Connect Vault to Consul server service instead of local Consul client


I have a quick question.

In the documentation for using Consul as the storage backend for Vault, the description of the Consul parameter ‘address’ reads: “It is recommended that you communicate with a local Consul agent; do not communicate directly with a server.”

I was wondering why this is recommended instead of just connecting to the Kubernetes service for the Consul servers. We have an HA setup of the Consul servers, so I don’t see any direct reason related to availability.

Thanks in advance!

This isn’t the official answer (I actually don’t know the official answer), but to me Consul is all about short latency and distribution of function. Agents are in charge of registering, answering and caching; servers are in charge of “raft” and keeping the HA functionality. It makes sense to me.

My guess (only a guess) is that Vault becomes quite upset if access to the storage fails, and a local Consul agent can manage failover between Consul servers better than a typical network load balancer can.

For example, a local Consul agent, I believe, will buffer and retry the request, whereas HTTP load balancers usually do not.
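For reference, here is what the two choices discussed in the question and the replies look like in a Vault server configuration. This is an added example, not code from the original thread or from HashiCorp: the `storage "consul"` stanza and its `address`, `path`, `scheme` and `token` parameters are the real ones from the Vault Consul storage backend, and `127.0.0.1:8500` is that backend's default address. The Kubernetes service name `consul-server.consul.svc.cluster.local`, the `HOST_IP` placeholder and the token value are assumptions for illustration only.

```hcl
# Added example, not from the original thread.
# Recommended form: talk to the Consul client agent on the same host.
# 127.0.0.1:8500 is the Consul storage backend's default address.
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
  scheme  = "http"
  # ACL token scoped to the vault/ KV prefix (value is a placeholder).
  token   = "REPLACE-WITH-VAULT-KV-TOKEN"
}

# On Kubernetes, where the Consul client agents run as a DaemonSet, the
# "local" agent is reached through the node's host IP rather than loopback.
# HOST_IP is an assumed placeholder you would substitute at start-up from
# the pod's status.hostIP field; Vault itself does not expand it.
#
# storage "consul" {
#   address = "HOST_IP:8500"
#   path    = "vault/"
# }

# Form the question asks about: point Vault straight at the server Service.
# Assumed service name. This works, but it bypasses the local agent's
# caching and its own handling of server failover, and every request now
# depends on kube-proxy / the Service VIP rather than on a process on the
# same node. This is the arrangement the documentation advises against.
#
# storage "consul" {
#   address = "consul-server.consul.svc.cluster.local:8500"
#   path    = "vault/"
# }

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = true   # for the example only; use TLS in practice
}
```

A quick check before relying on the first form: `consul members` run against the agent at that address lists it with Type `client`, and `curl http://127.0.0.1:8500/v1/agent/self` returns `"Server": false` under `Config`. If either says server, Vault is talking to a Consul server directly, whichever hostname you configured.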