Managing HashiCorp Vault and securely restricting access to internal users

It doesn’t appear that HashiCorp Vault offers a managed solution and as a result, I will have to roll my own. This is subjective but how are you managing secure access to your internal users?

  1. Are you creating DNS e.g. vault.domain.com and restricting access to this through VPN?
  2. Are you creating DNS e.g. vault.domain.com and restricting access to this via IP range?

I’m looking for suggestions on securing the vault stack and ensuring that a handful of users can log in and create secrets as needed.

Context: https://www.vaultproject.io/

I’m in the same situation in fact.

Did you know that some authentication engines can be configured to allow/deny access based on CIDR? See e.g. https://www.vaultproject.io/docs/concepts/tokens#cidr-bound-tokens.

In my case because of integration with an external SaaS product the cluster needs to be accessible online. As a load balancer will be in front of the Vault cluster I was thinking of putting several ACLs on the load balancer. E.g. /ui endpoint only accessible from certain ranges. I hope the other backends can be protected like that too.

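To make the two layers from the reply above concrete, here is an added example (not code from this thread or from Vault) that models a load balancer ACL on /ui plus a CIDR-bound token, and walks constructed requests through both. The INTERNAL ranges, the load balancer address and the request values are all made up; the xff_trusted flag stands in for whether Vault's tcp listener has x_forwarded_for_authorized_addrs set, so that Vault evaluates the real client address instead of the load balancer's own.

```python
from ipaddress import ip_address, ip_network

# Constructed values: internal VPN/office ranges and the load balancer's own address.
INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]
LB_ADDR = "10.1.2.3"


def in_any(ip, cidrs):
    """True if ip falls inside any of the given CIDR strings."""
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in cidrs)


def lb_allows(path, client_ip):
    """Load balancer ACL: the /ui prefix is internal-only; API paths are passed
    through because the external SaaS integration needs them."""
    if path.startswith("/ui"):
        return in_any(client_ip, INTERNAL)
    return True


def token_allows(bound_cidrs, client_ip):
    """Vault's CIDR-bound token rule: a token with no bound CIDRs is unrestricted,
    otherwise the address Vault sees must fall inside one of them."""
    return not bound_cidrs or in_any(client_ip, bound_cidrs)


def evaluate(path, client_ip, bound_cidrs, xff_trusted):
    """Walk a request through both layers and report where it is stopped.
    xff_trusted models whether Vault trusts X-Forwarded-For from the load
    balancer; if not, Vault checks the CIDR against LB_ADDR, not the client."""
    if not lb_allows(path, client_ip):
        return "denied at load balancer"
    seen_ip = client_ip if xff_trusted else LB_ADDR
    if not token_allows(bound_cidrs, seen_ip):
        return "denied by token CIDR binding"
    return "allowed"


if __name__ == "__main__":
    bound = ["10.0.0.0/8"]  # constructed binding for an internal-only token
    for req in [("/ui/", "203.0.113.5", [], True),
                ("/v1/secret/data/app", "203.0.113.5", bound, True),
                # binding silently bypassed: Vault only ever sees LB_ADDR
                ("/v1/secret/data/app", "203.0.113.5", bound, False),
                ("/v1/secret/data/app", "10.20.30.40", bound, True)]:
        print(req[:2], "->", evaluate(*req))
```

The third request is the case to watch for: with the load balancer in front, a CIDR binding only means something once Vault is told which proxy addresses to trust for the client IP.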

Thank you! I wasn’t aware of the CIDR option but that’s good to know. I’ve been reading through the documentation.