I have a quick question.
In the documentation for using Consul as the storage backend for Vault, the description of the consul parameter ‘address’ reads: “It is recommended that you communicate with a local Consul agent; do not communicate directly with a server.”
I was wondering why this is recommended instead of just connecting to the Kubernetes service for the Consul servers? We have a HA setup of the Consul servers so I don’t see any direct reason related to availability.
Thanks in advance!
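For reference, here is what the two options look like in Vault's storage stanza. This is an added illustration, not configuration from the original post or from the Vault/Consul documentation; the Kubernetes service name, the Consul data directory and the ACL token value are assumptions made up for the example.

```hcl
# Vault server configuration (vault.hcl).
# Documented recommendation: talk to a Consul agent running on the same host
# (or in the same pod), which forwards requests to the server cluster.
storage "consul" {
  address = "127.0.0.1:8500"   # local Consul client agent
  path    = "vault/"           # key prefix in the Consul KV store
  token   = "REPLACE-WITH-ACL-TOKEN"  # hypothetical ACL token scoped to the "vault/" prefix
}

# The alternative the question asks about: pointing Vault straight at the
# Kubernetes service in front of the Consul servers. Hypothetical service name.
# storage "consul" {
#   address = "consul-server.consul.svc.cluster.local:8500"
#   path    = "vault/"
# }

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1   # example only; enable TLS in any real deployment
}
```

The local agent in the first form is an ordinary Consul client agent (`server = false`, `retry_join` pointing at the server addresses, `client_addr = "127.0.0.1"` so only processes on that host can reach its HTTP API); it joins the cluster over gossip and forwards KV requests to the current leader. A quick check that Vault is talking to a healthy agent that sees a leader is `curl http://127.0.0.1:8500/v1/status/leader` from the Vault host, which should return the leader's address rather than an empty string.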
This isn’t the official answer, I actually don’t know the official answer, but to me Consul is all about short latency and distribution of function. Agents are in charge of registering, answering and caching; servers are in charge of Raft and keeping the HA functionality. It makes sense to me.
My guess (only a guess), is that Vault becomes quite upset if access to the storage fails, and a local Consul agent can manage failover between Consul servers better than a typical network load balancer can.
For example, a local Consul agent, I believe, will buffer and retry the request, whereas HTTP load balancers usually do not.