Overview:
Users deploying HashiCorp Cloud Platform (HCP) Vault Dedicated may need to configure firewalls to allow traffic to and from their HCP Vault Dedicated (HVD) cluster when setting up the environment. This article explains the concepts of ingress and egress IPs in HCP Vault Dedicated and how they behave in different scenarios.
Ingress IPs:
Ingress IPs are the public or private IP addresses of the load balancer (LB) in front of an HCP Vault Dedicated cluster, obtained by resolving the cluster's public or private DNS name. These IPs handle incoming traffic to the cluster, such as clients or applications connecting to Vault via the cluster's public or private DNS.
Note: For Standard- and Plus-tier HCP Vault Dedicated clusters, ingress IPs are now static.
Disaster Recovery (DR) Scenario:
- If the cluster has a DR replica and a failover occurs in the primary region, the cluster's DNS will update to point to the load balancer (LB) in the secondary region.
- Users should include both the primary and secondary region LB IPs in their firewall rules.
- To obtain the DR replica IPs, customers must open a support ticket with HashiCorp Support.
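The following script is an added example, not HashiCorp tooling, showing how a firewall maintainer can turn the ingress-IP guidance above into a repeatable check: resolve the cluster DNS name to its current LB addresses, merge them with the DR replica LB IPs received from HashiCorp Support, and report any address that the existing firewall rules do not cover (which is exactly what would be blocked after a DR failover moved the DNS to the secondary region). The hostname, addresses and firewall rules below are constructed placeholders; the resolver is injectable so the check can run offline. It deliberately covers only ingress IPs, since egress IPs rotate and cannot be pinned in static rules.

```python
"""Check a firewall allow-list against an HCP Vault Dedicated cluster's ingress IPs.
Added illustrative example, not HashiCorp's tooling; all sample values are constructed."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional


def resolve_cluster_ips(hostname: str,
                        resolver: Optional[Callable[[str], Iterable[str]]] = None) -> set:
    """Return the set of addresses the cluster DNS name currently resolves to.

    `resolver` is injectable so the check can run offline against constructed
    data; by default the system resolver is used (port 8200 is Vault's default).
    """
    if resolver is None:
        def resolver(name: str) -> Iterable[str]:
            return {info[4][0] for info in socket.getaddrinfo(name, 8200)}
    return {str(ipaddress.ip_address(ip)) for ip in resolver(hostname)}


def build_ingress_allowlist(resolved_ips: Iterable[str],
                            dr_replica_ips: Iterable[str]) -> set:
    """Union of the primary LB IPs (from DNS) and the DR replica LB IPs
    (obtained from HashiCorp Support), written as host CIDRs for firewall rules."""
    entries = set()
    for ip in list(resolved_ips) + list(dr_replica_ips):
        addr = ipaddress.ip_address(ip)
        entries.add(f"{addr}/{addr.max_prefixlen}")
    return entries


def missing_from_rules(allowlist: Iterable[str], firewall_rules: Iterable[str]) -> set:
    """Return allow-list entries not contained in any existing firewall CIDR.
    Anything reported here would be blocked once DNS points at that LB."""
    networks = [ipaddress.ip_network(rule, strict=False) for rule in firewall_rules]
    missing = set()
    for entry in allowlist:
        net = ipaddress.ip_network(entry)
        covered = any(net.subnet_of(rule) for rule in networks
                      if rule.version == net.version)
        if not covered:
            missing.add(entry)
    return missing


if __name__ == "__main__":
    # Constructed sample data: a fake cluster DNS answer, placeholder DR replica
    # IPs (real ones come from a HashiCorp Support ticket) and one existing rule.
    sample_dns = {"vault-cluster-public.example.invalid": ["203.0.113.10", "203.0.113.11"]}
    primary = resolve_cluster_ips("vault-cluster-public.example.invalid",
                                  resolver=lambda h: sample_dns[h])
    dr_ips = ["198.51.100.20", "198.51.100.21"]  # placeholder secondary-region LB IPs
    allowlist = build_ingress_allowlist(primary, dr_ips)
    current_rules = ["203.0.113.0/28"]  # covers the primary LB only
    print("required allow-list:", sorted(allowlist))
    print("not covered by current rules:", sorted(missing_from_rules(allowlist, current_rules)))
```

Run without the `resolver` argument to query real DNS for your own cluster name; the DR replica addresses still have to be supplied by hand, since they are only available through Support.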
Egress IPs:
Egress IPs are the public IPs HCP Vault Dedicated nodes use to send outbound traffic, such as logs or metrics streaming to external systems (e.g., AWS CloudWatch, Azure Monitor).
The egress IPs for the HCP Vault Dedicated clusters change approximately every 3 days as part of periodic cluster updates. This behavior makes egress IPs dynamic and unsuitable for static IP-based firewall rules.