
Multi-Account, Multi-Region, Multi-Runtime

Originally presented at NJ HashiCorp User Group, January 2024.

Rosemary Wang

January 25, 2024

Transcript

  1. © 2023 HASHICORP (slide 3) Diagram: dev and prod environments, each with the same Consul layout: a kubernetes admin partition (default namespace, service-1 namespace), a virtual-machine admin partition (service-2 namespace), and the default admin partition (default namespace).
  2. (slide 5) Diagram: the same partition and namespace layout in two regions, us-east-1 and us-west-2 (kubernetes admin partition with default and service-1 namespaces, virtual-machine admin partition with service-2 namespace, default admin partition with default namespace), connected by cluster peering.
  3. (slide 8) Technical Considerations & the “Gotchas”
     • Prior recommendation: WAN Federation
     • Mesh gateway per admin partition
     • Export services across partitions
     • Assign IP address per service instance
     • Peer between non-prod / prod?
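The steps on the three slides above (a partition per runtime with its namespaces, a mesh gateway per partition, exporting a service to another partition and to a peer, and cluster peering in place of WAN federation), as an added Terraform example written for this page, not taken from the deck. It assumes Consul Enterprise (admin partitions require it), the hashicorp/consul provider, two clusters at the made-up addresses below, and that the kubernetes partition already exists in us-west-2:

```hcl
# One provider per cluster. Addresses are assumptions; each points at the
# servers of its own region (datacenter).
provider "consul" {
  alias      = "us_east_1"
  address    = "consul.us-east-1.example.internal:8501"
  scheme     = "https"
  datacenter = "us-east-1"
}

provider "consul" {
  alias      = "us_west_2"
  address    = "consul.us-west-2.example.internal:8501"
  scheme     = "https"
  datacenter = "us-west-2"
}

locals {
  # Runtime partitions and their namespaces, as on the deck's diagrams.
  partitions = {
    kubernetes        = ["service-1"]
    "virtual-machine" = ["service-2"]
  }
  namespaces = {
    for pair in flatten([
      for p, nss in local.partitions : [for ns in nss : { partition = p, namespace = ns }]
    ]) : "${pair.partition}/${pair.namespace}" => pair
  }
}

# Same layout in both regions; shown for us-east-1, repeat with the other alias.
resource "consul_admin_partition" "east" {
  for_each = local.partitions
  provider = consul.us_east_1
  name     = each.key
}

resource "consul_namespace" "east" {
  for_each  = local.namespaces
  provider  = consul.us_east_1
  name      = each.value.namespace
  partition = consul_admin_partition.east[each.value.partition].name
}

# Gotcha: each partition needs its own mesh gateway, and its proxies must send
# cross-partition and cross-peer traffic through it (Mode = "local").
resource "consul_config_entry" "east_proxy_defaults" {
  for_each  = local.partitions
  provider  = consul.us_east_1
  kind      = "proxy-defaults"
  name      = "global"
  partition = consul_admin_partition.east[each.key].name
  config_json = jsonencode({
    MeshGateway = { Mode = "local" }
  })
}

# Gotcha: a service is invisible outside its partition until exported. In
# Enterprise the exported-services entry is named after the exporting partition.
resource "consul_config_entry" "east_kubernetes_exports" {
  provider  = consul.us_east_1
  kind      = "exported-services"
  name      = "kubernetes"
  partition = consul_admin_partition.east["kubernetes"].name
  config_json = jsonencode({
    Services = [{
      Name      = "service-1"
      Namespace = "service-1"
      Consumers = [
        { Partition = "virtual-machine" }, # other partition, same cluster
        { Peer = "us-west-2" },            # peered cluster in the other region
      ]
    }]
  })
}

# Cluster peering replaces WAN federation: mint a token on one side and
# establish the peering with it on the other. The peer name on each side is
# the name the other cluster is known by (Consumers[].Peer above).
resource "consul_peering_token" "east_to_west" {
  provider  = consul.us_east_1
  peer_name = "us-west-2"
  partition = consul_admin_partition.east["kubernetes"].name
}

resource "consul_peering" "west_to_east" {
  provider      = consul.us_west_2
  peer_name     = "us-east-1"
  peering_token = consul_peering_token.east_to_west.peering_token
  partition     = "kubernetes" # assumed to exist already in us-west-2
}
```

The peering token is a secret that ends up in Terraform state; treat the state backend accordingly. Exporting to a peer only publishes the service catalog entry; intentions in the consuming partition or cluster still have to allow the traffic.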
  4. (slide 13) Diagram: Vault namespaces, with dev and prod each containing a /shared namespace, a /service-1 namespace, and a nested /service-1/shared namespace.
  5. (slide 15) Diagram: per-region Vault paths, with us-east-1 and us-west-2 each holding /boundary, /consul, /prod, /prod/service-1, and /prod/kubernetes, created in both regions by Terraform / other automation.
  6. (slide 16) Diagram: the same paths as namespaces (/boundary, /consul, /prod, /prod/service-1, /prod/kubernetes) in us-east-1 and us-west-2, kept in sync by replication. developer.hashicorp.com/vault/docs/enterprise/replication
  7. (slide 20) Technical Considerations & the “Gotchas”
     • Replicate configuration, policies, secrets engines
     • Does not replicate leases or tokens
     • To avoid replication…
       ◦ Top-level paths filter (globally enforced)
       ◦ Create secrets engine with -local option
     • Nest namespaces vs. replicate across non-prod / prod
     • Database replication versus database secrets engine
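The namespace tree from the two diagrams above together with the paths-filter gotcha, as an added Terraform example that is not part of the deck. It assumes Vault Enterprise with performance replication already enabled, the hashicorp/vault provider pointed at the primary at a made-up address, and a secondary registered under the id us-west-2:

```hcl
# Assumed: the provider targets the performance primary in us-east-1. Namespaces,
# replication and paths filters are Vault Enterprise features.
provider "vault" {
  address = "https://vault.us-east-1.example.internal:8200"
}

# Top-level namespaces from the slide; children are created inside their
# parent, so /prod/service-1 is path "service-1" under namespace "prod".
resource "vault_namespace" "top" {
  for_each = toset(["boundary", "consul", "prod"])
  path     = each.key
}

resource "vault_namespace" "prod_child" {
  for_each  = toset(["service-1", "kubernetes"])
  namespace = vault_namespace.top["prod"].path_fq
  path      = each.key
}

# Everything above, plus this mount and its policies, is replicated to every
# performance secondary unless filtered. Leases and tokens are not: a client in
# us-west-2 must log in to the us-west-2 cluster, and a service token issued
# in us-east-1 is not accepted there.
resource "vault_mount" "service_1_kv" {
  namespace = vault_namespace.prod_child["service-1"].path_fq
  path      = "kv"
  type      = "kv"
  options   = { version = "2" }
}

# Paths filter: set on the primary, per secondary, listing top-level namespaces
# or mounts to withhold. It is global to that secondary; there is no
# per-child-namespace filter. "us-west-2" is the assumed secondary id, and
# vault_generic_endpoint is used because the provider has no dedicated resource.
resource "vault_generic_endpoint" "west_paths_filter" {
  path                 = "sys/replication/performance/primary/paths-filter/us-west-2"
  disable_read         = true
  ignore_absent_fields = true
  data_json = jsonencode({
    mode  = "deny"
    paths = ["consul/"] # keep the /consul namespace out of us-west-2
  })
}
```

A deny filter removes the listed paths from the secondary outright, so anything in us-west-2 that needs the filtered namespace has to reach the primary instead; check the secondary with `vault namespace list` after the filter applies.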
  8. (slide 21) Diagram: a /database/customers secrets engine in us-east-1 and another in us-west-2, both pointed at the prod database, with the role's creation statement: "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";"
  9. (slide 22) Diagram: same engines and creation statement as slide 21, with both regional engines reaching the prod database through a cross-region DNS name / load balancer.
  10. (slide 23) Diagram: same engines and creation statement as slide 21, with a prod read replica as the second database.
  11. (slide 24) Diagram: same engines and creation statement as slide 21, with a prod write replica* as the second database. *depends on database
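The per-region database secrets engine from the four diagrams above, as an added Terraform example that is not the deck's own code. It keeps the deck's creation statement unchanged as the writer role, adds a SELECT-only reader role beside it as the least-privilege counterpart, and assumes PostgreSQL, Vault Enterprise local mounts, the hashicorp/vault provider, and the made-up hostnames and credential variables below:

```hcl
# One provider per regional Vault cluster, both scoped to the /prod namespace.
provider "vault" {
  alias     = "us_east_1"
  address   = "https://vault.us-east-1.example.internal:8200"
  namespace = "prod"
}

provider "vault" {
  alias     = "us_west_2"
  address   = "https://vault.us-west-2.example.internal:8200"
  namespace = "prod"
}

variable "db_name" { default = "customers" }
variable "vault_db_password" {
  type      = string
  sensitive = true # Vault's own database login; rotate it with rotate-root after apply
}

locals {
  # The deck's creation statement, unchanged. Vault fills {{name}}, {{password}}
  # and {{expiration}} per lease; ${var.db_name} is Terraform interpolation.
  writer_statement = "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";"
  # Added alternative for read-only consumers: same dynamic role, SELECT only.
  reader_statement = "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
  roles = { writer = local.writer_statement, reader = local.reader_statement }

  # Regional endpoints (assumed names): a cross-region DNS name / load balancer
  # or a regional replica. CREATE ROLE is a write, so a read-only replica cannot
  # back the west engine; that endpoint must accept writes ("depends on database").
  db_hosts = {
    us_east_1 = "customers.us-east-1.db.example.internal"
    us_west_2 = "customers.us-west-2.db.example.internal"
  }
}

# A replicated mount would carry the us-east-1 connection URL to us-west-2.
# local = true keeps each region's mount, its endpoint and its leases in-region.
resource "vault_mount" "db_east" {
  provider = vault.us_east_1
  path     = "database"
  type     = "database"
  local    = true
}

resource "vault_database_secret_backend_connection" "east" {
  provider      = vault.us_east_1
  backend       = vault_mount.db_east.path
  name          = var.db_name
  allowed_roles = keys(local.roles)
  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@${local.db_hosts.us_east_1}:5432/${var.db_name}?sslmode=require"
    username       = "vault"
    password       = var.vault_db_password
  }
}

resource "vault_database_secret_backend_role" "east" {
  for_each            = local.roles
  provider            = vault.us_east_1
  backend             = vault_mount.db_east.path
  name                = each.key
  db_name             = vault_database_secret_backend_connection.east.name
  creation_statements = [each.value]
  default_ttl         = 3600
  max_ttl             = 86400
}

# us-west-2: the same three resources against the regional endpoint.
resource "vault_mount" "db_west" {
  provider = vault.us_west_2
  path     = "database"
  type     = "database"
  local    = true
}

resource "vault_database_secret_backend_connection" "west" {
  provider      = vault.us_west_2
  backend       = vault_mount.db_west.path
  name          = var.db_name
  allowed_roles = keys(local.roles)
  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@${local.db_hosts.us_west_2}:5432/${var.db_name}?sslmode=require"
    username       = "vault"
    password       = var.vault_db_password
  }
}

resource "vault_database_secret_backend_role" "west" {
  for_each            = local.roles
  provider            = vault.us_west_2
  backend             = vault_mount.db_west.path
  name                = each.key
  db_name             = vault_database_secret_backend_connection.west.name
  creation_statements = [each.value]
  default_ttl         = 3600
  max_ttl             = 86400
}
```

Each engine issues and revokes its own credentials against its own endpoint, so a failover of the database does not strand leases in the other region's Vault; the price is that revocation traffic from us-west-2 also has to reach a writable endpoint.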
  12. (slide 25) Diagram: a single /database/customers engine in us-east-1 with the same creation statement as slide 21, reached from the other region through vault proxy. developer.hashicorp.com/vault/docs/agent-and-proxy/proxy/apiproxy
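The alternative on the slide above, one us-east-1 engine reached from the other region through Vault Proxy, as an added Vault Proxy configuration written for this page, not taken from the deck. The Vault address, the namespace, the auth mount name and the role are assumptions; the auth mount has to exist on the us-east-1 cluster the proxy talks to, because tokens do not replicate:

```hcl
# Runs beside the workload in us-west-2: listens on loopback, forwards to Vault
# in us-east-1, and attaches its own token so the app never holds one.
vault {
  address   = "https://vault.us-east-1.example.internal:8200"
  namespace = "prod/service-1" # assumed namespace that holds the database engine
}

auto_auth {
  # The workload's identity. The mount name is an assumption; it is a
  # Kubernetes auth method configured on the us-east-1 cluster for the
  # us-west-2 Kubernetes cluster, since the login must happen where the
  # engine lives.
  method "kubernetes" {
    mount_path = "auth/kubernetes-us-west-2"
    config = {
      role = "service-1"
    }
  }
}

api_proxy {
  # "force" replaces any token the client sends with the auto-auth token,
  # so a compromised client token cannot be laundered through the proxy.
  use_auto_auth_token = "force"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true # loopback only; never bind this listener to a routable address
}
```

The workload then sets VAULT_ADDR to http://127.0.0.1:8200 and reads database/creds/writer as if Vault were local. The cross-region dependency remains: if us-east-1 is unreachable, new credentials cannot be issued, which is the trade-off against the per-region engines on the earlier slides.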
  13. (slide 27) Diagram: Boundary fault tolerance. Primary in us-east-1: controllers and the primary Boundary database. Standby in us-west-2: controllers and a standby Boundary database read replica (promote on failover). A cross-region load balancer with failover config fronts both. developer.hashicorp.com/boundary/docs/install-boundary/fault-tolerance
  14. (slide 28) Diagram: Boundary scopes. The global scope contains a customer organization and a payment organization; each organization holds the projects dev-us-east-1 (dev, us-east-1 worker), dev-us-west-2 (dev, us-west-2 worker), prod-us-east-1 (prod, us-east-1 worker), and prod-us-west-2 (prod, us-west-2 worker).
  15. (slide 29) Technical Considerations & the “Gotchas”
     • (Current) Access Boundary cluster in single region
     • Use worker tags to identify region, runtime, etc.
     • Separate regions into projects / organizations for control
     • Separate non-prod / prod (clusters vs. scopes)
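The scope layout from the diagram and the worker-tag and scope-separation points from the list above, as an added Terraform example written for this page, not taken from the deck. It assumes the hashicorp/boundary provider, password authentication to a single-region control plane at a made-up address, and workers whose own config carries region and runtime tags:

```hcl
# Single-region control plane, as on the slide. Address and auth are assumptions.
variable "auth_method_id" { type = string }
variable "login_name" { type = string }
variable "password" {
  type      = string
  sensitive = true
}

provider "boundary" {
  addr                            = "https://boundary.us-east-1.example.internal:9200"
  auth_method_id                  = var.auth_method_id
  password_auth_method_login_name = var.login_name
  password_auth_method_password   = var.password
}

locals {
  orgs    = ["customer", "payment"]
  envs    = ["dev", "prod"]
  regions = ["us-east-1", "us-west-2"]
  # One project per org x environment x region, e.g. customer/prod-us-west-2.
  projects = {
    for p in setproduct(local.orgs, local.envs, local.regions) :
    "${p[0]}/${p[1]}-${p[2]}" => { org = p[0], env = p[1], region = p[2] }
  }
}

resource "boundary_scope" "org" {
  for_each                 = toset(local.orgs)
  scope_id                 = "global"
  name                     = each.key
  auto_create_admin_role   = true
  auto_create_default_role = true
}

# Region and environment live in the project scope, so grants, host catalogs
# and sessions are separated per region without a second cluster.
resource "boundary_scope" "project" {
  for_each               = local.projects
  scope_id               = boundary_scope.org[each.value.org].id
  name                   = "${each.value.env}-${each.value.region}"
  auto_create_admin_role = true
}

# Workers advertise their placement in their own config file, e.g.
#   worker {
#     tags {
#       region  = ["us-west-2"]
#       runtime = ["kubernetes"]
#     }
#   }
# The target's egress filter then pins sessions to workers in the project's
# region; the runtime tag narrows it to the workers next to the Kubernetes
# workloads. Host sources are omitted here and would be added per project.
resource "boundary_target" "customers_db" {
  for_each             = local.projects
  scope_id             = boundary_scope.project[each.key].id
  name                 = "customers-db"
  type                 = "tcp"
  default_port         = 5432
  egress_worker_filter = "\"${each.value.region}\" in \"/tags/region\" and \"kubernetes\" in \"/tags/runtime\""
}
```

A session for prod-us-west-2 that finds no worker matching the filter fails rather than falling back to a worker in another region, which is the behaviour wanted here: a mis-tagged worker shows up as an authorization failure, not as cross-region traffic.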