Boundary
TCP targets
TCP targets represent generic networked services with an associated set of permissions that end users can connect to.
You can use a TCP target for any connection with Boundary. This page describes how to configure a generic TCP target type in Boundary.
Refer to the following pages for examples of common configurations for TCP targets:
- Databases
- Kubernetes clusters
- Web targets
- SSH (without session recording)
- RDP (without session recording)
You can configure any networked service available with an address and port as a TCP target. Boundary must have access to the target to start a session. If your service is not publicly available, you will need to deploy a worker to give Boundary access to the target network.
Create a TCP target
The following examples use a direct target address for simplicity, but HashiCorp recommends that you configure host catalogs and host sets for scaled production deployments.
Complete the following steps to create a TCP target.
- Log in to Boundary.
- Select an org, and then select the project where you want to create a target.
- Select Targets under Project Actions.
- Click New Target.
- Complete the following fields:
  - Name: (Required) A name for identification purposes, such as tcp-target. The name must be unique.
  - Description: (Optional) An optional description of the target for identification purposes.
  - Type: (Required) Select TCP to create a TCP target.
  - Target Address: (Optional) If you are not using host catalogs and host sets, you can enter a target address instead to map the target to a single address. This must be a valid IP address or DNS name.
  - Default Port: (Required) The default port on which to connect, such as 22 for an SSH connection.
  - Aliases: (Optional) A globally-scoped unique identifier for the target, which makes the target easier to connect to using the CLI or transparent sessions. If you create an alias, click Add to assign it.
- Click Save.
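The same target can be created from the CLI. The script below is an added example, not part of the original page or HashiCorp's own code: it checks the target address and default port before calling boundary targets create tcp. The function names, the DRY_RUN switch and the p_XXXXXXXXXX project ID are assumptions made for illustration, and the address check covers only IPv4 addresses and DNS names.

```shell
#!/bin/sh
# Added example: validate inputs, then create a TCP target with the Boundary CLI.
# Assumes BOUNDARY_ADDR is set and `boundary authenticate` has already run.

# Succeeds if $1 is a bare IPv4 address or DNS name (no scheme, port or path).
# IPv6 is deliberately left out of this sketch.
valid_address() {
  addr=$1
  nl='
'
  case $addr in *"$nl"*) return 1 ;; esac   # grep works per line; refuse newlines
  if printf '%s\n' "$addr" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
    old_ifs=$IFS; IFS=.
    set -- $addr                             # split the dotted quad into octets
    IFS=$old_ifs
    for octet in "$@"; do
      [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
  fi
  [ "${#addr}" -le 253 ] || return 1
  label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
  printf '%s\n' "$addr" | grep -Eq "^$label(\\.$label)*\$"
}

# Succeeds if $1 is a decimal TCP port in 1-65535.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: create_tcp_target PROJECT_SCOPE_ID NAME ADDRESS DEFAULT_PORT
# With DRY_RUN=1 the command line is printed instead of executed.
create_tcp_target() {
  scope_id=$1; name=$2; address=$3; port=$4
  valid_address "$address" || { echo "invalid target address: $address" >&2; return 2; }
  valid_port "$port" || { echo "invalid default port: $port" >&2; return 2; }
  set -- boundary targets create tcp "-scope-id=$scope_id" "-name=$name" \
    "-address=$address" "-default-port=$port"
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}
```

Run it with DRY_RUN=1 first to review the exact command, for example: DRY_RUN=1 create_tcp_target p_XXXXXXXXXX tcp-target 10.0.0.15 22 (placeholder project ID and constructed address).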
Configure a brokered application credential
You can configure a brokered application credential for end users to connect to the target. Brokered credentials are exposed to the end user to allow them to authenticate to a target manually, or using connect helpers.
You can configure credentials for the TCP target using:
- Static credentials (username_password, ssh_private_key, or username_password_domain)
- Vault credential library (username/password or username/private key)
- An SSH certificate from a Vault SSH credential library
Refer to the Configure targets with credential brokering page to learn how to configure a target with credential brokering.
Next steps
To learn how to connect to a target, refer to Connection workflows.
To use target aliases to connect to targets: