From d41ef25a27ab03c4097312a6c9388fad180d2003 Mon Sep 17 00:00:00 2001
From: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>
Date: Tue, 24 Jan 2023 09:15:52 -0500
Subject: [PATCH] docs: Update multi-hop docs (#2806)

* docs: Update multi-hop docs

* Apply batch of suggestions from code review

Co-authored-by: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com>
Co-authored-by: Irena Rindos <irenarindos@users.noreply.github.com>

* docs: Fix spelling

Co-authored-by: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com>
Co-authored-by: Irena Rindos <irenarindos@users.noreply.github.com>
---
 .../content/docs/concepts/domain-model/targets.mdx   | 12 ++++++++++++
 .../content/docs/configuration/worker/pki-worker.mdx |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/website/content/docs/concepts/domain-model/targets.mdx b/website/content/docs/concepts/domain-model/targets.mdx
index 8a81a934d6..a1a4e3e06b 100644
--- a/website/content/docs/concepts/domain-model/targets.mdx
+++ b/website/content/docs/concepts/domain-model/targets.mdx
@@ -54,10 +54,16 @@ TCP targets have the following additional attributes:
 - `egress_worker_filter` - (optional)
   A boolean expression to [filter][] which egress workers can handle sessions
   for this target.
+  Egress worker filters determine which workers are used to access targets.
+  You can configure an egress filter to enable [multi-hop](/boundary/docs/configuration/worker/pki-worker#multi-hop-workershcp-only) connections.
+  If you do not configure an egress filter, then Boundary uses a single worker to connect to the controller.
 
 - `ingress_worker_filter` - (optional) <sup>HCP Only</sup>
   A boolean expression to [filter][] which ingress workers can handle sessions
   for this target.
+  Ingress worker filters determine which workers you connect with to initiate a session.
+  If you do not configure an ingress filter, Boundary selects a front line worker for the session.
+  A front line worker is any worker directly connected to the control plane; for HCP Boundary this will be an HCP worker.
 
 - `session_connection_limit` - (required)
   The cumulative number of TCP connections allowed during a session.
@@ -91,10 +97,16 @@ SSH targets have the following additional attributes:
 - `egress_worker_filter` - (optional)
   A boolean expression to [filter][] which egress workers can handle sessions
   for this target.
+  Egress worker filters determine which workers are used to access targets.
+  You can configure an egress filter to enable [multi-hop](/boundary/docs/configuration/worker/pki-worker#multi-hop-workershcp-only) connections.
+  If you do not configure an egress filter, then Boundary uses a single worker to connect to the controller.
 
 - `ingress_worker_filter` - (optional) <sup>HCP Only</sup>
   A boolean expression to [filter][] which ingress workers can handle sessions
   for this target.
+  Ingress worker filters determine which workers you connect with to initiate a session.
+  If you do not configure an ingress filter, Boundary selects a front line worker for the session.
+  A front line worker is any worker directly connected to the control plane; for HCP Boundary this will be an HCP worker.
 
 - `session_connection_limit` - (required)
   The cumulative number of TCP connections allowed during a session.
diff --git a/website/content/docs/configuration/worker/pki-worker.mdx b/website/content/docs/configuration/worker/pki-worker.mdx
index 9812306a9c..a7d1966a02 100644
--- a/website/content/docs/configuration/worker/pki-worker.mdx
+++ b/website/content/docs/configuration/worker/pki-worker.mdx
@@ -142,7 +142,7 @@ kms "aead" {
 ```
 [kms workers]: /boundary/docs/configuration/worker/kms-worker
 [target]: /boundary/docs/concepts/domain-model/targets
-[target worker filters]: /boundary/docs/concepts/filtering/worker-tags
+[target worker filters]: /boundary/docs/concepts/filtering/worker-tags#target-worker-filtering
 
 ## Tutorial