Skip to main content
In this guide, you’ll learn how to:
  • Create and peer an HCP Virtual Network with your AWS VPC
  • Deploy a managed Consul cluster on HCP
  • Download client configuration and CA certificates
  • Join an EC2 instance as a Consul client
  • Verify cluster membership and use the Consul KV store

1. Access the HCP Dashboard

Log in to the HashiCorp Cloud Platform to get started. From the Overview page, you can create managed Consul or Vault clusters.
Consul is GA and available at a low hourly rate for development environments. Vault remains in beta.
The image shows a dashboard interface for HashiCorp Cloud Platform, featuring options to create Consul and Vault clusters, a cost summary, tutorials, and support contact information.

2. Review Your HCP Virtual Network

Before you deploy Consul, navigate to HashiCorp Virtual Network to confirm your network details. In this example:
  • Region: us-west-2
  • CIDR block: 172.25.16.0/20
The image shows a HashiCorp Virtual Network interface displaying network details such as the network ID, cloud provider (AWS), region (us-west-2), status (stable), and CIDR block. The sidebar includes options for resources, Consul, Vault, Terraform, and settings.

3. Peer Your AWS VPC

Under Peerings, review existing connections between your AWS VPC and the HCP Virtual Network:
The image shows a HashiCorp Virtual Network interface displaying peering connections, with one active connection listed, including details like destination VPC, region, and CIDR block.
To add a new peering:
  1. Click Create peer and connection
  2. Enter your AWS Account ID, VPC ID, region, and CIDR block
  3. Submit the request
The image shows a web interface for creating a peering connection between an Amazon VPC and a HashiCorp Virtual Network, with fields for AWS Account ID, VPC ID, VPC region, and VPC CIDR block. The interface includes options to create or cancel the connection.
Then, accept the peering in the AWS console and update your VPC route table to send traffic for 172.25.16.0/20 to the new connection.
Refer to the AWS VPC Peering documentation when updating route tables.

4. Create a Managed Consul Cluster

With peering in place, navigate to Consul » Create cluster and configure:
  • Cluster ID: A unique name for your cluster
  • Virtual Network: Select your HCP VNet
  • Tier & Region: Choose the development tier and target region
  • Public Connectivity: Enable if you need public API access
  • Consul Version: Pick the desired version
The image shows a web interface for creating a Consul cluster on the HashiCorp Cloud Platform, with options for setting a cluster ID, selecting a virtual network, and choosing a consul tier.
Click Create cluster. Provisioning usually completes in 5–10 minutes.

5. Explore the Cluster Management Interface

After provisioning, open the cluster dashboard to:
  • Generate ACL tokens
  • Download client configuration
  • Take snapshots or delete the cluster
The image shows a web interface for managing a Consul cluster, with options for configuration, generating tokens, and accessing documentation. The sidebar includes navigation links for resources like HashiCorp Virtual Network, Vault, and Terraform.
Under the Cluster tab, view details such as ID, creation date, status, and network assignment:
The image shows a HashiCorp Cloud Platform interface displaying details of a Consul cluster, including its ID, creation date, status, and assigned network. The cluster is running and is part of the development tier.

6. Download Client Configuration

Click Download client configuration to obtain two files:
FileDescription
config.jsonConsul client agent settings
ca.pemCertificate Authority (CA)
Save both files to use on your EC2 instance.

6.1 Inspect config.json

Open the file to review settings for ACLs, gossip encryption, datacenter, and retry join: 
{
  "acl": {
    "enabled": true,
    "down_policy": "async-cache",
    "default_policy": "deny"
  },
  "ca_file": "./ca.pem",
  "verify_incoming": true,
  "verify_outgoing": true,
  "datacenter": "dc1",
  "encrypt": "q0b43cBhvsbORfN0Qc=",
  "encrypt_verify_incoming": true,
  "encrypt_verify_outgoing": true,
  "server": false,
  "ui": true,
  "retry_join": [
    "consul-cluster.private.consul.11eb0f4c-5d68-49bf-8aa6-0242ac110005.aws.hashicorp.cloud"
  ],
  "auto_encrypt": {
    "tls": true
  }
}

6.2 Inject the Agent ACL Token

  1. In the HCP console, click Generate token under ACL.
  2. Copy the Agent Token.
  3. Update config.json to include the token:
{
  "acl": {
    "enabled": true,
    "down_policy": "async-cache",
    "default_policy": "deny",
    "tokens": {
      "agent": "b05a5a39-3885-7712-9bcd-c582c7b92dfb"
    }
  },
  "ca_file": "/etc/consul.d/ca.pem",
  "verify_incoming": true,
  "verify_outgoing": true,
  "datacenter": "dc1",
  "encrypt": "q0b43cBhvsbORfN0Qc=",
  "encrypt_verify_incoming": true,
  "encrypt_verify_outgoing": true,
  "server": false,
  "ui": true,
  "retry_join": [
    "consul-cluster.private.consul.11eb0f4c-5d68-49bf-8aa6-0242ac110005.aws.hashicorp.cloud"
  ],
  "auto_encrypt": {
    "tls": true
  }
}

7. Prepare Your EC2 Instance

On your EC2 host, install Consul and then configure the client:
TaskCommand
Create config directorysudo mkdir -p /etc/consul.d
Upload config.jsonsudo tee /etc/consul.d/config.json > /dev/null <<EOF ... EOF
Upload CA certificate ca.pemsudo tee /etc/consul.d/ca.pem > /dev/null <<EOF ... EOF
Enable & start Consul servicesudo systemctl enable consul && sudo systemctl start consul
Set CLI authentication tokenexport CONSUL_HTTP_TOKEN="b05a5a39-3885-7712-9bcd-c582c7b92dfb"
Verify cluster membershipconsul members
Test KV storeconsul kv put app/Bryan Woods
If you encounter errors about invalid ACL keys, ensure tokens (not token) is under the "acl" section and that boolean keys (encrypt_verify_incoming, etc.) match the HCP-generated config.

8. Validate Membership & Interact with KV

After starting the Consul agent and exporting the token, run: 
consul members
You should see HCP-managed server nodes along with your EC2 client. Then test the KV store: 
consul kv put app/Bryan Woods
This confirms your EC2 instance is successfully connected to your HCP Consul cluster.

Watch Video