Set up performance replication
Enterprise feature
This tutorial covers Performance Replication, a Vault Enterprise feature that requires a Vault Enterprise Premium license.
Scaling your Vault cluster to meet performance demands is critical to ensure workloads operate efficiently. Vault Enterprise and HCP Vault Dedicated support multi-region deployments so you can replicate data to regional Vault clusters to support local workloads.
Vault Enterprise offers two types of replication - disaster recovery and performance replication. If you are unfamiliar with Vault replication concepts, please review the Vault enterprise replication documentation.
Challenge
Your organization runs workloads in different regions. When operating a Vault cluster in a single region you observed increased latency from remote workloads causing delays and performance issues.
Solution
Vault Enterprise Performance Replication replicates data to Vault clusters in other regions allowing workloads in those regions to authenticate and consume Vault with reduced latency compared to accessing a Vault over long distances.
Vault performance replication starts with a primary cluster, and replicates to one or more secondary clusters. Unlike disaster recovery replication, secondary clusters maintain their own tokens and leases while sharing the Vault configuration from the primary cluster.
Prerequisites
This intermediate tutorial assumes that you have some knowledge of working with Vault and Docker.
You will need the following resources to complete the tutorial's hands-on scenario:
- A Vault Enterprise license
- Vault Enterprise binary installed on your
PATH
for CLI operations. - Docker installed.
Lab setup
Create a working directory to store files used in this tutorial.
Switch to the new directory. All steps in this tutorial should be run from this directory.
Create directories for the Vault configuration an integrated storage data for each cluster.
Create an environment variable with your Vault Enterprise license.
Example:
Create a Docker network to use for this tutorial. This network is created to replicate two Vault clusters with network connectivity between them.
Start primary cluster
Create a configuration file for the primary cluster.
Start the primary cluster.
Example output:
Verify the primary cluster container has started.
Initialize the primary cluster and write the unseal keys to a file.
Writing the unseal key to a file is used to simplify the tutorial steps. For production clusters, the unseal keys must be kept secure.
Export an environment variable with the primary clusters unseal key.
The unseal key is printed to ensure the value was properly set. If no key is returned, verify the key is present in the
.init
file.Export an environment variable with the primary clusters root token.
The root token is printed to ensure the value was properly set. If no token is returned, verify the key is present in the
.init
file.Unseal the primary cluster.
Example output:
The
Sealed
status is nowfalse
, the cluster is unsealed and ready to be configured.Export an environment variable with the address of the primary cluster.
Start secondary cluster
Create a configuration file for the primary cluster.
Start the secondary cluster.
Example output:
Verify the secondary cluster container has started.
Initialize the secondary cluster and write the unseal keys to a file.
Export an environment variable with the secondary clusters unseal key.
Export an environment variable with the secondary clusters root token.
Unseal the secondary cluster.
Example output:
The
Sealed
status is nowfalse
, the cluster is unsealed and ready to be configured.Export an environment variable with the address of the secondary cluster.
Configure the primary cluster
Before enabling performance replication, create a superpolicy
policy and enable
userpass auth method with superuser
user on the primary cluster.
Log into the primary cluster.
Create create a
superpolicy
policy.Example output:
Enable the
userpass
auth method.Create a new user named
superuser
in userpass and attach thesuperpolicy
policy.Enable the
k/v
secrets engine namedreplicatedkv
.When you configure performance replication, Vault will replicate this mount to the secondary cluster.
Enable the
k/v
secrets engine namedlocalkv
, and mark the secret engine as local.When you configure performance replication, this mount is not replicated to the secondary cluster because you marked as local only using the
-local
flag.Enable performance replication on the primary cluster.
Create a secondary bootstrap token on the primary cluster and store the token as a variable. The token value will be returned as part of the tutorial to ensure the command completed successfully.
The value for
id
is opaque to Vault and can be any identifying value you want. You can use theid
to revoke the secondary. You can see the `id when you read the replication status on the primary. You will get back a wrapped response, except that the token will be a JWT instead of UUID-formatted random bytes.
Configure the secondary cluster
Log into the secondary cluster.
Activate a secondary using the token generated on the primary cluster.
Warning
This command will destroy all existing data stored on the secondary cluster.
The secondary will use the address embedded in the bootstrap token, which is the primary's redirect address to make a connection to the primary. If the primary has no redirect address (for instance, if it's not in an HA cluster), you'll need to set the
primary_api_addr
parameter to specify the primary's API address at secondary enable time.Once the secondary is activated and has bootstrapped, it will be ready for service and will maintain state with the primary. It is safe to seal/shutdown the primary and/or secondary; when both are available again, they will synchronize back into a replicated state.
Authenticate to the secondary cluster using the
userpass
auth method you previously enabled on the primary cluster. EntervaultMagic
when prompted for the password.On a production system, after a secondary is activated, enabled auth methods should be used to get tokens with appropriate policies, as policies and auth method configuration are replicated.
Verify the replication status.
The replication status shows this is a
secondary
cluster and the address of theprimaries
.List the enabled secrets engines.
The
replicatedkv
secret engine, which you enabled on the primary cluster is replicated to the secondary cluster.The
localkv
secret engine is not available on the secondary because you marked it as a local only mount using the-local
flag.
Manage replicated mounts
There are many regional data sovereignty requirements that must be taken into consideration when using replication. Consider a scenario where secrets stored on the primary cluster need to remain in the region where the cluster operates.
Path filters allow you to control which mounts are replicated across clusters and physical regions. With a path filter you can select which mounts will be replicated as part of a performance replication relationship.
By default, all non-local mounts and associated data are moved as part of replication. The paths filter feature enables users restrict which mounts are replicated, thereby allowing users to further control the movement of secrets across their infrastructure.
Path filters are also applied to mounts that have already been replicated. In
this tutorial the replicatedkv
secret engine was replicated from the primary
cluster to the secondary.
You have just been given a new requirement that states the replicatedkv
secret
engine must now stay only on the primary cluster. You can add a path filter
which will remove the replicated mount from the secondary.
Log back in to the primary cluster.
Add a path filter to deny the
replicatedkv
secret engine from being replicated.Example output:
The ID
secondary
at the end of the path must match the ID used when configuring performance replication on the primary cluster.Log back in to the secondary cluster. Enter
vaultMagic
when prompted for the password.List the secret engines.
The
replicatedkv
secret engine is no longer available on the secondary cluster.
Considerations for performance replication
Vault's performance replication model is intended to allow horizontally scaling Vault's functions rather than to act in a strict Disaster Recovery (DR) capacity.
As a result, Vault performance replication acts on static items within Vault, meaning information that is not part of Vault's lease-tracking system. In a practical sense, this means that all Vault information is replicated from the primary to secondaries except for tokens and secret leases.
Because token information must be checked and possibly rewritten with each use (e.g. to decrement its use count), replicated tokens would require every call to be forwarded to the primary, decreasing rather than increasing total Vault throughput.
Secret leases are tracked independently for two reasons: one, because every such lease is tied to a token and tokens are local to each cluster; and two, because tracking large numbers of leases is memory-intensive and tracking all leases in a replicated fashion could dramatically increase the memory requirements across all Vault nodes.
We believe that this performance replication model provides significant utility for horizontally scaling Vault's functionality. However, it does mean that certain principles must be kept in mind.
Always use the local cluster
First and foremost, when designing systems to take advantage of replicated Vault, you must ensure that they always use the same Vault cluster for all operations, as only that cluster will know about the client's Vault token.
Enabling a secondary wipes storage
Replication relies on having a shared keyring between primary and secondaries and also relies on having a shared understanding of the data store state. As a result, when replication is enabled, all of the secondary's existing storage will be wiped. This is irrevocable. Make a backup first if there is a remote chance you'll need some of this data at some future point.
Generally, activating as a secondary will be the first thing that is done upon setting up a new cluster for replication.
Replicated vs. local backend mounts
All backend mounts (of all types) that can be enabled within Vault default to being mounted as a replicated mount. This means that mounts cannot be enabled on a secondary, and mounts enabled on the primary will replicate to secondaries.
Mounts can also be marked local (via the -local
flag on the Vault CLI or
setting the local
parameter to true
in the API). This can only be performed
at mount time; if a mount is local but should have been replicated, or vice
versa, you must disable the backend and mount a new instance at that path with
the local flag enabled. If you cannot start a new instance of a mount, you can
use a path filter to deny replication to one or more secondaries.
Local mounts do not propagate data from the primary to secondaries, and local mounts on secondaries do not have their data removed during the syncing process. The exception is during initial bootstrapping of a secondary from a state where replication is disabled; all data, including local mounts, is deleted at this time (as the encryption keys will have changed so data in local mounts would be unable to be read).
Audit devices
In normal Vault usage, if Vault has at least one audit device configured and is unable to successfully log to at least one device, it will block further requests.
Replicated audit mounts must be able to successfully log on all replicated clusters. For example, if using the file audit device, the configured path must be able to be written to by all secondaries. It may be useful to use at least one local audit mount on each cluster to prevent such a scenario.
Never have two primaries
The replication model is not designed for active-active usage and enabling two primaries should never be done, as it can lead to data loss if they or their secondaries are ever reconnected.
Disaster recovery
Local backend mounts are not replicated and their use will require existing DR mechanisms if DR is necessary in your implementation.
If you need true DR, review the Disaster recovery replication tutorial.
Clean up
Stop the Vault Enterprise containers.
Delete the Docker network created for this tutorial.
Delete the temporary directory created for this tutorial.
Unset environment variables created for this tutorial (or close the terminal).