HCP Vault Outbound Network Traffic
For certain dynamic/rotational Vault secrets engines (e.g. database, cloud credentials, SSH key signing) that need to reach UofM resources, the network traffic takes one of two paths, depending on whether the destination is an RFC1918 private IP or a public IP:
flowchart TD
A[UMN HCP Vault] --> | AWS Tunnel | B[<b>UMN RFC1918 IP Space</b><br> 10.0.0.0/8<br> 172.16.0.0/12<br> 192.168.0.0/16]
A --> | Public Internet | C[<b>UMN Owned Public IP Space</b><br> 128.101.0.0/16<br> 131.212.0.0/16<br> 134.84.0.0/16<br> 146.57.0.0/16<br> 160.94.0.0/16<br>]
A --> | Public Internet | D[<b>Public IP Space</b>]
Vault Source IPs and Firewalls
Note
For traffic using the AWS Tunnel route, you will also need to submit a ticket to secrets-team@umn.edu to have this traffic allowed across the tunnel.
For traffic using the AWS Tunnel route, you will need to allow the 10.74.8.0/24 and 10.75.8.0/24 (DR cluster) ranges to reach the resource that Vault's dynamic/rotation secrets engine needs to access. Allow both ranges: a rule that covers only one of them will stop working when Vault fails over to the other cluster.
For traffic using the Public Internet route, you will need to allow all us-east-2 AWS ranges from this list. In practice that option is often neither feasible nor secure, since it admits every AWS tenant in the region rather than only Vault, so Secrets Management recommends using private endpoints when possible.
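The following is an added example (not part of the UMN documentation) that turns the two routes above into a small planner and checker: it classifies a destination address against the CIDRs in the flowchart, returns the Vault source ranges the destination's firewall must allow, and reports which required ranges an existing allowlist fails to cover. The AWS range document it parses is a constructed sample in the shape of the published ip-ranges.json (entries under `prefixes` with `ip_prefix`, `region` and `service`); its prefixes are RFC 5737 documentation ranges, not real AWS space.

```python
"""Plan and check firewall allow-rules for HCP Vault egress.

Added example, not part of the UMN documentation. The CIDRs below are the
ones the page lists; the AWS range document is a constructed sample in the
shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
"""
import ipaddress
import json

# Destination blocks from the page's flowchart.
UMN_RFC1918 = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UMN_PUBLIC = [ipaddress.ip_network(n) for n in
              ("128.101.0.0/16", "131.212.0.0/16", "134.84.0.0/16",
               "146.57.0.0/16", "160.94.0.0/16")]

# Vault source ranges on the AWS Tunnel route (10.75.8.0/24 is the DR cluster).
TUNNEL_SOURCES = ["10.74.8.0/24", "10.75.8.0/24"]

# Constructed sample; prefixes are RFC 5737 documentation ranges, not real AWS space.
SAMPLE_AWS_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-2", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-2", "service": "S3"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def route_for(dest):
    """Return the egress path and destination class for one IP address."""
    addr = ipaddress.ip_address(dest)
    if any(addr in net for net in UMN_RFC1918):
        return {"route": "AWS Tunnel", "dest_class": "UMN RFC1918 IP Space",
                "ticket_required": True}
    if any(addr in net for net in UMN_PUBLIC):
        return {"route": "Public Internet", "dest_class": "UMN Owned Public IP Space",
                "ticket_required": False}
    return {"route": "Public Internet", "dest_class": "Public IP Space",
            "ticket_required": False}


def aws_prefixes(ip_ranges_json, region="us-east-2"):
    """Extract the distinct prefixes AWS publishes for one region.

    The AMAZON service entry is the superset, so filtering on it avoids the
    duplicates that per-service entries (EC2, S3, ...) would add.
    """
    doc = json.loads(ip_ranges_json)
    return sorted({p["ip_prefix"] for p in doc["prefixes"]
                   if p["region"] == region and p["service"] == "AMAZON"})


def required_sources(dest, ip_ranges_json):
    """Source CIDRs the destination's firewall must allow for Vault to reach it."""
    if route_for(dest)["route"] == "AWS Tunnel":
        return list(TUNNEL_SOURCES)
    return aws_prefixes(ip_ranges_json)


def missing_from_allowlist(allowed_cidrs, required_cidrs):
    """Return the required CIDRs not fully covered by any allowed CIDR."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    missing = []
    for req in required_cidrs:
        net = ipaddress.ip_network(req)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            missing.append(req)
    return missing


if __name__ == "__main__":
    for dest in ("10.20.30.40", "128.101.5.5", "8.8.8.8"):
        print(dest, route_for(dest), required_sources(dest, SAMPLE_AWS_RANGES))
    # A rule that allows only 10.74.8.0/24 leaves the DR cluster range uncovered.
    print(missing_from_allowlist(["10.74.8.0/24"], TUNNEL_SOURCES))
```

Run against the real ip-ranges.json, `aws_prefixes` returns the full us-east-2 allowlist; the length of that list is a concrete way to show a resource owner why a private endpoint is the better option. `missing_from_allowlist` is the check to run against a firewall export before opening the secrets-team ticket, so that the DR range is not forgotten.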