How to run Vault without NAT / outbound?

I’ve been using the GitHub repository hashicorp/terraform-aws-vault (A Terraform Module for how to run Vault on AWS using Terraform and Packer) as a basis for my Vault deployment with Consul, an S3 backend, and KMS auto unseal. Amazing stuff!

Since it resides in its own VPC, the cost of the NAT gateway does make up a fair chunk of my AWS bill, and it’s pretty unnecessary for the most part.

What would I have to do to operate without any outbound access? I tried it, but found an initial deployment failed at the point when I tried to unseal or ensure consul was functional.

Thank you for any ideas!

It really depends on what is making use of the NAT gateway (check your flow logs for full details). If it is just calls to AWS services then you could look to use PrivateLink/VPC Endpoints. Note that there is a charge for those too.
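One way to do the flow-log check suggested above, as an added example that is not part of this thread: it aggregates accepted flows that leave the VPC by destination address and port, which is the list of candidates for VPC endpoints. The VPC CIDR and the flow log records are constructed for illustration.

```python
"""Summarise which external destinations the Vault/Consul instances reach
through the NAT gateway, from AWS VPC Flow Log records (default format).

Added example: the VPC CIDR, the sample records and the addresses in them
are constructed for illustration, not taken from a real deployment.
"""
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: one instance (10.0.1.10) talking to two
# external HTTPS endpoints, in-VPC Consul gossip on 8301 (must be ignored
# because it never touches the NAT gateway), and one rejected flow.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 52.216.10.5 45012 443 6 12 8400 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 52.94.200.7 45013 443 6 6 2100 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 8301 8301 17 40 3200 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 52.216.10.5 45014 443 6 9 6000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.9 45015 80 6 3 300 1600000000 1600000060 REJECT OK
"""

def parse_record(line):
    """Map one space-separated flow log line onto the default field names."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # skip NODATA/SKIPDATA or truncated lines
    return dict(zip(FIELDS, parts))

def external_destinations(log_text, vpc_cidr):
    """Return {(dstaddr, dstport): bytes} for accepted flows leaving the VPC.

    Flows whose destination is inside vpc_cidr stay on the VPC network and
    never use the NAT gateway, so they are dropped from the summary.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src in vpc and dst not in vpc:
            totals[(rec["dstaddr"], int(rec["dstport"]))] += int(rec["bytes"])
    return dict(totals)

if __name__ == "__main__":
    summary = external_destinations(SAMPLE_LOG, "10.0.0.0/16")
    for (addr, port), nbytes in sorted(summary.items(), key=lambda kv: -kv[1]):
        print(f"{addr}:{port}\t{nbytes} bytes")
```

Resolving the addresses that dominate the output against the published AWS IP ranges tells you whether an S3 gateway endpoint or a KMS interface endpoint would absorb that traffic.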

Thanks @stuart-c. Maybe as an experiment it wouldn’t pay off, hard to say at this stage.