuring compliance with your organization's security requirements.
References:
- https://developer.hashicorp.com/boundary/tutorials/identity-management/oidc-azure
- https://developer.hashicorp.com/boundary/tutorials/identity-management/oidc-okta