Connectors (Overview)

Overview of concepts and abstractions related to the Border0 Connector.

This section goes over the concepts and abstractions related to the Border0 connector. You may use the links below to navigate to specific guides.

  1. Installation Prerequisites
  2. Installing a Connector
  3. Using Plugins
  4. Troubleshooting


Connectors are software that you run in order to connect your sockets to an origin. Using a connector is the recommended approach to productionalizing access to your infrastructure with Border0.

The high-level steps required to set up a connector are:

  • create a "connector"
  • create a "connector token" (this is how the connector authenticates)
  • install the connector program on the machine where you'd like to run it
  • run the connector program (providing the token)
  • configure, manage, and troubleshoot your connector (e.g. its sockets and plugins) remotely using the portal



Where you run the connector program depends on how you can (and want to) connect to the target services you wish to expose over Border0. The connector must be able to reach your target resources through the network (or through the use of external tools, as is the case with AWS Session Manager targets).

How many connectors you run depends on how many disjoint networks you have with resources that you wish to expose over Border0. Assuming you have N networks each with resources that can only be accessed by other machines in the same network, you will need N connectors (one in each network). If you have a large number of networks but all resources in these networks are accessible through the internet, you only really need one connector.

You may also choose to run more than one connector per network, either pointed at the same target services for high availability, or pointed at different target services if you wish to segment your targets across multiple connectors and minimize the blast radius of a connector machine being compromised. It's totally up to you and your organization!

Connector Tokens

Connector tokens are credentials which are used to authenticate a connector against the Border0 API. These tokens are always associated with one (and only one) connector.

Note that while there can be multiple connector tokens active at the same time, a connector can only have one active connection at a time. Attempting to connect a connector that is already connected will result in the second connection being rejected with an error message mentioning that the connector is already connected.

The reason why multiple tokens for the same connector can be active at the same time is to enable safer, minimal-downtime token rotations for a given connector.

Connector Sockets

Connector sockets are Border0 sockets (services) that have been associated with a given connector.

Connector Plugins

Connector plugins can be toggled on/off and have some associated configuration. Plugins enable a form of service discovery: they let your connector scan its context (e.g. the network and cloud account) to find potential services to expose as new Border0 sockets. For example, they can be used to discover EC2 instances, RDS or ECS clusters in your AWS account.

Connector Discovered Resources

Connector Discovered Resources refers to a connector's findings after scanning its context through the use of plugins. Example resources that can be discovered today include:

  • AWS Targets: AWS EC2 Instances, AWS ECS Services, AWS RDS DB Instances
  • Network Targets: SSH Servers, HTTP(S) Servers, MySQL Servers, PostgreSQL Servers
  • (Container) Orchestration Targets: Docker Containers, Kubernetes Services

Connector Logs

Connector logs are logs for events occurring locally on the connector program. Example events that will emit a log include:

  • Errors and failures to operate
  • Socket and plugin updates received (e.g. configuration changes, new/removed socket or plugin)
  • Discovered resources (through plugins)

Note that if a connector fails to authenticate against Border0, the log for that failure will not be found in the Border0 API (or the Admin Portal). This is because successful authentication is a prerequisite for a connector to upload its logs.