Connecting Cloudhub to HCP Vault
HashiCorp released Vault on HashiCorp Cloud Platform (HCP) on April 7, 2021, so getting Vault set up is easier than ever. HCP also decreases the cost of operating a Vault cluster; the price for a single node development instance is $0.03/hour, and a production instance starts at $1.578/hour. See HashiCorp’s pricing page for more details.
Vault can be used to store secrets and also provides encryption as a service. These capabilities can be leveraged from MuleSoft via the API or AVIO’s HashiCorp Vault Connector for Mule 4.
Now that it’s possible to have a hosted Vault cluster, how do we get our MuleSoft applications connected to it when running on Cloudhub? There are four steps to get your Cloudhub applications connected to HCP Vault:
- Create a VPC in Cloudhub
- Create a HashiCorp Virtual Network (HVN) in HCP
- Peer your HVN with your VPC
- Connect your application
This is what the network will look like after the peering is complete:
Create a VPC in Cloudhub
The first thing you need to do is create a VPC in Cloudhub, where you will deploy your applications. Likely, you have already created a VPC in Cloudhub with VPN connections or VPC peering to your company’s network. If you do not have a VPC already, you’ll need to create one and associate it with environments you want to connect to Vault. Multiple peering connections may be configured, so you can have multiple VPCs configured for your Cloudhub environments.
Create an HVN in HCP
One of the first things you’ll need to do in HashiCorp Cloud Platform is to create a HashiCorp Virtual Network (HVN) in which you will deploy your Vault cluster. The HVN should be located in the same region as the Cloudhub VPC if possible and must be configured with a CIDR block that does not overlap with the Cloudhub VPC’s CIDR or the CIDRs of other networks to which you are connected.
Peer the VPC and the HVN
After your VPC and HVN have been created, it is time to peer the connections. Typically, when peering a Cloudhub VPC with another Amazon VPC, you must fill out MuleSoft’s Excel template and include the VPC ID and AWS Account ID that your Cloudhub VPC will connect to. Since HashiCorp will be initiating the peering request with Cloudhub, you will need to submit a ticket to MuleSoft support requesting the VPC ID of your Cloudhub VPC and the AWS Account ID. You must fill out the template with all of the information that you do have (Cloudhub VPC Amazon Region, Cloudhub VPC Name, Cloudhub VPC CIDR, and HVN CIDR) so the MuleSoft Support Technician can configure the network ACL properly.
Once MuleSoft support responds with the AWS account ID and VPC ID, you can initiate the peering request from HCP. The Connection ID is a name you can specify, and the VPC region will be the region where your Cloudhub VPC resides.
After the connection is created, notify MuleSoft support via your initial ticket, and they will complete the peering request. Voila! Your networks are connected.
Since Vault does not initiate any requests into the Cloudhub network, it is not necessary to configure any firewall rules in the Cloudhub VPC. HashiCorp automatically configures its network to allow traffic to Vault on port 8200.
Connect Your Application
To connect your MuleSoft application to Vault, you can make use of AVIO’s Vault Connector. The Vault cluster URL is available on your Vault cluster’s Overview page. Since you have a VPC peering connection set up, you should always use the Private cluster URL.
Another thing to consider is that HCP runs Vault Enterprise, so you must take the namespace into account when connecting to Vault. In the screenshot above, the default namespace configured is admin, so by default, that is the namespace I must specify when interacting with Vault. You can configure your own namespaces as well.
Your MuleSoft application will need to authenticate with Vault, then retrieve a secret. After retrieving the secret, it can use the information to make calls to other services or use the data directly. This diagram represents the typical interaction.
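The same authenticate-then-retrieve flow expressed directly against the Vault HTTP API, as an added example that is not part of the original post and not AVIO’s connector code. It assumes the AppRole auth method, a KV version 2 mount named secret, and a placeholder private cluster URL; the admin namespace is sent on every call via the X-Vault-Namespace header, which HCP Vault requires.

```python
import json
import urllib.request

# Constructed placeholders: replace with your cluster's Private cluster URL (port 8200)
# and the namespace shown on the HCP Overview page (admin by default).
PRIVATE_CLUSTER_URL = "https://vault-cluster.private.vault.example:8200"  # placeholder
NAMESPACE = "admin"


def build_request(base_url, path, namespace, token=None, body=None):
    """Build a Vault API request carrying the namespace header HCP Vault expects."""
    headers = {"X-Vault-Namespace": namespace, "Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    data = json.dumps(body).encode() if body is not None else None
    url = f"{base_url.rstrip('/')}/v1/{path.lstrip('/')}"
    return urllib.request.Request(url, data=data, headers=headers,
                                  method="POST" if data else "GET")


def call_vault(req, opener=urllib.request.urlopen):
    """Send the request and decode the JSON body; opener is injectable for offline tests."""
    with opener(req, timeout=10) as resp:
        return json.load(resp)


def approle_login(base_url, namespace, role_id, secret_id, opener=urllib.request.urlopen):
    """Step 1: authenticate with AppRole and return the short-lived client token."""
    req = build_request(base_url, "auth/approle/login", namespace,
                        body={"role_id": role_id, "secret_id": secret_id})
    return call_vault(req, opener)["auth"]["client_token"]


def read_kv2_secret(base_url, namespace, token, mount, secret_path,
                    opener=urllib.request.urlopen):
    """Step 2: read the latest version of a KV v2 secret and return only its key/value data."""
    req = build_request(base_url, f"{mount}/data/{secret_path}", namespace, token=token)
    return call_vault(req, opener)["data"]["data"]


if __name__ == "__main__":
    import os  # credentials come from the environment, never from source code
    token = approle_login(PRIVATE_CLUSTER_URL, NAMESPACE,
                          os.environ["VAULT_ROLE_ID"], os.environ["VAULT_SECRET_ID"])
    creds = read_kv2_secret(PRIVATE_CLUSTER_URL, NAMESPACE, token, "secret", "mule/db")
    print(sorted(creds))  # print only the key names, not the secret values
```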
The introduction of Vault on HashiCorp Cloud Platform has made it simple to set up a Vault cluster. After peering your HVN with a Cloudhub VPC, you’ll be retrieving secrets in your MuleSoft applications in no time.