Secure cluster access with IP allowlist
HashiCorp-managed clusters can use an IP allowlist to restrict communication to a set of IPV4 address ranges. Address outside the ranges in the list are denied access to the cluster's network. This configuration provides an additional layer of security for securing Consul deployments with cluster peering connections.
Background
HashiCorp-managed clusters are hosted in a HashiCorp-managed environment, and they support services hosted in a user-managed environment. In this deployment model, a HashiCorp Virtual Network (HVN) peering connection ensures that internal communications between environments remain secure. However, self-managed clusters do not require HVN peerings, as all network components are hosted in a single user-managed environment. The link between self-managed clusters and HCP Consul is instead secured through the automated exchange of authorization secrets and ACL management tokens.
When using cluster peering connections between HashiCorp-managed and self-managed clusters, configuring HashiCorp-managed clusters to deny requests that come from an IP address that is not part of your network can add additional security to cross-cluster communications.
You can enable and configure an IP allowlist when creating a HashiCorp-managed cluster. You can also enable it later, disable it, or change the range of allowed addresses by editing an existing cluster.
Use IP allowlist
To add an IP address to an existing cluster's allowlist, complete the following steps:
- From the Consul Overview, next to the cluster you want to secure access to, click More (three horizontal dots). Then, click Edit cluster.
- Under "Cluster accessibility", turn on Allow select IPs only.
- Enter the IP address range that is allowed to access the cluster. The address must be in CIDR notation.
- Optionally, enter a description to help you identify the source.
- Click Apply changes to save changes to the IP allowlist.
You can add IP addresses to the allowlist one at a time, or you can click Add another IP address to add up to three addresses.
HCP Consul's allowlist supports three IP address ranges on the allowlist at one time. Click the trash icon to delete an address and its description.