The HashiCorp Cloud Platform (HCP) supports network peering with an AWS VPC. Network peering enables compute resources in two different networks to communicate with each other. In order for the Consul and Vault servers hosted on the HashiCorp Cloud Platform (HCP) to communicate with the clients hosted on your AWS environment, a network peering connection must be established.
This tutorial provides guidance on how to create a network peering connection between HashiCorp Cloud Platform and an AWS VPC.
»Prerequisites
- An AWS Account
- AWS CLI installed
- An AWS VPC
- An HCP Account
- A HashiCorp Virtual Network (HVN)
- AWS permissions to perform the following actions:
  - Accept peering connections
  - Create and edit security groups
  - Create VPC routes
»Create a Peering Connection
To create a peering connection, navigate to the left sidebar and click on the "HashiCorp Virtual Network" link at the top. Next, select the HVN you want to create a peering connection with. In the selected HVN overview page, navigate to the left sidebar and click on the "Peering connections" link.
If you have peering connections available, they are listed in the center of the screen. Click on “Create connection” to create a peering relationship with your AWS VPC.
Fill in the requested information and click the “Create connection” button to begin the peering process. If you are unsure of where to find the AWS Account ID or the VPC ID, click on the link labeled “Where can I find this?”. The link provides helpful information and a screenshot of where in the AWS Console this information can be found.
»Accept the peering connection
The newly created peering connection is in the "pending acceptance" state. You can accept the connection using the AWS Console or the AWS CLI.
Go to your AWS account's console, navigate to the VPC service, and click on the "Peering Connections" link that is on the left sidebar. You should have an entry in the list with a status of “pending acceptance”.
NOTE: It may take a few minutes before the peering connection is available and visible.
Next, click on "Actions", then select "Accept Request". A popup will appear on the screen. Accept the connection in order to establish the peering connection between the VPC and the HashiCorp Cloud Platform (HCP).
Additional information regarding AWS peering connections can be found in the AWS documentation.
»Add a route
For compute resources to take advantage of the logical network path enabled by the peering connection, a network route must be added to the VPC's routing table. The route table entry directs compute resources to the HashiCorp Cloud Platform (HCP) network. Without a route entry in the VPC's route table, those compute resources cannot connect to HashiCorp Cloud Platform (HCP) resources.
In the AWS Console, open the VPC service screen, and click on the "Route Tables" link on the left sidebar. If you have multiple VPCs, verify that the VPC used to establish the peering connection is selected. Click the "Actions" button and select "Edit Routes".
Using the information provided in the HVN configuration page, add a new route to the route table.
Click "Add route" and add the destination network CIDR and the peering connection resource.
Saving the changes will create a route entry in the VPC's routing table that points to HashiCorp Cloud Platform (HCP).
Adding a route to the VPC's route table allows compute resources to communicate with HashiCorp Cloud Platform (HCP). Next, in order for HCP to be able to communicate with the AWS VPC resources, an HVN route (default route) has to be added on the HCP side.
To create an HVN route for your new peering connection, select the link in the “Create a route” banner or the “Create route” link in the Routes list from the peering connections detail page. This will direct you to the create route form.
Fill out the requested information and click on the "Create route" button. If you are unsure of where to find the requested information, please use the link "Where can I find this?"
When you have filled out all the required information (route ID and destination CIDR), click on the "Create route" button. This creates a default route entry inside HCP that enables HCP resources to communicate with your AWS VPC over the selected HVN.
The HVN configuration page contains instructions for creating a security group specific to HCP. This is an optional step, however, we recommend you follow the "least privilege" principle and create security groups that are as granular and specific as possible.
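The whole procedure above (create the peering, accept it in AWS, add the VPC route, add the HVN route, and scope a security group to the HVN) can be expressed as a single Terraform configuration using the HCP and AWS providers. The following is an added example, not code from this tutorial or from HashiCorp; it assumes an existing VPC and route table supplied as variables, an HVN CIDR of 172.25.16.0/20 that does not overlap the VPC, the region us-west-2, HCP credentials in HCP_CLIENT_ID/HCP_CLIENT_SECRET, and the default Consul (8300-8302) and Vault (8200) ports for the security group rules.

```hcl
terraform {
  required_providers {
    hcp = { source = "hashicorp/hcp" }
    aws = { source = "hashicorp/aws" }
  }
}

# HCP credentials are read from HCP_CLIENT_ID / HCP_CLIENT_SECRET (assumption).
provider "hcp" {}
provider "aws" {
  region = var.aws_region
}

# Assumed inputs: an existing VPC and the route table its workloads use.
variable "aws_region"     { default = "us-west-2" }
variable "vpc_id"         { type = string }
variable "route_table_id" { type = string }

data "aws_vpc" "peer" {
  id = var.vpc_id
}

# The HVN. Its CIDR is an assumption and must not overlap the VPC CIDR.
resource "hcp_hvn" "main" {
  hvn_id         = "main-hvn"
  cloud_provider = "aws"
  region         = var.aws_region
  cidr_block     = "172.25.16.0/20"
}

# Step 1: request the peering from the HCP side (Account ID and VPC ID
# are read from the VPC rather than typed into the form).
resource "hcp_aws_network_peering" "to_vpc" {
  hvn_id          = hcp_hvn.main.hvn_id
  peering_id      = "hvn-to-vpc"
  peer_vpc_id     = data.aws_vpc.peer.id
  peer_account_id = data.aws_vpc.peer.owner_id
  peer_vpc_region = var.aws_region
}

# Step 2: accept the "pending acceptance" request on the AWS side.
resource "aws_vpc_peering_connection_accepter" "from_hcp" {
  vpc_peering_connection_id = hcp_aws_network_peering.to_vpc.provider_peering_id
  auto_accept               = true
}

# Step 3: VPC route table entry sending HVN-bound traffic over the peering.
resource "aws_route" "to_hvn" {
  route_table_id            = var.route_table_id
  destination_cidr_block    = hcp_hvn.main.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.from_hcp.id
}

# Step 4: HVN route back to the VPC CIDR over the same peering.
resource "hcp_hvn_route" "to_vpc" {
  hvn_link         = hcp_hvn.main.self_link
  hvn_route_id     = "hvn-to-vpc"
  destination_cidr = data.aws_vpc.peer.cidr_block
  target_link      = hcp_aws_network_peering.to_vpc.self_link
}

# Step 5 (optional): least-privilege security group. Every rule is scoped to
# the HVN CIDR only; port numbers are the Consul/Vault defaults (assumption).
resource "aws_security_group" "hcp_clients" {
  name        = "hcp-clients"
  description = "Consul/Vault client traffic to and from the HCP HVN only"
  vpc_id      = data.aws_vpc.peer.id

  # Consul servers in the HVN reach clients over LAN gossip (8301 tcp/udp).
  ingress {
    from_port   = 8301
    to_port     = 8301
    protocol    = "tcp"
    cidr_blocks = [hcp_hvn.main.cidr_block]
  }
  ingress {
    from_port   = 8301
    to_port     = 8301
    protocol    = "udp"
    cidr_blocks = [hcp_hvn.main.cidr_block]
  }
  # Clients reach Consul server RPC/gossip (8300-8302) and Vault API (8200).
  egress {
    from_port   = 8300
    to_port     = 8302
    protocol    = "tcp"
    cidr_blocks = [hcp_hvn.main.cidr_block]
  }
  egress {
    from_port   = 8301
    to_port     = 8301
    protocol    = "udp"
    cidr_blocks = [hcp_hvn.main.cidr_block]
  }
  egress {
    from_port   = 8200
    to_port     = 8200
    protocol    = "tcp"
    cidr_blocks = [hcp_hvn.main.cidr_block]
  }
}
```

Run with `terraform apply -var vpc_id=vpc-xxxx -var route_table_id=rtb-xxxx` (placeholder IDs). Restricting both ingress and egress to the HVN CIDR rather than 0.0.0.0/0 is the granular security group the HVN configuration page recommends: a compromised instance in the VPC can only reach the Consul and Vault ports on the HVN, not arbitrary addresses.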
In this tutorial, you created a peering connection between HashiCorp Cloud Platform (HCP) and an AWS VPC. You first created the network peering, then accepted it on the AWS side, and lastly created a route in the VPC's route table that points back to HCP. Upon completion of these steps, compute resources in your AWS account can connect with HCP resources.
HVN Peering connections can also be created using the HashiCorp Cloud Platform Terraform Provider. The HCP Terraform Provider can be found in the Terraform registry.
We encourage you to visit other HCP Learn tutorials and continue to expand your learning.