Security Groups
This topic describes the security group settings required to open the virtual firewall between your HVN and your AWS cloud network.
Introduction
A security group is an entity in AWS that functions as a virtual firewall between your AWS instances. Security groups manage protocol and port permissions for AWS traffic as a means of controlling inbound and outbound traffic. Refer to Control traffic to resources using security groups in the AWS documentation for details.
You must create a security group and configure inbound (ingress) and outbound (egress) rules to establish communication between your HashiCorp Virtual Network (HVN) and your Amazon VPC or Amazon transit gateway.
You can use the AWS console or the aws command line client to configure security group rules.
Note that creating custom security group configurations for your HCP products improves infrastructure security, but may reduce administrative flexibility over time as you introduce multiple service deployments.
Security Group Rules for HCP Consul
Specify the following inbound (ingress) and outbound (egress) rules on your Amazon VPC or Amazon transit gateway to allow traffic between your Consul cluster and AWS.
Ingress
Specify the following rules on your Amazon VPC or Amazon transit gateway to allow inbound traffic (ingress) from your HVN.
| Protocol | From Port | To Port | Source | Description |
|---|---|---|---|---|
| TCP | 8301 | 8301 | HVN-CIDR | Used to handle gossip from server |
| UDP | 8301 | 8301 | HVN-CIDR | Used to handle gossip from server |
| TCP | 8301 | 8301 | Security group ID itself | Used to handle gossip between client agents |
| UDP | 8301 | 8301 | Security group ID itself | Used to handle gossip between client agents |
You can issue the authorize-security-group-ingress command to apply the ingress rules to your security group. You must specify the target VPC region, security group ID, and the CIDR block configured for your HVN.
Egress
Specify the following rules on your Amazon VPC or Amazon transit gateway to allow outbound traffic (egress) from your VPC.
| Protocol | From Port | To Port | Destination | Description |
|---|---|---|---|---|
| TCP | 8300 | 8300 | HVN-CIDR | For RPC communication between clients and servers |
| TCP | 8301 | 8301 | HVN-CIDR | Used to gossip with server |
| UDP | 8301 | 8301 | HVN-CIDR | Used to gossip with server |
| TCP | 8301 | 8301 | Security group ID itself | Used to handle gossip between client agents |
| UDP | 8301 | 8301 | Security group ID itself | Used to handle gossip between client agents |
| TCP | 80 | 80 | HVN-CIDR | Consul API |
| TCP | 443 | 443 | HVN-CIDR | Consul API |
You can issue the authorize-security-group-egress command to apply the egress rules to your security group. You must specify the target VPC region, security group ID, and the CIDR block configured for your HVN.
Security Group Rules for HCP Vault
Specify the following outbound (egress) rules on your Amazon VPC or Amazon transit gateway to allow traffic between your Vault cluster and AWS.
Inbound (ingress) rules are not required to allow traffic from Vault clusters into your VPC or transit gateway.
Egress
Add the following outbound (egress) rules to the security group for your Amazon VPC or Amazon transit gateway to allow outbound traffic from your VPC to HCP Vault.
| Protocol | From Port | To Port | Destination | Purpose |
|---|---|---|---|---|
| TCP | 8200 | 8200 | HVN-CIDR | Vault API |
Run the authorize-security-group-egress command to apply this configuration to your security group. You must specify the target VPC region and security group ID in the command.
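The following shell script is an added example, not part of the HCP documentation or HashiCorp's own tooling. It turns the three rule tables above (Consul ingress, Consul egress, Vault egress) into the --ip-permissions JSON that aws ec2 authorize-security-group-ingress and authorize-security-group-egress accept, so that the "Security group ID itself" rows become UserIdGroupPairs entries and the HVN-CIDR rows become IpRanges entries. The HVN CIDR, security group ID and region are placeholders you replace; the script prints the commands by default (DRY_RUN=1) and only calls the AWS CLI when you set DRY_RUN=0 with credentials configured.

```shell
#!/bin/sh
# Added example: build and apply the HCP Consul / Vault security group rules
# with the AWS CLI. Not part of the HCP docs. HVN_CIDR, SG_ID and REGION
# below are placeholders, not real identifiers.
set -eu

# One permission whose source/destination is a CIDR block (the HVN-CIDR rows).
# $1 protocol (tcp|udp)  $2 from port  $3 to port  $4 CIDR  $5 description
cidr_rule() {
  printf '{"IpProtocol":"%s","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s","Description":"%s"}]}' \
    "$1" "$2" "$3" "$4" "$5"
}

# One permission whose source/destination is a security group (the
# "Security group ID itself" rows: client agents gossiping with each other).
# $1 protocol  $2 from port  $3 to port  $4 security group ID  $5 description
sg_rule() {
  printf '{"IpProtocol":"%s","FromPort":%s,"ToPort":%s,"UserIdGroupPairs":[{"GroupId":"%s","Description":"%s"}]}' \
    "$1" "$2" "$3" "$4" "$5"
}

# Wraps rule objects read from stdin (one per line) in a JSON array.
to_array() {
  printf '['
  sed '$!s/$/,/'
  printf ']'
}

# Consul ingress table: gossip from HVN servers plus client-to-client gossip.
# $1 HVN CIDR  $2 this security group's ID
consul_ingress_permissions() {
  {
    cidr_rule tcp 8301 8301 "$1" "Gossip from HVN Consul servers"; echo
    cidr_rule udp 8301 8301 "$1" "Gossip from HVN Consul servers"; echo
    sg_rule   tcp 8301 8301 "$2" "Gossip between client agents"; echo
    sg_rule   udp 8301 8301 "$2" "Gossip between client agents"; echo
  } | to_array
}

# Consul egress table: RPC, gossip and the HTTP/HTTPS API towards the HVN.
consul_egress_permissions() {
  {
    cidr_rule tcp 8300 8300 "$1" "RPC from clients to HVN Consul servers"; echo
    cidr_rule tcp 8301 8301 "$1" "Gossip with HVN Consul servers"; echo
    cidr_rule udp 8301 8301 "$1" "Gossip with HVN Consul servers"; echo
    sg_rule   tcp 8301 8301 "$2" "Gossip between client agents"; echo
    sg_rule   udp 8301 8301 "$2" "Gossip between client agents"; echo
    cidr_rule tcp 80  80  "$1" "Consul API"; echo
    cidr_rule tcp 443 443 "$1" "Consul API"; echo
  } | to_array
}

# Vault egress table: only the Vault API port towards the HVN is needed.
vault_egress_permissions() {
  { cidr_rule tcp 8200 8200 "$1" "Vault API"; echo; } | to_array
}

# Applies one permission set. $1 ingress|egress  $2 region  $3 group ID  $4 JSON
# DRY_RUN=1 prints the command instead of running it. The AWS CLI's own
# --dry-run flag can additionally be added to check IAM permissions only.
apply_rules() {
  set -- aws ec2 "authorize-security-group-$1" --region "$2" --group-id "$3" --ip-permissions "$4"
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s ' "$@"; echo; else "$@"; fi
}

# Placeholder values (constructed for this example): replace with your own.
HVN_CIDR="${HVN_CIDR:-172.25.16.0/20}"
SG_ID="${SG_ID:-sg-0123456789abcdef0}"
REGION="${REGION:-us-west-2}"

apply_rules ingress "$REGION" "$SG_ID" "$(consul_ingress_permissions "$HVN_CIDR" "$SG_ID")"
apply_rules egress  "$REGION" "$SG_ID" "$(consul_egress_permissions  "$HVN_CIDR" "$SG_ID")"
apply_rules egress  "$REGION" "$SG_ID" "$(vault_egress_permissions   "$HVN_CIDR")"
```

Run the script once with the default DRY_RUN=1 to review the exact JSON that will be submitted, then with DRY_RUN=0 to create the rules. Keeping the Consul and Vault rule sets in separate functions makes it easy to apply only the rules for the products you actually deploy, which is the point of the note above about custom security group configurations.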