HashiConf All virtual session recordings now available. Watch now
HashiCorp Cloud Platform
HashiCorp Cloud Platform

Deploy HCP Consul

  • 9min
  • |
  • HCP
  • Consul

HashiCorp Cloud Platform (HCP) Consul is a fully managed Service Mesh as a Service (SMaaS) version of Consul that allows you to quickly deploy Consul servers in AWS. As a fully managed service, HCP allows you to leverage Consul for service discovery and service mesh across a mix of VM, on-premises, hybrid, or Kubernetes environments, while offloading the operational burden of maintaining the Consul servers to the Site Reliability Engineering (SRE) experts at HashiCorp.

In this tutorial, you will:

  • Create a HashiCorp Virtual Network (HVN)
  • Deploy HCP Consul
  • Peer your HVN and AWS VPC
  • Configure L3 routing and security

To learn how to automate this manual process using Terraform, check out the Deploy HashiCorp Cloud Platform (HCP) Consul using Terraform tutorial.

Prerequisites

To get started, you will need an HCP account. You should also have familiarity with the following tools, technologies, and concepts.

  • Consul
  • AWS VPC
  • AWS Peering Connections
  • AWS Security Groups
  • AWS Routes
  • AWS Ingress & Egress

Create a HashiCorp Virtual Network (HVN)

Before you can deploy HCP Consul, you must deploy an HVN. HCP Consul must be deployed into an HVN. In the HCP portal, in the left navigation, select HashiCorp Virtual Network to be directed to the HVN resource overview page. Click the Create network button at the top right of the page to configure and deploy your HVN.

Once the HVN configuration screen loads, you will have the ability to name your HVN, select a region, and specify the CIDR block value for the network. The default CIDR block value is 172.25.16.0/20.

Note

You must set a CIDR range that does not overlap with the AWS VPC that you will be peering with later.

Once the HVN is deployed, the status will update to Stable on the HashiCorp Virtual Network overview tab.

Deploy HCP Consul

Now that you have created an HVN, you are ready to deploy HCP Consul. The HCP Consul servers deployed with HCP are fully managed by HashiCorp.

Navigate to the Consul resource page in the HCP Portal. Select Create cluster at the top right of the page to configure your deployment. On the configuration page, you will have the ability to name your HCP Consul cluster, select a Consul version, and enable a public IP. Enabling a public IP will allow you to quickly access your HCP Consul cluster by making the Consul UI and API available over a public IP address, however, it is not recommended for production because it is a less secure configuration.

Note

You cannot connect Consul clients to the HCP Consul deployment using the public IP.

By default, an extra-small (XS) cluster size will be deployed. This cluster size is capable of handling approximately 50 service instances and is only recommended for development workloads. To deploy larger production size clusters, a credit card is required. This will open the ability to deploy the following cluster tiers:

HCP Consul deployment tiers

Note

For more information on sizing and pricing, see the HCP Consul pricing guide.

For this tutorial, you can leave all the defaults, including the private IP option and the latest version of Consul. Scroll to the bottom of the page and click the Create cluster button to create your Consul cluster. This process may take a few minutes.

Once the process completes, your HCP Consul cluster servers are fully deployed. You will still need to deploy Consul clients to a peered VPC to make use of Consul's features. The clients will need an L3 route configured in AWS that allows them to access the HCP Consul cluster's private endpoint.

Peer your HVN and VPC

To peer the networks, you must know your AWS account ID and have a VPC to peer with. You can either create a new VPC, or use an existing one. This VPC must be peered with the HVN that you provisioned through the HCP Portal.

On your HVN's overview page, select the Peering connections tab, and then click the Create peering connection link to create a peering relationship with your AWS VPC. Provide the following information, and then click the Create connection button to begin the peering process.

  • AWS account ID
  • VPC ID
  • VPC region
  • VPC CIDR block

Once you start the peering process you will be directed to a screen that shows the peering status as Creating. You will need to accept the connection from the AWS console.

Navigate to the Peering Connections area of your AWS Console. You should have an entry in the list with a status of Pending Acceptance. Confirm acceptance in the AWS console by clicking Actions -> Accept Request. The status should change to active on the AWS console.

You can return to this screen at any time to delete the peering relationship. However, deleting this peering relationship means you will no longer be able to communicate with your HVN.

Configure L3 routing and security

Creating a peering connection is just the first step in establishing network connectivity between your HVN and your VPC. AWS is secure by default. This means that, by default, no routes have been specified and all ports are blocked. You will need to:

  • Create a security group
  • Create a route
  • Define ingress and egress rules

Create a security group

You must create a security group associated with your AWS VPC. For instructions on how to create a security group from the AWS console, refer to the official documentation.

You can also use the AWS CLI. The following command will create a security group associated with your VPC. You will need your AWS VPC ID to create a security group associated with your AWS VPC.

$ aws ec2 create-security-group --group-name hcp-group --description "HCP security group" --vpc-id <VPC_ID>
{
    "GroupId": "[SECURITY_GROUP_ID]"
}

Make note of the security group ID in the output. You will use it in subsequent steps of the tutorial.

Note

: If you are planning to connect your HVN to an EKS cluster, you do not need to create a new security group. Instead, you must identify the security group that your cluster instances are secured with, and use that security group specifically for the remainder of the tutorial.

Create a route

You must create a route from your HVN to the peered AWS VPC. For instructions on how to configure the route from the AWS console, refer the official documentation.

You can also use the AWS CLI. To create a route between your HVN and your transit gateway, you will need:

  • The VPC peering connection ID (available from the Peering connections tab in the HCP Portal's HVC page)
  • The route table ID for the route table associated with your VPC (available from the AWS console)
  • The CIDR block of the HVN you created in the HCP Portal

Issue the following command to create a route for your VPC peering connection.

$ aws ec2 create-route --route-table-id <ROUTE_TABLE_ID> --destination-cidr-block [HVN_CIDR] --vpc-peering-connection-id <VPC_PEERING_CONNECTION_ID>
{
    "Return": true
}

Authorize ingress and egress

Now that you have a security group and a route, you must authorize ingress and egress traffic. To authorize security group ingress and egress, you will need:

  • Your security group ID
  • The HVN CIDR
  • The VPC region

The table below documents the ingress configuration that must be applied to the security group.

Inbound (Ingress)

ProtocolFrom PortTo PortSourceDescription
TCP83018301HVN_CIDRUsed to handle gossip from server
UDP83018301HVN_CIDRUsed to handle gossip from server
TCP83018301Security group ID itselfUsed to handle gossip between client agents
UDP83018301Security group ID itselfUsed to handle gossip between client agents

You can use the following command to apply the configuration listed above to your security group.

export REGION="us-west-2"
export SECURITY_GROUP_ID="sg-0266467fd1adad0ae"
export HVN_CIDR="172.25.16.0/20"

aws ec2 --region $REGION authorize-security-group-ingress --group-id $SECURITY_GROUP_ID --ip-permissions \
IpProtocol=tcp,FromPort=8301,ToPort=8301,IpRanges="[{CidrIp=$HVN_CIDR}]" \
IpProtocol=udp,FromPort=8301,ToPort=8301,IpRanges="[{CidrIp=$HVN_CIDR}]" \
IpProtocol=tcp,FromPort=8301,ToPort=8301,UserIdGroupPairs="[{GroupId=$SECURITY_GROUP_ID}]" \
IpProtocol=udp,FromPort=8301,ToPort=8301,UserIdGroupPairs="[{GroupId=$SECURITY_GROUP_ID}]"

Outbound (Egress)

The table below documents the egress configuration that must be applied to the security group.

ProtocolFrom PortTo PortSourceDescription
TCP83008300HVN_CIDRUsed by clients to talk to server
TCP83018301HVN_CIDRUsed to gossip with server
UDP83018301HVN_CIDRUsed to gossip with server
TCP83018301Security group ID itselfUsed to handle gossip between client agents
UDP83018301Security group ID itselfUsed to handle gossip between client agents
TCP443443HVN_CIDRTLS encryption

You can use the following command to apply the configuration listed above to your security group.

export REGION="us-west-2"
export SECURITY_GROUP_ID="sg-0266467fd1adad0ae"
export HVN_CIDR="172.25.16.0/20"

aws ec2 --region $REGION authorize-security-group-egress --group-id $SECURITY_GROUP_ID --ip-permissions \
IpProtocol=tcp,FromPort=8300,ToPort=8301,IpRanges="[{CidrIp=$HVN_CIDR}]" \
IpProtocol=tcp,FromPort=8301,ToPort=8301,IpRanges="[{CidrIp=$HVN_CIDR}]" \
IpProtocol=udp,FromPort=8301,ToPort=8301,IpRanges="[{CidrIp=$HVN_CIDR}]" \
IpProtocol=udp,FromPort=443,ToPort=443,IpRanges="[{CidrIp=$HVN_CIDR}]" \
IpProtocol=tcp,FromPort=8301,ToPort=8301,UserIdGroupPairs="[{GroupId=$SECURITY_GROUP_ID}]" \
IpProtocol=udp,FromPort=8301,ToPort=8301,UserIdGroupPairs="[{GroupId=$SECURITY_GROUP_ID}]"

If you encounter any issues, review the AWS documentation on how to update security groups.

Next steps

In this tutorial, you manually configured and deployed HCP Consul. You also peered your HVN with an AWS VPC so that you would be able to connect Consul clients. With the steps complete, the route should be listed as active in the AWS console. This does not mean packets are actually flowing. It just means that the route is stored in the route table. HCP has no way to detect if routing is configured correctly in your VPC. You will need to confirm that these steps were performed correctly by connecting Consul clients located in your VPC to the servers running in the Consul cluster on HCP.

To validate your manual setup and get hands-on experience with Consul's service discovery and service mesh features, you can review the following tutorials to learn how to deploy connect Consul clients on:

To learn how to automate the manual process you just completed using Terraform check out the Deploy HashiCorp Cloud Platform (HCP) Consul using Terraform tutorial.

If you encounter any issues, please contact the HCP team at support.hashicorp.com.

Previous

Peer AWS VPC with HCP

 Next

Configure EC2 for HCP

This tutorial also appears in:

  • 11 tutorials
    HCP Consul Deployment
    Deploy managed Consul in AWS or Azure. Connect Consul clients running on Azure Virtual Machines (VMs), Elastic Compute Cloud (EC2), Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and/or Elastic Container Service (ECS).
    • Consul