Network Security Groups
You can configure network security group settings to open the virtual firewall between your HVN and your Azure cloud network.
Overview
A network security group is an entity in Azure that functions as a virtual firewall between your Azure instances. Security groups manage protocol and port permissions for Azure traffic in order to control inbound and outbound traffic. For additional information, refer to the Azure documentation on How network security groups filter network traffic.
To establish communication between your HashiCorp Virtual Network (HVN) and your Azure VNet, you must:
- Create a security group.
- Configure ingress (inbound) rules.
- Configure egress (outbound) rules.
To configure security group rules, you can use either the Azure portal or the Azure Command Line Interface.
Tip: Creating custom security group configurations for your HCP products improves infrastructure security. However, administrative flexibility may reduce over time as you introduce multiple service deployments.
Update Network Security Groups
- Sign in to the HCP Portal and select your organization.
- From the sidebar, click HashiCorp Virtual Network
- Click on an HVN in the ID column.
- From the sidebar, click Peering connections.
- Enter your Azure Network security group ID.
- Copy the code generated on HCP, then run it in Azure.
Network Security Group Rules for HCP Consul Reference
Inbound rules
To allow inbound traffic from your HVN, specify the following rules on your Azure VNet:
| Priority | Name | Port | Protocol | Source | Destination | Action |
|---|---|---|---|---|---|---|
| 400 | ConsulServerInbound | 8301 | Any | HVN-CIDR | VirtualNetwork | Allow |
| 401 | ConsulClientInbound | 8301 | Any | VirtualNetwork | VirtualNetwork | Allow |
Outbound rules
| Priority | Name | Port | Protocol | Source | Destination | Action |
|---|---|---|---|---|---|---|
| 400 | ConsulServerOutbound | 8300-8301 | Any | VirtualNetwork | HVN-CIDR | Allow |
| 401 | ConsulClientOutbound | 8301 | Any | VirtualNetwork | VirtualNetwork | Allow |
| 402 | HTTPOutbound | 80 | Any | VirtualNetwork | HVN-CIDR | Allow |
| 403 | HTTPSOutbound | 443 | Any | VirtualNetwork | HVN-CIDR | Allow |
Network Security Group Rules for HCP Vault Reference
To allow traffic between your Vault cluster and Azure, specify egress (outbound) rules on your Azure VNET. Ingress rules are not required to allow traffic from Vault clusters.
Egress
To allow outbound traffic from your VNet, add the following rules to your security group for HCP Vault:
| Priority | Name | Port | Protocol | Source | Destination | Action |
|---|---|---|---|---|---|---|
| 400 | VaultClientOutbound | 8200 | TCP | VirtualNetwork | HVN-CIDR | Allow |