HashiCorp Cloud Platform
Security groups
You can configure security group settings to open the virtual firewall between your HVN and your AWS cloud network.
Overview
A security group is an entity in AWS that functions as a virtual firewall between your AWS instances. Security groups manage protocol and port permissions for AWS traffic in order to control inbound and outbound traffic. For additional information, refer to the AWS documentation Control traffic to resources using security groups.
To establish communication between your HashiCorp Virtual Network (HVN) and your Amazon VPC or Amazon transit gateway, you must:
- Create a security group.
- Configure ingress (inbound) rules.
- Configure egress (outbound) rules.
To configure security group rules, you can use either the AWS console or the AWS Command Line Interface.
Tip: Creating custom security group configurations for your HCP products improves infrastructure security. However, administrative flexibility may decrease over time as you add more service deployments.
Security group rules for HCP Consul Dedicated
To allow traffic between your Consul cluster and AWS, specify ingress (inbound) and egress (outbound) rules on your Amazon VPC or Amazon transit gateway.
Ingress
To allow inbound traffic from your HVN, specify the following rules on your Amazon VPC or Amazon transit gateway:
| Protocol | From Port | To Port | Source | Description |
|---|---|---|---|---|
| TCP | 8301 | 8301 | HVN-CIDR | Used to handle gossip from server |
| UDP | 8301 | 8301 | HVN-CIDR | Used to handle gossip from server |
| TCP | 8301 | 8301 | Security group ID itself | Used to handle gossip between client agents |
| UDP | 8301 | 8301 | Security group ID itself | Used to handle gossip between client agents |
To apply the ingress rules to your security group, issue the `authorize-security-group-ingress` command. Specify the following information in the command:
- Target VPC region
- Security group ID (passed with `--group-id`)
- CIDR block configured for your HVN

```shell
# Ingress rules for HCP Consul Dedicated: gossip from the HVN and between client agents
$ aws ec2 --region <TARGET-VPC-REGION> \
    authorize-security-group-ingress --group-id <SECURITY-GROUP-ID> --ip-permissions \
    IpProtocol=tcp,FromPort=8301,ToPort=8301,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
    IpProtocol=udp,FromPort=8301,ToPort=8301,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
    IpProtocol=tcp,FromPort=8301,ToPort=8301,UserIdGroupPairs='[{GroupId=<SECURITY-GROUP-ID>}]' \
    IpProtocol=udp,FromPort=8301,ToPort=8301,UserIdGroupPairs='[{GroupId=<SECURITY-GROUP-ID>}]'
```
Egress
To allow outbound traffic from your VPC, specify the following rules on your Amazon VPC or Amazon transit gateway:
| Protocol | From Port | To Port | Destination | Description |
|---|---|---|---|---|
| TCP | 80 | 80 | HVN-CIDR | Consul API |
| TCP | 443 | 443 | HVN-CIDR | Consul API |
| TCP | 8300 | 8300 | HVN-CIDR | For RPC communication between clients and servers |
| TCP | 8301 | 8301 | HVN-CIDR | Used to gossip with server |
| UDP | 8301 | 8301 | HVN-CIDR | Used to gossip with server |
| TCP | 8301 | 8301 | Security group ID itself | Used to handle gossip between client agents |
| UDP | 8301 | 8301 | Security group ID itself | Used to handle gossip between client agents |
| TCP | 8502 | 8502 | HVN-CIDR | For gRPC communication to servers |
To apply the egress rules to the security group, issue the `authorize-security-group-egress` command. Specify the following information in the command:
- Target VPC region
- Security group ID (passed with `--group-id`)
- CIDR block configured for your HVN

```shell
# Egress rules for HCP Consul Dedicated: API, RPC, gossip and gRPC towards the HVN,
# plus gossip between client agents in this security group
$ aws ec2 --region <TARGET-VPC-REGION> \
    authorize-security-group-egress --group-id <SECURITY-GROUP-ID> --ip-permissions \
    IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
    IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
    IpProtocol=tcp,FromPort=8300,ToPort=8300,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
    IpProtocol=tcp,FromPort=8301,ToPort=8301,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
    IpProtocol=udp,FromPort=8301,ToPort=8301,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
    IpProtocol=tcp,FromPort=8301,ToPort=8301,UserIdGroupPairs='[{GroupId=<SECURITY-GROUP-ID>}]' \
    IpProtocol=udp,FromPort=8301,ToPort=8301,UserIdGroupPairs='[{GroupId=<SECURITY-GROUP-ID>}]' \
    IpProtocol=tcp,FromPort=8502,ToPort=8502,IpRanges='[{CidrIp=<HVN-CIDR>}]'
```
Security group rules for HCP Vault Dedicated
To allow traffic between your Vault cluster and AWS, specify egress (outbound) rules on your Amazon VPC or Amazon transit gateway. Ingress rules are not required to allow traffic from Vault clusters into your VPC or transit gateway.
Egress
To allow outbound traffic from your VPC, add the following rules to your security group for HCP Vault:
| Protocol | From Port | To Port | Destination | Purpose |
|---|---|---|---|---|
| TCP | 8200 | 8200 | HVN-CIDR | Vault API |
| TCP | 5696 | 5696 | HVN-CIDR | KMIP server* |
Note: The KMIP port is only necessary if the KMIP secrets engine is being used, which is only available on HCP Vault Plus tier clusters.
To apply this configuration to your security group, run the `authorize-security-group-egress` command. When you issue the command, you must specify the target VPC region and the security group ID (passed with `--group-id`). The example below uses 172.25.16.0/20 as the HVN CIDR; substitute the CIDR block configured for your HVN.

```shell
# Egress rules for HCP Vault Dedicated: Vault API and (if used) the KMIP server
$ aws ec2 --region <TARGET-VPC-REGION> \
    authorize-security-group-egress \
    --group-id <SECURITY-GROUP-ID> \
    --ip-permissions \
    IpProtocol=tcp,FromPort=8200,ToPort=8200,IpRanges='[{CidrIp=172.25.16.0/20}]' \
    IpProtocol=tcp,FromPort=5696,ToPort=5696,IpRanges='[{CidrIp=172.25.16.0/20}]'
```
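After applying the rules, a practitioner will want to confirm that the security group contains exactly the rules from the Consul and Vault tables above, and nothing broader. The following Python script is an added example, not HashiCorp's or AWS's own code. It reads the JSON that `aws ec2 describe-security-groups` prints (here a constructed sample embedded inline rather than a live call), normalizes each `IpPermissions` entry into `(protocol, from_port, to_port, peer)` tuples, and reports rules that are missing (connectivity will fail) and rules that are present but not documented, such as the default allow-all egress rule AWS attaches to every new security group. The HVN CIDR `172.25.16.0/20` is taken from the Vault example above; the group ID `sg-0123456789abcdef0`, the function names and the `kmip` flag (which honours the note that port 5696 is only needed when the KMIP secrets engine is in use) are this example's own assumptions.

```python
import json

# Constructed values for this example (not from any real deployment):
HVN_CIDR = "172.25.16.0/20"          # HVN CIDR used in the Vault example on this page
SG_ID = "sg-0123456789abcdef0"       # placeholder security group ID

# Rule tables transcribed from this page. Peer is "hvn" (the HVN CIDR) or
# "self" (the security group's own ID, i.e. a UserIdGroupPairs entry).
CONSUL_INGRESS = {
    ("tcp", 8301, 8301, "hvn"), ("udp", 8301, 8301, "hvn"),
    ("tcp", 8301, 8301, "self"), ("udp", 8301, 8301, "self"),
}
CONSUL_EGRESS = {
    ("tcp", 80, 80, "hvn"), ("tcp", 443, 443, "hvn"),
    ("tcp", 8300, 8300, "hvn"),
    ("tcp", 8301, 8301, "hvn"), ("udp", 8301, 8301, "hvn"),
    ("tcp", 8301, 8301, "self"), ("udp", 8301, 8301, "self"),
    ("tcp", 8502, 8502, "hvn"),
}
VAULT_EGRESS = {("tcp", 8200, 8200, "hvn")}
VAULT_KMIP_EGRESS = {("tcp", 5696, 5696, "hvn")}   # only when KMIP is in use


def flatten(permissions, hvn_cidr, sg_id):
    """Expand IpPermissions entries into (proto, from, to, peer) tuples.

    Peers other than the HVN CIDR or the group itself are kept verbatim so the
    audit can report them. The AWS default allow-all egress rule has
    IpProtocol "-1" and no ports; it is recorded with ports -1/-1.
    """
    rules = set()
    for perm in permissions:
        proto = perm["IpProtocol"]
        frm = perm.get("FromPort", -1)
        to = perm.get("ToPort", -1)
        for r in perm.get("IpRanges", []):
            cidr = r["CidrIp"]
            rules.add((proto, frm, to, "hvn" if cidr == hvn_cidr else cidr))
        for g in perm.get("UserIdGroupPairs", []):
            gid = g["GroupId"]
            rules.add((proto, frm, to, "self" if gid == sg_id else gid))
    return rules


def audit_group(group, product, hvn_cidr, kmip=False):
    """Compare one describe-security-groups entry with the page's rule set.

    Returns the rules that are missing and the rules that are present but not
    documented (overly broad, e.g. 0.0.0.0/0), for ingress and egress.
    """
    if product == "consul":
        expected_in, expected_out = CONSUL_INGRESS, CONSUL_EGRESS
    elif product == "vault":
        expected_in = set()                      # no ingress rules required for Vault
        expected_out = VAULT_EGRESS | (VAULT_KMIP_EGRESS if kmip else set())
    else:
        raise ValueError(f"unknown product: {product}")
    sg_id = group["GroupId"]
    actual_in = flatten(group.get("IpPermissions", []), hvn_cidr, sg_id)
    actual_out = flatten(group.get("IpPermissionsEgress", []), hvn_cidr, sg_id)
    return {
        "missing_ingress": sorted(expected_in - actual_in),
        "missing_egress": sorted(expected_out - actual_out),
        "extra_ingress": sorted(actual_in - expected_in),
        "extra_egress": sorted(actual_out - expected_out),
    }


def audit_describe_output(text, product, hvn_cidr=HVN_CIDR, kmip=False):
    """Audit every group in `aws ec2 describe-security-groups` JSON output."""
    data = json.loads(text)
    return {g["GroupId"]: audit_group(g, product, hvn_cidr, kmip)
            for g in data["SecurityGroups"]}


# Constructed sample: a half-configured Consul group that still carries the
# AWS default allow-all egress rule.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"SecurityGroups": [{
    "GroupId": SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8301, "ToPort": 8301,
         "IpRanges": [{"CidrIp": HVN_CIDR}],
         "UserIdGroupPairs": [{"GroupId": SG_ID}]},
        {"IpProtocol": "udp", "FromPort": 8301, "ToPort": 8301,
         "IpRanges": [{"CidrIp": HVN_CIDR}], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 8300, "ToPort": 8300,
         "IpRanges": [{"CidrIp": HVN_CIDR}], "UserIdGroupPairs": []},
    ],
}]})

if __name__ == "__main__":
    for gid, report in audit_describe_output(SAMPLE_DESCRIBE_OUTPUT, "consul").items():
        print(gid)
        for key, rules in report.items():
            for rule in rules:
                print(f"  {key:16} {rule}")
```

On the sample, the Consul audit reports the missing UDP 8301 self-referencing ingress rule, the seven egress rules not yet applied, and the `0.0.0.0/0` allow-all egress rule as an extra. Against a live account, replace `SAMPLE_DESCRIBE_OUTPUT` with the output of `aws ec2 describe-security-groups --group-ids <SECURITY-GROUP-ID>`; the allow-all egress finding is the one most often left in place, since AWS creates it by default and the `authorize-security-group-egress` commands above add rules without removing it.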