In Boundary, a target alias is a simple, powerful tool. It lets you connect to infrastructure using a memorable name instead of a random, generated ID. It gives developers something intuitive to work with. But those aliases lived exclusively at the global scope. They must be globally unique across your entire deployment.
As infrastructure scales, so does everything around it.
More teams. More environments. More cloud accounts. More services.
What doesn't scale well is centralization. Especially when it shows up in places you don't expect — like naming.
With our 1.0 release, Boundary introduces target aliases at the project scope level. Teams can now independently create, manage, and use aliases within their own project boundaries, aligned with how they already map their deployment structures.
»The enterprise scale problem: alias collisions
At small scale, a global alias makes sense. It's simple:
Define an alias once
Ensure it's unique
Use it with any target under any scope in Boundary
But at enterprise scale, this model starts to break down. The infrastructure spreads locally, across targets, teams, projects and environments. And those units repeat patterns.
Every network project needs an ssh-jumper.
Every data center org needs an api-gateway.
Every staging environment has a postgres.db.
In a global namespace, only one team can claim those intuitive names. Everyone else is locked out. When a global alias forces all of these to be unique, you don't get clarity—you get friction:
Teams invent increasingly complex naming conventions for aliases
Simple workflows depend on global administrators
Visibility expands beyond what's necessary for governance
The system remains correct, but it stops being scalable across projects and teams.
»Decentralizing naming with project boundaries
This is a simple shift, but an important one: Alias ownership now lives where the infrastructure lives. Instead of managing aliases globally:
Project teams create and manage their own aliases
Project admins see only what belongs to their scope
Global admins retain oversight across all projects
This aligns Boundary with how organizations actually operate today — not as a single system, but as a collection of independent, parallel systems that share a common platform.
»From namespace conflicts to independent execution
In large environments, coordination is often the hidden cost.
Two teams want to onboard similar infrastructure: same service type, same naming preference, completely different contexts. In a global model, they compete for the same namespace. In a project-scoped model, they don't.
Each team can define db, api, ssh-bastion within their own scope, without conflict.
The result isn't just cleaner naming. It's faster onboarding. Fewer dependencies. Less operational overhead.
»Solving the constraint: global uniqueness
There's a reason aliases were global in the first place. They need to resolve unambiguously.
The challenge is simple: How do you allow teams to reuse names locally while keeping them distinct globally?
»Introducing structured suffixes
The answer is not more rules. It's better structure.
Aliases are now automatically constructed as: <alias>.<project-suffix>.<org-suffix>
By introducing structured suffixes with aliases at both the project and organization levels, we are bringing a natural, DNS-style hierarchy mimicking the Boundary deployment structure directly to your access paths.
This lets you preserve the simplicity of local naming, while maintaining global uniqueness.
For example:
Db.payments.dc-canada
Db.marketing.dc-spain
Both teams can use db. The system ensures these aliases remain globally distinct.
»Why this Hierarchy works
This isn't just about avoiding collisions. It introduces a naming model that scales with the organization.
Natural hierarchy for enterprise infrastructure: Organizations structure infrastructure hierarchically — data centers, teams, environments. This suffix model mirrors that structure in names, making connections more intuitive.
Reduced namespace collisions: Org suffixes scope project suffix uniqueness within each org. Multiple orgs can safely reuse dev, prod, payments, or ml without conflicts. Each org owns its namespace.
Better deployment structure: The hierarchy aligns with enterprise org structures, creating clearer namespace ownership and governance boundaries. Teams know their aliases are isolated within their own scope.
Scalability for multi-tenant deployments: No risk of exhausting globally unique project suffixes. As you add more orgs and projects, the namespace grows naturally without conflicts.
Transparent sessions integration: For transparent sessions users, a structure like myhost.proj.org is more natural to connect to than myhost.uniquesuffix.
Key behaviors
Both suffixes are mandatory for project-level aliases:. Configure org suffix first, then project suffix.
Project suffixes validated within the org: No two projects in the same org can use the same suffix.
Suffix updates are non-breaking: Existing aliases keep the old suffix. New aliases use the updated suffix.
Real-time conflict detection: Boundary validates uniqueness immediately and throws an error if the name is taken.
Instant UI/CLI feedback: Fully qualified name displayed immediately after creation. No surprises.
»Real-world example: global enterprise deployment
Consider a large enterprise structuring Boundary across geographic regions and business departments. Organizations represent physical regional data centers:
Org ID | Description |
DC-INDIA | India datacenter |
DC-CANADA | Canada datacenter |
DC-NA | North America datacenter |
DC-SPAIN | Spain datacenter |
Within these orgs, projects are grouped to map directly to internal business teams: Marketing, R&D, and sales. With project-scoped aliases, the same alias name works across contexts:
Aspect | DC-INDIA / Marketing | DC-SPAIN / R&D | DC-CANADA / R&D |
Org suffix | .dc-india | .dc-spain | .dc-canada |
Project suffix | .marketing | .rnd | .rnd |
Alias name | postgres-db | postgres-db | postgres-db |
Fully qualified | postgres-db.marketing.dc-india | postgres-db.rnd.dc-spain | postgres-db.rnd.dc-canada |
Now imagine 30 datacenters across the globe with 10 different departments in each DC. Every account can use postgres-db without conflicts.
»Configuring grants
To support this new workflow, two new actions are introduced that will enable users with project admin and org admin roles to create or remove suffixes at project scope and org scopes respectively.
For org admin roles, create a role in the global scope if it does not exist, then assign the following grant:
boundary roles add-grants \
-id <role_id> \
-grant "ids=*;type=scope;actions=set-alias-suffix,remove-alias-suffix" For project admin roles, create a role in the parent org scope if it does not exist, then assign the following grant:
boundary roles add-grants \
-id <role_id> \
-grant "ids=*;type=scope;actions=set-alias-suffix,remove-alias-suffix" Alternately you can use the all-new grant builder now live with Boundary release 1.0 with Project access and Org access role templates to manage suffixes at project and org scopes respectively.
»Boundary scales with you
Project-scoped aliases are a step toward a more natural model of access — one that scales with your organization instead of constraining it. As infrastructure grows, Boundary evolves with it — removing friction without compromising control.
See Boundary in action
Create a free HCP account and deploy Boundary for your environment.
View aliases details in our documentation.
Check out our many tutorials on Boundary.
Download the latest version of Boundary installer to try it out yourself.
