What is the recommended storage backend for Vault?

There’s a long list here and I’m not sure which one to choose.

Consul would be top of mind as it’s a HashiCorp product and there are synergies with Vault. However, one should use decision criteria to choose the most suitable one. Below are some key considerations:

  • Using Vault Enterprise?
    • Consul is officially supported and tested by HashiCorp. Remaining backends are mostly Community supported with the exception of In-Memory and Filesystem.
    • Vault Enterprise replication: Use a transactional backend for replication. Vault Replication Internals documentation states:

“Using replication requires a storage backend that supports transactional updates, such as Consul.”

  • Load balancing approach:
    • Clients may be using a load balancer to reach Vault as documented in Reference Architecture; this approach will work with any backend.
    • When using Consul, Vault clients can also look up endpoints via Consul’s DNS or Catalog API interface such as: active.vault.service.consul, performance-standby.vault.service.consul and so on (host names may vary based on configuration). These names are auto-registered by Consul. Applications can benefit from Consul service discovery using this approach.
  • High Availability (HA): when using Vault in production, choose a backend that supports HA capability. Note that databases such as MSSQL and MySQL may themselves support HA, but when used as a Vault backend, HA for Vault is not supported.
  • Platform: As an example, if deploying Vault on AWS, then Consul, S3, DynamoDB, MySQL etc. are all valid candidates. When running on-prem, choices with HA may be more limited: Etcd, Consul, MySQL etc.
  • Scale: Ensure that the backend can be operationalized to ensure scaling in capacity and performance.
3 Likes
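
The Catalog-based lookup mentioned in the answer above, as an added example that is not part of the original post or HashiCorp's code: it picks the active and performance-standby Vault endpoints from a Consul health API response. The service name `vault` and the tags follow the DNS names in the post; the response body, addresses, port and `https` scheme are constructed assumptions.

```python
# Constructed sample shaped like Consul's GET /v1/health/service/vault response.
SAMPLE = [
    {"Node": {"Node": "vault-0", "Address": "10.0.0.11"},
     "Service": {"Service": "vault", "Tags": ["active"], "Address": "", "Port": 8200},
     "Checks": [{"Status": "passing"}]},
    {"Node": {"Node": "vault-1", "Address": "10.0.0.12"},
     "Service": {"Service": "vault", "Tags": ["performance-standby"],
                 "Address": "10.0.0.12", "Port": 8200},
     "Checks": [{"Status": "passing"}]},
    {"Node": {"Node": "vault-2", "Address": "10.0.0.13"},
     "Service": {"Service": "vault", "Tags": ["performance-standby"],
                 "Address": "10.0.0.13", "Port": 8200},
     "Checks": [{"Status": "critical"}]},
]


def is_passing(entry):
    """True only if every health check on the entry is passing."""
    return all(c.get("Status") == "passing" for c in entry.get("Checks", []))


def endpoints_by_tag(entries, tag, scheme="https"):
    """Return URLs of healthy Vault instances carrying the given Consul tag."""
    urls = []
    for entry in entries:
        svc = entry["Service"]
        if tag not in (svc.get("Tags") or []) or not is_passing(entry):
            continue
        # An empty Service.Address means the service uses the node's address.
        host = svc.get("Address") or entry["Node"]["Address"]
        urls.append(f"{scheme}://{host}:{svc['Port']}")
    return urls


def active_endpoint(entries):
    """Return the single active node; refuse to guess if there is not exactly one."""
    active = endpoints_by_tag(entries, "active")
    if len(active) != 1:
        raise LookupError(f"expected one active Vault node, found {len(active)}")
    return active[0]


if __name__ == "__main__":
    print("active:", active_endpoint(SAMPLE))
    print("performance standbys:", endpoints_by_tag(SAMPLE, "performance-standby"))
```
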

In my opinion - the recommended choice is whatever you’ve proven to perform best and with the most reliance and resilience for your given use-case and available resources. The reference architecture @kawsark has linked with Consul is pretty typical - Raft can also be a good option. For a complete list see: docs/configuration/storage as well.

Now that Raft Storage is available which would be better for High Availability? Consul or Raft?

I could not find a definitive answer as both seem to be documented as deployment patterns. I am assuming Consul was preferred before Raft came along. Both are supported by HashiCorp, but are there some use cases where Consul is more suited than Raft?

2 Likes

IMO, Raft is the best choice, but this decision will always depend on your use cases. Here’s a table comparing both: https://developer.hashicorp.com/vault/docs/configuration/storage#integrated-storage-vs-consul-as-vault-storage