Replacing Consul Backend with Raft

Hi all,

Recent Vault releases include a new Raft storage backend, which supports HA deployments and is officially supported by HashiCorp.

Is it time to change the reference architecture to use this backend as the preferred one for clustered deployments? My understanding is that we can achieve the same benefits of the Consul-backed deployment without the extra burden of an additional cluster to deploy and manage.

Is there a scenario where a Consul-backed deployment would still be a better choice?

I think this is a great question. It’s something I’ve been wondering about myself since it was announced. I think it really depends on multiple factors, and the specific implementation per environment.

I think I would prefer to use Consul as my backend if my Vault nodes were running as containers. Or maybe they are VMs, and you use Consul to automate the clustering capability for Vault.

I would probably want to use the Vault internal backend if my Vault nodes were longer-running VMs that were static and locked down and needed to ensure no other architecture dependencies. This reduces any impacts to Consul and keeps Vault separate from everything else as a security concern.

Hi, @mylesw42. Thanks for your answer!

That’s exactly what I was thinking: When would I want something different than that - at least for production environments?

As I was discussing recently with people looking forward to adopting Vault, one should not underestimate how critical Vault becomes to your infrastructure once you’ve started using it, so one should take all steps to create a very, very stable environment.

Anything short of that risks creating availability issues that are even more critical to an organization than the security issues Vault tries to solve.

Please note that I’m not advocating against using Consul as backend (or any other, btw). I’m just wondering whether Raft should be the new reference now that we have this option, unless there’s a very good reason not to do so.

Raft isn’t fully ready for production yet. In 1.2 it was released as a technical preview. This is subject to change but I believe the current plan is it will beta in 1.3 and be fully out in 1.4.

Well, now this IS a good reason for not using Raft ;^)

There’s no mention of that in the official docs, apart from a quick mention in the 1.2.0 beta changelog notes.

Thanks for pointing that out.

@psevestre Thanks for highlighting the docs omission. A PR to update this has been submitted: https://github.com/hashicorp/vault/pull/7478/files