Configure private network access
Private networking with HCP Vault Dedicated requires additional configuration within your AWS or Azure account depending on which cloud provider the cluster is deployed in.
HashiCorp Virtual Networks (HVN) can be privately peered or attached as a spoke to a hub network to an AWS or Azure account. The documentation covers private connectivity options using a supported cloud service provider (CSP).
Each option involves three major steps:
- Create the peering connection (AWS and Azure) or transit gateway attachment.
- Configure routes between your HVN and CSP.
- Configure security groups.
Refer to the HVN for AWS and HVN for Azure documentation for additional guideance.
Create peering connection request
- Sign in to the HCP Portal and select your organization.
- From the sidebar, click HashiCorp Virtual Network.
- Click on an HVN in the ID column.
- From the sidebar, click Peering connections.
- Click Create connection.
- Complete the requested fields:
- In the Connection ID field, enter a name for the peering connection. The name can be up to 36 characters and can only include letters, numbers, and dashes.
- Enter your AWS Account ID.
- Select your VPC region.
- Enter your VPC ID.
- Click Create connection.
Complete peering connection request
- Sign in to the HCP Portal and select your organization.
- From the sidebar, click HashiCorp Virtual Network.
- Click on an HVN in the ID column.
- From the sidebar, click Peering connections.
- Click the name of the connection in the ID column.
- Copy the commands for inbound and outbound rules and run each command in your terminal.
Create routes
- Sign in to the HCP Portal and select your organization.
- From the sidebar, click HashiCorp Virtual Network.
- Click on an HVN in the ID column.
- From the sidebar, click Route table. The default table entry routes local traffic. For more details, refer to Route Table Reference.
- Click Create route.
- Complete the requested fields:
- In the Route ID field, enter a name for the route. The route ID can be up to 36 characters and can only include letters, numbers, and dashes.
- In the Destinations field, enter the CIDR range of the AWS resource that the HVN should reach through your target. For more details about how to configure this field, refer to CIDR Block Reference.
- From the Targets field, choose a peering connection.
- To complete the configuration, click Create route.
Configure security groups
To allow outbound traffic from your VPC, add the following rules to your security group for HCP Vault:
Protocol | From Port | To Port | Destination | Purpose |
---|---|---|---|---|
TCP | 8200 | 8200 | HVN-CIDR | Vault API |
TCP | 5696 | 5696 | HVN-CIDR | KMIP server* |
Note
The KMIP port is only necessary if the KMIP secrets engine is being used, which is only available on HCP Vault Plus tier clusters.
To apply this configuration to your security group, run the
authorize-security-group-egress
command. When you issue the command, you must
specify the target VPC region and security group ID.
HCP identity-based proxy
The HCP proxy identity-based proxy provides a publicly accessible proxy endpoint (managed by HCP) which only allows network connections to the cluster from authenticated and authorized HCP identities (users and service principals). This provides an identity-based method to secure connections to the cluster's UI publicly when IP allow list is not possible. This option can be useful for easy access to the cluster's UI for human administrators.
Access the UI using the cluster's proxy endpoint
With proxy enabled, a cluster configured with private network access can allow organization members access their HCP Vault Dedicated clusters' UI directly from within the portal without needing to connect through the cluster's private network. This can be done using the "Launch web UI" button in the top-right corner of the cluster overview page.
Log into the HCP Portal.
From the Vault clusters page, click Launch web UI.
This will launch a new browser or browser tab. Authentication through the HCP Proxy is transparent to the user.
Note
The URL for the Vault UI from the proxy is different than the HCP Vault Dedicated clusters public URL.
Paste a admin token into the Token textbox, or select a configured auth method to log in.
Connect the Vault CLI to the cluster's proxy
Requires Vault CLI 1.16
Connecting to an HCP Vault Dedicated cluster with the CLI through the HCP Proxy address requires the CLI to be at least version 1.16.
The Vault CLI can connect to a private HCP Vault Dedicated cluster using the HCP Proxy endpoint.
You can connect either interactively using a HCP IAM user or non-interactively using a HCP service principal.
Run
vault hcp connect
and follow prompts to choose the cluster you want to connect to.This command may open a browser and prompt you to log into HCP if your machine is not already authenticated. If you only have one HCP Vault Dedicated cluster, the CLI will automatically connect to it.
Set the
VAULT_NAMESPACE
environment variable to the namespace you want to log into and operate in.Log into Vault using the
vault login
command using a configured auth method or set a validVAULT_TOKEN
as an environment variable to execute standard Vault CLI commands.Run
vault hcp disconnect
to terminate the proxied connection from the CLI to the HCP Vault Dedicated cluster.
Use AWS transit gateway as a transit network
Through the supported cloud providers, you can enable common hybrid cloud networking models to support workloads with providers not yet natively supported by HCP using a concept known as a transit network.
Refer to the Connect Google Cloud Platform (GCP) to HCP via AWS Transit Gateway tutorial to learn how to create a Virtual Private Network (VPN) between AWS and Google Cloud Platform (GCP), create a transit gateway connection between HCP and AWS, and configure routing between each of the three platforms to demonstrate this type of connectivity.