Connect an Amazon Transit Gateway to your HashiCorp Virtual Network
HashiCorp Cloud Platform (HCP) is a fully managed platform offering HashiCorp Products as a Service (HPaaS) to automate infrastructure on any cloud.
This tutorial will cover the process required to create a transit gateway attachment that enables communication between your HashiCorp Virtual Network (HVN) and your Amazon transit gateway.
The workflow is:
- Create an HVN
- Create a resource share between your HVN and your Amazon transit gateway
- Create a transit gateway attachment from your HVN to your transit gateway
- Configure L3 routing and security
An Amazon transit gateway is a network transit hub that can be used to connect Virtual Private Clouds (VPCs) or on-prem networks even across Amazon regions. Transit gateways can be used to simplify AWS networking by enabling a hub and spoke configuration as opposed to requiring a separate peered connection for resources that need to communicate. Transit gateways use the concept of attachments to describe resources that have been connected to a transit gateway.
Examples of resources that can be attached to a transit gateway include:
- One or more VPCs
- SD-WAN/third-party network appliances
- AWS Direct Connect gateways
- Peering connections with other transit gateways
- VPN connections
Prerequisites
To complete this tutorial, you will need:
- An AWS Account
- The AWS CLI (optional)
- An AWS transit gateway
- An AWS VPC attached to your transit gateway
- An HCP Account
Amazon networking requirements
Since your HVN is part of an AWS VPC, you can create a transit gateway attachment between your HVN and an AWS transit gateway. Your HVN must be in the same region as the transit gateway you wish to attach it to. However, transit gateways created in different regions can be connected to each other. This allows your AWS resources to be multi-region without requiring any additional configuration for your HVN.
Note
To complete this tutorial, your VPC and your transit gateway must be in the same region as your HVN. Refer to the official AWS documentation for guidance on how to create a VPC or a transit gateway.
You must also create a transit gateway attachment between your VPC and your transit gateway. Remember that a transit gateway enables a hub and spoke networking model. The transit gateway is the hub, and your VPC will be your first spoke. You can use the AWS Web Console to create the transit gateway attachment now.
Create a HashiCorp Virtual Network (HVN)
Note
Each HashiCorp Virtual Network (HVN) is created in a project based on a user selected region. The HVN hosts other HCP resources such as HCP Vault Dedicated and HCP Consul Dedicated clusters.
Once you have created your VPC, transit gateway, and an attachment between them, you will need to create an HVN from the HCP Portal. You will then create another transit gateway attachment from your HVN to your transit gateway. Your HVN will be the second spoke off of your transit gateway hub. Again, your HVN must be created in the same region as the VPC and transit gateway you wish to attach it to.
In the navigation area of the HCP portal, select HashiCorp Virtual Network from the navigation menu to load the HVN resource overview page. Then click Create Network to configure and deploy your HVN. You will have the option to name your HVN, select a region, and specify the CIDR block value. The default CIDR block value is 172.25.16.0/20.
Note
You must select a CIDR range that does not overlap with the CIDR of the AWS VPC you will attach to, or with any other network (other VPCs, on-prem ranges, VPN destinations) reachable through the transit gateway. HCP rejects overlapping CIDR blocks when you create the attachment, and the HVN CIDR cannot be changed after the HVN is created, so choose it carefully now.
Once the HVN is deployed, the status will update to Stable on the HVN overview tab.
Create a transit gateway attachment to your HVN
Once your HVN and your transit gateway have been created, you will need to create a transit gateway attachment that associates your Amazon transit gateway with your HVN. Because your HVN belongs to an AWS organization managed by HashiCorp, you must first define an AWS resource share that allows the two organizations to share resources. You can use the HCP Portal to help you create the resource share using the AWS CLI, or you can create the resource share in the AWS Web Console. Once you have created the resource share, you must enter the resource share ARN, along with the Amazon transit gateway ID into the HCP Portal. This tutorial provides instructions for both processes.
To create a transit gateway attachment, select the Transit gateway attachments tab from your HVN details page.
Click Create attachment.
Select either the Terminal or Web Console tab to create a transit gateway attachment.
The Step 1 section of the terminal input form will prompt you for your:
- AWS Account ID
- Amazon Transit Gateway ID
- Region
Once you enter these values, the form will generate an AWS CLI command that you can copy and paste into your terminal to create the required resource share. The share should list only your transit gateway ARN as the resource and only the principal (the HashiCorp-managed AWS account ID) that the form supplies. Because that principal is outside your AWS organization, the share is created with allowExternalPrincipals set to true, as the example output below shows.
Open a terminal and execute the AWS CLI command.
$ aws ram create-resource-share \
--name [GENERATED-NAME] \
--resource-arns [TARGET-RESOURCE-ARN] \
--principals [PRINCIPAL-ID]
Example output:
{
"resourceShare": {
"resourceShareArn": "arn:aws:ram:us-west-2:xxxxxxxxxxxxx:resource-share/16363aa0-52a3-43dd-aa77-10efb88681e2",
"name": "hcp-hvn-resource-share",
"owningAccountId": "xxxxxxxxxxxxx",
"allowExternalPrincipals": true,
"status": "ACTIVE",
"creationTime": "2021-07-13T13:49:47.533000-07:00",
"lastUpdatedTime": "2021-07-13T13:49:47.533000-07:00"
}
}
The command output includes the resourceShareArn value. Copy this value, and paste it into the Resource share ARN field under the Step 2 section of the form.
Finally, enter the CIDR block destinations that the HVN should reach through your transit gateway, for example the CIDR of the VPC you attached earlier. You can find these values in the route table associated with your transit gateway, or in the detailed view of the transit gateway resource. HCP uses them to route traffic from the HVN toward the transit gateway attachment. You may add as many CIDR block destinations as you like, as long as none of them overlap each other or the HVN CIDR. HCP does not allow overlapping CIDR blocks and will reject the attachment request if you provide one.
Once you have finished entering the resource share ARN, the Amazon transit gateway ID, and all the destination CIDR blocks, click the Create attachment button to create the transit gateway attachment. The HCP Portal will now show your transit gateway attachment with a status of Pending Acceptance.
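Before submitting the form, you can run the same overlap check offline. The following Python script is an added example, not HCP's own validation code; it uses the standard library `ipaddress` module, and the CIDR values in it are constructed (the HCP default HVN range, a sample VPC, and a sample on-prem range reached over a VPN attachment).

```python
"""Pre-check the CIDR inputs for an HVN transit gateway attachment.

Added example, not HCP's validation code. It applies the rules the HCP
Portal enforces: the HVN CIDR must not overlap any destination CIDR
reachable through the transit gateway, and the destinations must not
overlap each other. It also rejects CIDRs with host bits set, which
neither HCP nor AWS accept as route destinations.
"""
import ipaddress
from itertools import combinations

# Constructed inputs: the HCP default HVN CIDR, a spoke VPC, and an on-prem
# range reached over a VPN attachment on the same transit gateway.
HVN_CIDR = "172.25.16.0/20"
GOOD_DESTINATIONS = ["10.0.0.0/16", "192.168.100.0/24"]
# 172.25.0.0/16 contains the HVN range, so HCP would reject this set.
BAD_DESTINATIONS = ["10.0.0.0/16", "172.25.0.0/16"]


def find_overlaps(hvn_cidr, destination_cidrs):
    """Return the list of (a, b) CIDR pairs that overlap.

    Every pair is checked: the HVN against each destination, and each
    destination against the others. An empty list means the inputs pass
    HCP's overlap check. strict=True raises ValueError for a CIDR whose
    host bits are set (e.g. 10.0.0.1/16).
    """
    nets = [ipaddress.ip_network(hvn_cidr, strict=True)]
    nets += [ipaddress.ip_network(c, strict=True) for c in destination_cidrs]
    overlaps = []
    for a, b in combinations(nets, 2):
        if a.version == b.version and a.overlaps(b):
            overlaps.append((str(a), str(b)))
    return overlaps


def validate_attachment_cidrs(hvn_cidr, destination_cidrs):
    """Raise ValueError naming the offending pairs, else return normalized CIDRs."""
    overlaps = find_overlaps(hvn_cidr, destination_cidrs)
    if overlaps:
        pairs = ", ".join(f"{a} <-> {b}" for a, b in overlaps)
        raise ValueError(f"overlapping CIDR blocks: {pairs}")
    return [str(ipaddress.ip_network(c)) for c in destination_cidrs]


if __name__ == "__main__":
    print("accepted:", validate_attachment_cidrs(HVN_CIDR, GOOD_DESTINATIONS))
    try:
        validate_attachment_cidrs(HVN_CIDR, BAD_DESTINATIONS)
    except ValueError as err:
        print("rejected:", err)
```

Feed it the HVN CIDR you chose and the destination CIDRs you intend to enter; a non-empty result from `find_overlaps` is exactly what the HCP Portal will reject.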
Accept the attachment
Now that you have initiated the attachment from the HCP Portal, the attachment shows in your list of transit gateway attachments for your HVN, but the status is set to Pending Acceptance.
Navigate to the Transit Gateway Attachments screen in the AWS Web Console, and accept the attachment that you created.
Once you have accepted the attachment, the status in the HCP Portal changes to Active, and your transit gateway set up will be complete. (This may take a couple of minutes.)
Configure L3 routing and security
Creating a transit gateway attachment is just the first step in establishing network connectivity between your HVN and the resources behind your Amazon transit gateway. AWS denies traffic unless you allow it: your VPC route table has no route to the HVN CIDR, and a security group accepts no inbound traffic until you add an ingress rule. Note, however, that a newly created security group carries a default egress rule allowing all outbound traffic to 0.0.0.0/0. If you keep that rule, the narrower egress rule below is redundant; for least privilege, remove the default rule so that only the traffic you list is allowed out.
To configure L3 routing that will allow communications between your HVN and your VPC resources you must:
- Configure a security group
- Create a route
- Define ingress and egress rules
Configure a security group
Protocol and port permissions for AWS traffic are managed via security groups. You will need to configure both protocol and port permissions for traffic that will be flowing between your HVN and your Amazon transit gateway. If you have not yet created a security group you must create one now, and make sure it is associated with your VPC. For instructions on how to create a security group from the AWS console, refer to the official documentation.
You can also use the AWS CLI. The following command will create a security group associated with your VPC. You will need your AWS VPC ID to create a security group associated with your AWS VPC.
$ aws ec2 create-security-group --group-name hcp-group --description "HCP security group" --vpc-id [VPC-ID]
{
"GroupId": "[SECURITY-GROUP-ID]"
}
Make note of the security group ID in the output. You will use it in subsequent steps of the tutorial.
Note
If you are planning to connect your HVN to an EKS cluster, you do not need to create a new security group. Instead, identify the security group applied to your cluster's worker nodes and use that security group for the remainder of the tutorial.
Create a route
You must create a route in the route table associated with your VPC (or with the subnets that need to reach Vault) that sends traffic destined for the HVN CIDR to the transit gateway. The transit gateway also needs a route back toward the HVN: with the default route table association and propagation enabled on the transit gateway, the HVN attachment's CIDR is propagated automatically once the attachment is accepted; if you disabled those defaults, associate the HVN attachment with a transit gateway route table and add the route yourself. For instructions on how to configure the route from the AWS console, refer to the official documentation.
You can also use the AWS CLI to create a route. You will need:
- The transit gateway ID (available from the transit gateway attachments screen on the HCP Portal's HVN page, or from the AWS console)
- The route table ID for the route table associated with your VPC (available from the AWS console)
- The CIDR block of the HVN you created in the HCP Portal
Issue the following command to create a route for your transit gateway.
$ aws ec2 create-route --route-table-id [ROUTE-TABLE-ID] --destination-cidr-block [HVN-CIDR] --transit-gateway-id [TRANSIT-GATEWAY-ID]
{
"Return": true
}
Authorize ingress and egress
You must also authorize ingress and egress traffic. To authorize security group ingress and egress, you will need:
- Your Amazon security group ID
- The HVN CIDR
- The Amazon transit gateway region
Vault Dedicated also needs inbound (ingress) rules on your security group if Vault itself must open connections to services in your environment. In those workflows the connection originates from the HVN, so the ingress rule must allow the HVN CIDR to reach the service's port, and nothing wider. Example workflows include:
- Dynamic credential workflows such as generating database credentials or Kubernetes service accounts
- Authorization workflows such as utilizing self-managed LDAP services or other IDPs under your control
Outbound (Egress)
The table below documents the egress configuration that must be applied to the security group.
Protocol | From Port | To Port | Destination | Purpose |
---|---|---|---|---|
TCP | 8200 | 8200 | HVN-CIDR | Vault API |
You can use the following command to apply the configuration listed above to your security group.
$ aws ec2 --region [TARGET-VPC-REGION] \
authorize-security-group-egress --group-id [SECURITY-GROUP-ID] --ip-permissions \
IpProtocol=tcp,FromPort=8200,ToPort=8200,IpRanges='[{CidrIp=[HVN-CIDR]}]'
Example (substitute the security group ID noted earlier for the placeholder):
$ aws ec2 --region us-west-2 \
authorize-security-group-egress --group-id [SECURITY-GROUP-ID] --ip-permissions \
IpProtocol=tcp,FromPort=8200,ToPort=8200,IpRanges='[{CidrIp=172.25.16.0/20}]'
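To check the VPC side of the configuration before testing connectivity, the following Python script is an added example, not HashiCorp's or AWS's code. It reads the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` return, verifies that an active route for the HVN CIDR points at the transit gateway and that the security group allows the egress listed in the table above, and flags the default allow-all egress rule and any ingress open to the world. The route table and security group documents embedded in it are constructed to match the CLI's output shape, and the resource IDs in them are placeholders.

```python
"""Audit the VPC-side configuration for HVN connectivity (added example).

Reads the JSON returned by `aws ec2 describe-route-tables` and
`aws ec2 describe-security-groups` and checks that a route for the HVN
CIDR points at the transit gateway, that the security group allows the
egress from the tutorial's table, and that no rule is wider than needed.
The two documents below are constructed to match the CLI output shape;
the resource IDs are placeholders, not real identifiers.
"""
import ipaddress

HVN_CIDR = "172.25.16.0/20"            # HCP default HVN CIDR
TGW_ID = "tgw-0123456789abcdef0"       # placeholder
VAULT_PORT = 8200                      # HCP Vault Dedicated API port

# Constructed `aws ec2 describe-route-tables` output: one VPC route table.
ROUTE_TABLES = {"RouteTables": [{
    "RouteTableId": "rtb-0123456789abcdef0",   # placeholder
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": HVN_CIDR, "TransitGatewayId": TGW_ID, "State": "active"},
    ],
}]}

# Constructed `aws ec2 describe-security-groups` output for hcp-group. The
# first egress entry is the allow-all rule that every new group starts with.
SECURITY_GROUPS = {"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",         # placeholder
    "GroupName": "hcp-group",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": VAULT_PORT, "ToPort": VAULT_PORT,
         "IpRanges": [{"CidrIp": HVN_CIDR}]},
    ],
}]}


def route_to_hvn(route_tables, hvn_cidr, tgw_id):
    """True if any route table has an active route sending hvn_cidr to tgw_id."""
    for table in route_tables["RouteTables"]:
        for route in table["Routes"]:
            if (route.get("DestinationCidrBlock") == hvn_cidr
                    and route.get("TransitGatewayId") == tgw_id
                    and route.get("State") == "active"):
                return True
    return False


def rule_covers(rule, proto, port, cidr):
    """True if one IpPermissions entry allows proto/port for every address in cidr."""
    target = ipaddress.ip_network(cidr)
    all_traffic = rule["IpProtocol"] == "-1"
    proto_ok = all_traffic or rule["IpProtocol"] == proto
    port_ok = all_traffic or rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
    range_ok = any(ipaddress.ip_network(r["CidrIp"]).supernet_of(target)
                   for r in rule.get("IpRanges", []))
    return proto_ok and port_ok and range_ok


def audit_security_group(sg, hvn_cidr, port):
    """Return findings; empty means the group matches the egress table and nothing wider."""
    findings = []
    if not any(rule_covers(r, "tcp", port, hvn_cidr) for r in sg["IpPermissionsEgress"]):
        findings.append(f"missing egress tcp/{port} to {hvn_cidr}")
    for rule in sg["IpPermissionsEgress"]:
        if any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            findings.append("egress rule open to 0.0.0.0/0 (the default allow-all rule); "
                            f"it makes the tcp/{port} rule redundant, remove it")
    for rule in sg["IpPermissions"]:
        if any(r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            findings.append("ingress rule open to 0.0.0.0/0")
    return findings


def audit(route_tables, security_groups, hvn_cidr, tgw_id, port):
    """Combine the route and security group checks into one list of findings."""
    findings = []
    if not route_to_hvn(route_tables, hvn_cidr, tgw_id):
        findings.append(f"no active route for {hvn_cidr} via {tgw_id}")
    for sg in security_groups["SecurityGroups"]:
        findings += [f"{sg['GroupId']}: {f}" for f in audit_security_group(sg, hvn_cidr, port)]
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTE_TABLES, SECURITY_GROUPS, HVN_CIDR, TGW_ID, VAULT_PORT) or ["ok"]:
        print(finding)
```

To run it against live data, replace the two constants with `json.load` of `aws ec2 describe-route-tables --route-table-ids <rtb-id>` and `aws ec2 describe-security-groups --group-ids <sg-id>`. If the audit reports the default egress rule, `aws ec2 revoke-security-group-egress --group-id <sg-id> --ip-permissions IpProtocol=-1,IpRanges='[{CidrIp=0.0.0.0/0}]'` removes it, leaving only the tcp/8200 rule from the table above.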
Terraform users: Refer to the example Terraform configurations for connecting an Amazon transit gateway to an HCP Vault Dedicated cluster (Development tier) available from the Terraform Registry.
Tip
If you encounter any issues, review the AWS documentation on how to update security groups.
Next steps
In this tutorial, you used the HCP Portal to create a transit gateway attachment between your HVN and your AWS transit gateway so that you can connect HCP resources with resources in AWS. With the steps complete, the attachment should be listed as Active in the HCP Portal. Active does not mean packets are actually flowing: HCP has no way to detect whether routing and security group rules are configured correctly on your side of the transit gateway.
You will need to confirm that these steps were performed correctly by connecting HCP resources located in your HVN to other resources connected to your transit gateway, for example by reaching the Vault API on TCP port 8200 at the cluster's private address from an instance in your VPC. To validate your manual setup, and get hands-on experience with HCP managed features, you can review the following tutorials:
To learn more about how to use Vault on HCP, visit our HCP Vault Dedicated collection.
If you encounter any issues, please contact the HCP team at support.hashicorp.com.