Tutorial

Cross-region connections from consumers to Vault using AWS PrivateLink

Learn how to establish secure cross-region connections to HCP Vault Dedicated using AWS PrivateLink, avoiding public internet exposure and enhancing your security posture.

By Glenn Chia Jin Wee

»Introduction

AWS PrivateLink provides a secure way to access services privately without exposing traffic to the public internet. HCP Vault now supports AWS PrivateLink connectivity, allowing consumers to securely connect to Vault clusters in different AWS regions while keeping all traffic within the AWS network backbone. This feature requires an HCP Vault Dedicated Essentials or Standard tier cluster.

In this post, we'll explore how to establish cross-region connections to HCP Vault clusters using AWS PrivateLink, verify the deployed resources, and demonstrate basic Vault operations through the secure connection.

»Understanding cross-region AWS PrivateLink for HCP Vault

Prior to PrivateLink support, accessing an HCP Vault cluster on AWS from a different AWS region required either cross-region VPC peering or transit gateway peering connections between the consumer region and the HCP Vault cluster's region. This approach introduced several challenges:

  • CIDR planning: Network administrators had to carefully plan VPC CIDR blocks to avoid overlapping IP ranges

  • Route table management: Route tables needed to be correctly configured in both regions

The new PrivateLink feature for HCP Vault solves these challenges. Customers can now directly establish a PrivateLink connection from their VPC in one region to an HCP Vault cluster in another region. PrivateLink works regardless of overlapping CIDR ranges and does not require any route table configuration. It's important to note that PrivateLink is one-directional, allowing connections from your VPC to HCP Vault but not the reverse.

Architecture

This architecture provides several benefits:

  • Enhanced security: Traffic stays within the AWS network and never traverses the public internet

  • Simplified networking: Simplifies network configuration by reducing routing management

  • Global accessibility: Access your HCP Vault cluster from any supported AWS region

  • Reduced attack surface: Minimize exposure by keeping your Vault endpoints private

Note that a private hosted zone is needed with a CNAME record pointing HCP Vault’s private DNS name to the VPC Interface Endpoint's DNS entry. This is essential for certificate validation that requires the Vault DNS name.

»Demo cross-region connectivity with PrivateLink

A simple demo of this architecture can be deployed following the steps in this GitHub repository, which contains all the Terraform code needed to deploy the infrastructure.

»HCP Vault

The Terraform code in the GitHub repository creates a private HCP Vault cluster. For this demo, the Vault cluster is deployed in ap-southeast-1. The private cluster URL is used in the private hosted zone CNAME record and will be resolved to the AWS interface endpoint’s regional DNS entry.

HCP Vault overview


AWS PrivateLink is configured for this Vault cluster. It allows connections from a different region, us-east-1. The endpoint service name is used when creating the VPC interface endpoint in the AWS consumer VPC.

Vault networking - AWS PrivateLink


»AWS PrivateLink

The VPC interface endpoint is created in the consumer VPC using the service name from the HCP Vault endpoint service.

AWS PrivateLink details


»Private hosted zone

A private hosted zone is created for hashicorp.cloud with a CNAME record pointing HCP Vault's private DNS name to the VPC Interface Endpoint's DNS entry. This is essential for certificate validation, which requires the Vault DNS name: the cluster's TLS certificate is issued for its hashicorp.cloud hostname, not for the endpoint's amazonaws.com name, so clients must keep addressing Vault by that hostname.
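As an added example (not the code from the GitHub repository the post links to), the consumer-side Terraform for the two pieces described above: the interface endpoint in the us-east-1 consumer VPC and the private hosted zone with its CNAME. It assumes variables declared elsewhere for the consumer VPC and subnets (var.consumer_vpc_id, var.consumer_vpc_cidr, var.consumer_subnet_ids), the endpoint service name shown on the cluster's networking page (var.vault_service_name), and the hostname from the cluster's private URL (var.vault_private_hostname); the security group restricting port 8200 to the consumer VPC is an assumption added here, not something the post specifies.

```hcl
# Consumer-side Terraform, applied in us-east-1 (the cluster lives in ap-southeast-1).
# All var.* inputs are assumed to be declared elsewhere; values come from the HCP portal.

# Least privilege on the endpoint ENIs: only Vault's API port, only from the consumer VPC.
resource "aws_security_group" "vault_endpoint" {
  name   = "hcp-vault-privatelink"
  vpc_id = var.consumer_vpc_id

  ingress {
    from_port   = 8200
    to_port     = 8200
    protocol    = "tcp"
    cidr_blocks = [var.consumer_vpc_cidr]
  }
}

# Interface endpoint to the HCP Vault endpoint service. Traffic is one-directional:
# consumer VPC -> Vault; nothing on the Vault side can initiate connections back.
resource "aws_vpc_endpoint" "vault" {
  vpc_id              = var.consumer_vpc_id
  service_name        = var.vault_service_name # e.g. com.amazonaws.vpce.<region>.vpce-svc-<id>
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.consumer_subnet_ids
  security_group_ids  = [aws_security_group.vault_endpoint.id]
  private_dns_enabled = false # name resolution is handled by the private zone below
}

# Private hosted zone for hashicorp.cloud, visible only inside the consumer VPC.
resource "aws_route53_zone" "hashicorp_cloud" {
  name = "hashicorp.cloud"
  vpc {
    vpc_id = var.consumer_vpc_id
  }
}

# CNAME the cluster's private hostname to the endpoint's regional DNS name, so the
# client still presents the Vault hostname in SNI and the certificate validates.
resource "aws_route53_record" "vault_private" {
  zone_id = aws_route53_zone.hashicorp_cloud.zone_id
  name    = var.vault_private_hostname
  type    = "CNAME"
  ttl     = 60
  records = [aws_vpc_endpoint.vault.dns_entry[0].dns_name] # entry 0 is the regional name
}

# What the EC2 client exports as VAULT_ADDR.
output "vault_addr" {
  value = "https://${var.vault_private_hostname}:8200"
}
```

Because the private zone shadows the public hashicorp.cloud zone for this VPC only, the same hostname resolves to private endpoint IPs from inside the VPC and is unreachable from anywhere else.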

Private hosted zone with CNAME record


»Connect from an EC2 client

The sample code provided also deploys an EC2 instance to act as the client to validate connections to Vault. Access the EC2 instance and export environment variables needed for Vault connections. Then run vault status to validate connectivity to Vault.

Export environment variables and vault status output


As an additional test, try running several common Vault commands like enabling the kv v2 secrets engine.

Enable kv v2 secrets engine


»Learn more

In this blog, we covered how AWS PrivateLink enables secure cross-region connectivity to HCP Vault Dedicated clusters on AWS. By leveraging PrivateLink, organizations can maintain all traffic within AWS's private network infrastructure, enhancing security while overcoming several challenges such as CIDR overlaps and routing configurations.

The cross-region PrivateLink capability is particularly valuable for organizations with globally distributed infrastructure that need to access centralized secrets management infrastructure. With this feature, you can provide secure, private access to your Vault Dedicated cluster from consumer VPCs in any supported AWS region without exposing your cluster to the public internet.


For scenarios requiring outbound connections from Vault to other services like databases in isolated VPCs, check out our companion blog post on patterns for connecting Vault to Amazon RDS using Amazon VPC Lattice that demonstrates how to connect Vault to RDS instances privately without needing VPC peering or transit gateway connections between VPCs. This is especially useful when leveraging Vault's database secrets engine to generate dynamic credentials for database access across isolated network environments.
