I am reading through here and having a hard time understanding how to properly set up a Load Balancer in front of Vault in AWS. As per the documentation, do I have to set client_addr to point to the AWS Load Balancer DNS?
The thing is that I want to create a Lambda function that will use the Vault API to complete some task. The DNS interface is unavailable in this scenario, so I decided to create a private hosted name and an internal load balancer for this purpose. But I find it hard to understand the complications and the proper configuration. As per here, I could not identify any non-standard configs, but they still do not recommend using it.
Have you seen the Vault Reference Architecture? I also did a webinar once on best practices using Terraform and Vault together here that is rather lengthy, but does show some examples of how to quickly use Terraform to spin up a best practices AWS cluster, which might also help.
Hello Becca,
Thank you for your reply. I phrased my question wrongly, apologies. I do not have a hard time setting up the cluster or the Load Balancer; I have a hard time configuring it and understanding what potential drawbacks and errors might appear.
So, I have a Lambda application that does not run either a Vault or a Consul client (and it can't), so the Consul DNS interface is not an option.
Lambda talks to an AWS ALB that is attached to the Vault cluster. Since July 2018, ALB supports redirects, but I could not find which rules are proper to set up, or whether the default will work.
I want to use forwarding instead of redirect, but the documentation says that if forwarding fails, it will fall back to redirect. I still find it confusing under what circumstances it will fall back.
As per the configuration here, to enable forwarding all I need is to set up one listener for Vault; the rest will be propagated, and forwarding is enabled by default.
I understand that AWS ALB is not Vault related, but nowadays in serverless apps it is good to know if anyone has encountered this and how they configured it. What worries me most is under what circumstances Vault can stop forwarding and start redirecting.
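An added example, not code from this thread or from HashiCorp, showing the client side of the fallback the post above asks about. A standby node normally forwards a request to the active node over the cluster port; when it cannot, it answers 307 with a Location header pointing at the active node's api_addr. A client that follows that redirect silently hides the fact that the load balancer has stopped shielding the active node, so this one records every hop and refuses to follow more than a fixed budget. The hostnames, token and secret payload are constructed for the offline run.

```python
"""
Client-side handling of Vault's redirect fallback.

Added example, not from the original posts or from HashiCorp.  A standby
node that cannot forward to the active node answers 307 with a Location
header carrying the active node's api_addr plus the request path.  The
client below makes that visible instead of following it silently.
"""
import http.client
import json
import ssl
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# transport(method, url, headers, body) -> (status, lowercase headers, body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]],
                     Tuple[int, Dict[str, str], bytes]]


class VaultRedirected(Exception):
    """Raised when the redirect budget is exhausted; carries the Location seen."""

    def __init__(self, location: str):
        super().__init__(f"Vault redirected to {location}")
        self.location = location


def https_transport(method: str, url: str, headers: Dict[str, str],
                    body: Optional[bytes]) -> Tuple[int, Dict[str, str], bytes]:
    """Real transport.  http.client never follows redirects, so a 307 stays visible."""
    u = urlsplit(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443,
                                       context=ssl.create_default_context())
    try:
        conn.request(method, u.path + (f"?{u.query}" if u.query else ""),
                     body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read()
    finally:
        conn.close()


def vault_request(transport: Transport, base_url: str, method: str, path: str,
                  token: str, body: Optional[dict] = None,
                  max_redirects: int = 1) -> Tuple[int, dict, List[str]]:
    """Send one API call; return (status, parsed JSON body, URLs actually hit)."""
    headers = {"X-Vault-Token": token, "X-Vault-Request": "true",
               "Content-Type": "application/json"}
    payload = json.dumps(body).encode() if body is not None else None
    url = base_url.rstrip("/") + path
    hops: List[str] = []
    for _ in range(max_redirects + 1):
        hops.append(url)
        status, resp_headers, data = transport(method, url, headers, payload)
        if status != 307:
            parsed = json.loads(data) if data else {}
            return status, parsed, hops
        # Standby could not forward: Location is the active node's api_addr + path.
        url = resp_headers.get("location", "")
        if not url:
            raise VaultRedirected("<no Location header>")
    raise VaultRedirected(url)


# --- constructed transport for an offline run; not real Vault responses ---
ALB = "https://vault.internal.example"            # assumed internal ALB name
ACTIVE = "https://vault-1.internal.example:8200"  # assumed api_addr of the active node
SECRET = {"data": {"data": {"db_password": "constructed-value"}}}


def fake_transport(method, url, headers, body):
    if url.startswith(ALB):
        # The node the ALB picked is a standby that fell back to redirecting.
        return 307, {"location": ACTIVE + url[len(ALB):]}, b""
    if url.startswith(ACTIVE):
        return 200, {"content-type": "application/json"}, json.dumps(SECRET).encode()
    return 404, {}, b'{"errors":["no such host"]}'


def demo() -> Tuple[int, dict, List[str]]:
    return vault_request(fake_transport, ALB, "GET", "/v1/secret/data/app",
                         "s.constructed-token")


if __name__ == "__main__":
    status, doc, hops = demo()
    print(status, hops)
```

For a Lambda this matters because the Location points at the active node's api_addr, not at the ALB: if that address is not reachable from the function's VPC, the call fails on the second hop, and the hop list is what tells you that forwarding was not used.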
Hi! I would point you to someone, but the question is more of an AWS implementation-specific one, rather than one regarding core Vault functionality. A great place to try asking might be in the Vault forum. It receives a lot of traffic from folks using Vault in many different ways, and may have people who’ve gone down a similar path.
@tyrannosaurus-becks I am interested to know under what circumstances internal forwarding can fail and use client redirect as a fallback. What are the most common cases?
What @jbayer said.
In case you’re going to set up a DR, I’d recommend setting up two targets, 443->{any node} and 8200 & 8201->{active node}, so that you can connect to the active node.
You can use /sys/health (HTTP API | Vault by HashiCorp) to monitor which node is the active node.
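An added example, not code from this thread or from HashiCorp, of how the /sys/health status codes can drive the two target groups suggested above. Vault encodes a node's role in the status code of GET /v1/sys/health, so one endpoint can feed both an "active node only" group (accept 200) and an "any serving node" group (accept 200, 429 and 473). The node addresses and status codes in the sample are constructed; the health-check field names mirror the Terraform aws_lb_target_group health_check block.

```python
"""
Sort Vault nodes into ALB target groups from GET /v1/sys/health.

Added example, not from the original posts or from HashiCorp.  Default
status codes of /sys/health (no query parameters) are listed below; the
sample cluster at the bottom is made up.
"""
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List

HEALTH_PATH = "/v1/sys/health"

# Default status codes of GET /v1/sys/health.
HEALTH_CODES: Dict[int, str] = {
    200: "active",
    429: "standby",
    472: "dr-secondary",
    473: "performance-standby",
    501: "uninitialized",
    503: "sealed",
}

# Roles that can take client traffic: the active node directly, standbys by
# forwarding to the active node (or by 307 redirect when forwarding is off).
SERVING_ROLES = {"active", "standby", "performance-standby"}

# Health-check settings for the two target groups.  Key names (path/matcher)
# follow the aws_lb_target_group health_check block; an ALB matcher may list
# several codes, which avoids putting ?standbyok=true on the check path.
TARGET_GROUP_HEALTH_CHECKS = {
    "vault-active": {"path": HEALTH_PATH, "matcher": "200"},
    "vault-any":    {"path": HEALTH_PATH, "matcher": "200,429,473"},
}


def classify(status: int) -> str:
    return HEALTH_CODES.get(status, "unknown")


def http_status(url: str, timeout: float = 2.0) -> int:
    """Real probe.  urllib raises HTTPError for 4xx/5xx; its code is what we want."""
    req = urllib.request.Request(url, headers={"X-Vault-Request": "true"})
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as r:
            return r.getcode()
    except urllib.error.HTTPError as e:
        return e.code


def probe(nodes: Iterable[str],
          status_of: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Map each node base URL to its role; unreachable nodes are marked as such."""
    roles: Dict[str, str] = {}
    for base in nodes:
        try:
            roles[base] = classify(status_of(base + HEALTH_PATH))
        except OSError:  # URLError, timeouts, refused connections
            roles[base] = "unreachable"
    return roles


def active_targets(roles: Dict[str, str]) -> List[str]:
    """Members of the 8200/8201 -> active node target group."""
    return sorted(n for n, r in roles.items() if r == "active")


def any_node_targets(roles: Dict[str, str]) -> List[str]:
    """Members of the 443 -> any node target group."""
    return sorted(n for n, r in roles.items() if r in SERVING_ROLES)


# Constructed sample cluster; addresses and codes are not from a real deployment.
SAMPLE_STATUSES = {
    "https://vault-1.internal.example:8200": 200,
    "https://vault-2.internal.example:8200": 429,
    "https://vault-3.internal.example:8200": 473,
    "https://vault-4.internal.example:8200": 503,
    "https://vault-5.internal.example:8200": 501,
}


def sample_status(url: str) -> int:
    return SAMPLE_STATUSES[url[: -len(HEALTH_PATH)]]


def demo() -> Dict[str, str]:
    return probe(SAMPLE_STATUSES, sample_status)


if __name__ == "__main__":
    roles = demo()
    print("active:", active_targets(roles))
    print("any   :", any_node_targets(roles))
```

With ALB health checks configured this way the active group empties during a failover until the new leader answers 200, while the any-node group keeps serving through standbys, which is the behaviour the two-target layout above relies on.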
I have an AWS ALB in front of Vault. It was pointed to the vault service in the ingress. After I updated the ingress to point at the service that points to the active pod, the errors went away.