Service check keeps failing when registering external service in Consul

I have a Vault cluster on my network (backed by internal storage) which I want to register as external service in Consul.

I’ve read

and the required payload in the examples always seems a bit different. I was able to register the service, but the service health check is failing (I also don’t see any service check output in the Consul UI). Am I missing something?

curl -X PUT -d '{
    "Node": "vault1",
    "Address": "10.1.20.21",
    "Service": {
        "ID": "vault1",
        "Service": "vault"
    },
    "Check": {
        "Definition": {
            "HTTP": "http://10.1.20.21:8200/v1/sys/health",
            "Interval": "10s",
            "Timeout": "2s"
        },
        "Name": "Vault health check",
        "ServiceID": "vault1"
    }
}' http://localhost:8500/v1/catalog/register

I’ve verified that the health check is indeed working:

curl -sS http://10.1.20.21:8200/v1/sys/health | jq
{
  "initialized": true,
  "sealed": false,
  "standby": false,
  "performance_standby": false,
  "replication_performance_mode": "disabled",
  "replication_dr_mode": "disabled",
  "server_time_utc": 1620650997,
  "version": "1.7.1",
  "cluster_name": "vault",
  "cluster_id": "6096700b-ca9e-6bbb-9f0c-8588b4d5f7b9"
}

Hi @fhemberger.

You will have to use Consul-ESM for active HealthCheck for external nodes and services.

The link you shared itself mentions this: Register external services with Consul service discovery | Consul | HashiCorp Developer.

Because Consul monitoring requires that a Consul agent be running on the monitored service, health checks are not performed on external services. To enable health monitoring for external services, use Consul External Service Monitor (ESM).

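To make the answer concrete: the `Check.Definition` in the original `catalog/register` payload is only stored in the catalog; nothing executes it until a local Consul agent or Consul-ESM runs the HTTP probe and maps the result to a check status. The script below, added here as an illustration and not code from the thread, Consul, or Vault, performs that evaluation the way a Consul HTTP check does (any 2xx is passing, 429 is warning, anything else critical) against Vault's `/v1/sys/health` status codes. The sample responses are constructed, and the Vault status-code meanings (200 active, 429 standby, 472 DR secondary, 473 performance standby, 501 not initialized, 503 sealed) are assumed from Vault's documented defaults.

```python
"""Evaluate Vault /v1/sys/health responses with Consul HTTP-check semantics.

Added example (not from the thread, Consul or Vault). It shows what a Consul
agent or Consul-ESM does when it actually runs the check that the
catalog/register payload in the question only *describes*.
"""
import json
import urllib.error
import urllib.request

# Assumed from Vault's documented default status codes for /v1/sys/health.
VAULT_STATUS_MEANING = {
    200: "initialized, unsealed, active",
    429: "unsealed, standby",
    472: "disaster-recovery secondary, active",
    473: "performance standby",
    501: "not initialized",
    503: "sealed",
}


def consul_status_for_http(code: int) -> str:
    """Consul HTTP check rule: 2xx => passing, 429 => warning, else critical."""
    if 200 <= code <= 299:
        return "passing"
    if code == 429:
        return "warning"
    return "critical"


def evaluate_vault_health(code: int, body: str) -> dict:
    """Turn one probe result (status code + body) into a Consul-style check result."""
    status = consul_status_for_http(code)
    try:
        payload = json.loads(body) if body else {}
    except ValueError:
        payload = {}  # non-JSON body: still judged by status code alone
    meaning = VAULT_STATUS_MEANING.get(code, "unexpected status")
    # "Output" is what you would expect to see in the Consul UI once a check runs.
    output = (
        f"HTTP {code} ({meaning}); "
        f"initialized={payload.get('initialized')} "
        f"sealed={payload.get('sealed')} standby={payload.get('standby')}"
    )
    return {"status": status, "output": output, "code": code}


def fetch_vault_health(url: str, timeout: float = 2.0) -> tuple:
    """Live probe (not used by the offline samples). urllib raises HTTPError for
    non-2xx codes, so those are caught and returned as a normal result; the
    2s timeout mirrors the "Timeout": "2s" in the original check definition."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample responses, one per interesting Vault state (not real output).
SAMPLE_RESPONSES = [
    (200, json.dumps({"initialized": True, "sealed": False, "standby": False})),
    (429, json.dumps({"initialized": True, "sealed": False, "standby": True})),
    (503, json.dumps({"initialized": True, "sealed": True, "standby": False})),
    (501, json.dumps({"initialized": False, "sealed": True, "standby": False})),
    (500, "<html>internal error</html>"),  # non-JSON body edge case
]


def evaluate_samples() -> list:
    """Check status Consul would record for each constructed sample."""
    return [evaluate_vault_health(code, body)["status"] for code, body in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for (code, body), status in zip(SAMPLE_RESPONSES, evaluate_samples()):
        print(f"{code} -> {status}: {evaluate_vault_health(code, body)['output']}")
```

Note that a standby Vault node answers 429 and therefore shows up as `warning`, not `critical`, which is usually what you want for service discovery: only the active node is `passing`, so a query like `vault.service.consul` resolves to it. A sealed node (503) goes `critical` and drops out of DNS results. None of this happens, though, until an agent or ESM performs the probe; with only the catalog registration the check stays at whatever status it was created with.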

Hi @Ranjandas,

thanks, I overlooked the part about ESM.
I really wanted to avoid deploying yet another service. :weary:

Running a Consul client agent alongside Vault should be pretty lightweight, I believe, and you would get better integration out of the box, right?

Yes, but this will become a chicken-and-egg situation in my setup:

I’m using Vault to create and manage TLS certificates for the Consul cluster. So while it’s okay for me that Consul depends on Vault, I don’t want to have a backwards-pointing dependency between Vault and Consul.

I also thought about deploying Vault with a Consul backend (both on the same machines) and using it only for storage and registering Vault as a service. But linking those two Consul clusters just for sharing the Vault service is similarly complex.