Preflight Checklist - Migrating to Integrated Storage

  • 6 min
  • Products used: Vault

NOTE: The purpose of this tutorial is NOT to walk you through the storage migration steps. This guide provides a quick self-check to help you decide whether it is in your best interest to migrate Vault's storage from an external system to the integrated storage.

»Who should read this guide?

You should read this guide if you are currently running a Vault environment that uses an external system such as HashiCorp Consul to persist Vault's encrypted data, and you are considering migrating to Vault's integrated storage.

The integrated storage is an additional storage option introduced in Vault 1.4, not a requirement. Vault continues to support the external storage backends it supports today (e.g. Consul).

»Topics covered

  • Understand the architectural differences
  • Consul vs. Integrated Storage
    • System requirements comparison
    • Performance considerations
    • Inspect Vault data
    • Summary
  • Self-check questions

»Understand the architectural differences

It is important to understand the differences between a Vault cluster with an external storage backend and a cluster using the integrated storage.

»Reference architecture with Consul

The recommended number of Vault instances is 3 per cluster, connecting to a Consul cluster of 5 or more nodes as shown in the diagram below (a total of 8 virtual machines to host a Vault HA environment).

Reference Diagram

The processing requirements depend on the encryption and messaging workloads. Memory requirements depend on the total size of secrets held in memory. The Vault server itself has minimal storage requirements, but the Consul nodes should have a relatively high-performance disk system.

»Reference architecture with integrated storage

The recommended number of Vault instances is 5 in a cluster. In a single HA cluster, all Vault nodes share the data while the active node holds the lock; therefore, only the active node has write access. To achieve n-2 redundancy (meaning that the cluster can still function after losing 2 nodes), the ideal size for a Vault HA cluster is 5 nodes.
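
The n-2 figure follows from Raft's majority rule, which Vault's integrated storage uses for leader election and commits: a write is committed only after a majority of voting nodes acknowledge it, so a cluster of n nodes survives the loss of n minus that majority. The helper below is an added example, not part of the HashiCorp tutorial; it generalizes the 5-node case to any cluster size and shows why an even node count buys no extra tolerance. Only the cluster sizes passed in are assumptions.

```python
"""Raft quorum and fault-tolerance calculator for Vault integrated storage sizing.

Added example, not part of the HashiCorp tutorial. It applies the standard
Raft majority rule (quorum = floor(n / 2) + 1) that Vault's integrated storage
relies on; only the cluster sizes passed in are assumptions.
"""
from typing import List, Tuple


def raft_quorum(nodes: int) -> int:
    """Smallest number of voting nodes that forms a majority of the cluster."""
    if nodes < 1:
        raise ValueError("a cluster needs at least one voting node")
    return nodes // 2 + 1


def raft_fault_tolerance(nodes: int) -> int:
    """Voting nodes that can be lost while the remaining nodes still hold quorum."""
    return nodes - raft_quorum(nodes)


def minimum_cluster_size(tolerated_failures: int) -> int:
    """Smallest cluster that survives the given number of simultaneous node losses.

    Inverts the majority rule: 2f + 1 nodes are needed to tolerate f failures,
    which is why n-2 redundancy calls for a 5-node cluster.
    """
    if tolerated_failures < 0:
        raise ValueError("tolerated failures cannot be negative")
    return 2 * tolerated_failures + 1


def sizing_table(max_nodes: int = 7) -> List[Tuple[int, int, int]]:
    """(nodes, quorum, tolerated failures) for every cluster size up to max_nodes."""
    return [(n, raft_quorum(n), raft_fault_tolerance(n)) for n in range(1, max_nodes + 1)]


if __name__ == "__main__":
    # Print the sizing table so the 3-node vs 5-node trade-off is visible at a glance.
    print(f"{'nodes':>5} {'quorum':>6} {'failures tolerated':>18}")
    for n, quorum, tolerated in sizing_table():
        print(f"{n:>5} {quorum:>6} {tolerated:>18}")
```

The same arithmetic applies to the Consul cluster in the external-storage architecture, since Consul's servers also replicate with Raft: 3 nodes tolerate 1 loss, 5 tolerate 2, and adding a 4th or 6th node raises the quorum without raising the tolerated failures.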

NOTE: Refer to the Integrated Storage documentation.

Reference Diagram Details

Because the data is persisted on the same host, the Vault server should run on a relatively high-performance disk system.

»Consul vs. Integrated Storage

The integrated storage eliminates the need for external storage; therefore, Vault is the only software you need to stand up a cluster. This means the host machine must have disk capacity equal to or greater than that of the existing external storage backend.

»System requirements comparison

The fundamental difference between Vault's integrated storage and Consul is that the integrated storage stores everything on disk, while Consul KV stores everything in memory, which impacts the host's RAM.

»Machine sizes for Vault - Consul as its storage backend

It is recommended to avoid hosting Consul on an instance with burstable CPU.

| Size  | CPU      | Memory       | Disk  | Typical Cloud Instance Types |
|-------|----------|--------------|-------|------------------------------|
| Small | 2 core   | 4-8 GB RAM   | 25 GB | AWS: m5.large; Azure: Standard_D2_v3; GCE: n1-standard-2, n1-standard-4 |
| Large | 4-8 core | 16-32 GB RAM | 50 GB | AWS: m5.xlarge, m5.2xlarge; Azure: Standard_D4_v3, Standard_D8_v3; GCE: n1-standard-8, n1-standard-16 |

»Machine sizes for Vault with integrated storage

| Size  | CPU      | Memory       | Disk   | Typical Cloud Instance Types |
|-------|----------|--------------|--------|------------------------------|
| Small | 2 core   | 8-16 GB RAM  | 100 GB | AWS: m5.large, m5.xlarge; Azure: Standard_D2_v3, Standard_D4_v3; GCE: n2-standard-2, n2-standard-4 |
| Large | 4-8 core | 32-64 GB RAM | 200 GB | AWS: m5.2xlarge, m5.4xlarge; Azure: Standard_D8_v3, Standard_D16_v3; GCE: n2-standard-8, n2-standard-16 |

If many secrets are generated or rotated frequently, this data must be flushed to disk often. Therefore, the infrastructure should have a relatively high-performance disk system when using the integrated storage.

NOTE: Vault's integrated storage is disk-bound; therefore, care should be taken when planning storage volume size and performance. For cloud providers, IOPS can be dependent on volume size and/or provisioned IOPS. It is recommended to provision IOPS and avoid burstable IOPS. Monitoring of IOPS performance should be implemented in order to tune the storage volume to the IOPS load.

»Performance considerations

Because Consul KV is memory-bound, it is necessary to take snapshots frequently. Vault's integrated storage, however, persists everything on disk, which eliminates the need for such frequent snapshot operations; take snapshots to back up the data so that you can restore it in case of data loss. This reduces the performance cost introduced by frequent snapshot operations.

When considering disk performance, since Vault data changes are written to disk immediately rather than in batched snapshots as Consul does, it is important to monitor IOPS as well as disk queues to limit storage bottlenecks.
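
The IOPS and disk-queue monitoring this paragraph and the sizing note call for can be prototyped against the Linux /proc/diskstats counters: two samples a known interval apart give the device's IOPS, the fraction of time it was busy, and the number of requests still queued. The script below is an added example, not part of the HashiCorp tutorial. The two samples, the device names, the 3000 provisioned IOPS budget, the 80% headroom and the queue-depth threshold are constructed assumptions; the field positions are those documented for /proc/diskstats.

```python
"""Disk I/O pressure check for a Vault integrated-storage data volume.

Added example, not part of the HashiCorp tutorial. It reads two samples in the
Linux /proc/diskstats format taken a known interval apart and derives IOPS,
device utilization and queue depth, then compares them with the volume's
provisioned IOPS. The samples, device names, 3000 provisioned IOPS, 80%
headroom and queue-depth threshold below are constructed assumptions.
"""
from typing import Dict, List, NamedTuple

# 0-based field positions after splitting a /proc/diskstats line
# (see Documentation/admin-guide/iostats.rst in the Linux kernel tree).
F_DEVICE, F_READS, F_WRITES, F_IN_PROGRESS, F_MS_BUSY = 2, 3, 7, 11, 12

QUEUE_DEPTH_WARN = 8  # constructed threshold: outstanding I/Os at sample time


class DiskCounters(NamedTuple):
    reads: int        # reads completed (cumulative)
    writes: int       # writes completed (cumulative)
    in_progress: int  # I/Os in flight when sampled (not cumulative)
    ms_busy: int      # milliseconds the device spent doing I/O (cumulative)


class IoReport(NamedTuple):
    iops: float
    utilization: float  # fraction of the interval the device was busy
    queue_depth: int
    warnings: List[str]


def parse_diskstats(text: str) -> Dict[str, DiskCounters]:
    """Map device name -> counters; skips blank or truncated lines."""
    stats: Dict[str, DiskCounters] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 14:
            continue
        stats[fields[F_DEVICE]] = DiskCounters(
            reads=int(fields[F_READS]),
            writes=int(fields[F_WRITES]),
            in_progress=int(fields[F_IN_PROGRESS]),
            ms_busy=int(fields[F_MS_BUSY]),
        )
    return stats


def assess_device(before: DiskCounters, after: DiskCounters, interval_s: float,
                  provisioned_iops: int, headroom: float = 0.8) -> IoReport:
    """Derive rates from two cumulative samples and flag pressure against the budget."""
    ops = (after.reads - before.reads) + (after.writes - before.writes)
    iops = ops / interval_s
    utilization = (after.ms_busy - before.ms_busy) / (interval_s * 1000.0)
    warnings: List[str] = []
    if iops > headroom * provisioned_iops:
        warnings.append(f"{iops:.0f} IOPS exceeds {headroom:.0%} of the provisioned {provisioned_iops}")
    if utilization > headroom:
        warnings.append(f"device busy {utilization:.0%} of the interval")
    if after.in_progress > QUEUE_DEPTH_WARN:
        warnings.append(f"{after.in_progress} I/Os queued at sample time")
    return IoReport(iops, min(utilization, 1.0), after.in_progress, warnings)


# Constructed samples one second apart: nvme0n1 is a lightly used root disk,
# nvme1n1 a busy Vault data volume. Columns follow /proc/diskstats (14 fields).
SAMPLE_BEFORE = """\
259 0 nvme0n1 5000 10 400000 3000 20000 50 1600000 60000 0 40000 63000
259 1 nvme1n1 120000 300 4800000 90000 880000 1200 70400000 2400000 0 1500000 2490000
"""
SAMPLE_AFTER = """\
259 0 nvme0n1 5010 10 400080 3004 20050 50 1604000 60080 0 40020 63084
259 1 nvme1n1 120400 300 4816000 90300 882300 1200 70584000 2406000 12 1500900 2496300
"""


def check_constructed_samples(provisioned_iops: int = 3000,
                              interval_s: float = 1.0) -> Dict[str, IoReport]:
    """Run the assessment over the constructed samples, one report per device."""
    before = parse_diskstats(SAMPLE_BEFORE)
    after = parse_diskstats(SAMPLE_AFTER)
    return {dev: assess_device(before[dev], after[dev], interval_s, provisioned_iops)
            for dev in after if dev in before}


if __name__ == "__main__":
    for dev, report in check_constructed_samples().items():
        status = "WARN" if report.warnings else "ok"
        print(f"{dev}: {report.iops:.0f} IOPS, {report.utilization:.0%} busy, "
              f"queue {report.queue_depth} [{status}]")
        for w in report.warnings:
            print(f"  - {w}")
```

On a real host the two samples come from reading /proc/diskstats twice; the point of the headroom check is to alarm before the volume reaches its provisioned ceiling, because a Vault write that stalls on disk stalls the active node rather than a background snapshot.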

Consul's autopilot feature is currently not available in Vault's integrated storage.

»Inspect Vault data

Inspection of Vault data differs considerably from the consul kv commands used to inspect Consul's KV store. Consult the Inspecting Data in Integrated Storage tutorial to query Vault's integrated storage data.

»Summary

The table below highlights the differences between Consul and integrated storage.

| Consideration       | Consul as storage backend              | Vault integrated storage                               |
|---------------------|----------------------------------------|--------------------------------------------------------|
| System requirement  | Memory optimized machine               | Storage optimized, high IOPS machine                   |
| Data snapshot       | Frequent snapshots                     | Normal data backup strategy                            |
| Snapshot automation | Snapshot agent (Consul Enterprise only) | Automatic snapshot (Vault Enterprise v1.6.0 and later) |
| Data inspection     | Online, use consul kv command          | Offline, requires using recovery mode                  |
| Autopilot           | Supported                              | Not available                                          |

»Self-check questions

  • Where is the product expertise?
    • Do you already have Consul expertise?
    • Are you concerned about lack of Consul knowledge?
  • Do you currently experience any technical issue with Consul?
  • What motivates the data migration from the current storage backend to the integrated storage?
    • Reduce the operational overhead?
    • Reduce the number of machines to run?
    • Reduce the cloud infrastructure cost?
  • Do you have a staging environment where you can run production loads and verify that everything works as you expect?
  • Have you thought through the storage backup process or workflow after migrating to the integrated storage?
  • Do you currently rely heavily on using Consul to inspect Vault data?

»Next step

If you are ready to migrate the current storage backend to integrated storage, refer to the Storage Migration Tutorial - Consul to Integrated Storage.

To deploy a new cluster with integrated storage, refer to the Vault HA Cluster with Integrated Storage tutorial.
