Create an HCP Vault Dedicated cluster

The HashiCorp Cloud Platform (HCP) allows you to deploy a Vault Enterprise cluster in a supported public cloud provider. As a fully managed service, you can use HCP Vault Dedicated as a central secret management service while offloading the operational burden to the Site Reliability Engineering (SRE) experts at HashiCorp.

Previous experience with Vault and Vault Enterprise is not required to deploy a Vault cluster in HCP.

In this tutorial, you will play the role of Oliver from HashiCups as they deploy a Vault Enterprise cluster guided by the HCP portal.

Prerequisites

• Access to an HCP account.

Create a Vault cluster

(Persona: operations)

1. Launch the HCP Portal and log in.

   If you have logged in before, the portal opens the last project you were in. Navigate back to the organization level from the breadcrumbs, or click on the HashiCorp icon at the top-left to choose another organization.

2. Click on the HashiCorp icon to list your organizations, and select the organization to create an HCP Vault cluster in.

   

   HashiCorp Cloud Platform (HCP) provides your account with an organization. Your account may invite others to join your organization or you may be invited to join other organizations.

3. Click View projects, and select the target project.

   If you don't have a project

   1. Click + Create project.
   2. Enter the Project name and Project description.
   3. Click Create project to complete.

   You can use projects to separate access within an organization, such as by team, use cases, or environment (for example, development, staging, production, etc.).

4. From the Overview page, click Get started with Vault Dedicated.

5. From the Vault overview page, you have the option to deploy HCP Vault using a template, which deploys Vault with a sample configuration, or you can choose to Start from scratch which deploys a standard Vault instance with no existing configuration.

   For the purposes of these tutorials and learning about Vault, click the Create cluster button under Start from scratch.

6. Select your preferred cloud provider.

   HCP Vault supports deployment on AWS and Azure. You do not need an AWS or Azure account - HashiCorp manages the underlying cloud resources.

7. Click the Vault tier pull-down menu and select Development.

   Tip

   Do not use the development tier for production workloads.

8. Click the Cluster size pull-down menu and select Extra Small.

   For the development tier, Extra Small is the only available cluster size.

9. Under the Network section, accept or edit the Network ID, Region selection, and CIDR block for the HVN.

   Note

   You can learn how to connect to a private HCP Vault cluster on AWS in the Connect an Amazon Transit Gateway to your HashiCorp Virtual Network or Peering an AWS VPC with HashiCorp Cloud Platform (HCP) documentation, or the Peering an Azure Virtual Network with HashiCorp Cloud Platform (HCP) documentation for Azure.

10. Under the Basics section, accept or edit the default Cluster ID (vault-cluster).

    Each HCP Vault cluster you deploy requires a unique cluster ID within your project.

11. Under Templates, select Start from scratch. Templates give sample configurations for various use cases.

12. Click Create cluster.

13. Wait for the cluster to initialize before proceeding.

14. Once cluster provisioning completes, refresh the page.

Vault cluster overview

(Persona: operations)

The Overview page displays information about the Vault cluster. The Cluster Details pane shows you information about your cluster. The Vault usage pane shows information about your HCP Vault consumption, such as the number of clients.

1. Review the Cluster details pane.

   The Cluster details pane gives helpful information about your HCP Vault cluster such as the version, cluster ID, and whether replication is active. The information in this pane varies based on your HCP Vault cluster tier.

2. Review the Quick actions pane. The Quick actions pane provides details for accessing your new HCP Vault cluster. You can use the Cluster URLs links to copy the public or private addresses, and use the Generate token link to generate a new admin token to perform the initial configuration of the HCP Vault cluster.

3. Click Networking in the left navigation menu. The cluster networking page allows you to configure whether the cluster is publicly accessible.

   By default, all development tier clusters are publicly accessible. All production tier clusters turn off public access by default.

4. Under Cluster accessibility, click Edit cluster.

   You can change the cluster's accessibility settings to either Public or Private based your requirements.

   Enabling Allows select IPs only allows you to add specific IP addresses or CIDR ranges that can access the HCP Vault cluster's public endpoint (if you enabled public access).

5. Click Cancel to return to the Networking page.

   You can also enable or disable the HCP Proxy. The HCP proxy is an identity aware proxy that allows you to access the Vault cluster using the UI and CLI if you do not enable public access. You must have an account in the HCP organization where the cluster is running to authenticate to the HCP proxy.

   Note

   The URL to access the HCP Vault cluster through the proxy is different than the clusters public URL.

   Use the Vault CLI's hcp subcommand to connect to the HCP proxy using the CLI.

6. Click Overview to return to the Vault cluster overview page.

Summary

You created a HCP Vault cluster using the HCP Portal and reviewed details about the cluster.

Next steps

Now that Oliver created a Vault cluster, they will learn how to access the cluster to perform the initial configuration.