Hi All,
I am currently working on a cluster of 3 Vault servers (with 5 Consul servers as backend) and trying to find the best approach for accessing the Vault UI. I have read that HashiCorp does not advise the use of a load balancer for this. There’s also the option of using Consul service discovery, but I have little knowledge of this matter. Could you kindly give your suggestions or direct me to the best approach? Thanks!
Hi there!
> I have read that Hashicorp does not advice in the use of Load balancer for this.

I wonder where this has been advised?
It is actually mentioned in the docs how to set up Vault in case there is a LB in front of a Vault cluster: High Availability | Vault | HashiCorp Developer
Cheers,
Michel
Well, it's definitely not a guide on “how to setup Vault in case there is a LB”; it is more about bringing awareness of what can go wrong.
For instance, if internal forwarding breaks for some reason and your LB is not configured to handle 307, or the LB is not configurable, then your request will fail.
@Dimbu-Afonso, the article says that having the load balancer address in api_addr is not the recommended way due to complicated configuration and possible loops, but it's not that they do not recommend it.
We use a load balancer in front of Vault, and haven’t had any issues. Just make sure your certificate files for Vault have both your load balancer DNS name and your server names. Then you can hit each server or the LB and not have to worry about the cert message.
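
The certificate check described in the last reply, as an added example that is not part of the original thread: it verifies that a Vault listener certificate covers both the load balancer name and every node name. All hostnames are constructed placeholders, the helper names `check_cert_names` and `make_demo_cert` are hypothetical, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/usr/bin/env bash
# Constructed placeholder names: substitute your LB DNS name and Vault node names.
LB_NAME="vault.example.internal"
NODE_NAMES="vault-1.example.internal vault-2.example.internal vault-3.example.internal"

# check_cert_names CERT NAME...
# Prints "MISSING: <name>" for every name the certificate's SANs do not cover.
# Returns 0 only when all names are covered.
check_cert_names() {
  cert="$1"; shift
  missing=0
  for name in "$@"; do
    # -checkhost prints "does match" or "does NOT match"; the exit code is not reliable.
    if ! openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null \
         | grep -q "does match"; then
      echo "MISSING: $name"
      missing=1
    fi
  done
  return "$missing"
}

# make_demo_cert OUTFILE SAN_LIST
# Creates a throwaway self-signed certificate (key discarded) for the demo only.
make_demo_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout /dev/null -out "$1" -days 1 -subj "/CN=vault-demo" \
    -addext "subjectAltName=$2" 2>/dev/null
}

demo_dir=$(mktemp -d)
NODE_SANS="DNS:vault-1.example.internal,DNS:vault-2.example.internal,DNS:vault-3.example.internal"

# Certificate issued for the nodes only: clients going through the LB get a name mismatch.
make_demo_cert "$demo_dir/nodes-only.pem" "$NODE_SANS"
check_cert_names "$demo_dir/nodes-only.pem" $LB_NAME $NODE_NAMES \
  || echo "nodes-only.pem: does not cover every access path"

# Certificate that also lists the LB name: valid via the LB and via each node directly.
make_demo_cert "$demo_dir/with-lb.pem" "DNS:$LB_NAME,$NODE_SANS"
check_cert_names "$demo_dir/with-lb.pem" $LB_NAME $NODE_NAMES \
  && echo "with-lb.pem: covers the LB and all nodes"

rm -rf "$demo_dir"
```

To check a real deployment, call `check_cert_names` on the certificate file each Vault listener serves, passing the LB name plus that node's own name.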