HashiCorp Cloud Platform
Security groups
You can configure security group settings to open the virtual firewall between your HVN and your AWS cloud network.
Overview
A security group is an entity in AWS that functions as a virtual firewall between your AWS instances. Security groups manage protocol and port permissions for AWS traffic in order to control inbound and outbound traffic. For additional information, refer to the AWS documentation *Control traffic to resources using security groups*.
To establish communication between your HashiCorp Virtual Network (HVN) and your Amazon VPC or Amazon transit gateway, you must:
- Create a security group.
- Configure ingress (inbound) rules.
- Configure egress (outbound) rules.
To configure security group rules, you can use either the AWS console or the AWS Command Line Interface.
Tip: Creating custom security group configurations for your HCP products improves infrastructure security. However, administrative flexibility may decrease over time as you add more service deployments.
Security group rules for HCP Vault Dedicated
To allow traffic between your Vault cluster and AWS, specify egress (outbound) rules on your Amazon VPC or Amazon transit gateway. Ingress rules are not required to allow traffic from Vault clusters into your VPC or transit gateway.
Egress
To allow outbound traffic from your VPC, add the following rules to your security group for HCP Vault:
| Protocol | From Port | To Port | Destination | Purpose |
|---|---|---|---|---|
| TCP | 8200 | 8200 | HVN-CIDR | Vault API |
| TCP | 5696 | 5696 | HVN-CIDR | KMIP server* |
To apply this configuration to your security group, run the `authorize-security-group-egress` command. When you issue the command, you must specify the target VPC region and security group ID.
```shell
# Replace <TARGET-VPC-REGION> and <SECURITY-GROUP-ID> with your own values.
# The 172.25.16.0/20 ranges are the example HVN CIDR; use the CIDR of your HVN.
$ aws ec2 --region <TARGET-VPC-REGION> \
    authorize-security-group-egress \
    --group-id <SECURITY-GROUP-ID> \
    --ip-permissions \
    IpProtocol=tcp,FromPort=8200,ToPort=8200,IpRanges='[{CidrIp=172.25.16.0/20}]' \
    IpProtocol=tcp,FromPort=5696,ToPort=5696,IpRanges='[{CidrIp=172.25.16.0/20}]'
```
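As an added example (not HashiCorp's code), the following Python check audits a security group's egress rules, in the shape returned by `aws ec2 describe-security-groups`, against the table above: it reports required rules that are missing and rules whose destination reaches wider than the HVN CIDR. The sample JSON and the group ID are constructed; the HVN CIDR is the page's example value, 172.25.16.0/20.

```python
import ipaddress
import json

# Egress rules HCP Vault needs, per the table above: (protocol, from_port, to_port).
REQUIRED_EGRESS = [("tcp", 8200, 8200), ("tcp", 5696, 5696)]

# Constructed sample resembling `aws ec2 describe-security-groups` output for one
# group (the group ID is a placeholder). The 5696 rule is deliberately too broad.
SAMPLE_SG_JSON = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-PLACEHOLDER",
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 8200, "ToPort": 8200,
             "IpRanges": [{"CidrIp": "172.25.16.0/20"}]},
            {"IpProtocol": "tcp", "FromPort": 5696, "ToPort": 5696,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    }]
})


def audit_vault_egress(sg_json: str, hvn_cidr: str) -> dict:
    """Return {"missing": [...], "too_broad": [...]} for the first group in sg_json.

    A required rule is satisfied when some egress permission covers its protocol
    and port range with a destination that contains the whole HVN CIDR. A
    destination wider than the HVN CIDR satisfies the rule but is flagged too broad.
    """
    hvn = ipaddress.ip_network(hvn_cidr)
    group = json.loads(sg_json)["SecurityGroups"][0]
    missing, too_broad = [], []
    for proto, from_port, to_port in REQUIRED_EGRESS:
        satisfied = False
        for perm in group.get("IpPermissionsEgress", []):
            all_traffic = perm.get("IpProtocol") == "-1"  # "-1" = any protocol/port
            if not all_traffic and perm.get("IpProtocol") != proto:
                continue
            if not all_traffic and not (
                perm.get("FromPort", 0) <= from_port and perm.get("ToPort", 65535) >= to_port
            ):
                continue
            for rng in perm.get("IpRanges", []):
                dest = ipaddress.ip_network(rng["CidrIp"])
                if hvn.subnet_of(dest):  # destination covers the entire HVN
                    satisfied = True
                    if dest != hvn:
                        too_broad.append((proto, from_port, rng["CidrIp"]))
        if not satisfied:
            missing.append((proto, from_port, to_port))
    return {"missing": missing, "too_broad": too_broad}


if __name__ == "__main__":
    print(audit_vault_egress(SAMPLE_SG_JSON, "172.25.16.0/20"))
```

Run it against real output by piping `aws ec2 describe-security-groups --group-ids <SECURITY-GROUP-ID>` into the function.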