
Multi-Account, Multi-Region, Multi-Runtime

Originally presented at NJ HashiCorp User Group, January 2024.


Rosemary Wang

January 25, 2024


Transcript

  1. © 2023 HASHICORP. Diagram: dev and prod environments, each containing a kubernetes admin partition (default namespace, service-1 namespace), a virtual-machine admin partition (service-2 namespace) and the default admin partition (default namespace).
  2. Diagram: us-east-1 and us-west-2, each containing a kubernetes admin partition (default namespace, service-1 namespace), a virtual-machine admin partition (service-2 namespace) and the default admin partition; the two regions are joined by cluster peering.
  3. Technical Considerations & the “Gotchas” (Consul):
     • Prior recommendation: WAN Federation
     • Mesh gateway per admin partition
     • Export services across partition
     • Assign IP address per service instance
     • Peer between non-prod / prod?
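An added example of the “export services across partition” bullet, not taken from the deck: a Consul exported-services config entry that makes service-1 from the kubernetes admin partition reachable from the virtual-machine partition in the same datacenter and from the peered cluster in the other region. Assumed: Consul Enterprise with the partition and namespace names shown on the earlier slides, and a peering named us-west-2; the Name field must equal the exporting partition’s name.

```hcl
# Added example, not from the deck. Save as exported-services.hcl and apply
# with `consul config write exported-services.hcl` against the kubernetes
# partition.
Kind      = "exported-services"
Partition = "kubernetes"   # partition that owns the services being exported
Name      = "kubernetes"   # must match the Partition value

Services = [
  {
    Name      = "service-1"
    Namespace = "service-1"
    Consumers = [
      # Same datacenter, different admin partition: traffic crosses the
      # per-partition mesh gateways the slide calls out.
      { Partition = "virtual-machine" },
      # Peered cluster in the other region (assumed peering name).
      { Peer = "us-west-2" },
    ]
  },
]
```

Exporting only makes the service discoverable to the listed consumers; service intentions still decide which callers may actually connect, so keep a deny-by-default intention policy in each partition and add explicit allows for the consumers named here.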
  4. Diagram: Vault namespaces per environment. dev: /shared namespace, /service-1 namespace, /service-1/shared namespace. prod: /shared namespace, /service-1 namespace, /service-1/shared namespace.
  5. Diagram: Vault paths per region, managed by Terraform / Other Automation. us-east-1: /boundary path, /consul path, /prod path, /prod/service-1 path, /prod/kubernetes path. us-west-2: the same set of paths.
  6. Diagram: Vault namespaces per region with replication between them. us-east-1: /boundary namespace, /consul namespace, /prod namespace, /prod/service-1 namespace, /prod/kubernetes namespace. us-west-2: the same set of namespaces. See developer.hashicorp.com/vault/docs/enterprise/replication
  7. Technical Considerations & the “Gotchas” (Vault):
     • Replicate configuration, policies, secrets engines
     • Does not replicate leases or tokens
     • To avoid replication…
       ◦ Top-level paths filter (globally enforced)
       ◦ Create secrets engine with -local option
     • Nest namespaces vs. replicate across non-prod / prod
     • Database replication versus database secrets engine
  8. Diagram: a /database/customers secrets engine in us-east-1 and in us-west-2, both backed by the prod database. Creation statement shown on the slide: "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";"
  9. Same diagram and creation statement as slide 8, with the prod database reached through a cross-region DNS / Load Balancer.
  10. Same diagram and creation statement as slide 8, with us-west-2 pointed at a prod read replica.
  11. Same diagram and creation statement as slide 8, with us-west-2 pointed at a prod write replica* (*depends on database).
  12. Diagram: a single /database/customers secrets engine in us-east-1 with the same creation statement as slide 8, reached from the other region through vault proxy. See developer.hashicorp.com/vault/docs/agent-and-proxy/proxy/apiproxy
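An added example, not from the deck, covering the “-local option” bullet on slide 7 and the database secrets engine on slides 8 through 12: Terraform for a database secrets engine mounted with local = true so performance replication leaves it (and its leases) out, plus a role that issues the creation statement from the slides. Assumed: PostgreSQL, the Terraform Vault provider, the var.db_name variable the slides reference, and a placeholder connection hostname; the DATABASE keyword in the GRANT is an assumption for PostgreSQL syntax, and the role name and TTLs are placeholders.

```hcl
# Added example, not from the deck. Assumes the Terraform Vault provider is
# configured against the us-east-1 cluster.

variable "db_name" {
  description = "Database the dynamic role is granted on (placeholder default)"
  type        = string
  default     = "customers"
}

# local = true keeps this mount out of performance replication: the secondary
# region cannot mint credentials against a database it can only read from,
# so it should not receive a copy of this engine in the first place.
resource "vault_mount" "database" {
  path  = "database"
  type  = "database"
  local = true
}

resource "vault_database_secret_backend_connection" "customers" {
  backend       = vault_mount.database.path
  name          = "customers"
  allowed_roles = ["customers-app"]

  postgresql {
    # Placeholder host: the writable primary, or a cross-region DNS name that
    # fails over to whichever replica is currently writable. A read replica
    # cannot execute CREATE ROLE, which is the gotcha on slide 10.
    connection_url = "postgresql://{{username}}:{{password}}@prod-db.example.internal:5432/${var.db_name}"
  }
}

resource "vault_database_secret_backend_role" "customers_app" {
  backend = vault_mount.database.path
  name    = "customers-app"
  db_name = vault_database_secret_backend_connection.customers.name

  # The deck's creation statement; VALID UNTIL lets the database itself
  # expire the role even if Vault's revocation never reaches it.
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT ALL PRIVILEGES ON DATABASE ${var.db_name} TO \"{{name}}\";",
  ]
  default_ttl = 3600   # placeholder: 1 hour
  max_ttl     = 14400  # placeholder: 4 hours
}
```

Because leases are not replicated (slide 7), a credential issued here is only revocable from the cluster that issued it; the short TTL and the VALID UNTIL clause are the backstop if that cluster is unreachable during a regional failover.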
  13. Diagram: Boundary fault tolerance. Primary in us-east-1: controllers and the primary Boundary database. Standby in us-west-2: controllers and a standby Boundary database kept as a read replica (promote on failover). Clients reach the controllers through a cross-region load balancer with failover config. See developer.hashicorp.com/boundary/docs/install-boundary/fault-tolerance
  14. Diagram: Boundary scopes under global. customer organization: dev-us-east-1 project (dev, us-east-1 worker), dev-us-west-2 project (dev, us-west-2 worker), dev-us-east-1 project (prod, us-east-1 worker), prod-us-west-2 project (prod, us-west-2 worker). payment organization: the same four projects and workers.
  15. Technical Considerations & the “Gotchas” (Boundary):
     • (Current) Access Boundary cluster in single region
     • Use worker tags to identify region, runtime, etc.
     • Separate regions into projects / organizations for control
     • Separate non-prod / prod (clusters vs. scopes)
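An added example of the “worker tags” bullet, not taken from the deck: the worker stanza of a Boundary worker configuration file carrying region, environment and runtime tags, with the matching target filter shown in a comment. Assumed: the region / environment / runtime naming from the earlier slides, a placeholder worker name and upstream address; the worker’s authentication and storage settings are left out because they depend on the deployment.

```hcl
# Added example, not from the deck. Worker-side configuration only; the
# controller address, worker name and tag values are placeholders.
listener "tcp" {
  purpose = "proxy"
  address = "0.0.0.0"
}

worker {
  name              = "dev-us-east-1-k8s-01"                 # placeholder
  initial_upstreams = ["controller.example.internal:9201"]    # placeholder

  # Tags are key = list-of-strings. Target worker filters match against
  # them, so a prod target can refuse to route sessions through a dev or
  # out-of-region worker at all.
  tags {
    region  = ["us-east-1"]
    env     = ["dev"]
    runtime = ["kubernetes"]
  }
}

# Filter to set on a target in the dev-us-east-1 project so only workers
# carrying both tags are selected:
#   "dev" in "/tags/env" and "us-east-1" in "/tags/region"
```

Keeping the filter expression on the target rather than relying on naming conventions is what enforces the non-prod / prod separation from the last bullet: a worker that lacks the env tag is simply never chosen.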