Introduction
This article covers enabling DR or Performance replication when the primary cluster sits behind a load balancer: primary_cluster_addr is set when enabling replication on the primary cluster, and primary_api_addr is set when enabling replication on the secondary cluster.
When the primary's cluster address (its port 8201 cluster listener) is not directly reachable from the secondary and must be reached through an alternate address, such as a TCP-based (layer 4) load balancer, set primary_cluster_addr when enabling replication on the primary cluster. The load balancer must pass TCP straight through to port 8201 without terminating TLS: traffic on the cluster port uses Vault-managed TLS between the clusters, so a layer 7 load balancer that terminates TLS will break replication.
When enabling replication in primary mode:
- primary_cluster_addr (string: "") - Specifies the cluster address that the primary gives to secondary nodes. If not set, uses Vault's configured cluster address.
- To enable replication on a DR primary cluster using primary_cluster_addr:
vault write -f sys/replication/dr/primary/enable primary_cluster_addr=https://vault-c7f79654cd-478f28491.elb.us-west-1.amazonaws.com:8201
where primary_cluster_addr is the address of the load balancer in front of the primary cluster, pointing at port 8201.
- To enable replication on a Performance primary cluster using primary_cluster_addr:
vault write -f sys/replication/performance/primary/enable primary_cluster_addr=https://vault-c7f79654cd-478f28491.elb.us-west-1.amazonaws.com:8201
When the primary's redirect address (its API address, the port 8200 listener) is not directly reachable from the secondary and must be reached through an alternate address, such as a load balancer, set primary_api_addr when enabling replication on the secondary cluster.
When enabling replication in secondary mode:
- primary_api_addr (string: "") - Set this to the API address (normal Vault address) of the primary to override the value embedded in the secondary token. The secondary uses this address to unwrap the token and start the bootstrap handshake; replication traffic itself then flows over the cluster port advertised by primary_cluster_addr.
- To enable DR replication on a secondary using a secondary token generated on the primary and specifying primary_api_addr:
vault write -f sys/replication/dr/secondary/enable token=$SECONDARY_BOOTSTRAP_TOKEN primary_api_addr=https://vault-c7f79654cd-478f28491.elb.us-west-1.amazonaws.com:8200
where primary_api_addr is the load balancer address of the primary Vault cluster, pointing at port 8200.
- To enable Performance replication on a secondary using a secondary activation token generated on the primary and specifying primary_api_addr:
vault write -f sys/replication/performance/secondary/enable token=$SECONDARY_BOOTSTRAP_TOKEN primary_api_addr=https://vault-c7f79654cd-478f28491.elb.us-west-1.amazonaws.com:8200
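As an added example (not part of the original article and not HashiCorp tooling), the following POSIX shell pre-flight script builds the enable commands shown above for either replication type and rejects the address mistakes that most often cause a failed enable: a plain http URL, a missing port, or the cluster and API ports swapped between primary_cluster_addr and primary_api_addr. The hostname vault-lb.example.com is hypothetical. The optional ca_file argument maps to the ca_file parameter of the secondary enable endpoints (a PEM CA bundle the secondary uses when it contacts the primary's API address); pass it when the certificate presented at primary_api_addr is not issued by a CA the secondary already trusts.

```shell
#!/bin/sh
# Added example (not from the original article or HashiCorp): pre-flight
# checks for enabling replication through a load balancer. Hostnames are
# hypothetical. Only the reachability check touches the network, and only
# when REPLICATION_LB is set; nothing here writes to Vault by itself.
set -eu

CLUSTER_PORT=8201   # cluster listener: what primary_cluster_addr must point at
API_PORT=8200       # API (redirect) listener: what primary_api_addr must point at

# validate_addr URL PORT: succeed only for https://host:PORT[/...]
validate_addr() {
  case "$1" in
    https://*) ;;
    *) echo "reject $1: replication addresses must use https" >&2; return 1 ;;
  esac
  hostport="${1#https://}"
  hostport="${hostport%%/*}"
  port="${hostport##*:}"
  if [ "$port" = "$hostport" ] || [ -z "$port" ]; then
    echo "reject $1: no explicit port, expected :$2" >&2; return 1
  fi
  if [ "$port" != "$2" ]; then
    echo "reject $1: port $port, expected $2" >&2; return 1
  fi
}

# replication_kind KIND: Vault has exactly two replication types
replication_kind() {
  case "$1" in
    dr|performance) return 0 ;;
    *) echo "reject $1: replication kind must be dr or performance" >&2; return 1 ;;
  esac
}

# primary_enable_cmd KIND CLUSTER_URL: print the command to run on the primary
primary_enable_cmd() {
  replication_kind "$1" || return 1
  validate_addr "$2" "$CLUSTER_PORT" || return 1
  printf 'vault write -f sys/replication/%s/primary/enable primary_cluster_addr=%s\n' "$1" "$2"
}

# secondary_enable_cmd KIND API_URL [CA_FILE]: print the command to run on the
# secondary. The token is referenced as $SECONDARY_BOOTSTRAP_TOKEN rather than
# expanded, so its value never appears in the printed command or shell history.
secondary_enable_cmd() {
  replication_kind "$1" || return 1
  validate_addr "$2" "$API_PORT" || return 1
  printf 'vault write -f sys/replication/%s/secondary/enable token=$SECONDARY_BOOTSTRAP_TOKEN primary_api_addr=%s' "$1" "$2"
  if [ -n "${3:-}" ]; then printf ' ca_file=%s' "$3"; fi
  printf '\n'
}

# tcp_reachable HOST PORT: plain TCP connect check (no TLS) to confirm the
# load balancer listener exists before enabling. Skipped when nc is absent.
tcp_reachable() {
  command -v nc >/dev/null 2>&1 || { echo "nc not installed, skipping check for $1:$2" >&2; return 0; }
  nc -z -w 5 "$1" "$2"
}

# Usage: REPLICATION_LB=vault-lb.example.com KIND=dr sh preflight.sh
# Prints the primary command and the secondary command for the given
# load balancer after checking both listeners answer on TCP.
if [ -n "${REPLICATION_LB:-}" ]; then
  kind="${KIND:-dr}"
  tcp_reachable "$REPLICATION_LB" "$CLUSTER_PORT"
  tcp_reachable "$REPLICATION_LB" "$API_PORT"
  echo "run on the primary:"
  primary_enable_cmd "$kind" "https://$REPLICATION_LB:$CLUSTER_PORT"
  echo "run on the secondary, after generating the secondary token on the primary:"
  secondary_enable_cmd "$kind" "https://$REPLICATION_LB:$API_PORT" "${CA_FILE:-}"
fi
```

The port check is the important one: the two addresses point at the same load balancer hostname but different listeners, and an enable that is given the API port in primary_cluster_addr (or the cluster port in primary_api_addr) fails only later, when the secondary tries to connect. The TCP check confirms the listener is there, but it cannot tell a passthrough listener from one that terminates TLS; that still has to be verified in the load balancer configuration.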
Expected Outcome
Replication is established between the primary and secondary clusters after enabling. Confirm with vault read sys/replication/status on each cluster: the primary should list the secondary, and the secondary should report secondary mode with an active connection to the primary.
Prerequisites (if applicable)
- The primary Vault cluster's cluster address (port 8201) is not directly accessible from the secondary cluster
- The primary Vault cluster's redirect (API) address (port 8200) is not directly accessible from the secondary cluster
Use Case
Establishing DR or Performance replication between clusters where the primary cluster's cluster address and redirect address are not directly accessible from the secondary cluster, but can be reached through a TCP-based load balancer.
Useful links: