Introduction
This article will provide instructions on how to access the private URL of a Vault or Consul cluster in HCP.
Prerequisites
Establish private connectivity between HashiCorp Cloud Platform and your AWS VPC or Azure VNet.
- HVN peering to AWS VPC
  - Video walkthrough here.
- HVN AWS Transit Gateway Attachment
  - Video walkthrough here.
- HVN peering to Azure VNet
Connecting from private datacenter or external cloud provider
If you wish to privately connect an on-premises/private datacenter to HCP, or a cloud provider different from the one the target HCP cluster is in, the patterns below may be considered. Each of these options requires VPN connectivity between the cloud provider the HVN is in and the external network. In all cases, you will also need to set up appropriate routing within your HCP HVN and the external network, and ensure there are no overlapping subnet CIDRs between the HVN and the targets within your network that the HVN needs to reach.
Note: HCP Vault Dedicated clusters offer an identity-based method to secure connections to the cluster's UI publicly, which only allows network connections to the cluster from authenticated and authorized HCP identities. This feature is limited to UI access only. More information can be found here.
Connecting external network privately to HCP services in AWS
- When using VPC peering with HVN
- When using Transit Gateway Attachment with HVN
- HCP Vault and Consul on GCP will be available in the future. In the meantime, if you need to connect GCP workloads to private endpoints of HCP services in AWS check out this tutorial.
Connecting external network privately to HCP services in Azure
- Currently, only Azure VNet peering (point-to-point) is publicly supported. However, Azure Hub/Spoke architecture is available in private beta using only the Terraform Provider. Please contact HashiCorp Support for details.
Testing private connectivity
The following examples are specific to HCP Vault.
Access via CLI command
- From a machine deployed in a network privately connected to the HVN.
- Set the VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE environment variables.
export VAULT_ADDR=https://hcpv-your-name.private.vault.def84aba-3536-4894-a627-6d7ed3acc5ff.aws.hashicorp.cloud:8200
export VAULT_NAMESPACE=admin
export VAULT_TOKEN=<REDACTED>
- Test connectivity to Vault with the vault status command.
~ ❯ vault status
Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    1
Threshold                1
Version                  1.8.1+ent
Storage Type             raft
Cluster Name             vault-cluster-d082b1c1
Cluster ID               c27cd9af-56e1-b851-b4e9-9d492e2ddbbd
HA Enabled               true
HA Cluster               https://10.0.2.34:8201
HA Mode                  active
Active Since             2021-08-30T17:12:20.90159782Z
Raft Committed Index     3548
Raft Applied Index       3548
Last WAL                 808
API call using cURL
- Set the VAULT_ADDR and VAULT_TOKEN environment variables.
- Test connectivity to Vault using curl.
~ ❯ curl --header "X-Vault-Token: $VAULT_TOKEN" \
    --header "X-Vault-Namespace: admin" \
    $VAULT_ADDR/v1/sys/seal-status | jq
{
  "type": "shamir",
  "initialized": true,
  "sealed": false,
  "t": 1,
  "n": 1,
  "progress": 0,
  "nonce": "",
  "version": "1.8.1+ent",
  "migration": false,
  "cluster_name": "vault-cluster-d082b1c1",
  "cluster_id": "c27cd9af-56e1-b851-b4e9-9d492e2ddbbd",
  "recovery_seal": true,
  "storage_type": "raft"
}
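As an added example that is not part of this article or of HashiCorp's tooling, the following Python script runs the same connectivity test in stages (DNS, TCP, TLS/HTTP) so that a failure points at the layer to fix: a private URL that does not resolve, or resolves to a public address, suggests the machine is not in the network connected to the HVN; a TCP timeout points at routing, security groups or overlapping CIDRs; an HTTP error means Vault was reached but rejected the token or namespace. The hostname hcpv-example.invalid and the expectation that the private URL resolves to an RFC 1918 address (consistent with the 10.0.2.34 HA address in the vault status output above) are assumptions.

```python
import ipaddress
import json
import socket
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

def is_private_ip(ip: str) -> bool:
    """Assumption: a private HVN URL resolves to an RFC 1918 address reached over the peering."""
    return ipaddress.ip_address(ip).is_private

def classify_seal_status(body: dict) -> str:
    """Interpret a /v1/sys/seal-status document (the fields shown in the curl output)."""
    if not body.get("initialized"):
        return "uninitialized"
    if body.get("sealed"):
        return "sealed"
    return "ready"

def check_private_vault(addr: str, token: str, namespace: str = "admin",
                        timeout: float = 5.0) -> dict:
    """Walk DNS -> TCP -> TLS/HTTP; return the first failing stage, or 'ok' with the seal state."""
    url = urlparse(addr)
    host, port = url.hostname, url.port or 8200
    try:
        ip = socket.gethostbyname(host)          # fails: no DNS path/route from this network
    except socket.gaierror as exc:
        return {"stage": "dns", "detail": f"{host} does not resolve: {exc}"}
    if not is_private_ip(ip):                    # private URL should not land on a public IP
        return {"stage": "dns", "detail": f"{host} resolved to public address {ip}"}
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            pass                                 # fails: routing, NACL/SG or overlapping CIDRs
    except OSError as exc:
        return {"stage": "tcp", "detail": f"cannot reach {ip}:{port}: {exc}"}
    req = urllib.request.Request(f"{addr}/v1/sys/seal-status",
                                 headers={"X-Vault-Token": token, "X-Vault-Namespace": namespace})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ssl.create_default_context()) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as exc:        # reachable, but token/namespace rejected
        return {"stage": "http", "detail": f"HTTP {exc.code} from Vault"}
    except (urllib.error.URLError, OSError) as exc:
        return {"stage": "tls", "detail": str(exc)}
    return {"stage": "ok", "detail": classify_seal_status(body),
            "cluster": body.get("cluster_name")}
```

Run it from the same machine used for the vault status test, for example check_private_vault(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"], os.environ["VAULT_NAMESPACE"]).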
Access via Web UI
- Private Vault URLs can be accessed from browser-based machines deployed in the VPC connected to the HVN.
Additional Information
As an alternative for HCP Vault Dedicated clusters, you can consider using the IP allowlist functionality. It allows you to allowlist IP addresses and/or CIDR ranges that will be permitted to access the cluster's public endpoint. More information can be found here.
For additional questions or support, please open a Support ticket.