Exposing Vault servers in AKS to other AKS clusters securely

I have deployed an HA Vault cluster on top of 3x Consul servers in AKS.

Both Vault and Consul has TLS configured. Consul also has GossipEncrytpion enabled and ACLs.

I want to expose the Vault servers to agent sidecar injectors in different AKS clusters in a secure manner.

Ideally I would like to use an internal L4 LB for this to avoid exposing the cluster externally.

I have also contemplated mesh connectivity using Consul’s terminating / mesh gateways, but this would create an external IP, and complicate TLS.

Currently, I am unable to see any documentation related to HC Vault’s sites with regards to this type of connectivity setup (AKS with internal LB at L4 to expose Vault for agent injectors in other AKS clusters).

AFAIK, Vault agent injectors also have their own TLS configuration. In my mind, it makes the most sense to use Vault server TLS certificates and configure the agent injectors deployed in the external AKS cluster to point to the internal L4 LB given that there’s vNet peering between the clusters. Yet, I can immediately see this will introduce a range of LB rules to manage (internal LB appears to route via external LB for the AKS cluster). Any advice here would be greatly appreciated.

It should be noted I am using Helm.