
»Security Groups

This topic describes the security group settings required to open the virtual firewall between your HVN and your AWS cloud network.

»Introduction

A security group is an entity in AWS that functions as a virtual firewall between your AWS instances. Security groups manage protocol and port permissions for AWS traffic as a means of controlling inbound and outbound traffic. Refer to Control traffic to resources using security groups in the AWS documentation for details.

You must create a security group and configure inbound (ingress) and outbound (egress) rules to establish communication between your HashiCorp Virtual Network (HVN) and your Amazon VPC or Amazon transit gateway.

You can use the AWS console or the aws command line client to configure security group rules.

Note that creating custom security group configurations for your HCP products improves infrastructure security, but may reduce administrative flexibility over time as you introduce multiple service deployments.

»Security Group Rules for HCP Consul

Specify the following inbound (ingress) and outbound (egress) rules on your Amazon VPC or Amazon transit gateway to allow traffic between your Consul cluster and AWS.

»Ingress

Specify the following rules on your Amazon VPC or Amazon transit gateway to allow inbound traffic (ingress) from your HVN.

Protocol  From Port  To Port  Source                     Description
TCP       8301       8301     HVN-CIDR                   Used to handle gossip from server
UDP       8301       8301     HVN-CIDR                   Used to handle gossip from server
TCP       8301       8301     Security group ID itself   Used to handle gossip between client agents
UDP       8301       8301     Security group ID itself   Used to handle gossip between client agents

You can issue the authorize-security-group-ingress command to apply the ingress rules to your security group. You must specify the target VPC region, security group ID, and the CIDR block configured for your HVN.

$ aws ec2 --region <TARGET-VPC-REGION> \
   authorize-security-group-ingress --group-id <SECURITY-GROUP-ID> --ip-permissions \
   IpProtocol=tcp,FromPort=8301,ToPort=8301,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
   IpProtocol=udp,FromPort=8301,ToPort=8301,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
   IpProtocol=tcp,FromPort=8301,ToPort=8301,UserIdGroupPairs='[{GroupId=<SECURITY-GROUP-ID>}]' \
   IpProtocol=udp,FromPort=8301,ToPort=8301,UserIdGroupPairs='[{GroupId=<SECURITY-GROUP-ID>}]'

»Egress

Specify the following rules on your Amazon VPC or Amazon transit gateway to allow outbound traffic (egress) from your VPC.

Protocol  From Port  To Port  Destination                Description
TCP       8300       8300     HVN-CIDR                   For RPC communication between clients and servers
TCP       8301       8301     HVN-CIDR                   Used to gossip with server
UDP       8301       8301     HVN-CIDR                   Used to gossip with server
TCP       8301       8301     Security group ID itself   Used to handle gossip between client agents
UDP       8301       8301     Security group ID itself   Used to handle gossip between client agents
TCP       80         80       HVN-CIDR                   Consul API
TCP       443        443      HVN-CIDR                   Consul API

You can issue the authorize-security-group-egress command to apply the egress rules to your security group. You will need to specify the target VPC region, security group ID, and the CIDR block configured for your HVN.

$ aws ec2 --region <TARGET-VPC-REGION> \
   authorize-security-group-egress --group-id <SECURITY-GROUP-ID> --ip-permissions \
   IpProtocol=tcp,FromPort=8300,ToPort=8300,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
   IpProtocol=tcp,FromPort=8301,ToPort=8301,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
   IpProtocol=udp,FromPort=8301,ToPort=8301,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
   IpProtocol=tcp,FromPort=8301,ToPort=8301,UserIdGroupPairs='[{GroupId=<SECURITY-GROUP-ID>}]' \
   IpProtocol=udp,FromPort=8301,ToPort=8301,UserIdGroupPairs='[{GroupId=<SECURITY-GROUP-ID>}]' \
   IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
   IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges='[{CidrIp=<HVN-CIDR>}]'

»Security Group Rules for HCP Vault

Specify the following outbound (egress) rules on your Amazon VPC or Amazon transit gateway to allow traffic between your Vault cluster and AWS.

Inbound (ingress) rules are not required to allow traffic from Vault clusters into your VPC or transit gateway.

»Egress

Specify the following rules on your Amazon VPC or Amazon transit gateway to allow outbound traffic (egress) from your VPC.

Add the following outbound (egress) rules to your security group for HCP Vault.

Protocol  From Port  To Port  Destination   Purpose
TCP       8200       8200     HVN-CIDR      Vault API

Run the authorize-security-group-egress command to apply this configuration to your security group. You must specify the target VPC region and security group ID in the command, and the CIDR block in the example (172.25.16.0/20) must match the CIDR block configured for your HVN.

$ aws ec2 --region <TARGET-VPC-REGION> \
   authorize-security-group-egress \
   --group-id <SECURITY-GROUP-ID> \
   --ip-permissions \
   IpProtocol=tcp,FromPort=8200,ToPort=8200,IpRanges='[{CidrIp=172.25.16.0/20}]'
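After applying the rules, a practitioner usually wants to confirm the security group holds exactly the rule set from the HCP Consul and HCP Vault tables above and nothing broader. The following added example (not HashiCorp's code) audits the parsed output of `aws ec2 describe-security-groups` against those tables; the group ID, the HVN CIDR placeholder and the SAMPLE data are constructed assumptions.

```python
# Added example (not HashiCorp's code): audit a security group against the HCP
# Consul and HCP Vault rule tables on this page. Input is the parsed output of
# `aws ec2 describe-security-groups --group-ids <SECURITY-GROUP-ID>` (constructed here).
HVN_CIDR = "<HVN-CIDR>"  # assumption: replace with the CIDR block of your HVN
SELF = "self"            # stands for "security group ID itself" in the tables
# Required (protocol, port, peer) rules, transcribed from the page's tables.
CONSUL_INGRESS = {("tcp", 8301, HVN_CIDR), ("udp", 8301, HVN_CIDR),
                  ("tcp", 8301, SELF), ("udp", 8301, SELF)}
CONSUL_EGRESS = CONSUL_INGRESS | {("tcp", 8300, HVN_CIDR),
                                  ("tcp", 80, HVN_CIDR), ("tcp", 443, HVN_CIDR)}
VAULT_EGRESS = {("tcp", 8200, HVN_CIDR)}  # HCP Vault needs no ingress rules

def covers(perm, proto, port, peer, group_id):
    """True if one IpPermissions entry grants exactly this required rule."""
    if perm["IpProtocol"] != proto:  # "-1" (all traffic) is flagged, not credited
        return False
    if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
        return False
    if peer == SELF:
        return any(g.get("GroupId") == group_id for g in perm.get("UserIdGroupPairs", []))
    return any(r.get("CidrIp") == peer for r in perm.get("IpRanges", []))

def audit(sg, required_in, required_out):
    """Return (missing rules, over-broad rules) for one SecurityGroups entry."""
    gid = sg["GroupId"]
    missing = [("ingress",) + r for r in sorted(required_in)
               if not any(covers(p, *r, gid) for p in sg["IpPermissions"])]
    missing += [("egress",) + r for r in sorted(required_out)
                if not any(covers(p, *r, gid) for p in sg["IpPermissionsEgress"])]
    # Least privilege: anything open to all traffic or to 0.0.0.0/0 is reported.
    broad = [(d, p["IpProtocol"], p.get("FromPort"), p.get("ToPort"))
             for d, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress"))
             for p in sg[key] if p["IpProtocol"] == "-1"
             or any(r.get("CidrIp") == "0.0.0.0/0" for r in p.get("IpRanges", []))]
    return missing, broad

# Constructed sample: ingress complete; egress lacks 8300/80/443 to the HVN and
# instead carries an over-broad 80-443 rule to the whole internet.
_GW = [{"GroupId": "sg-PLACEHOLDER"}]
_HVN = [{"CidrIp": HVN_CIDR}]
SAMPLE = {"GroupId": "sg-PLACEHOLDER",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8301, "ToPort": 8301, "IpRanges": _HVN, "UserIdGroupPairs": _GW},
    {"IpProtocol": "udp", "FromPort": 8301, "ToPort": 8301, "IpRanges": _HVN, "UserIdGroupPairs": _GW}],
  "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 8301, "ToPort": 8301, "IpRanges": _HVN, "UserIdGroupPairs": _GW},
    {"IpProtocol": "udp", "FromPort": 8301, "ToPort": 8301, "IpRanges": _HVN, "UserIdGroupPairs": _GW},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    print(audit(SAMPLE, CONSUL_INGRESS, CONSUL_EGRESS))
```

Run audit() over each entry of the SecurityGroups list from the real describe output; an empty missing list and an empty broad list means the group matches the table for that product.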