HashiCorp Developer AI Private beta now available Sign up today
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Secure cluster access with IP allowlist

HCP Consul Dedicated clusters can use an IP allowlist to restrict communication to a set of IPV4 address ranges. Address outside the ranges in the list are denied access to the cluster's network. This configuration provides an additional layer of security for securing Consul deployments with cluster peering connections.

Background

HCP Consul Dedicated clusters are hosted in a HCP Consul Dedicated environment, and they support services hosted in a user-managed environment. In this deployment model, a HashiCorp Virtual Network (HVN) peering connection ensures that internal communications between environments remain secure. However, self-managed Community and Enterprise clusters do not require HVN peerings, as all network components are hosted in a single user-managed environment. The link between self-managed Community and Enterprise clusters and HCP Consul Central is instead secured through the automated exchange of authorization secrets and ACL management tokens.

When using cluster peering connections between HCP Consul Dedicated and self-managed Community and Enterprise clusters, configuring HCP Consul Dedicated clusters to deny requests that come from an IP address that is not part of your network can add additional security to cross-cluster communications.

You can enable and configure an IP allowlist when creating a HCP Consul Dedicated cluster. You can also enable it later, disable it, or change the range of allowed addresses by editing an existing cluster.

Use IP allowlist

To add an IP address to an existing cluster's allowlist, complete the following steps:

  1. From the Consul Overview, next to the cluster you want to secure access to, click More (three horizontal dots). Then, click Edit cluster.
  2. Under "Cluster accessibility", turn on Allow select IPs only.
  3. Enter the IP address range that is allowed to access the cluster. The address must be in CIDR notation.
  4. Optionally, enter a description to help you identify the source.
  5. Click Apply changes to save changes to the IP allowlist.

You can add IP addresses to the allowlist one at a time, or you can click Add another IP address to add up to three addresses.

HCP Consul Dedicated's allowlist supports three IP address ranges on the allowlist at one time. Click the trash icon to delete an address and its description.