»Security Groups

As part of the workflow to establish communication between your HashiCorp Virtual Network (HVN) and your Amazon VPC or Amazon Transit Gateway, one of the steps requires that you create a security group.

A security group acts as a virtual firewall for your instance and controls its inbound and outbound traffic; protocol and port permissions for AWS traffic are managed through these security groups. The HCP portal UI provides an easy way to set up a security group once for all HCP products, without additional implementation steps. However, HCP also lets you customize your security group configuration so that it is specific to the HCP product you have deployed.

»Authorize ingress and egress

On your Amazon VPC or Amazon Transit Gateway, add the following rules to your security group: one set that allows inbound traffic from the HVN, and a separate set that controls outbound traffic to the HVN.

»HCP Vault

For HCP Vault, the following outbound (egress) configuration is required.

»Outbound (Egress)

| Protocol | From Port | To Port | Destination | Purpose   |
|----------|-----------|---------|-------------|-----------|
| TCP      | 8200      | 8200    | HVN-CIDR    | Vault API |

You can use the following command to apply the configuration listed above to your security group.

# 172.25.16.0/20 is the HVN CIDR used in this example; substitute your HVN's CIDR if it differs.
$ aws ec2 --region <TARGET-VPC-REGION> \
   authorize-security-group-egress \
   --group-id <SECURITY-GROUP-ID> \
   --ip-permissions \
   IpProtocol=tcp,FromPort=8200,ToPort=8200,IpRanges='[{CidrIp=172.25.16.0/20}]'

»HCP Consul

For HCP Consul, the following inbound (ingress) and outbound (egress) rules must be added to your security group.

»Inbound (Ingress)

The table below documents the inbound (ingress) configuration required.

| Protocol | From Port | To Port | Source                   | Description                                   |
|----------|-----------|---------|--------------------------|-----------------------------------------------|
| TCP      | 8301      | 8301    | HVN-CIDR                 | Used to handle gossip from server             |
| UDP      | 8301      | 8301    | HVN-CIDR                 | Used to handle gossip from server             |
| TCP      | 8301      | 8301    | Security group ID itself | Used to handle gossip between client agents   |
| UDP      | 8301      | 8301    | Security group ID itself | Used to handle gossip between client agents   |

You can use the following command to apply the configuration listed above to your security group.

$ aws ec2 --region <TARGET-VPC-REGION> \
   authorize-security-group-ingress --group-id <SECURITY-GROUP-ID> --ip-permissions \
   IpProtocol=tcp,FromPort=8301,ToPort=8301,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
   IpProtocol=udp,FromPort=8301,ToPort=8301,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
   IpProtocol=tcp,FromPort=8301,ToPort=8301,UserIdGroupPairs='[{GroupId=<SECURITY-GROUP-ID>}]' \
   IpProtocol=udp,FromPort=8301,ToPort=8301,UserIdGroupPairs='[{GroupId=<SECURITY-GROUP-ID>}]'

»Outbound (Egress)

The table below documents the outbound (egress) configuration required.

| Protocol | From Port | To Port | Destination              | Description                                        |
|----------|-----------|---------|--------------------------|----------------------------------------------------|
| TCP      | 8300      | 8300    | HVN-CIDR                 | For RPC communication between clients and servers  |
| TCP      | 8301      | 8301    | HVN-CIDR                 | Used to gossip with server                         |
| UDP      | 8301      | 8301    | HVN-CIDR                 | Used to gossip with server                         |
| TCP      | 8301      | 8301    | Security group ID itself | Used to handle gossip between client agents        |
| UDP      | 8301      | 8301    | Security group ID itself | Used to handle gossip between client agents        |
| TCP      | 80        | 80      | HVN-CIDR                 | Consul API                                         |
| TCP      | 443       | 443     | HVN-CIDR                 | Consul API                                         |

You can use the following command to apply the configuration listed above to your security group.

$ aws ec2 --region <TARGET-VPC-REGION> \
   authorize-security-group-egress --group-id <SECURITY-GROUP-ID> --ip-permissions \
   IpProtocol=tcp,FromPort=8300,ToPort=8300,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
   IpProtocol=tcp,FromPort=8301,ToPort=8301,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
   IpProtocol=udp,FromPort=8301,ToPort=8301,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
   IpProtocol=tcp,FromPort=8301,ToPort=8301,UserIdGroupPairs='[{GroupId=<SECURITY-GROUP-ID>}]' \
   IpProtocol=udp,FromPort=8301,ToPort=8301,UserIdGroupPairs='[{GroupId=<SECURITY-GROUP-ID>}]' \
   IpProtocol=tcp,FromPort=80,ToPort=80,IpRanges='[{CidrIp=<HVN-CIDR>}]' \
   IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges='[{CidrIp=<HVN-CIDR>}]'
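Once the rules above have been applied, it is worth verifying that the security group actually matches the HCP Vault or HCP Consul table, and that nothing broader slipped in (a freshly created security group carries an AWS default egress rule allowing all traffic to 0.0.0.0/0, which makes the per-port egress rules above meaningless until it is removed). The following script is an added example, not HCP's or AWS's own tooling: it encodes the Vault and Consul rule tables from this page, flattens the JSON that `aws ec2 describe-security-groups` returns into the same shape, and reports missing, extra and over-broad rules. The `SAMPLE_SG` document, the group ID `sg-0123456789abcdef0` and the function names are constructed for the example; `172.25.16.0/20` is the HVN CIDR used on this page.

```python
"""Audit an AWS security group against the HCP Vault / HCP Consul rule tables.

Added example; not HCP's or AWS's own code. Works on the JSON shape returned by
`aws ec2 describe-security-groups` (one element of "SecurityGroups")."""
import json

HVN_CIDR = "172.25.16.0/20"  # the HVN CIDR used on this page; replace with yours

# A rule is (direction, protocol, from_port, to_port, target) where target is a
# CIDR or a security group ID. Using plain tuples makes set arithmetic easy.
def expected_rules(product, hvn_cidr, sg_id):
    """Rules the page requires for an HCP product, as a set of tuples."""
    if product == "vault":
        return {("egress", "tcp", 8200, 8200, hvn_cidr)}
    if product == "consul":
        # Serf gossip on 8301 TCP+UDP, both from the HVN and from the group itself.
        gossip = [(proto, 8301, 8301, target)
                  for proto in ("tcp", "udp") for target in (hvn_cidr, sg_id)]
        rules = {("ingress",) + g for g in gossip} | {("egress",) + g for g in gossip}
        rules |= {("egress", "tcp", 8300, 8300, hvn_cidr),   # RPC to servers
                  ("egress", "tcp", 80, 80, hvn_cidr),       # Consul API
                  ("egress", "tcp", 443, 443, hvn_cidr)}     # Consul API
        return rules
    raise ValueError(f"unknown product: {product}")


def flatten(sg):
    """Flatten one describe-security-groups entry into the same tuple form."""
    rules = set()
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        for perm in sg.get(key, []):
            proto = perm["IpProtocol"]                 # "tcp", "udp", "-1" (all), ...
            lo = perm.get("FromPort", 0)               # "-1" rules carry no ports
            hi = perm.get("ToPort", 65535)
            targets = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            targets += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            targets += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
            for target in targets:
                rules.add((direction, proto, lo, hi, target))
    return rules


def audit(sg, product):
    """Return missing, extra and over-broad rules relative to the page's table."""
    expected = expected_rules(product, HVN_CIDR, sg["GroupId"])
    actual = flatten(sg)
    overbroad = {r for r in actual
                 if r[4] in ("0.0.0.0/0", "::/0") or r[1] == "-1"}
    return {"missing": sorted(expected - actual),
            "extra": sorted(actual - expected),
            "overbroad": sorted(overbroad)}


# Constructed sample: a Consul client group where the UDP self-reference ingress
# rule was forgotten and the AWS default allow-all egress rule was never removed.
SG_ID = "sg-0123456789abcdef0"
SAMPLE_SG = {
    "GroupId": SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8301, "ToPort": 8301,
         "IpRanges": [{"CidrIp": HVN_CIDR}], "UserIdGroupPairs": [{"GroupId": SG_ID}]},
        {"IpProtocol": "udp", "FromPort": 8301, "ToPort": 8301,
         "IpRanges": [{"CidrIp": HVN_CIDR}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8300, "ToPort": 8300, "IpRanges": [{"CidrIp": HVN_CIDR}]},
        {"IpProtocol": "tcp", "FromPort": 8301, "ToPort": 8301,
         "IpRanges": [{"CidrIp": HVN_CIDR}], "UserIdGroupPairs": [{"GroupId": SG_ID}]},
        {"IpProtocol": "udp", "FromPort": 8301, "ToPort": 8301,
         "IpRanges": [{"CidrIp": HVN_CIDR}], "UserIdGroupPairs": [{"GroupId": SG_ID}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": HVN_CIDR}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": HVN_CIDR}]},
    ],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        # Real usage: aws ec2 describe-security-groups --group-ids <ID> | python3 sg_audit.py consul
        group = json.load(sys.stdin)["SecurityGroups"][0]
        print(json.dumps(audit(group, sys.argv[1]), indent=2))
    else:
        print(json.dumps(audit(SAMPLE_SG, "consul"), indent=2))
```

On the constructed sample the audit reports one missing rule (UDP 8301 ingress from the group itself) and one extra rule that is also flagged as over-broad (the default all-traffic egress to 0.0.0.0/0). The script deliberately treats the security-group self-reference as a distinct target rather than expanding it to addresses, which is how the page's "Security group ID itself" rows are expressed in the API.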

»Learn

Refer to the following tutorials for a step-by-step guide: