Peering connections

You can create a peering connection between HashiCorp Cloud Platform (HCP) and your virtual private cloud (VPC) in AWS to allow traffic between services.

Overview

HCP Consul Dedicated and HCP Vault Dedicated uses a peering connections to communicate with the clients hosted in your AWS environment.

You can create a peering connections from the HCP Portal or the HCP provider in Terraform. For instructions on how to create peering connections with Terraform, refer to the HCP provider documentation.

For larger environments, we recommend connecting HCP to your VPCs through a transit gateway.

Requirements

An AWS account ID
The ID of the VPC you wish to connect
VPCs must be configured with RFC1918 or RFC6598 specification IP addresses.

Create peering connections

There are two methods to create a peering connection between the HCP HVN and AWS VPC - manual or automated.

The automated method connects to your AWS account and launches a CloudFormation template to complete the peering configuration. The CloudFormation template handles creating the peering request, accepting the peering request, and creating the necessary routes between the HVN and VPC.

The manual process will require you to perform each step in your HCP and AWS accounts.

Click HashiCorp Virtual Network in the left navigation menu.
Select the HVN you want to create a peering connection with.
In the selected HVN overview page, click Peering connections. If you have peering connections available, they are listed in the center of the screen.
Click Create connection.
Select the Quick peering with quick-create links radio button.
Select the VPC region you want to create the peering connection in and click Launch stack creation in AWS CloudFormation.
A new browser tab/page will open. If you are not already authenticated, log into your AWS account.
In the Parameters section, select the VPC you wish to peer with your HCP HVN.
Click the I acknowledge that AWS CloudFormation might create IAM resources checkbox and click Create stack.
Monitor the progress until the status changes to CREATE_COMPLETE.
Return to the HCP Portal and click Peering connections in the left navigation menu. The new peering connection is listed.
Click Route table in the left navigation menu. In addition to creating, and accepting the peering connection, the automated process also handled route creation to allow traffic between your HCP HVN and AWS VPC.
Note
You can delete all resources created by the CloudFormation template by deleting the stack in AWS.

Initiate peering connection

Click HashiCorp Virtual Network in the left navigation menu.
Select the HVN you want to create a peering connection with.
In the selected HVN overview page, click Peering connections.
If you have peering connections available, they are listed in the center of the screen.
Click Create connection.
Select the Manual peering using AWS CLI radio button.
Fill in the requested information and click the Create connection button to begin the peering process.
Note
If you are unsure of where to find the AWS Account ID or the VPC ID, click on the link labeled Where can I find this?. The link provides helpful information and a screenshot of where in the AWS Console this information can be found.

Accept peering connection

The newly created peering connection is in the pending state. You can accept the connection using the AWS CLI.

Copy the code snippet under Acceptance instructions and run it in a terminal with the AWS CLI configured for the desired AWS account.

Example output:

{
    "VpcPeeringConnection": {
        "AccepterVpcInfo": {
            "CidrBlock": "172.31.0.0/16",
            "CidrBlockSet": [
                {
                    "CidrBlock": "172.31.0.0/16"
                }
            ],
            "OwnerId": "734750226488",
            "PeeringOptions": {
                "AllowDnsResolutionFromRemoteVpc": false,
                "AllowEgressFromLocalClassicLinkToRemoteVpc": false,
                "AllowEgressFromLocalVpcToRemoteClassicLink": false
            },
            "VpcId": "vpc-8vgu9gugu9090g",
            "Region": "us-west-2"
        },
        "RequesterVpcInfo": {
            "CidrBlock": "172.25.16.0/20",
            "CidrBlockSet": [
                {
                    "CidrBlock": "172.25.16.0/20"
                }
            ],
            "OwnerId": "676562983947",
            "VpcId": "vpc-8vgu9gugu9090g",
            "Region": "us-west-2"
        },
        "Status": {
            "Code": "provisioning",
            "Message": "Provisioning"
        },
        "Tags": [],
        "VpcPeeringConnectionId": "pcx-uiovg9f79vu"
    }
}

Wait for the stepper to move to the Configure step before proceeding.

Update security groups

Update the relevant security groups in the target VPC by adding the following rules allowing ingress and egress for the CIDR block of HVN. These rules are valid for applications that are accessing your cluster (DNS and API) via localhost, but your configuration might need to differ.

NOTE: Refer to the AWS official documentation or the HCP Portal help instruction.

From the AWS console, navigate to security groups and copy the Security group ID you wish to update.
Return to the HCP Portal, the peering workflow has moved to the Configure step.
Enter the security group ID you copied from the AWS console in the AWS security group ID textbox.
Copy the Outbound rules CLI command and run it in a terminal with the AWS CLI configured for the desired AWS account.

From the AWS console, navigate to security groups and copy the Security group ID you wish to update.
Return to the HCP Portal, the peering workflow has moved to the Configure step.
Enter the security group ID you copied from the AWS console in the AWS security group ID textbox.
Click the Consul snippets tab.
Copy the Inbound rules CLI command and run it in a terminal with the AWS CLI configured for the desired AWS account.
Return to the HCP portal, copy the Outbound rules CLI command and run it in a terminal with the AWS CLI configured for the desired AWS account.

Update AWS route table

For compute resources to take advantage of the logical network path enabled by the peering connection, a network route must be added to the VPC's routing table. The route table entry directs compute resources to the HashiCorp Cloud Platform (HCP) network. Without a route entry in the VPC's route table, those compute resources cannot connect to HashiCorp Cloud Platform (HCP) resources.

Return to the AWS console. Navigate to Route tables and copy the Route table ID you wish to update.
Return to the HCP portal and click 2. Update route table.
Enter the route table ID you copied from the AWS console in the AWS target VPC route table ID textbox.

Copy the code snippet and run it in a terminal with the AWS CLI configured for the desired AWS account.

Example code snippet:

$ aws ec2 --region
    us-west-2
    create-route --route-table-id
    rtb-043ec68d39469bf17
    --destination-cidr-block
    172.25.16.0/20
    --vpc-peering-connection-id
    pcx-07504abe35f63e360

Initiate peering connection

Click HashiCorp Virtual Network in the left navigation menu.
Select the HVN you want to create a peering connection with.
In the selected HVN overview page, click Peering connections.
If you have peering connections available, they are listed in the center of the screen.
Click Create connection.
Select the Manual peering using HCP and AWS web console radio button.
Note
If you are unsure of where to find the AWS Account ID or the VPC ID, click on the link labeled Where can I find this?. The link provides helpful information and a screenshot of where in the AWS Console this information can be found.

Accept the peering connection

The newly created peering connection is in pending state. You can accept the connection using the AWS Console.

Launch the Amazon VPC Console, and select Peering Connections from the left navigation menu. You should have an entry in the list with a status of pending acceptance.
Note
It may take a few minutes before the peering connection is available and visible.
Click on Actions, then select Accept request.
A popup will appear on the screen. Accept the connection in order to establish the peering connection between the VPC and the HashiCorp Cloud Platform (HCP).
Note
Additional information regarding AWS peering connections can be found in the AWS documentation.
Return to the HCP Portal and wait for the stepper to move to the Configure step before proceeding.

Update security groups

Select the security group associated with your VPC, and add the following inbound and outbound rules.

NOTE: Also, refer to the AWS official documentation or the HCP Portal help instruction.

HCP Vault Dedicated requires an outbound (egress) rule to permit traffic from the AWS resources. By default, AWS permits all outbound traffic from a security group. However, if you have removed this rule, or use Terraform to manage AWS security groups, you will need to add a rule to permit Vault traffic.

Vault Dedicated requires inbound (ingress) rule(s) if you intend to use Vault to fulfill workflows, or interact with services in your environment.

Examples workflows may include, but may not be limited to:

Dynamic credential workflows such as generating database credentials or Kubernetes service accounts
Authorization workflows such as utilizing self-managed LDAP services or other IDPs under your control

Outbound (Egress)

The table below documents the egress configuration that must be applied to the security group.

Protocol	From Port	To Port	Destination	Purpose
TCP	8200	8200	HVN-CIDR	Vault API
TCP	5696	5696	HVN-CIDR	KMIP

From the AWS VPC console, select Security groups from the left navigation menu.
Click the security group you wish to update and click the Outbound rules tab.
Click Edit outbound rules.
Click Add rule.
Set the Type pulldown menu to Custom TCP.
Enter 8200 in the Port range textbox.
Enter the CIDR block for your HVN in the Destination textbox.
Click Add rule again.
Set the Type pulldown menu to Custom TCP.
Enter 5696 in the Port range textbox.
Enter the CIDR block for your HVN in the Destination textbox.
Click Save rules.

HCP Consul Dedicated requires both inbound (ingress) and outbound (egress) rules to permit traffic from the AWS resources. By default, AWS permits all outbound traffic from a security group. However, if you have removed this rule, or use Terraform to manage AWS security groups, you will need to add a rule to permit outbound traffic for Consul.

Inbound (Ingress)

The table below documents the ingress configuration that must be applied to the security group.

Protocol	From Port	To Port	Source	Description
TCP	8301	8301	HVN-CIDR	Used to handle gossip from server
UDP	8301	8301	HVN-CIDR	Used to handle gossip from server
TCP	8301	8301	Security group ID itself	Used to handle gossip between client agents
UDP	8301	8301	Security group ID itself	Used to handle gossip between client agents

From the AWS VPC console, select Security groups from the left navigation menu.
Click the security group you wish to update and click the Inbound rules tab.
Click Edit inbound rules.
Click Add rule.
Set the Type pulldown menu to Custom TCP.
Enter 8301 in the Port range textbox.
Enter the CIDR range for your HVN in the Source textbox.
Repeat the steps above selecting Custom UDP for the Type pulldown menu.
Click Add rule.
Set the Type pulldown menu to Custom TCP.
Enter 8301 in the Port range textbox.
Enter the security group ID in the Source textbox.
Repeat the steps above selecting Custom UDP for the Type pulldown menu.

Outbound (Egress)

The table below documents the egress configuration that must be applied to the security group.

Protocol	From Port	To Port	Destination	Description
TCP	8300	8300	HVN-CIDR	Used by clients to talk to server
TCP	8301	8301	HVN-CIDR	Used to gossip with server
UDP	8301	8301	HVN-CIDR	Used to gossip with server
TCP	8301	8301	Security group ID itself	Used to handle gossip between client agents
UDP	8301	8301	Security group ID itself	Used to handle gossip between client agents
TCP	80	80	HVN-CIDR	Consul API
TCP	443	443	HVN-CIDR	Consul API
TCP	8502	8502	HVN-CIDR	Consul Dataplane communication with server

Click the Outbound rules tab.
Click Edit outbound rules.
Click Add rule.
Set the Type pulldown menu to Custom TCP.
Enter 8300-8301 in the Port range textbox.
Enter the CIDR block for your HVN in the Destination textbox.
Repeat the steps above, create a new rule for TCP ports 80, 443, and 8502.
Click Add rule.
Set the Type pulldown menu to Custom TCP.
Enter 8301 in the Port range textbox.
Enter the security group ID in the Source textbox.
Click Add rule.
Set the Type pulldown menu to Custom UDP.
Enter 8301 in the Port range textbox.
Enter the CIDR block for your HVN in the Source textbox.
Click Add rule.
Set the Type pulldown menu to Custom UDP.
Enter 8301 in the Port range textbox.
Enter the security group ID in the Source textbox.
Click Save rules.

Update AWS route table

In the Amazon VPC console, select Route Tables from the left sidebar. If you have multiple VPCs, verify that the VPC used to establish the peering connection is selected.
Click Actions and select Edit Routes.
Click Add route.
Enter the CIDR block for your HVN in the Destination textbox.
Type pcx- in the Target textbox and select the peering connection ID for the HVN.

The manual peering process is now complete.