Using the database secret engine in Vault with Consul Connect

Hi,

I’m trying to follow the tutorial on integrating Vault and Nomad. In this step, it mentions configuring the Postgres instance with the database engine in Vault. I have two questions here:

  1. This only works when Vault can directly reach the Postgres instance (whether it was deployed by Nomad or not), right?
  2. How can I use Consul Connect to tunnel traffic from Vault to the database (which I deploy using Nomad)? Do I need to start a proxy service on the Vault server for every database server I want to manage using Vault?

Thanks for any pointers here!