Vault OSS HA Cluster


I’m new to HashiCorp Vault and need some guidance.

At the moment, I’m looking into Vault OSS and have managed to configure/execute the below successfully:

Via the Vault CLI or a Java-based client application, I’m able to successfully connect to Vault, authenticate and read/write secrets.
FYI, since it’s a single Vault OSS server, I specify the URL for the Java client application to look into.
example: VAULT_URL=

Now, I’m venturing into an HA cluster and have a minimum of 3 nodes on 2 different machines. Via the Vault CLI, I followed the above commands to connect, authenticate, read/write secrets. As expected, I do see secrets replicated on all 3 nodes.
• Machine A – Node 1
• Machine A – Node 2
• Machine B – Node 3

The question is:
What Vault URL address would I need to specify for the Java client application to connect to? Should I specify all 3 URLs, in case the machine where the Vault server node runs is down, and have logic in the Java application layer to move on to the next URL in case of failure?

Appreciate the help!!


Vault doesn’t really provide an “in box” answer to this - it is assumed that you will do one of:

  • Use DNS-based service discovery, e.g. Consul, so that one host name rapidly changes to point to appropriate nodes during an outage
  • Use a load-balancer device, which proxies requests to a suitable node
  • Or, yes, you could write each client application to select a working node from a set of URLs, though this is generally not preferred, as it moves more complexity and configuration to every client.
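
The third option above (client-side selection from a set of URLs) can lean on Vault's unauthenticated `/v1/sys/health` endpoint, which by default answers 200 on the active node, 429 on an unsealed standby and 503 on a sealed node. A Java sketch of that selection, added here as an illustration and not code from this thread; the node host names and the simulated responses are constructed.

```java
import java.net.URI;
import java.net.http.*;
import java.time.Duration;
import java.util.*;
import java.util.function.ToIntFunction;

public class VaultActiveNode {
    // Default /v1/sys/health status codes relevant to an OSS cluster.
    static String describe(int status) {
        switch (status) {
            case 200: return "active";
            case 429: return "unsealed standby";
            case 501: return "not initialized";
            case 503: return "sealed";
            default:  return "unreachable or unexpected (" + status + ")";
        }
    }
    // Live probe: HTTP status, or -1 on timeout, connection or TLS failure.
    // TLS verification stays on; trust the cluster CA through the JVM trust store.
    static int httpProbe(String baseUrl) {
        HttpClient client = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();
        HttpRequest req = HttpRequest.newBuilder(URI.create(baseUrl + "/v1/sys/health"))
                .timeout(Duration.ofSeconds(2)).GET().build();
        try {
            return client.send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
        } catch (Exception e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            return -1;
        }
    }
    // Walk the configured nodes in order and return the first one reporting "active".
    static Optional<String> pickActive(List<String> nodes, ToIntFunction<String> probe) {
        for (String node : nodes) {
            int status = probe.applyAsInt(node);
            System.out.println(node + " -> " + describe(status));
            if (status == 200) return Optional.of(node);
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed node names and responses so the example runs offline;
        // against a real cluster pass VaultActiveNode::httpProbe as the probe.
        List<String> nodes = List.of("https://vault-node1.example:8200",
                "https://vault-node2.example:8200", "https://vault-node3.example:8200");
        Map<String, Integer> simulated = Map.of(nodes.get(0), -1, nodes.get(1), 429, nodes.get(2), 200);
        System.out.println("Use: " + pickActive(nodes, simulated::get).orElse("none, fail closed"));
    }
}
```

Every client carrying this logic also carries the node list and the CA trust configuration, which is the per-client complexity the bullet above warns about.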

Agree with @maxb – there isn’t a “golden path” here except for the one that includes Consul. If one is only using Vault, that’s some large baggage to carry down the road.

The key concept, I feel, is “service discovery”. Vault has service registration configuration options for Kubernetes and Consul, so if you use those, you will be able to use DNS in the client to look up active.vault.service.consul (in the case of Consul), and you will be returned the active endpoint, if it moves around.

Thank you all for your suggestions.


I have set up a cluster of 3 Vault nodes on distributed machines with an LB in front of it. My client is accessing the cluster via the load balancer (nginx):

Client connects to

Configurations are:
VaultNode1 ( Machine A):

VaultNode2 (Machine A):

VaultNode3 (Machine B):

Nginx conf:

I have read the Vault documentation, including some online materials on setting up an HA cluster behind an LB. However, I’m a bit lost in the details at the moment and not quite sure if my configurations are accurate. I would greatly appreciate confirmation in regard to the configuration.

Thank you again.