Manage public network access
Newly deployed HCP Vault Dedicated clusters are created with default network settings depending on the tier of the cluster. For Development tier clusters, public networking is the default and for all other tiers, private networking is the default.
To learn more about the architecture of this network model, please refer to the HCP Data Plane documentation.
The cluster's network settings can be edited any time after a cluster is created to suit your networking requirements.
Enable public network access
The public network accessibility option enables a publicly accessible endpoint where the cluster UI and API can be accessed. You can configure an IP allow list to limit the source IP range(s) that can connect to the cluster's public endpoint.
When the public network accessibility option is selected, private networking is also available and can be accessed by enabling a supported private network connection such as an AWS transit gateway or Microsoft Azure peering connection.
Log into the HCP Portal.
From the Vault clusters page, click the Vault cluster you want to enable public access for.
Click Cluster networking in the left navigation menu.
Click Edit.
Under Cluster accessibility select Public.
Click Save.
Manage IP allow list
When public access is enabled, we recommend using the IP allow list to manage which public IP addresses can access the HCP Vault Dedicated cluster. The IP allow list is disabled by default for all new clusters.
Log into the HCP Portal.
From the Vault clusters page, click the Vault cluster you want to enable public access for.
Click Cluster networking in the left navigation menu.
Click Edit.
Under Cluster accessibility toggle the Allow select IPs only switch.
There are two options for managing allowed IP addresses: individually and by pasting a comma-separated value (CSV) list.
Under the Add individually tab enter an IP address in CIDR notation.
Note
The IP address must be a valid, routable public IP address.
Under the Paste CSV tab paste a list of comma-separated IP addresses in CIDR notation.
Click Save.
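The following pre-check for a list destined for the Paste CSV tab is an added example, not HashiCorp code. It confirms that each entry parses as CIDR notation and that both ends of the range are routable public addresses before you paste the list. The `MIN_IPV4_PREFIX` threshold and the sample entries are assumptions made for illustration, not HCP limits.

```python
import ipaddress

# Assumed review threshold (not an HCP limit): IPv4 prefixes shorter than
# this are reported as too broad to be useful in an allow list.
MIN_IPV4_PREFIX = 16


def check_allow_list(csv_text):
    """Split a comma-separated CIDR list into accepted and rejected entries."""
    ok, rejected = [], []
    for raw in csv_text.replace("\n", ",").split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False normalizes entries that have host bits set.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not valid CIDR notation"))
            continue
        # Both ends of the range must be globally routable addresses.
        if not (net.network_address.is_global and net.broadcast_address.is_global):
            rejected.append((entry, "not a routable public range"))
        elif net.version == 4 and net.prefixlen < MIN_IPV4_PREFIX:
            rejected.append((entry, "range too broad"))
        else:
            ok.append(str(net))
    return ok, rejected


# Constructed sample input, not taken from any real cluster.
SAMPLE = ("8.8.8.8/32, 1.1.1.0/24, 10.0.0.0/8, 192.168.1.10/32, "
          "0.0.0.0/0, not-an-ip, 8.0.0.0/6")

if __name__ == "__main__":
    accepted, refused = check_allow_list(SAMPLE)
    print("paste:", ",".join(accepted))
    for entry, reason in refused:
        print("rejected:", entry, "-", reason)
```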
Disable public network access
When the private network accessibility option is selected, the cluster API can only be accessed by enabling a supported private network connection such as an AWS transit gateway or Microsoft Azure peering connection. The UI can still be accessed using the HCP Proxy by an HCP IAM user, if enabled.
Log into the HCP Portal.
From the Vault clusters page, click the Vault cluster you want to disable public access for.
Click Cluster networking in the left navigation menu.
Click Edit.
Under Cluster accessibility select Private. This will disable public network access.
Click Save.