Configure private network access

Private networking with HCP Vault Dedicated requires additional configuration within your AWS or Azure account depending on which cloud provider the cluster is deployed in.

HashiCorp Virtual Networks (HVN) can be privately peered or attached as a spoke to a hub network to an AWS or Azure account. The documentation covers private connectivity options using a supported cloud service provider (CSP).

Each option involves three major steps:

Create the peering connection (AWS and Azure) or transit gateway attachment.
Configure routes between your HVN and CSP.
Configure security groups.

Refer to the HVN for AWS and HVN for Azure documentation for additional guideance.

Create peering connection request

Sign in to the HCP Portal and select your organization.
From the sidebar, click HashiCorp Virtual Network.
Click on an HVN in the ID column.
From the sidebar, click Peering connections.
Click Create connection.
Complete the requested fields:
- In the Connection ID field, enter a name for the peering connection. The name can be up to 36 characters and can only include letters, numbers, and dashes.
- Enter your AWS Account ID.
- Select your VPC region.
- Enter your VPC ID.
Click Create connection.

Complete peering connection request

Sign in to the HCP Portal and select your organization.
From the sidebar, click HashiCorp Virtual Network.
Click on an HVN in the ID column.
From the sidebar, click Peering connections.
Click the name of the connection in the ID column.
Copy the commands for inbound and outbound rules and run each command in your terminal.

Create routes

Sign in to the HCP Portal and select your organization.
From the sidebar, click HashiCorp Virtual Network.
Click on an HVN in the ID column.
From the sidebar, click Route table. The default table entry routes local traffic. For more details, refer to Route Table Reference.
Click Create route.
Complete the requested fields:
- In the Route ID field, enter a name for the route. The route ID can be up to 36 characters and can only include letters, numbers, and dashes.
- In the Destinations field, enter the CIDR range of the AWS resource that the HVN should reach through your target. For more details about how to configure this field, refer to CIDR Block Reference.
- From the Targets field, choose a peering connection.
To complete the configuration, click Create route.

Configure security groups

To allow outbound traffic from your VPC, add the following rules to your security group for HCP Vault:

Protocol	From Port	To Port	Destination	Purpose
TCP	8200	8200	HVN-CIDR	Vault API
TCP	5696	5696	HVN-CIDR	KMIP server*

Note

The KMIP port is only necessary if the KMIP secrets engine is being used, which is only available on HCP Vault Plus tier clusters.

To apply this configuration to your security group, run the authorize-security-group-egress command. When you issue the command, you must specify the target VPC region and security group ID.

$ aws ec2 --region <TARGET-VPC-REGION> \
   authorize-security-group-egress \
   --<SECURITY-GROUP-ID> \
   --ip-permissions \
   IpProtocol=tcp,FromPort=8200,ToPort=8200,IpRanges='[{CidrIp=172.25.16.0/20}]' \
   IpProtocol=tcp,FromPort=5696,ToPort=5696,IpRanges='[{CidrIp=172.25.16.0/20}]'

Create transit gateway attachment

Sign in to the HCP Portal and select your organization.
From the sidebar, click HashiCorp Virtual Network.
Click on an HVN in the ID column.
Click Transit gateway attachments and then Create attachment.

Complete transit gateway attachment

Click the Web console tab and complete the requested fields:
- In the AttachmentID field, enter a name for the peering connection.The name can be up to 36 characters and can only include letters, numbers, and dashes.
- Enter your AWS Account ID.
- Enter your Transit gateway ID.
- Select your VPC region.
- Enter your Resource share ARN.
Click Create attachment.

Create routes

Sign in to the HCP Portal and select your organization.
From the sidebar, click HashiCorp Virtual Network.
Click on an HVN in the ID column.
From the sidebar, click Route table. The default table entry routes local traffic. For more details, refer to Route Table Reference.
Click Create route.
Complete the requested fields:
- In the Route ID field, enter a name for the route. The route ID can be up to 36 characters and can only include letters, numbers, and dashes.
- In the Destinations field, enter the CIDR range of the AWS resource that the HVN should reach through your target. For more details about how to configure this field, refer to CIDR Block Reference.
- From the Targets field, choose a peering connection.
To complete the configuration, click Create route.

Configure security groups

To allow outbound traffic from your VPC, add the following rules to your security group for HCP Vault:

Protocol	From Port	To Port	Destination	Purpose
TCP	8200	8200	HVN-CIDR	Vault API
TCP	5696	5696	HVN-CIDR	KMIP server*

Note

The KMIP port is only necessary if the KMIP secrets engine is being used, which is only available on HCP Vault Plus tier clusters.

To apply this configuration to your security group, run the authorize-security-group-egress command. When you issue the command, you must specify the target VPC region and security group ID.

$ aws ec2 --region <TARGET-VPC-REGION> \
   authorize-security-group-egress \
   --<SECURITY-GROUP-ID> \
   --ip-permissions \
   IpProtocol=tcp,FromPort=8200,ToPort=8200,IpRanges='[{CidrIp=172.25.16.0/20}]' \
   IpProtocol=tcp,FromPort=5696,ToPort=5696,IpRanges='[{CidrIp=172.25.16.0/20}]'

Create peering connection request

Sign in to the HCP Portal and select your organization.
From the sidebar, click HashiCorp Virtual Network.
Click on an HVN in the ID column.
From the sidebar, click Peering connections.
Click Create connection.
Complete the requested fields. In the Connection ID field, enter a name for the peering connection. The name can be up to 36 characters and can only include letters, numbers, and dashes. Then, enter your Azure Tenant ID, Azure Subscription ID, Resource group name, and Azure VNet name.
(Hub-spoke topology only) Select if the HVN should allow traffic forwarded from the remote virtual network. This is required if the HVN is part of hub-spoke topology and a network virtual appliance is used for routing between spokes.
(Hub-spoke topology only) Select if the HVN should allow remote gateway. This is required if the remote virtual network is a hub in a hub-spoke topology and a remote gateway is used for routing between spoke.
Click Create connection.

Complete peering connection request

Sign in to the HCP Portal and select your organization.
From the sidebar, click HashiCorp Virtual Network.
Click on an HVN in the ID column.
From the sidebar, click Peering connections.
Click the name of the connection in the ID column.
Under “Peering Instructions,” click the tab for Azure Cloud Shell.
Follow the instructions to run the sequence of commands.

Create routes

Sign in to the HCP Portal and select your organization.
From the sidebar, click HashiCorp Virtual Network.
Click on an HVN in the ID column.
From the sidebar, click Route table. The default table entry routes local traffic. For more details, refer to Route Table Reference.
Click Create route.
Complete the requested fields. In the Route ID field, enter a name for the route. The route ID can be up to 36 characters and can only include letters, numbers, and dashes. In the Destinations field, enter the CIDR range of the Azure resource that the HVN should reach through your target. For more details about how to configure this field, refer to CIDR Block Reference. From the Targets field, choose a peering connection.
(Hub-spoke topology only) Enable Azure hub-and-spoke options if the route is used in a hub-spoke network topology.
(Hub-spoke topology only) Select Next Hop Type between "Virtual Appliance" or "Virtual Network Gateway". Fill in the Next Hop IP Address with the NVA IP address (if applicable).
To complete the configuration, click Create route.

Configure security groups

Sign in to the HCP Portal and select your organization.
From the sidebar, click HashiCorp Virtual Network
Click on an HVN in the ID column.
From the sidebar, click Peering connections.
Enter your Azure Network security group ID.
Copy the code generated on HCP, then run it in Azure.

To allow outbound traffic from your VNet, add the following rules to your security group for HCP Vault Dedicated:

Priority	Name	Port	Protocol	Source	Destination	Action
400	VaultClientOutbound	8200	TCP	VirtualNetwork	HVN-CIDR	Allow

HCP identity-based proxy

The HCP proxy identity-based proxy provides a publicly accessible proxy endpoint (managed by HCP) which only allows network connections to the cluster from authenticated and authorized HCP identities (users and service principals). This provides an identity-based method to secure connections to the cluster's UI publicly when IP allow list is not possible. This option can be useful for easy access to the cluster's UI for human administrators.

Access the UI using the cluster's proxy endpoint

With proxy enabled, a cluster configured with private network access can allow organization members access their HCP Vault Dedicated clusters' UI directly from within the portal without needing to connect through the cluster's private network. This can be done using the "Launch web UI" button in the top-right corner of the cluster overview page.

Log into the HCP Portal.
From the Vault clusters page, click Launch web UI.
This will launch a new browser or browser tab. Authentication through the HCP Proxy is transparent to the user.
Note
The URL for the Vault UI from the proxy is different than the HCP Vault Dedicated clusters public URL.
Paste a admin token into the Token textbox, or select a configured auth method to log in.

Connect the Vault CLI to the cluster's proxy

Requires Vault CLI 1.16

Connecting to an HCP Vault Dedicated cluster with the CLI through the HCP Proxy address requires the CLI to be at least version 1.16.

The Vault CLI can connect to a private HCP Vault Dedicated cluster using the HCP Proxy endpoint.

You can connect either interactively using a HCP IAM user or non-interactively using a HCP service principal.

Run vault hcp connect and follow prompts to choose the cluster you want to connect to.

This command may open a browser and prompt you to log into HCP if your machine is not already authenticated. If you only have one HCP Vault Dedicated cluster, the CLI will automatically connect to it.

$ vault hcp connect
------------------------
Available organizations:
Organization name: HashiCorp
Organization name: Test-Organization
Choose a organization:  Test-Organization
-------------------
Available projects:
Project name: dev-project
Project name: prod-project
Choose a project:  prod-project
-------------------
Available clusters:
Cluster identification: primary-cluster
Cluster identification: replication-secondary-cluster
Choose a cluster: primary-cluster
Connected to cluster via an HCP proxy. Login with 'vault login' or export a VAULT_TOKEN to access this Vault cluster.

Set the VAULT_NAMESPACE environment variable to the namespace you want to log into and operate in.
```
$ export VAULT_NAMESPACE=admin
```
Log into Vault using the vault login command using a configured auth method or set a valid VAULT_TOKEN as an environment variable to execute standard Vault CLI commands.
```
$ vault login...
```
Run vault hcp disconnect to terminate the proxied connection from the CLI to the HCP Vault Dedicated cluster.
```
$ vault hcp disconnect
```

Create a service principal and key in your HCP organization with Viewer role.
Copy the client id and client secret or set them as an environment variable to pass to the CLI command.
```
$ export HCP_CLIENT_ID=<actual-client-id> HCP_CLIENT_SECRET=<actual-client-secret>
```
Copy the organization id and project id UUIDs which can be obtained from HCP portal/url or set them as an environment variable to pass tot he CLI command.
```
$ export HCP_ORG_ID=<actual-org-id> HCP_PROJECT_ID=<actual-project-id>
```
Copy the cluster id (the name of the cluster) or set it as an environment variable to pass tot he CLI command.
```
1. export HCP_CLUSTER_ID=<actual-cluster-id>
```

Run vault hcp connect and set the required context to connect to your HCP Vault cluster’s API.

vault hcp connect \
   -client-id $HCP_CLIENT_ID \
   -secret-id $HCP_CLIENT_SECRET \
   -organization-id $HCP_ORG_ID \
   -project-id $HCP_PROJECT_ID \
   -cluster-id $HCP_CLUSTER_ID

Example output:

HCP Vault Cluster: vault-cluster

Connected to cluster via an HCP proxy. Login with 'vault login' or export a VAULT_TOKEN to access this Vault cluster.

Set the VAULT_NAMESPACE environment variable to the namespace you want to log into and operate in.
```
$ export VAULT_NAMESPACE=admin
```
Log into Vault using the vault login command using a configured auth method or set a valid VAULT_TOKEN as an environment variable to execute standard Vault CLI commands.
```
$ vault login...
```
Run vault hcp disconnect to terminate the proxied connection from the CLI to the HCP Vault Dedicated cluster.
```
$ vault hcp disconnect
```

Use AWS transit gateway as a transit network

Through the supported cloud providers, you can enable common hybrid cloud networking models to support workloads with providers not yet natively supported by HCP using a concept known as a transit network.

Refer to the Connect Google Cloud Platform (GCP) to HCP via AWS Transit Gateway tutorial to learn how to create a Virtual Private Network (VPN) between AWS and Google Cloud Platform (GCP), create a transit gateway connection between HCP and AWS, and configure routing between each of the three platforms to demonstrate this type of connectivity.

Tutorial

HashiCorp Virtual Network tutorials