Peering an AWS VPC with HashiCorp Cloud Platform (HCP)

13min
|
HCP

The HashiCorp Cloud Platform (HCP) supports network peering with an AWS VPC. Network peering enables compute resources in two different networks to communicate with each other. In order for the Consul and Vault servers hosted on the HashiCorp Cloud Platform (HCP) to communicate with the clients hosted on your AWS environment, a network peering connection must be established.

This tutorial provides guidance on how to create a network peering connection between HashiCorp Cloud Platform and an AWS VPC.

Prerequisites

Access to an AWS Account and user with permission to perform the following:
- Accept peering connections
- Create and edit security groups
- Create VPC routes
- Create IAM roles (automated method only)
AWS CLI installed
An HCP Account with an available HVN.

Create a peering connection

There are two methods to create a peering connection between the HCP HVN and AWS VPC - manual or automated.

The automated method connects to your AWS account and launches a CloudFormation template to complete the peering configuration. The CloudFormation template handles creating the peering request, accepting the peering request, and creating the necessary routes between the HVN and VPC.

The manual process will require you to perform each step in your HCP and AWS accounts.

Click HashiCorp Virtual Network in the left navigation menu.
Select the HVN you want to create a peering connection with.
In the selected HVN overview page, click Peering connections.
If you have peering connections available, they are listed in the center of the screen.
Click Create connection.
Select the Quick peering with quick-create links radio button.
Select the VPC region you want to create the peering connection in and click Launch stack creation in AWS CloudFormation.
A new browser tab/page will open. If you are not already authenticated, log into your AWS account.
In the Parameters section, select the VPC you wish to peer with your HCP HVN.
Click the I acknowledge that AWS CloudFormation might create IAM resources checkbox and click Create stack.
Monitor the progress until the status changes to CREATE_COMPLETE.
Return to the HCP Portal and click Peering connections in the left navigation menu. The new peering connection is listed.
Click Route table in the left navigation menu. In addition to creating, and accepting the peering connection, the automated process also handled route creation to allow traffic between your HCP HVN and AWS VPC.
Note
You can delete all resources created by the CloudFormation template by deleting the stack in AWS.

Initiate peering connection

Click HashiCorp Virtual Network in the left navigation menu.
Select the HVN you want to create a peering connection with.
In the selected HVN overview page, click Peering connections.
If you have peering connections available, they are listed in the center of the screen.
Click Create connection.
Select the Manual peering using AWS CLI radio button.
Fill in the requested information and click the Create connection button to begin the peering process.
If you are unsure of where to find the AWS Account ID or the VPC ID, click on the link labeled Where can I find this?. The link provides helpful information and a screenshot of where in the AWS Console this information can be found.

Accept peering connection

The newly created peering connection is in the pending state. You can accept the connection using the AWS CLI.

Copy the code snippet under Acceptance instructions and run it in a terminal with the AWS CLI configured for the desired AWS account. ui-hcp-accept-peering-cli

Example output:

{
    "VpcPeeringConnection": {
        "AccepterVpcInfo": {
            "CidrBlock": "172.31.0.0/16",
            "CidrBlockSet": [
                {
                    "CidrBlock": "172.31.0.0/16"
                }
            ],
            "OwnerId": "734750226488",
            "PeeringOptions": {
                "AllowDnsResolutionFromRemoteVpc": false,
                "AllowEgressFromLocalClassicLinkToRemoteVpc": false,
                "AllowEgressFromLocalVpcToRemoteClassicLink": false
            },
            "VpcId": "vpc-8vgu9gugu9090g",
            "Region": "us-west-2"
        },
        "RequesterVpcInfo": {
            "CidrBlock": "172.25.16.0/20",
            "CidrBlockSet": [
                {
                    "CidrBlock": "172.25.16.0/20"
                }
            ],
            "OwnerId": "676562983947",
            "VpcId": "vpc-8vgu9gugu9090g",
            "Region": "us-west-2"
        },
        "Status": {
            "Code": "provisioning",
            "Message": "Provisioning"
        },
        "Tags": [],
        "VpcPeeringConnectionId": "pcx-uiovg9f79vu"
    }
}

Wait for the stepper to move to the Configure step before proceeding.

Update security groups

Update the relevant security groups in the target VPC by adding the following rules allowing ingress and egress for the CIDR block of HVN. These rules are valid for applications that are accessing your cluster (DNS and API) via localhost, but your configuration might need to differ.

NOTE: Refer to the AWS official documentation or the HCP Portal help instruction.

From the AWS console, navigate to security groups and copy the Security group ID you wish to update.
Return to the HCP Portal, the peering workflow has moved to the Configure step.
Enter the security group ID you copied from the AWS console in the AWS security group ID textbox.
Copy the Outbound rules CLI command and run it in a terminal with the AWS CLI configured for the desired AWS account.

From the AWS console, navigate to security groups and copy the Security group ID you wish to update.
Return to the HCP Portal, the peering workflow has moved to the Configure step.
Enter the security group ID you copied from the AWS console in the AWS security group ID textbox.
Click the Consul snippets tab.
Copy the Inbound rules CLI command and run it in a terminal with the AWS CLI configured for the desired AWS account.
Return to the HCP portal, copy the Outbound rules CLI command and run it in a terminal with the AWS CLI configured for the desired AWS account.

Update AWS route table

For compute resources to take advantage of the logical network path enabled by the peering connection, a network route must be added to the VPC's routing table. The route table entry directs compute resources to the HashiCorp Cloud Platform (HCP) network. Without a route entry in the VPC's route table, those compute resources cannot connect to HashiCorp Cloud Platform (HCP) resources.

Return to the AWS console. Navigate to Route tables and copy the Route table ID you wish to update.
Return to the HCP portal and click 2. Update route table.
Enter the route table ID you copied from the AWS console in the AWS target VPC route table ID textbox.

Copy the code snippet and run it in a terminal with the AWS CLI configured for the desired AWS account.

Example code snippet:

$ aws ec2 --region
    us-west-2
    create-route --route-table-id
    rtb-043ec68d39469bf17
    --destination-cidr-block
    172.25.16.0/20
    --vpc-peering-connection-id
    pcx-07504abe35f63e360

Initiate peering connection

Click HashiCorp Virtual Network in the left navigation menu.
Select the HVN you want to create a peering connection with.
In the selected HVN overview page, click Peering connections.
If you have peering connections available, they are listed in the center of the screen.
Click Create connection.
Select the Manual peering using HCP and AWS web console radio button.
If you are unsure of where to find the AWS Account ID or the VPC ID, click on the link labeled Where can I find this?. The link provides helpful information and a screenshot of where in the AWS Console this information can be found.

Accept the peering connection

The newly created peering connection is in pending state. You can accept the connection using the AWS Console.

Launch the Amazon VPC Console, and select Peering Connections from the left navigation menu. You should have an entry in the list with a status of pending acceptance.
Note
It may take a few minutes before the peering connection is available and visible.
Click on Actions, then select Accept request.
A popup will appear on the screen. Accept the connection in order to establish the peering connection between the VPC and the HashiCorp Cloud Platform (HCP).
Additional information regarding AWS peering connections can be found in the AWS documentation.
Return to the HCP Portal and wait for the stepper to move to the Configure step before proceeding.

Update security groups

Select the security group associated with your VPC, and add the following inbound and outbound rules.

NOTE: Also, refer to the AWS official documentation or the HCP Portal help instruction.

HCP Vault requires an outbound (egress) rule to permit traffic from the AWS resources. By default, AWS permits all outbound traffic from a security group. However, if you have removed this rule, or use Terraform to manage AWS security groups, you will need to add a rule to permit Vault traffic.

Outbound (Egress)

The table below documents the egress configuration that must be applied to the security group.

Protocol	From Port	To Port	Destination	Purpose
TCP	8200	8200	HVN-CIDR	Vault API
TCP	5696	5696	HVN-CIDR	KMIP

From the AWS VPC console, select Security groups from the left navigation menu.
Click the security group you wish to update and click the Outbound rules tab.
Click Edit outbound rules.
Click Add rule.
Set the Type pulldown menu to Custom TCP.
Enter 8200 in the Port range textbox.
Enter the CIDR block for your HVN in the Destination textbox.
Click Add rule again.
Set the Type pulldown menu to Custom TCP.
Enter 5696 in the Port range textbox.
Enter the CIDR block for your HVN in the Destination textbox.
Click Save rules.

HCP Consul requires both inbound (ingress) and outbound (egress) rules to permit traffic from the AWS resources. By default, AWS permits all outbound traffic from a security group. However, if you have removed this rule, or use Terraform to manage AWS security groups, you will need to add a rule to permit outbound traffic for Consul.

Inbound (Ingress)

The table below documents the ingress configuration that must be applied to the security group.

Protocol	From Port	To Port	Source	Description
TCP	8301	8301	HVN-CIDR	Used to handle gossip from server
UDP	8301	8301	HVN-CIDR	Used to handle gossip from server
TCP	8301	8301	Security group ID itself	Used to handle gossip between client agents
UDP	8301	8301	Security group ID itself	Used to handle gossip between client agents

From the AWS VPC console, select Security groups from the left navigation menu.
Click the security group you wish to update and click the Inbound rules tab.
Click Edit inbound rules.
Click Add rule.
Set the Type pulldown menu to Custom TCP.
Enter 8301 in the Port range textbox.
Enter the CIDR range for your HVN in the Source textbox.
Repeat the steps above selecting Custom UDP for the Type pulldown menu.
Click Add rule.
Set the Type pulldown menu to Custom TCP.
Enter 8301 in the Port range textbox.
Enter the security group ID in the Source textbox.
Repeat the steps above selecting Custom UDP for the Type pulldown menu.

Outbound (Egress)

The table below documents the egress configuration that must be applied to the security group.

Protocol	From Port	To Port	Destination	Description
TCP	8300	8300	HVN-CIDR	Used by clients to talk to server
TCP	8301	8301	HVN-CIDR	Used to gossip with server
UDP	8301	8301	HVN-CIDR	Used to gossip with server
TCP	8301	8301	Security group ID itself	Used to handle gossip between client agents
UDP	8301	8301	Security group ID itself	Used to handle gossip between client agents
TCP	80	80	HVN-CIDR	Consul API
TCP	443	443	HVN-CIDR	Consul API
TCP	8502	8502	HVN-CIDR	Consul Dataplane communication with server

Click the Outbound rules tab.
Click Edit outbound rules.
Click Add rule.
Set the Type pulldown menu to Custom TCP.
Enter 8300-8301 in the Port range textbox.
Enter the CIDR block for your HVN in the Destination textbox.
Repeat the steps above, create a new rule for TCP ports 80, 443, and 8502.
Click Add rule.
Set the Type pulldown menu to Custom TCP.
Enter 8301 in the Port range textbox.
Enter the security group ID in the Source textbox.
Click Add rule.
Set the Type pulldown menu to Custom UDP.
Enter 8301 in the Port range textbox.
Enter the CIDR block for your HVN in the Source textbox.
Click Add rule.
Set the Type pulldown menu to Custom UDP.
Enter 8301 in the Port range textbox.
Enter the security group ID in the Source textbox.
Click Save rules.

Update AWS route table

In the Amazon VPC console, select Route Tables from the left sidebar. If you have multiple VPCs, verify that the VPC used to establish the peering connection is selected.
Click Actions and select Edit Routes.
Click Add route.
Enter the CIDR block for your HVN in the Destination textbox.
Type pcx- in the Target textbox and select the peering connection ID for the HVN.

The manual peering process is now complete.

Next steps

In this tutorial, you created a peering connection between a HashiCorp Cloud Platform (HCP) and an AWS VPC.

HVN Peering connections can also be created using the HashiCorp Cloud Platform Terraform Provider. The HCP Terraform Provider can be found in the Terraform registry.

We encourage you to visit other HCP tutorials and continue to expand your learning.

Collection Overview

HashiCorp Cloud Platform

Deploy HCP Consul

This tutorial also appears in:

16 tutorials

HCP Vault operations
Learn how to provision and connect to HCP Vault clusters.
- Vault
4 tutorials

HashiCorp Virtual Network
Learn how to securely connect to your HCP Consul or HCP Vault clusters by connecting your VPC to HashiCorp Virtual Network (HVN).