Query about HA clustering

Query about HA clustering:

For configuration, I have configured the listener tcp:

  • Enable TLS,
  • tls_cert_file
  • tls_key_file.

There are two port 8200 and 8201:

  1. Does the cluster_addr on port 8201 and api_addr on port 8200 use the same tls_cert_file and tls_key_file?

  2. How does the Request Forwarding work? When the request hits the standby vault, how does the request forwarding to master 8200? How does it work with the cluster_addr? Any details?

  3. I want to get some suggestion about how to secure the cluster_addr port 8201. FYI, in our case, the cluster_addr has to be exposed to external network, I have a tcp ELB in front of it. Can someone give me some suggestion?

Nope - https://www.vaultproject.io/docs/concepts/ha.html#server-to-server-communication

8201 should not be exposed. It is for intra-cluster traffic. 8200 is where your clients will see Vault’s API.

Thanks Mike,

We have a very special situation. We are deploying vaults into k8s cluster, in each cluster there are clients to call the vault API internally.

But there are multiple k8s clusters, while we have only a single vault master, in order for the vaults in multiple clusters talk each other, we have to expose the 8201. Currently we tested that is a way working for us.

I am looking for some doc about the security for the cross-cluster traffic, and not find things specific, so it comes to my questions:

  1. How is the default security situation for intra-cluster traffic (for example, if mtls is already enabled, we will not bother it),
  2. And how to secure the traffic if needed?

While reading the link you pasted, for Server-to-Server Communication, it is protected using the MTLS using on-the-fly genearted private key and self-signed cert, that seems prefect! Does this Server-to-Server communication cover the cluster traffic I am referring? It is not clear to me.

Thanks, I think I got the current cross cluster traffic situation.
I read Nick gave some replies at vault google group several months ago, around June this year under this link:

https://groups.google.com/forum/?utm_source=digest&utm_medium=email#!searchin/vault-tool/Securing$20cluster$20communication$20on$20port$208201|sort:date/vault-tool/X4HZyD_Tfx8/o0cDQo8RBgAJ

I’d like to see a picture of the layout of the K8s pods and Vault clusters to be sure, but I think no matter where you place the Vault instances within a cluster, as long as they chat across 8201 you will get the benefit of MTLS for the cluster traffic.
This also is for cluster to cluster traffic if you’re using a performance replica cluster, for example.

I don’t know of a document off hand that explains this in more detail than the earlier doc link. But in general, you won’t need to worry about the traffic within the cluster instances talking to each other for replication and redirect purposes - its secured automatically.
I think if you had an audit team, they’d possibly sniff the traffic to see its encrypted as verification.