Connecting privately to HCP Vault and Consul clusters – HashiCorp Help Center

Introduction

This article will provide instructions on how to access the private URL of a Vault or Consul cluster in HCP.

Prerequisites

Establish private connectivity between HashiCorp Cloud Platform and your AWS VPC or Azure VNet.

HVN peering to AWS VPC
- Video walkthrough here.
HVN AWS Transit Gateway Attachment
- Video walkthrough here.
HVN peering to Azure VNet

Connecting from private datacenter or external cloud provider

If you wish to privately connect an on-premise/private datacenter to HCP or a cloud provider which is different from the one the target HCP cluster is in, below are some patterns which may be considered. Each of these options requires VPN connectivity between the cloud provider the HVN is in and the external network. In all cases, you will need to also setup appropriate routing within your HCP HVN and external network and ensure there are no overlapping subnet CIDRs between the HVN and targets which the HVN needs access to within your network.

Connecting external network privately to HCP services in AWS

When using VPC peering with HVN
- https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-peered.html
When using Transit Gateway Attachment with HVN
- https://docs.aws.amazon.com/vpc/latest/tgw/tgw-vpn-attachments.html
- https://docs.aws.amazon.com/vpc/latest/tgw/tgw-dcg-attachments.html
HCP Vault and Consul on GCP will be available in the future. In the meantime, if you need to connect GCP workloads to private endpoints of HCP services in AWS check out this tutorial.

Connecting external network privately to HCP services in Azure

When using VNet peering with HVN
- Azure HVNs do not currently support transitive peering or VNet-to-VNet VPN gateways, therefore, this pattern may not be possible when needing to privately connect an external network to HCP services in Azure. This may be considered as a future feature.

Testing private connectivity

These are HCP Vault specific examples.

Access via CLI command

From a machine deployed in a network privately connected to the HVN.
Set the VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE environment variables.

export VAULT_ADDR=https://hcpv-your-name.private.vault.def84aba-3536-4894-a627-6d7ed3acc5ff.aws.hashicorp.cloud:8200
export VAULT_NAMESPACE=admin
export VAULT_TOKEN=<REDACTED>

Test connectivity to Vault with vault status command.

~ ❯ vault status
Key Value
--- -----
Recovery Seal Type shamir
Initialized true
Sealed false
Total Recovery Shares 1
Threshold 1
Version 1.8.1+ent
Storage Type raft
Cluster Name vault-cluster-d082b1c1
Cluster ID c27cd9af-56e1-b851-b4e9-9d492e2ddbbd
HA Enabled true
HA Cluster https://10.0.2.34:8201
HA Mode active
Active Since 2021-08-30T17:12:20.90159782Z
Raft Committed Index 3548
Raft Applied Index 3548
Last WAL 808

API call using cURL

Set the VAULT_ADDR and VAULT_TOKEN environment variables.

Test connectivity to Vault using curl.

~ ❯ curl --header "X-Vault-Token: $VAULT_TOKEN" \
--header "X-Vault-Namespace: admin" \
$VAULT_ADDR/v1/sys/seal-status | jq

{
"type": "shamir",
"initialized": true,
"sealed": false,
"t": 1,
"n": 1,
"progress": 0,
"nonce": "",
"version": "1.8.1+ent",
"migration": false,
"cluster_name": "vault-cluster-d082b1c1",
"cluster_id": "c27cd9af-56e1-b851-b4e9-9d492e2ddbbd",
"recovery_seal": true,
"storage_type": "raft"
}

Access via Web UI

Private Vault URLs can be accessed from browser based machines deployed in the VPC connected to HVN.

Additional Information

For additional questions or support, please open a Support ticket.