Peering an Azure Virtual Network with HashiCorp Cloud Platform (HCP)
The HashiCorp Cloud Platform (HCP) supports network peering with an Azure virtual network. Network peering enables resources in two different networks to communicate with each other. In order for the Consul servers hosted on the HashiCorp Cloud Platform (HCP) to communicate with the resources in your Azure environment, a network peering connection must be established.
In this tutorial, you will create a network peering connection between HashiCorp Cloud Platform and an Azure virtual network.
To accomplish this objective, you will:
- Initialize a peering connection from HCP
- Accept the peering connection in Azure
- Create a route to Azure in HCP
- Configure your network security groups in Azure
Prerequisites
- An Azure Account with permissions to perform the following actions:
- Accept virtual network peering connections
- Create and edit network security groups
- Create virtual network routes
- An Azure virtual network
- Azure CLI
- An HCP Account
- A HashiCorp Virtual Network (HVN)
- Terraform (optional)
Initialize a peering connection from HCP
To start the peering procedure that allows for communication between HashiCorp Cloud Platform (HCP) and Microsoft Azure, you will initiate the peering connection from the HCP Portal.
In your HCP web console, navigate to the left sidebar and click on the HashiCorp Virtual Network tab.
Select the HVN you want to create a peering connection with.
In the selected HVN overview page, navigate to the left sidebar and click on the Peering connections link.
Click on Create connection to create a peering relationship with your Azure virtual network.
Fill in the requested information and click the Create connection button to begin the peering process.
Note
If you are unsure of where to find the required resource IDs, click on the link labeled Where can I find this?. The link provides helpful information and a screenshot of where in the Azure web console this information can be found.
Once the connection has been created, the Peering connections page will show a Pending state for your peering connection (similar to the example screenshot below) until it is accepted in Azure.
Accept the peering connection in Azure
In order for your Azure Web Console to complete the peering connection from HashiCorp Cloud Platform (HCP), you will create some permission-based resources with Terraform or the Azure web console that allow your Azure environment to see the peering request, then you will accept the request.
Click on your peering connection, scroll down to the Peering Instructions area, then copy the customized Terraform code to your clipboard.
Create a local file main.tf with your customized Terraform code.
Log in to your Azure account with the Azure CLI.
Initialize Terraform from the directory where you created main.tf.
Run Terraform to create the required permission-based Azure resources.
Log in to your Azure web console.
Go to the Azure Virtual Network page in the web console, and select your respective Virtual Network.
Click on the Peering option that is on the left sidebar. You should now have an entry in the Peering Status column with a status of Connected.
Note
It may take a few minutes before the peering connection is available and visible.
Tip
You can find additional information regarding Azure virtual network peering connections in the Azure documentation.
Your network peering is now complete between HCP and Azure. This sets the foundation to allow resources in your HCP environment to communicate with resources in your Azure virtual network. In the next section you will create a network route from HCP to Azure.
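Checking the accepted peering from the Azure CLI rather than the web console is useful when you want to script the verification or run it as part of a pipeline. The following is an added example (not part of this tutorial or of HCP's own tooling): it takes the JSON that `az network vnet peering list` prints for your VNet, confirms the peering is in the Connected state with virtual network access enabled, confirms the remote address space is the HVN CIDR you configured, and refuses an address space that overlaps your own VNet, since peered networks must not overlap. The sample JSON, the VNet prefixes, the subscription id and the HVN CIDR are constructed for the example.

```python
import ipaddress
import json

# Constructed sample of what `az network vnet peering list -g <rg> --vnet-name <vnet> -o json`
# returns after the HCP peering request has been accepted. Values are made up for this
# example; field names follow Azure's virtualNetworkPeerings resource schema.
SAMPLE_PEERING_JSON = """
[
  {
    "name": "hcp-hvn-peering",
    "peeringState": "Connected",
    "allowVirtualNetworkAccess": true,
    "allowForwardedTraffic": false,
    "allowGatewayTransit": false,
    "useRemoteGateways": false,
    "remoteAddressSpace": {"addressPrefixes": ["172.25.16.0/20"]},
    "remoteVirtualNetwork": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/hcp-rg/providers/Microsoft.Network/virtualNetworks/hvn-vnet"}
  }
]
"""

# Constructed: the address space of your own Azure VNet, as `az network vnet show`
# reports it under addressSpace.addressPrefixes.
LOCAL_VNET_PREFIXES = ["10.0.0.0/16"]


def sample_peerings():
    """Parse the constructed sample the same way you would parse real CLI output."""
    return json.loads(SAMPLE_PEERING_JSON)


def cidrs_overlap(a, b):
    """True if two CIDR blocks share any address; peering needs disjoint address spaces."""
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


def check_peering(peerings, local_prefixes, expected_hvn_cidr):
    """Return a list of human-readable problems; an empty list means the peering looks healthy.

    peerings: parsed JSON list from `az network vnet peering list`.
    local_prefixes: address prefixes of your Azure VNet.
    expected_hvn_cidr: the HVN CIDR you configured in HCP.
    """
    problems = []
    if not peerings:
        return ["no peering found on this VNet (Azure side not created yet, or wrong VNet)"]
    for p in peerings:
        name = p.get("name", "<unnamed>")
        if p.get("peeringState") != "Connected":
            problems.append(f"{name}: peeringState is {p.get('peeringState')!r}, expected 'Connected'")
        if not p.get("allowVirtualNetworkAccess", False):
            problems.append(f"{name}: allowVirtualNetworkAccess is false, HVN traffic will be dropped")
        remote = p.get("remoteAddressSpace", {}).get("addressPrefixes", [])
        if expected_hvn_cidr not in remote:
            problems.append(f"{name}: remote prefixes {remote} do not include HVN CIDR {expected_hvn_cidr}")
        for r in remote:
            for l in local_prefixes:
                if cidrs_overlap(r, l):
                    problems.append(f"{name}: HVN prefix {r} overlaps local VNet prefix {l}")
    return problems


if __name__ == "__main__":
    for line in check_peering(sample_peerings(), LOCAL_VNET_PREFIXES, "172.25.16.0/20") or ["peering OK"]:
        print(line)
```

Run it with `az network vnet peering list -g <rg> --vnet-name <vnet> -o json` piped into `json.load(sys.stdin)` in place of the constructed sample. A non-empty result is worth acting on before you create the HVN route: an Initiated state means the HCP side has not completed yet, and an overlapping prefix means the route you are about to add will never be used for the addresses that collide.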
Create a route to Azure in HCP
BGP Routing
HashiCorp Virtual Networks have additional restrictions compared to a typical Azure Virtual Network. If your network topology requires that the HVN accept routes propagated with BGP (for instance Azure ExpressRoute), contact the HCP support team.
In order for HCP to be able to communicate with your Azure resources, a default route to your Azure virtual network must be added on the HCP side.
In your HCP web console, navigate to the left sidebar and click on the HashiCorp Virtual Network tab.
Select the HVN you created an Azure peering connection with.
In the selected HVN overview page navigate to the left sidebar, click on the Route table link, then click the Create route button.
Fill in the respective fields with your desired Route table ID, CIDR Destination (your Azure virtual network CIDR), and your HCP peering connection.
(Optional) Fill in the specific hub-spoke configuration if the HVN is going to be a spoke in a hub-spoke topology.
Click on the Create route button once complete.
A route to your HCP network is automatically created in your Azure environment once the network peering is complete, so no additional routing configuration is necessary on the Azure side.
You now have a network route from HCP to Azure. This will allow resources in your Azure virtual network to communicate with resources in your HCP environment. In the next section, you will create network security groups that allow specific port traffic between Azure and HCP.
Configure your network security groups in Azure
To allow traffic on the application's network ports, we recommend following the principle of least privilege and creating network security group rules in Azure that are as granular and specific as possible.
In your HCP web console, navigate to the left sidebar and click on the HashiCorp Virtual Network tab.
Select the HVN you created an Azure peering connection with.
In the selected HVN overview page, navigate to the left sidebar and click on the Peering connections link.
Click on your peering connection, scroll down to the Updating Network security groups area, then click the Terminal tab.
Insert your Azure network security group ID in the form to generate your custom Azure commands.
After logging into your account via the Azure CLI, copy and run the respective commands in your terminal (or via the Azure Cloud Shell) to create the required Azure network security groups.
Go to the Azure Network Security Groups page in the web console, and select your respective Virtual Network.
Click on your respective network security group. You should now have several entries similar to the screenshot below.
Additional information regarding Azure network security groups can be found in the Azure virtual network documentation.
Your Azure network security group configuration is now complete. This allows network port communication between your Azure resources and HCP resources.
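The least-privilege advice above comes down to two things: inbound rules should name the HVN CIDR as their source rather than any-source, and they should open only the ports the application needs. The following is an added example, not HCP's generated commands and not part of this tutorial. It builds such a rule set, renders each rule as an `az network nsg rule create` invocation using that command's documented flags, and audits an existing rule list (in the shape `az network nsg rule list` prints) for rules that expose the same ports to `*`, `Internet` or `0.0.0.0/0`. The HVN CIDR, the resource names and the port table are assumptions; the ports are Consul's defaults, which the page does not list, so replace them with whatever HCP generated for your peering.

```python
import ipaddress
import shlex

# Assumptions for this example: the HVN CIDR you chose in HCP, and Consul's default ports
# (8300 server RPC, 8301/8302 Serf LAN/WAN, 8500-8502 HTTP/HTTPS/gRPC, 8600 DNS).
HVN_CIDR = "172.25.16.0/20"
CONSUL_PORTS = {
    "consul-rpc-tcp":  ("Tcp", ["8300"]),
    "consul-serf-tcp": ("Tcp", ["8301", "8302"]),
    "consul-serf-udp": ("Udp", ["8301", "8302"]),
    "consul-api-tcp":  ("Tcp", ["8500", "8501", "8502"]),
    "consul-dns":      ("*",   ["8600"]),
}
# Source prefixes that mean "anyone"; an Allow rule from these is the weak setting to avoid.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def build_nsg_rules(hvn_cidr, base_priority=100):
    """Return least-privilege inbound NSG rules (as dicts) that admit only the HVN CIDR
    on the Consul ports. Raises ValueError if the source is not a valid CIDR, so '*' or
    a typo is caught before anything is applied."""
    ipaddress.ip_network(hvn_cidr, strict=False)
    rules = []
    for i, (name, (proto, ports)) in enumerate(CONSUL_PORTS.items()):
        rules.append({
            "name": name,
            "priority": base_priority + i * 10,
            "direction": "Inbound",
            "access": "Allow",
            "protocol": proto,
            "sourceAddressPrefix": hvn_cidr,
            "destinationPortRanges": ports,
        })
    return rules


def to_az_command(rule, resource_group, nsg_name):
    """Render one rule as an `az network nsg rule create` command line."""
    parts = [
        "az", "network", "nsg", "rule", "create",
        "--resource-group", resource_group,
        "--nsg-name", nsg_name,
        "--name", rule["name"],
        "--priority", str(rule["priority"]),
        "--direction", rule["direction"],
        "--access", rule["access"],
        "--protocol", rule["protocol"],
        "--source-address-prefixes", rule["sourceAddressPrefix"],
        "--destination-port-ranges", *rule["destinationPortRanges"],
    ]
    return " ".join(shlex.quote(p) for p in parts)


def audit_nsg_rules(existing_rules):
    """Flag inbound Allow rules (as printed by `az network nsg rule list`) that open the
    Consul ports, or every port, to an any-source prefix instead of the HVN CIDR."""
    consul_ports = {p for _, ports in CONSUL_PORTS.values() for p in ports}
    findings = []
    for r in existing_rules:
        if r.get("direction") != "Inbound" or r.get("access") != "Allow":
            continue
        # Azure reports a single value in the singular field and lists in the plural one.
        srcs = set(r.get("sourceAddressPrefixes") or [])
        if r.get("sourceAddressPrefix"):
            srcs.add(r["sourceAddressPrefix"])
        ports = set(r.get("destinationPortRanges") or [])
        if r.get("destinationPortRange"):
            ports.add(r["destinationPortRange"])
        if srcs & ANY_SOURCE and (ports & consul_ports or "*" in ports):
            findings.append(f"{r.get('name')}: allows {sorted(srcs)} to ports {sorted(ports)}")
    return findings


if __name__ == "__main__":
    # Constructed resource names; substitute your own resource group and NSG.
    for rule in build_nsg_rules(HVN_CIDR):
        print(to_az_command(rule, "my-resource-group", "my-nsg"))
```

The audit is the part worth keeping around: after HCP's generated commands have been applied, run `az network nsg rule list -g <rg> --nsg-name <nsg> -o json`, feed the result to `audit_nsg_rules`, and treat any finding as a rule that should be narrowed to the HVN CIDR.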
Next steps
In this tutorial, you created a peering connection between HashiCorp Cloud Platform (HCP) and an Azure virtual network. You accomplished this by creating a network peering from HCP then accepting it on the Azure side. You then created a route in your HCP route table that facilitates network communication between HCP and Azure. Finally, you configured network security groups that allow for application communication between your environments. Upon completion of these steps, your Azure resources can now connect with your HCP resources.
You can also create peering connections between Azure and HCP with the HashiCorp Cloud Platform Terraform Provider. Refer to the HCP Terraform Provider documentation and the Azure Terraform Provider documentation.
Feel free to visit other HCP tutorials to continue your learning journey.