While deploying Vault with Consul as the HA backend, it is recommended to use a local Consul agent instead of talking directly to the Consul server.
We are deploying Vault in Kubernetes. What is the benefit of using Consul agents in the pod? Can Vault talk directly to the Consul servers?
3 Likes
I’ve also been trying to find the answer to the same question.
I would like to see a confirmation; however, I assume that it's because if you configure the Consul server in Vault directly, you can only configure one Consul server. If that server goes offline, Vault cannot fall back on another Consul server. Instead it will just fail.
The local Consul client does have this capability.
Again, I would love it if someone could confirm or deny this assumption.
That assumption is correct. I remember checking this with HashiCorp support a while back. Local Consul client agents on the Vault servers will communicate with the Consul server cluster for registering health checks, service discovery, and cluster HA failover coordination.
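The layout discussed in this thread, sketched as an added example (not configuration from any poster or from HashiCorp): Vault's `storage "consul"` stanza takes a single `address`, so it points at the agent on localhost, and the agent's `retry_join` carries the list of servers. The hostnames, datacenter name and paths are constructed placeholders, and both files are shown in one block for comparison.

```hcl
# ---- vault.hcl (Vault server) ----
# Vault talks only to the Consul client agent running beside it
# (same host, or a sidecar container in the same pod).
storage "consul" {
  address = "127.0.0.1:8500" # local agent, not a Consul server
  path    = "vault/"         # KV prefix Vault stores its data under
}

# For contrast, the direct form the thread asks about. The stanza accepts
# one address, so Vault depends on that single server being reachable:
#
# storage "consul" {
#   address = "consul-server-0.example.internal:8500"
#   path    = "vault/"
# }

# ---- consul-client.hcl (Consul agent next to Vault) ----
# A client agent (server = false) that joins the server cluster.
server     = false
datacenter = "dc1"          # placeholder datacenter name
data_dir   = "/consul/data" # placeholder path

# The agent, not Vault, holds the list of servers and keeps retrying
# the join until one of them answers.
retry_join = [
  "consul-server-0.example.internal",
  "consul-server-1.example.internal",
  "consul-server-2.example.internal",
]

# Keep the agent's HTTP API on loopback so only co-located processes
# such as Vault can reach it.
client_addr = "127.0.0.1"
```

With this split, losing one Consul server changes nothing in `vault.hcl`; the agent keeps its membership of the remaining servers and Vault continues to use `127.0.0.1:8500`.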