Save 10-15% Register for HashiConf and save big when you buy 2+ tickets Get your passes
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Peering connections

You can create a peering connection between HashiCorp Cloud Platform (HCP) and your virtual private cloud (VPC) in Azure to allow traffic between services.

Overview

HCP Consul Dedicated and HCP Vault Dedicated uses a peering connections to communicate with the clients hosted in your Azure environment.

You can create a peering connections from the HCP Portal or the HCP provider in Terraform. For instructions on how to create peering connections with Terraform, refer to the HCP provider documentation.

Requirements

Create peering connections

To set up a peering connection, you need to configure the connection request in HCP and then configure a corresponding request in Azure.

Hub and spoke topology

When peering an HVN with an Azure hub and spoke topology network, there are additional considerations to ensure traffic is properly routed from spoke networks.

Refer to the Hub and spoke options documentation for more information.

Configure the connection request in HCP

To start the peering procedure that allows for communication between HashiCorp Cloud Platform (HCP) and Microsoft Azure, you will initiate the peering connection from the HCP Portal.

  1. In your HCP web console, navigate to the left sidebar and click on the HashiCorp Virtual Network tab.

  2. Select the HVN you want to create a peering connection with.

  3. In the selected HVN overview page, navigate to the left sidebar and click on the Peering connections link.

  4. Click on Create connection to create a peering relationship with your Azure virtual network.

  5. Fill in the requested information and click the Create connection button to begin the peering process.

    Note

    If you are unsure of where to find the required resource IDs, click on the link labeled Where can I find this?. The link provides helpful information and a screenshot of where in the Azure web console this information can be found.

  6. Once the connection has been created, the Peering connections page will show a Pending state for your peering connection (similar to the example screenshot below) until it is accepted in Azure.

The HVN sends a peering connection request to Azure. The peering request expires after seven days. The status of the connection appears as pending until either the connection process is completed or the request expires.

Accept the connection request in Azure

HCP generates terminal commands that you can copy and paste into your Azure CLI to configure the corresponding connection request. HCP also provides links to the Azure documentation if you prefer to use the Azure browser interface.

  1. Click on your peering connection, scroll down to the Peering Instructions area, then click the Azure Cloud Shell tab.

  2. Log into your Azure account.

    $ az login

  3. Create a service principal.

  4. Create a custom role with the following attributes:

  5. Create a role assignment between the custom role and the service principal.

    Background information

    You need to create an Azure service principal in the context of a subscription and a custom Azure role with restricted permissions to accept the peering. Then, associate the service principal with that custom role. This service principal is used to establish the peering from Azure to HCP. This use of a service principal with custom permissions provides a more secure or conservative approach to completing the peering process.

  6. Go to the Azure Virtual Network page in the web console, and select your respective Virtual Network.

  7. Click on the Peering option that is on the left sidebar. You should now have an entry in the Peering Status column with a status of Connected.

    Note

    It may take a few minutes before the peering connection is available and visible.

You can also create the second request from the Azure console. For information about creating VNet peering connections, refer to the Azure documentation.

Next steps

The HVN peering connection does not contain routing information. Once the connection is active, you can add a route for all or part of the VNet CIDR range. For more details, refer to Routes.

Tutorial