HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Boundary Home

Overview of targets

Targets are Boundary resources that represent a networked service that end-users with appropriate permissions can connect to.

Target aliases are global references for targets that simplify connecting to targets with a Boundary client.

How you configure a target determines what connection workflows you can use to connect to the target.

Target types

A target allows Boundary users to define an endpoint with a default port and a protocol to establish a session. Targets require a network address, which can be directly defined on the target for quick access or one-off connections, or host sets for deployments at scale. Hosts within host sets are considered the same from an access management perspective. Boundary will choose one host in the host set to connect to at random.

To learn more about creating hosts and host sets, refer to the Host management in Boundary page.

In Boundary the following target types are available:

  • TCP
  • SSH
  • RDP

SSH and RDP targets enable some features like session recording. You must use these target types if you want to record and audit session activity using Boundary.

To learn how to configure a worker for session recording, refer to the Configure workers for session recording page.

TCP targets

TCP targets use the TCP protocol to establish sessions. They represent generic targets in that they use a network address and a port to connect on, and use the TCP protocol to handle network traffic.

A TCP target can be a database, SSH server, HTTP endpoint, Kubernetes cluster, or a Windows server. TCP targets are not aware of the details for any server you are connecting to. TCP targets are only aware of the address and port you define for sessions to connect with.

Different connection workflows exist for end users, such as the Boundary Desktop Client, the boundary connect command, and transparent sessions. Boundary also includes connect helpers for the CLI to make connecting to TCP targets easier.

To learn how to create and manage TCP targets, refer to the Create a TCP target page.

SSH targets

SSH targets enable session recording and auditing by using a worker to intercept the SSH data stream and upload the recording into a storage backend. Configuring session recording is not required to use SSH target types.

To learn how to create and manage SSH targets, refer to the Create an SSH target page.

RDP targets

RDP targets enable session recording and auditing by using a worker to intercept the RDP data stream and upload the recording into a storage backend. Configuring session recording is not required to use RDP target types.

To learn how to create and manage RDP targets, refer to the Create an RDP target page.

Target aliases and transparent sessions

An alias is a globally unique, DNS-like string you can associate with a destination resource, like a target. You can establish a session to a target by referencing its alias, instead of having to provide a target ID or target name and scope ID.

If you configure a target alias, you can use transparent sessions to connect to targets using the Boundary Desktop Client.

You can configure aliases in the global and project scopes. If you configure an alias in a project scope, it requires suffixes. You must create suffixes for both the containing org scope and the project scope in which the alias resides.

Note

You must create org and project suffixes before you can create an alias in the target's project scope. Otherwise, you can only create the alias in the global scope.

To learn how to set up suffixes for scopes, refer to Create an alias suffix for a scope.

To learn how to set up a target alias, refer to Create target aliases.

Edit this page on GitHub