The HashiCorp Cloud Platform (HCP) supports network peering with an AWS VPC. Network peering enables compute resources in two different networks to communicate with each other. In order for the Consul and Vault servers hosted on the HashiCorp Cloud Platform (HCP) to communicate with the clients hosted on your AWS environment, a network peering connection must be established.
This tutorial provides guidance on how to create a network peering connection between HashiCorp Cloud Platform and an AWS VPC.
»Prerequisites
- An AWS Account
- AWS CLI installed
- An AWS VPC
- An HCP Account
- A HashiCorp Virtual Network (HVN)
- AWS permissions to perform the following actions:
  - Accept peering connections
  - Create and edit security groups
  - Create VPC routes
»Create a peering connection
Navigate to the left sidebar and click on the HashiCorp Virtual Network link at the top.
Select the HVN you want to create a peering connection with.
In the selected HVN overview page, navigate to the left sidebar and click on the Peering connections link.
If you have peering connections available, they are listed in the center of the screen.
Click on Create connection to create a peering relationship with your AWS VPC.
Fill in the requested information and click the Create connection button to begin the peering process.
If you are unsure of where to find the AWS Account ID or the VPC ID, click on the link labeled Where can I find this?. The link provides helpful information and a screenshot of where in the AWS Console this information can be found.
»Accept the peering connection
The newly created peering connection is in pending acceptance state. You can accept the connection using the AWS Console or AWS CLI.
Launch the Amazon VPC Console, and select the Peering Connections link that is on the left sidebar. You should have an entry in the list with a status of pending acceptance.
NOTE: It may take a few minutes before the peering connection is available and visible.
Click on Actions, then select Accept request.
Confirm in the dialog that appears. This establishes the peering connection between the VPC and the HashiCorp Cloud Platform (HCP); its status changes from pending acceptance to active.
Additional information regarding AWS peering connections can be found in the AWS documentation.
»Add a route
For compute resources to use the network path enabled by the peering connection, a route must be added to the VPC's route table. The route entry directs traffic destined for the HashiCorp Cloud Platform (HCP) network through the peering connection; without it, those compute resources cannot reach HCP resources. If your VPC has several route tables, add the route to each table associated with subnets that host your Consul or Vault clients.
In the Amazon VPC console, select Route Tables from the left sidebar. If you have multiple VPCs, verify that the VPC used to establish the peering connection is selected.
Click Actions and select Edit Routes.
Return to the HCP Portal. From the HVN peering connection overview page, select View configuration instructions.
Scroll down to the Updating the route table section, which lists the HVN CIDR block and the peering connection to use for the new route.
Back in the AWS console, click Add route, enter the HVN CIDR block as the destination, and select the peering connection as the target.
Click Save changes. The new entry in the VPC's route table points to HashiCorp Cloud Platform (HCP), so compute resources in the VPC can now communicate with HCP.
»Create an HVN route
For HCP to communicate with resources in the AWS VPC, an HVN route (default route) has to be added on the HCP side.
In the HCP portal, select the link in the Create a route banner, or the Create route link in the Routes list on the peering connection detail page. This opens the create route form.
If you are unsure of where to find the requested information, use the link labeled Where can I find this?.
Fill in the required information (route ID and destination CIDR) and click the Create route button. This creates a default route entry inside HCP that enables HCP resources in the selected HVN to communicate with your AWS VPC.
The HVN configuration page contains instructions for creating a security group specific to HCP. This is an optional step, however, we recommend you follow the "least privilege" principle and create security groups that are as granular and specific as possible.
»Update security groups
Update the relevant security groups in the target VPC by adding rules that allow ingress and egress for the HVN CIDR block. The rules below cover applications that access your cluster (DNS and API) via localhost; your configuration might need different rules.
Select the security group associated with your VPC and add the following inbound and outbound rules.
NOTE: For details, refer to the official AWS documentation or the help instructions in the HCP Portal.
»Outbound (Egress)
The table below documents the egress configuration that must be applied to the security group.
Protocol | From Port | To Port | Destination | Purpose |
---|---|---|---|---|
TCP | 8200 | 8200 | HVN-CIDR | Vault API |
You can also apply the rule above with the AWS CLI instead of the AWS console.
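The AWS side of the whole procedure (accept the peering request, add the VPC route, allow Vault API egress) can be scripted with the AWS CLI. The script below is an added example and is not part of the HCP tutorial or HashiCorp's tooling. The peering connection ID, route table ID, security group ID and HVN CIDR are placeholders you read from the HCP portal and the AWS console; the `AWS_DRY_RUN` switch and the function names are this script's own.

```shell
#!/bin/sh
# Added example (not from the HCP tutorial): drive the AWS side of an
# HCP <-> VPC peering with the AWS CLI. All IDs and the HVN CIDR are
# placeholders; AWS_DRY_RUN=1 prints the commands instead of running them.
#
# usage: sh hcp_peer.sh <pcx-id> <rtb-id> <sg-id> <hvn-cidr>

# Execute an aws command, or print it when AWS_DRY_RUN=1.
run_aws() {
    if [ "${AWS_DRY_RUN:-0}" = "1" ]; then
        printf 'aws %s\n' "$*"
    else
        aws "$@"
    fi
}

# True when $2 is an AWS resource ID with prefix $1 and 8 or 17 hex chars,
# e.g. is_aws_id pcx pcx-0123456789abcdef0
is_aws_id() {
    printf '%s\n' "$2" | grep -Eq '^'"$1"'-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# True when $1 is an IPv4 CIDR: four octets in 0-255 and a /0 to /32 prefix.
is_cidr() {
    _octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    printf '%s\n' "$1" \
        | grep -Eq "^($_octet\\.){3}$_octet/([0-9]|[12][0-9]|3[0-2])\$"
}

# Accept the pending peering request that HCP created in your AWS account.
accept_peering() {
    is_aws_id pcx "$1" || { echo "bad peering connection id: $1" >&2; return 1; }
    run_aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id "$1"
}

# Send traffic for the HVN CIDR through the peering connection. Repeat for
# every route table attached to subnets whose instances must reach HCP.
add_hvn_route() {
    is_aws_id rtb "$1" && is_aws_id pcx "$2" && is_cidr "$3" \
        || { echo "bad route arguments: $*" >&2; return 1; }
    run_aws ec2 create-route --route-table-id "$1" \
        --destination-cidr-block "$3" --vpc-peering-connection-id "$2"
}

# Egress rule from the table above: TCP 8200 to the HVN CIDR (Vault API).
allow_vault_egress() {
    is_aws_id sg "$1" && is_cidr "$2" \
        || { echo "bad security group arguments: $*" >&2; return 1; }
    run_aws ec2 authorize-security-group-egress --group-id "$1" \
        --ip-permissions "IpProtocol=tcp,FromPort=8200,ToPort=8200,IpRanges=[{CidrIp=$2,Description=HCP-Vault-API}]"
}

main() {
    [ $# -eq 4 ] || { echo "usage: $0 <pcx-id> <rtb-id> <sg-id> <hvn-cidr>" >&2; return 2; }
    accept_peering "$1"
    add_hvn_route "$2" "$1" "$4"
    allow_vault_egress "$3" "$4"
}

# Only act when arguments are given, so the file can also be sourced for its functions.
[ $# -eq 0 ] || main "$@"
```

Run it with `AWS_DRY_RUN=1` first to review the exact commands, and pass `--region` (or set `AWS_DEFAULT_REGION`) if your default region differs from the VPC's; the peering request is only visible in the VPC's own region. The three calls map onto the permissions listed in the prerequisites: ec2:AcceptVpcPeeringConnection, ec2:CreateRoute and ec2:AuthorizeSecurityGroupEgress. Two caveats for the security group step: a group that still carries AWS's default allow-all egress rule (0.0.0.0/0) makes the 8200 rule redundant, so for least privilege revoke that default rule once the HVN-specific rules are in place; and the table on this page only covers the Vault API, so add the corresponding rows for any other HCP service the portal's instructions list. `aws ec2 describe-vpc-peering-connections` shows whether the connection has reached the active state.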
»Next steps
In this tutorial, you created a peering connection between the HashiCorp Cloud Platform (HCP) and an AWS VPC: you created the peering connection in HCP, accepted it on the AWS side, added a route in the VPC's route table that points to HCP, created an HVN route back to the VPC, and updated your security groups. Compute resources in your AWS account can now connect to HCP resources.
HVN peering connections can also be created using the HashiCorp Cloud Platform Terraform Provider. The HCP Terraform Provider can be found in the Terraform registry.
We encourage you to visit other HCP Learn tutorials and continue to expand your learning.