Peering an AWS VPC with HashiCorp Cloud Platform (HCP)

13 min

The HashiCorp Cloud Platform (HCP) supports network peering with an AWS VPC. Network peering enables compute resources in two different networks to communicate with each other. In order for the Consul and Vault servers hosted on the HashiCorp Cloud Platform (HCP) to communicate with the clients hosted on your AWS environment, a network peering connection must be established.

This tutorial provides guidance on how to create a network peering connection between HashiCorp Cloud Platform and an AWS VPC.

Prerequisites

  • Access to an AWS Account and user with permission to perform the following:
    • Accept peering connections
    • Create and edit security groups
    • Create VPC routes
    • Create IAM roles (automated method only)
  • AWS CLI installed
  • An HCP Account with an available HVN.

Create a peering connection

There are two methods to create a peering connection between the HCP HVN and an AWS VPC: automated or manual.

The automated method connects to your AWS account and launches a CloudFormation template to complete the peering configuration. The CloudFormation template handles creating the peering request, accepting the peering request, and creating the necessary routes between the HVN and VPC.

The manual process requires you to perform each step yourself in your HCP and AWS accounts, either with the AWS CLI or with the AWS web console.

Automated peering (quick-create links)

  1. Click HashiCorp Virtual Network in the left navigation menu.

  2. Select the HVN you want to create a peering connection with.

  3. In the selected HVN overview page, click Peering connections.

    If you have peering connections available, they are listed in the center of the screen.

  4. Click Create connection.

  5. Select the Quick peering with quick-create links radio button.

  6. Select the VPC region you want to create the peering connection in and click Launch stack creation in AWS CloudFormation.

    A new browser tab/page will open. If you are not already authenticated, log into your AWS account.

  7. In the Parameters section, select the VPC you wish to peer with your HCP HVN.

  8. Click the I acknowledge that AWS CloudFormation might create IAM resources checkbox and click Create stack.

  9. Monitor the progress until the status changes to CREATE_COMPLETE.

  10. Return to the HCP Portal and click Peering connections in the left navigation menu. The new peering connection is listed.

  11. Click Route table in the left navigation menu. In addition to creating and accepting the peering connection, the automated process also handled route creation to allow traffic between your HCP HVN and AWS VPC.

    Note: You can delete all resources created by the CloudFormation template by deleting the stack in AWS.

Manual peering using the AWS CLI

Initiate peering connection

  1. Click HashiCorp Virtual Network in the left navigation menu.

  2. Select the HVN you want to create a peering connection with.

  3. In the selected HVN overview page, click Peering connections.

    If you have peering connections available, they are listed in the center of the screen.

  4. Click Create connection.

  5. Select the Manual peering using AWS CLI radio button.

  6. Fill in the requested information and click the Create connection button to begin the peering process.

    If you are unsure of where to find the AWS Account ID or the VPC ID, click on the link labeled Where can I find this?. The link provides helpful information and a screenshot of where in the AWS Console this information can be found.

Accept peering connection

The newly created peering connection is in the pending state. You can accept the connection using the AWS CLI.

  1. Copy the code snippet under Acceptance instructions and run it in a terminal with the AWS CLI configured for the desired AWS account.

    Example output:

    {
        "VpcPeeringConnection": {
            "AccepterVpcInfo": {
                "CidrBlock": "172.31.0.0/16",
                "CidrBlockSet": [
                    {
                        "CidrBlock": "172.31.0.0/16"
                    }
                ],
                "OwnerId": "734750226488",
                "PeeringOptions": {
                    "AllowDnsResolutionFromRemoteVpc": false,
                    "AllowEgressFromLocalClassicLinkToRemoteVpc": false,
                    "AllowEgressFromLocalVpcToRemoteClassicLink": false
                },
                "VpcId": "vpc-8vgu9gugu9090g",
                "Region": "us-west-2"
            },
            "RequesterVpcInfo": {
                "CidrBlock": "172.25.16.0/20",
                "CidrBlockSet": [
                    {
                        "CidrBlock": "172.25.16.0/20"
                    }
                ],
                "OwnerId": "676562983947",
                "VpcId": "vpc-8vgu9gugu9090g",
                "Region": "us-west-2"
            },
            "Status": {
                "Code": "provisioning",
                "Message": "Provisioning"
            },
            "Tags": [],
            "VpcPeeringConnectionId": "pcx-uiovg9f79vu"
        }
    }
    
  2. Wait for the stepper to move to the Configure step before proceeding.

Update security groups

Update the relevant security groups in the target VPC by adding the following rules allowing ingress and egress for the CIDR block of the HVN. These rules are valid for applications that access your cluster (DNS and API) via localhost, but your configuration might need to differ.

NOTE: Refer to the official AWS documentation or the HCP Portal help instructions.

For HCP Vault:

  1. From the AWS console, navigate to security groups and copy the Security group ID you wish to update.

  2. Return to the HCP Portal; the peering workflow has moved to the Configure step.

  3. Enter the security group ID you copied from the AWS console in the AWS security group ID textbox.

  4. Copy the Outbound rules CLI command and run it in a terminal with the AWS CLI configured for the desired AWS account.

For HCP Consul:

  1. From the AWS console, navigate to security groups and copy the Security group ID you wish to update.

  2. Return to the HCP Portal; the peering workflow has moved to the Configure step.

  3. Enter the security group ID you copied from the AWS console in the AWS security group ID textbox.

  4. Click the Consul snippets tab.

  5. Copy the Inbound rules CLI command and run it in a terminal with the AWS CLI configured for the desired AWS account.

  6. Return to the HCP portal, copy the Outbound rules CLI command and run it in a terminal with the AWS CLI configured for the desired AWS account.

Update AWS route table

For compute resources to take advantage of the logical network path enabled by the peering connection, a network route must be added to the VPC's routing table. The route table entry directs compute resources to the HashiCorp Cloud Platform (HCP) network. Without a route entry in the VPC's route table, those compute resources cannot connect to HashiCorp Cloud Platform (HCP) resources.

  1. Return to the AWS console. Navigate to Route tables and copy the Route table ID you wish to update.

  2. Return to the HCP portal and click 2. Update route table.

  3. Enter the route table ID you copied from the AWS console in the AWS target VPC route table ID textbox.

  4. Copy the code snippet and run it in a terminal with the AWS CLI configured for the desired AWS account.

    Example code snippet:

    $ aws ec2 --region us-west-2 create-route --route-table-id rtb-043ec68d39469bf17 --destination-cidr-block 172.25.16.0/20 --vpc-peering-connection-id pcx-07504abe35f63e360
    

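Once the peering has been accepted and the route created, it is worth confirming from the AWS CLI output that the two sides can actually exchange traffic; this applies equally to the web-console method that follows. The Python script below is an added example, not part of this tutorial or of HCP. It parses the JSON returned by `aws ec2 accept-vpc-peering-connection` and `aws ec2 describe-route-tables` (constructed samples with placeholder IDs are embedded) and checks that the peering has been accepted, that the HVN and VPC CIDR blocks do not overlap (overlapping blocks cannot be routed across a peering), and that the route table sends the HVN CIDR to the peering connection. The function names `check_peering` and `check_route` are chosen for this example.

```python
"""Sanity checks on AWS CLI JSON for an HCP HVN peering (added example).

Confirms from the CLI output that the peering is accepted, that the HVN and
VPC CIDR blocks do not overlap, and that the VPC route table sends the HVN
CIDR over the peering connection. All sample data below is constructed.
"""
import ipaddress
import json

ACCEPTED_STATES = {"provisioning", "active"}

# Constructed sample shaped like the page's accept-vpc-peering-connection output.
# HCP (the HVN) is the requester; the customer VPC is the accepter.
ACCEPT_OUTPUT = json.loads("""
{"VpcPeeringConnection": {
  "AccepterVpcInfo": {"CidrBlock": "172.31.0.0/16",
                      "CidrBlockSet": [{"CidrBlock": "172.31.0.0/16"}],
                      "OwnerId": "111111111111", "VpcId": "vpc-0example0aws", "Region": "us-west-2"},
  "RequesterVpcInfo": {"CidrBlock": "172.25.16.0/20",
                       "CidrBlockSet": [{"CidrBlock": "172.25.16.0/20"}],
                       "OwnerId": "222222222222", "VpcId": "vpc-0example0hvn", "Region": "us-west-2"},
  "Status": {"Code": "provisioning", "Message": "Provisioning"},
  "Tags": [],
  "VpcPeeringConnectionId": "pcx-0example0000001"}}
""")

# Constructed sample shaped like describe-route-tables output after the route was added.
ROUTE_TABLES_OUTPUT = json.loads("""
{"RouteTables": [{
  "RouteTableId": "rtb-0example0000001", "VpcId": "vpc-0example0aws",
  "Routes": [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "172.25.16.0/20",
     "VpcPeeringConnectionId": "pcx-0example0000001", "State": "active"}]}]}
""")


def cidrs(vpc_info):
    """All CIDR blocks on one side of the peering (a VPC may carry several)."""
    blocks = [c["CidrBlock"] for c in vpc_info.get("CidrBlockSet", [])] or [vpc_info["CidrBlock"]]
    return [ipaddress.ip_network(b) for b in blocks]


def check_peering(accept_output):
    """Return a list of problems found in the accept-vpc-peering-connection output."""
    pcx = accept_output["VpcPeeringConnection"]
    problems = []
    state = pcx["Status"]["Code"]
    if state not in ACCEPTED_STATES:
        problems.append(f"peering {pcx['VpcPeeringConnectionId']} is '{state}', not accepted")
    # Overlapping CIDRs mean traffic can never be routed across the peering.
    for hvn in cidrs(pcx["RequesterVpcInfo"]):
        for vpc in cidrs(pcx["AccepterVpcInfo"]):
            if hvn.overlaps(vpc):
                problems.append(f"HVN CIDR {hvn} overlaps VPC CIDR {vpc}")
    return problems


def check_route(route_tables_output, route_table_id, hvn_cidr, peering_id):
    """Return a list of problems with the route that should carry HVN traffic over the peering."""
    hvn = ipaddress.ip_network(hvn_cidr)
    tables = {t["RouteTableId"]: t for t in route_tables_output["RouteTables"]}
    if route_table_id not in tables:
        return [f"route table {route_table_id} not found"]
    for route in tables[route_table_id]["Routes"]:
        dest = route.get("DestinationCidrBlock")
        if dest and ipaddress.ip_network(dest) == hvn:
            problems = []
            target = route.get("VpcPeeringConnectionId") or route.get("GatewayId")
            if target != peering_id:
                problems.append(f"route for {hvn} targets {target}, expected {peering_id}")
            if route.get("State") != "active":
                problems.append(f"route for {hvn} is in state {route.get('State')}")
            return problems
    return [f"no route for {hvn} in {route_table_id}"]


if __name__ == "__main__":
    pcx = ACCEPT_OUTPUT["VpcPeeringConnection"]
    issues = check_peering(ACCEPT_OUTPUT) + check_route(
        ROUTE_TABLES_OUTPUT, "rtb-0example0000001",
        pcx["RequesterVpcInfo"]["CidrBlock"], pcx["VpcPeeringConnectionId"])
    print("OK" if not issues else "\n".join(issues))
```

In practice you would replace the embedded samples with the real CLI output, for example by redirecting `aws ec2 describe-route-tables --route-table-ids <id>` to a file and loading it with `json.load`; the overlap check is the one to run before creating the HVN, since the HVN CIDR cannot be changed afterwards.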
Manual peering using the HCP and AWS web consoles

Initiate peering connection

  1. Click HashiCorp Virtual Network in the left navigation menu.

  2. Select the HVN you want to create a peering connection with.

  3. In the selected HVN overview page, click Peering connections.

    If you have peering connections available, they are listed in the center of the screen.

  4. Click Create connection.

  5. Select the Manual peering using HCP and AWS web console radio button.

    If you are unsure of where to find the AWS Account ID or the VPC ID, click on the link labeled Where can I find this?. The link provides helpful information and a screenshot of where in the AWS Console this information can be found.

Accept the peering connection

The newly created peering connection is in the pending state. You can accept the connection using the AWS Console.

  1. Launch the Amazon VPC Console, and select Peering Connections from the left navigation menu. You should have an entry in the list with a status of pending acceptance.

    NOTE: It may take a few minutes before the peering connection is available and visible.

  2. Click on Actions, then select Accept request.

  3. A popup will appear on the screen. Accept the connection in order to establish the peering connection between the VPC and the HashiCorp Cloud Platform (HCP).

    Additional information regarding AWS peering connections can be found in the AWS documentation.

  4. Return to the HCP Portal and wait for the stepper to move to the Configure step before proceeding.

Update security groups

Update the relevant security groups in the target VPC by adding the following rules allowing ingress and egress for the CIDR block of the HVN. These rules are valid for applications that access your cluster (DNS and API) via localhost, but your configuration might need to differ.

Select the security group associated with your VPC, and add the following inbound and outbound rules.

NOTE: Also refer to the official AWS documentation or the HCP Portal help instructions.

HCP Vault requires an outbound (egress) rule to permit traffic from the AWS resources. By default, AWS permits all outbound traffic from a security group. However, if you have removed this rule, or use Terraform to manage AWS security groups, you will need to add a rule to permit Vault traffic.

Outbound (Egress)

The table below documents the egress configuration that must be applied to the security group.

Protocol | From Port | To Port | Destination | Purpose
TCP      | 8200      | 8200    | HVN-CIDR    | Vault API

  1. From the AWS VPC console, select Security groups from the left navigation menu.

  2. Click the security group you wish to update and click the Outbound rules tab.

  3. Click Edit outbound rules.

  4. Click Add rule.

  5. Set the Type pulldown menu to Custom TCP.

  6. Enter 8200 in the Port range textbox.

  7. Enter the CIDR block for your HVN in the Destination textbox.

  8. Click Save rules.

HCP Consul requires both inbound (ingress) and outbound (egress) rules to permit traffic from the AWS resources. By default, AWS permits all outbound traffic from a security group. However, if you have removed this rule, or use Terraform to manage AWS security groups, you will need to add a rule to permit outbound traffic for Consul.

Inbound (Ingress)

The table below documents the ingress configuration that must be applied to the security group.

Protocol | From Port | To Port | Source                   | Description
TCP      | 8301      | 8301    | HVN-CIDR                 | Used to handle gossip from server
UDP      | 8301      | 8301    | HVN-CIDR                 | Used to handle gossip from server
TCP      | 8301      | 8301    | Security group ID itself | Used to handle gossip between client agents
UDP      | 8301      | 8301    | Security group ID itself | Used to handle gossip between client agents

  1. From the AWS VPC console, select Security groups from the left navigation menu.

  2. Click the security group you wish to update and click the Inbound rules tab.

  3. Click Edit inbound rules.

  4. Click Add rule.

  5. Set the Type pulldown menu to Custom TCP.

  6. Enter 8301 in the Port range textbox.

  7. Enter the CIDR range for your HVN in the Source textbox.

  8. Repeat the steps above selecting Custom UDP for the Type pulldown menu.

  9. Click Add rule.

  10. Set the Type pulldown menu to Custom TCP.

  11. Enter 8301 in the Port range textbox.

  12. Enter the security group ID in the Source textbox.

  13. Repeat the steps above selecting Custom UDP for the Type pulldown menu.

Outbound (Egress)

The table below documents the egress configuration that must be applied to the security group.

Protocol | From Port | To Port | Destination              | Description
TCP      | 8300      | 8300    | HVN-CIDR                 | Used by clients to talk to server
TCP      | 8301      | 8301    | HVN-CIDR                 | Used to gossip with server
UDP      | 8301      | 8301    | HVN-CIDR                 | Used to gossip with server
TCP      | 8301      | 8301    | Security group ID itself | Used to handle gossip between client agents
UDP      | 8301      | 8301    | Security group ID itself | Used to handle gossip between client agents
TCP      | 80        | 80      | HVN-CIDR                 | Consul API
TCP      | 443       | 443     | HVN-CIDR                 | Consul API
TCP      | 8502      | 8502    | HVN-CIDR                 | Consul Dataplane communication with server

  1. Click the Outbound rules tab.

  2. Click Edit outbound rules.

  3. Click Add rule.

  4. Set the Type pulldown menu to Custom TCP.

  5. Enter 8300-8301 in the Port range textbox.

  6. Enter the CIDR block for your HVN in the Destination textbox.

  7. Repeat the steps above to create new rules for TCP ports 80, 443, and 8502.

  8. Click Add rule.

  9. Set the Type pulldown menu to Custom TCP.

  10. Enter 8301 in the Port range textbox.

  11. Enter the security group ID in the Destination textbox.

  12. Click Add rule.

  13. Set the Type pulldown menu to Custom UDP.

  14. Enter 8301 in the Port range textbox.

  15. Enter the CIDR block for your HVN in the Destination textbox.

  16. Click Add rule.

  17. Set the Type pulldown menu to Custom UDP.

  18. Enter 8301 in the Port range textbox.

  19. Enter the security group ID in the Destination textbox.

  20. Click Save rules.
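The inbound and outbound tables above (and the Vault egress table earlier in this section) are easy to get subtly wrong when edited by hand, for instance by leaving out the UDP half of the gossip rule or by widening a source to 0.0.0.0/0. The Python script below is an added example, not part of this tutorial or of HCP. It audits the JSON returned by `aws ec2 describe-security-groups --group-ids <id>` against the rule tables on this page and reports the required rules that are missing as well as inbound rules that admit the whole internet rather than only the HVN CIDR and the group itself. The embedded security group, its IDs and the HVN CIDR are constructed, and the names `audit`, `missing_rules` and `world_open_ingress` are chosen for this example.

```python
"""Audit an AWS security group against the HCP Consul and Vault rule tables (added example).

Reads the JSON that `aws ec2 describe-security-groups --group-ids <id>` returns and
reports (1) required rules from the page's tables that the group lacks and (2) inbound
rules that admit the whole internet. Port numbers come from the tables on this page;
the security group below is constructed for the example.
"""
import ipaddress
import json

HVN = "hvn"    # placeholder for the HVN CIDR block
SELF = "self"  # placeholder for the security group's own ID

# (protocol, from_port, to_port, source_or_destination): one tuple per table row.
CONSUL_INGRESS = [
    ("tcp", 8301, 8301, HVN), ("udp", 8301, 8301, HVN),
    ("tcp", 8301, 8301, SELF), ("udp", 8301, 8301, SELF),
]
CONSUL_EGRESS = [
    ("tcp", 8300, 8300, HVN), ("tcp", 8301, 8301, HVN), ("udp", 8301, 8301, HVN),
    ("tcp", 8301, 8301, SELF), ("udp", 8301, 8301, SELF),
    ("tcp", 80, 80, HVN), ("tcp", 443, 443, HVN), ("tcp", 8502, 8502, HVN),
]
VAULT_EGRESS = [("tcp", 8200, 8200, HVN)]

# Constructed describe-security-groups output. Deliberate defects: the 8301/udp
# egress to the HVN is missing, and 8301/tcp ingress is also open to 0.0.0.0/0.
SAMPLE_SG = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-0example0000001",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8301, "ToPort": 8301,
     "IpRanges": [{"CidrIp": "172.25.16.0/20"}, {"CidrIp": "0.0.0.0/0"}],
     "UserIdGroupPairs": [{"GroupId": "sg-0example0000001"}]},
    {"IpProtocol": "udp", "FromPort": 8301, "ToPort": 8301,
     "IpRanges": [{"CidrIp": "172.25.16.0/20"}],
     "UserIdGroupPairs": [{"GroupId": "sg-0example0000001"}]}],
  "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 8300, "ToPort": 8301,
     "IpRanges": [{"CidrIp": "172.25.16.0/20"}],
     "UserIdGroupPairs": [{"GroupId": "sg-0example0000001"}]},
    {"IpProtocol": "udp", "FromPort": 8301, "ToPort": 8301,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0example0000001"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "172.25.16.0/20"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "172.25.16.0/20"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 8502, "ToPort": 8502,
     "IpRanges": [{"CidrIp": "172.25.16.0/20"}], "UserIdGroupPairs": []}]}]}
""")


def _covers(perm, proto, lo, hi, target, hvn_cidr, group_id):
    """True if one IpPermission entry allows the required protocol, port range and peer."""
    if perm["IpProtocol"] not in ("-1", proto):  # "-1" means all protocols
        return False
    if perm["IpProtocol"] != "-1" and not (perm["FromPort"] <= lo and hi <= perm["ToPort"]):
        return False
    if target == SELF:
        return any(p.get("GroupId") == group_id for p in perm.get("UserIdGroupPairs", []))
    hvn = ipaddress.ip_network(hvn_cidr)
    # A range that contains the whole HVN block (including 0.0.0.0/0) satisfies the rule.
    return any(hvn.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in perm.get("IpRanges", []))


def missing_rules(sg, required, direction, hvn_cidr):
    """Required rules with no matching entry in the group, as human-readable strings."""
    perms = sg.get("IpPermissions" if direction == "ingress" else "IpPermissionsEgress", [])
    return [
        f"{direction} {proto}/{lo}-{hi} to {'self' if tgt == SELF else hvn_cidr}"
        for proto, lo, hi, tgt in required
        if not any(_covers(p, proto, lo, hi, tgt, hvn_cidr, sg["GroupId"]) for p in perms)
    ]


def world_open_ingress(sg):
    """Inbound entries admitting 0.0.0.0/0 or ::/0; the tables only call for the HVN and self."""
    found = []
    for p in sg.get("IpPermissions", []):
        ranges = [r["CidrIp"] for r in p.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in ranges):
            ports = "all" if p["IpProtocol"] == "-1" else f"{p['FromPort']}-{p['ToPort']}"
            found.append(f"{p['IpProtocol']}/{ports}")
    return found


def audit(describe_output, hvn_cidr, product="consul"):
    """Check the first security group in the output against one product's rule tables."""
    sg = describe_output["SecurityGroups"][0]
    if product == "vault":
        missing = missing_rules(sg, VAULT_EGRESS, "egress", hvn_cidr)
    else:
        missing = (missing_rules(sg, CONSUL_INGRESS, "ingress", hvn_cidr)
                   + missing_rules(sg, CONSUL_EGRESS, "egress", hvn_cidr))
    return {"group": sg["GroupId"], "missing": missing,
            "world_open_ingress": world_open_ingress(sg)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SG, "172.25.16.0/20"), indent=2))
```

On the constructed group the Consul audit reports the missing `egress udp/8301-8301` rule to the HVN and flags `tcp/8301-8301` as open to the world; run it with `product="vault"` to check the single 8200/tcp egress rule instead. A rule whose range merely contains the HVN CIDR counts as present, which is why the world-open check is reported separately: reachability and least privilege are different questions.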

Update AWS route table

For compute resources to take advantage of the logical network path enabled by the peering connection, a network route must be added to the VPC's routing table. The route table entry directs compute resources to the HashiCorp Cloud Platform (HCP) network. Without a route entry in the VPC's route table, those compute resources cannot connect to HashiCorp Cloud Platform (HCP) resources.

  1. In the Amazon VPC console, select Route Tables from the left sidebar. If you have multiple VPCs, verify that the VPC used to establish the peering connection is selected.

  2. Click Actions and select Edit Routes.

  3. Click Add route.

  4. Enter the CIDR block for your HVN in the Destination textbox.

  5. Type pcx- in the Target textbox and select the peering connection ID for the HVN.

The manual peering process is now complete.

Next steps

In this tutorial, you created a peering connection between a HashiCorp Cloud Platform (HCP) HVN and an AWS VPC.

HVN Peering connections can also be created using the HashiCorp Cloud Platform Terraform Provider. The HCP Terraform Provider can be found in the Terraform registry.

We encourage you to visit other HCP tutorials and continue to expand your learning.

  • Create a Vault Cluster on HCP
  • Get Started with HCP Consul
  • Connect an Amazon Transit Gateway to your HashiCorp Virtual Network