Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Multi-Account, Multi-Region, Multi-Runtime

Rosemary Wang
January 25, 2024
Technology
1
21

Multi-Account, Multi-Region, Multi-Runtime

Originally presented at NJ HashiCorp User Group, January 2024.

Rosemary Wang

January 25, 2024
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Secure Day 2 operations with Boundary and Vault
joatmon08
0
14
Can You Test Your Infrastructure as Code?
joatmon08
1
49
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
26
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
31
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
40
Building a Developer Platform? Ask these questions.
joatmon08
0
26
From Cloud-Hosted to Cloud-Native
joatmon08
0
50
Refactoring Applications for Dynamic Secrets
joatmon08
1
37
Catching Commits to Secure Infrastructure as Code
joatmon08
1
48

Other Decks in Technology

See All in Technology
独自ツール開発でスタジオ撮影をDX!「VLS(Virtual LED Studio)」 / dx-studio-vls
cyberagentdevelopers
PRO
1
180
30万人が利用するチャットをFirebase Realtime DatabaseからActionCableへ移行する方法
ryosk7
5
350
マネジメント視点でのre:Invent参加 ~もしCEOがre:Inventに行ったら~
kojiasai
0
470
いまならこう作りたい AWSコンテナ[本格]入門ハンズオン 〜2024年版 ハンズオンの構想〜
horsewin
9
2.1k
Shift-from-React-to-Vue
calm1205
3
1.3k
Amazon_CloudWatch_ログ異常検出_導入ガイド
tsujiba
4
1.6k
GitHub Universe: Evaluating RAG apps in GitHub Actions
pamelafox
0
180
「視座」の上げ方が成人発達理論にわかりやすくまとまってた / think_ perspective_hidden_dimensions
shuzon
2
4.1k
Apple/Google/Amazonの決済システムの違いを踏まえた定期購読課金システムの構築 / abema-billing-system
cyberagentdevelopers
PRO
1
220
Fargateを使った研修の話
takesection
0
120
日経電子版におけるリアルタイムレコメンドシステム開発の事例紹介/nikkei-realtime-recommender-system
yng87
1
500
チームを主語にしてみる / Making "Team" the Subject
ar_tama
4
310

Featured

See All Featured
The World Runs on Bad Software
bkeepers
PRO
65
11k
[RailsConf 2023] Rails as a piece of cake
palkan
51
4.9k
Thoughts on Productivity
jonyablonski
67
4.3k
Docker and Python
trallard
40
3.1k
For a Future-Friendly Web
brad_frost
175
9.4k
Into the Great Unknown - MozCon
thekraken
31
1.5k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
A Tale of Four Properties
chriscoyier
156
23k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
41
2.1k
Navigating Team Friction
lara
183
14k
How to Ace a Technical Interview
jacobian
275
23k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
7.9k

Transcript

  1. © 2023 HASHICORP 1 Multi-Account, Multi-Region, Multi-Runtime Rosemary Wang Developer

    Advocate at HashiCorp @joatmon08 | joatmon08.github.io

  2. © 2023 HASHICORP 2 Consul 01

  3. © 2023 HASHICORP dev 3 kubernetes admin partition default namespace

    service-1 namespace virtual-machine admin partition service-2 namespace default admin partition default namespace prod kubernetes admin partition default namespace service-1 namespace virtual-machine admin partition service-2 namespace default admin partition default namespace

  4. © 2023 HASHICORP

  5. © 2023 HASHICORP 5 us-east-1 kubernetes admin partition default namespace

    service-1 namespace virtual-machine admin partition service-2 namespace default admin partition us-west-2 kubernetes admin partition default namespace service-1 namespace virtual-machine admin partition service-2 namespace default admin partition cluster peering

  6. © 2023 HASHICORP developer.hashicorp.com/consul/docs/k8s/connect/cluster-peering/tech-specs

  7. © 2023 HASHICORP

  8. © 2023 HASHICORP & the “Gotchas” • Prior recommendation: WAN

    Federation • Mesh gateway per admin partition • Export services across partition • Assign IP address per service instance • Peer between non-prod / prod? 8 Technical Considerations

  9. © 2023 HASHICORP developer.hashicorp.com/consul/docs/enterprise/admin-partitions

  10. © 2023 HASHICORP

  11. © 2023 HASHICORP developer.hashicorp.com/consul/docs/enterprise/admin-partitions

  12. © 2023 HASHICORP 12 Vault 02

  13. © 2023 HASHICORP 13 dev /shared namespace /service-1 namespace /service-1/shared

    namespace prod /shared namespace /service-1 namespace /service-1/shared namespace

  14. © 2023 HASHICORP developer.hashicorp.com/vault/docs/enterprise/namespaces

  15. © 2023 HASHICORP 15 us-east-1 /boundary path /consul path /prod

    path /prod/service-1 path /prod/kubernetes path us-west-2 /boundary path /consul path /prod path /prod/service-1 path /prod/kubernetes path Terraform / Other Automation

  16. © 2023 HASHICORP 16 us-east-1 /boundary namespace /consul namespace /prod

    namespace /prod/service-1 namespace /prod/kubernetes namespace us-west-2 /boundary namespace /consul namespace /prod namespace /prod/service-1 namespace /prod/kubernetes namespace replication developer.hashicorp.com/vault/docs/enterprise/replication

  17. © 2023 HASHICORP

  18. © 2023 HASHICORP

  19. © 2023 HASHICORP

  20. © 2023 HASHICORP & the “Gotchas” • Replicate configuration, policies,

    secrets engines • Does not replicate leases or tokens • To avoid replication… ◦ Top-level paths filter (globally enforced) ◦ Create secrets engine with -local option • Nest namespaces vs. replicate across non-prod / prod • Database replication versus database secrets engine 20 Technical Considerations

  21. © 2023 HASHICORP 21 us-east-1 /database/customers us-west-2 /database/customers prod "CREATE

    ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";"

  22. © 2023 HASHICORP 22 us-east-1 /database/customers us-west-2 /database/customers prod "CREATE

    ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";" Cross-region DNS / Load Balancer

  23. © 2023 HASHICORP 23 us-east-1 /database/customers us-west-2 /database/customers prod "CREATE

    ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";" prod read replica

  24. © 2023 HASHICORP 24 us-east-1 /database/customers us-west-2 /database/customers prod "CREATE

    ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";" prod write replica* *depends on database

  25. © 2023 HASHICORP 25 us-east-1 /database/customers prod "CREATE ROLE \"{{name}}\"

    WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";" developer.hashicorp.com/vault/docs/agent-and-proxy/proxy/apiproxy vault proxy

  26. © 2023 HASHICORP 26 Boundary 03

  27. © 2023 HASHICORP primary us-east-1 27 controllers primary Boundary database

    cross-region load balancer with failover config standby us-west-2 controllers standby Boundary database read replica (promote on failover) developer.hashicorp.com/boundary/docs/install-boundary/fault-tolerance

  28. © 2023 HASHICORP global 28 customer organization dev, us-east-1 worker

    dev-us-east-1 project dev, us-west-2 worker dev-us-west-2 project prod, us-east-1 worker dev-us-east-1 project prod, us-west-2 worker prod-us-west-2 project payment organization dev, us-east-1 worker dev-us-east-1 project dev, us-west-2 worker dev-us-west-2 project prod, us-east-1 worker dev-us-east-1 project prod, us-west-2 worker prod-us-west-2 project

  29. © 2023 HASHICORP & the “Gotchas” • (Current) Access Boundary

    cluster in single region • Use worker tags to identify region, runtime, etc. • Separate regions into projects / organizations for control • Separate non-prod / prod (clusters vs. scopes) 29 Technical Considerations

  30. © 2023 HASHICORP 30 github.com/ jcolemorrison/ foundational-soa

  31. © 2023 HASHICORP Thank you [email protected]