Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Multi-Account, Multi-Region, Multi-Runtime

Rosemary Wang
January 25, 2024
Technology
1
21

Multi-Account, Multi-Region, Multi-Runtime

Originally presented at NJ HashiCorp User Group, January 2024.

Rosemary Wang

January 25, 2024
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Secure Day 2 operations with Boundary and Vault
joatmon08
0
15
Can You Test Your Infrastructure as Code?
joatmon08
1
51
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
26
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
31
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
40
Building a Developer Platform? Ask these questions.
joatmon08
0
27
From Cloud-Hosted to Cloud-Native
joatmon08
0
53
Refactoring Applications for Dynamic Secrets
joatmon08
1
37
Catching Commits to Secure Infrastructure as Code
joatmon08
1
51

Other Decks in Technology

See All in Technology
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
2
610
信頼性に挑む中で拡張できる・得られる1人のスキルセットとは?
ken5scal
2
530
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
480
Terraform Stacks入門 #HashiTalks
msato
0
350
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
370
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
750
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
9
960
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
380
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
100

Featured

See All Featured
The Cost Of JavaScript in 2023
addyosmani
45
6.8k
Building Applications with DynamoDB
mza
90
6.1k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Ruby is Unlike a Banana
tanoku
97
11k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Speed Design
sergeychernyshev
25
620
Docker and Python
trallard
40
3.1k
Gamification - CAS2011
davidbonilla
80
5k
RailsConf 2023
tenderlove
29
900

Transcript

  1. © 2023 HASHICORP 1 Multi-Account, Multi-Region, Multi-Runtime Rosemary Wang Developer

    Advocate at HashiCorp @joatmon08 | joatmon08.github.io

  2. © 2023 HASHICORP 2 Consul 01

  3. © 2023 HASHICORP dev 3 kubernetes admin partition default namespace

    service-1 namespace virtual-machine admin partition service-2 namespace default admin partition default namespace prod kubernetes admin partition default namespace service-1 namespace virtual-machine admin partition service-2 namespace default admin partition default namespace

  4. © 2023 HASHICORP

  5. © 2023 HASHICORP 5 us-east-1 kubernetes admin partition default namespace

    service-1 namespace virtual-machine admin partition service-2 namespace default admin partition us-west-2 kubernetes admin partition default namespace service-1 namespace virtual-machine admin partition service-2 namespace default admin partition cluster peering

  6. © 2023 HASHICORP developer.hashicorp.com/consul/docs/k8s/connect/cluster-peering/tech-specs

  7. © 2023 HASHICORP

  8. © 2023 HASHICORP & the “Gotchas” • Prior recommendation: WAN

    Federation • Mesh gateway per admin partition • Export services across partition • Assign IP address per service instance • Peer between non-prod / prod? 8 Technical Considerations

  9. © 2023 HASHICORP developer.hashicorp.com/consul/docs/enterprise/admin-partitions

  10. © 2023 HASHICORP

  11. © 2023 HASHICORP developer.hashicorp.com/consul/docs/enterprise/admin-partitions

  12. © 2023 HASHICORP 12 Vault 02

  13. © 2023 HASHICORP 13 dev /shared namespace /service-1 namespace /service-1/shared

    namespace prod /shared namespace /service-1 namespace /service-1/shared namespace

  14. © 2023 HASHICORP developer.hashicorp.com/vault/docs/enterprise/namespaces

  15. © 2023 HASHICORP 15 us-east-1 /boundary path /consul path /prod

    path /prod/service-1 path /prod/kubernetes path us-west-2 /boundary path /consul path /prod path /prod/service-1 path /prod/kubernetes path Terraform / Other Automation

  16. © 2023 HASHICORP 16 us-east-1 /boundary namespace /consul namespace /prod

    namespace /prod/service-1 namespace /prod/kubernetes namespace us-west-2 /boundary namespace /consul namespace /prod namespace /prod/service-1 namespace /prod/kubernetes namespace replication developer.hashicorp.com/vault/docs/enterprise/replication

  17. © 2023 HASHICORP

  18. © 2023 HASHICORP

  19. © 2023 HASHICORP

  20. © 2023 HASHICORP & the “Gotchas” • Replicate configuration, policies,

    secrets engines • Does not replicate leases or tokens • To avoid replication… ◦ Top-level paths filter (globally enforced) ◦ Create secrets engine with -local option • Nest namespaces vs. replicate across non-prod / prod • Database replication versus database secrets engine 20 Technical Considerations

  21. © 2023 HASHICORP 21 us-east-1 /database/customers us-west-2 /database/customers prod "CREATE

    ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";"

  22. © 2023 HASHICORP 22 us-east-1 /database/customers us-west-2 /database/customers prod "CREATE

    ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";" Cross-region DNS / Load Balancer

  23. © 2023 HASHICORP 23 us-east-1 /database/customers us-west-2 /database/customers prod "CREATE

    ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";" prod read replica

  24. © 2023 HASHICORP 24 us-east-1 /database/customers us-west-2 /database/customers prod "CREATE

    ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";" prod write replica* *depends on database

  25. © 2023 HASHICORP 25 us-east-1 /database/customers prod "CREATE ROLE \"{{name}}\"

    WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";" developer.hashicorp.com/vault/docs/agent-and-proxy/proxy/apiproxy vault proxy

  26. © 2023 HASHICORP 26 Boundary 03

  27. © 2023 HASHICORP primary us-east-1 27 controllers primary Boundary database

    cross-region load balancer with failover config standby us-west-2 controllers standby Boundary database read replica (promote on failover) developer.hashicorp.com/boundary/docs/install-boundary/fault-tolerance

  28. © 2023 HASHICORP global 28 customer organization dev, us-east-1 worker

    dev-us-east-1 project dev, us-west-2 worker dev-us-west-2 project prod, us-east-1 worker dev-us-east-1 project prod, us-west-2 worker prod-us-west-2 project payment organization dev, us-east-1 worker dev-us-east-1 project dev, us-west-2 worker dev-us-west-2 project prod, us-east-1 worker dev-us-east-1 project prod, us-west-2 worker prod-us-west-2 project

  29. © 2023 HASHICORP & the “Gotchas” • (Current) Access Boundary

    cluster in single region • Use worker tags to identify region, runtime, etc. • Separate regions into projects / organizations for control • Separate non-prod / prod (clusters vs. scopes) 29 Technical Considerations

  30. © 2023 HASHICORP 30 github.com/ jcolemorrison/ foundational-soa

  31. © 2023 HASHICORP Thank you [email protected]