diff --git a/cookbooks/vault/setup.rb b/cookbooks/vault/setup.rb
index 39d71a4..222d87d 100644
--- a/cookbooks/vault/setup.rb
+++ b/cookbooks/vault/setup.rb
@@ -38,3 +38,18 @@ remote_file '/etc/logrotate.d/vault' do
 group 'root'
 mode '644'
 end
+
+
+%w(8200 8201).each do |port|
+ execute "ufw allow #{port}" do
+ user 'root'
+
+ not_if "LANG=c ufw status | grep #{port}"
+
+ notifies :run, 'execute[ufw reload-or-enable]'
+ end
+end
+
+service 'vault' do
+ action [:enable, :start]
+end
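Review bot: The `ufw allow #{port}` rule in the `%w(8200 8201)` loop opens both ports to every source address, and to UDP as well as TCP. 8201 is Vault's cluster port and normally only needs to be reachable from the other Vault nodes, so I would scope the rule, e.g. `execute "ufw allow from #{vault_peer_cidr} to any port #{port} proto tcp"`, where `vault_peer_cidr` is a placeholder for a node attribute this recipe does not define yet. The `not_if` guard is also too loose: `grep #{port}` matches any status line containing those digits, including a `DENY` rule or a port such as 18200, and the allow is then silently skipped. Something like `not_if "LANG=C ufw status | grep -qE '^#{port}/tcp +ALLOW'"` ties the guard to the rule actually being added. `execute[ufw reload-or-enable]` is not defined in this hunk, so I assume it is declared elsewhere in the cookbook.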