There’s a long list here and I’m not sure which one to choose.
Consul would be top of mind, as it's a HashiCorp product and there are synergies with Vault. However, one should use decision criteria to choose the most suitable one. Below are some key considerations:
- Using Vault Enterprise?
  - Consul is officially supported and tested by HashiCorp. Remaining backends are mostly Community supported with the exception of In-Memory and Filesystem.
  - Vault Enterprise replication: Use a transactional backend for replication. Vault Replication Internals documentation states:
    “Using replication requires a storage backend that supports transactional updates, such as Consul.”
- Load balancing approach:
  - Clients may be using a load balancer to reach Vault as documented in Reference Architecture; this approach will work with any backend.
  - When using Consul, Vault clients can also look up endpoints via Consul’s DNS or Catalog API interface, such as performance-standby.vault.service.consul and so on (host names may vary based on configuration). These names are auto-registered by Consul. Applications can benefit from Consul service discovery using this approach.
- High Availability (HA): When using Vault in production, choose a backend that supports HA capability. Note that databases such as MSSQL and MySQL may themselves support HA, but when used as a Vault backend, HA for Vault is not supported.
- Platform: As an example, if deploying Vault on AWS, then Consul, S3, DynamoDB, MySQL etc. are all valid candidates. When running on-prem, choices with HA may be more limited: Etcd, Consul, MySQL etc.
- Scale: Ensure that the backend can be operated so that it scales in both capacity and performance.