Vault
HCP Vault Dedicated operation tasks
HashiCorp Cloud Platform (HCP) Vault provides access to critical operational tasks, such as locking the cluster, accessing audit logs, and managing data snapshots.
Enable cross-region disaster recovery
Note
Cross-region disaster recovery is available for flex / entitlement contracts.
HCP Vault Dedicated supports cross-region disaster recovery (DR) on standard or plus tier clusters in both AWS and Azure. Cross-region DR replicas must be in the same provider as the primary Vault cluster.
Cross-region DR allows you to enable high-availability for your HCP Vault Dedicated cluster, even when your selected cloud provider has a regional outage.
You must create the cross-region DR HVN in a different region than the primary cluster HVN.
Impact of cross-region DR set up on existing clusters
You can enable cross-region DR for new or existing HCP Vault Dedicated clusters.
When you enable cross-region DR for an existing cluster, the cluster will be unavailable for up to 10 minutes while replication occurs.
Create primary HVN
Create an HVN in the preferred region for your primary cluster.
Launch the HCP Portal and login.
Select the organization and project where you want to create an HCP Vault Dedicated cluster with cross-region disaster recovery.
Click HashiCorp Virtual Networks.
Click Create network.
Enter hvn-aws-us-west-2 in the Network name field.
Select Amazon Web Services as the Provider.
Select Oregon (us-west-2) from the Region selection dropdown menu.
Enter 172.25.16.0/24 in the CIDR block field.
Click Create network.
Create cross-region disaster recovery HVN
Enable cross-region DR by creating an HVN in a different region than your primary cluster.
Repeat the steps above to create a second HVN with the following details:
Note
Be sure to use non-overlapping CIDR ranges for the primary and DR HVN.
- Network name: hvn-aws-us-east-2
- Provider: Amazon Web Services
- Region selection: Ohio (us-east-2)
- CIDR block: 172.25.17.0/24
Click Back to Networks.
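A preflight check for the two HVNs before clicking through the portal, added here as an example and not part of the HashiCorp tutorial: it enforces the constraints stated above (same provider, different region, non-overlapping CIDR blocks) and also flags CIDRs that are malformed or fall outside the RFC 1918 private ranges, which is an assumption about HVN requirements rather than something this page states. The dict shape of the HVN records is constructed for the example.

```python
import ipaddress

# RFC 1918 private blocks; the requirement that HVN CIDRs fall inside them
# is an assumption for this example, not a statement from the page.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_dr_hvn_pair(primary, dr):
    """Return a list of problems for a primary/DR HVN pair; an empty list means OK.
    Each HVN is a dict with provider, region and cidr keys (constructed shape)."""
    problems = []
    if primary["provider"] != dr["provider"]:
        problems.append("DR HVN must use the same provider as the primary HVN")
    if primary["region"] == dr["region"]:
        problems.append("DR HVN must be in a different region than the primary HVN")
    nets = {}
    for role, hvn in (("primary", primary), ("dr", dr)):
        try:
            # strict=True rejects a block with host bits set, e.g. 172.25.16.5/24
            nets[role] = ipaddress.ip_network(hvn["cidr"], strict=True)
        except ValueError as exc:
            problems.append(f"{role} CIDR invalid: {exc}")
            continue
        if not any(nets[role].subnet_of(block) for block in RFC1918):
            problems.append(f"{role} CIDR {nets[role]} is not inside an RFC 1918 range")
    # Overlapping ranges between the primary and DR HVN are rejected by HCP.
    if len(nets) == 2 and nets["primary"].overlaps(nets["dr"]):
        problems.append(f"CIDR blocks overlap: {nets['primary']} and {nets['dr']}")
    return problems

# The two HVNs used in this tutorial.
PRIMARY_HVN = {"name": "hvn-aws-us-west-2", "provider": "aws", "region": "us-west-2", "cidr": "172.25.16.0/24"}
DR_HVN = {"name": "hvn-aws-us-east-2", "provider": "aws", "region": "us-east-2", "cidr": "172.25.17.0/24"}

if __name__ == "__main__":
    print(check_dr_hvn_pair(PRIMARY_HVN, DR_HVN) or "DR HVN pair is valid")
```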
Create cluster with cross-region DR
Click Vault Dedicated.
Under Start from scratch click Create cluster.
Select Amazon Web Services as the Provider.
Select Standard for the Vault tier.
Select hvn-aws-us-west-2 for the Network.
Click the toggle switch to enable the Backup network.
Click the pulldown menu and select hvn-aws-us-east-2.
Click Create cluster. The new cluster deployment and initialization process begins.
When the cluster initialization completes, the Cluster networking pane displays the active HVN and the Backup network.
HashiCorp manages the disaster response. If a disaster is declared, HashiCorp will failover to the cross-region DR replica. Failover to the DR replica is transparent for any workloads accessing Vault once the failover is complete. When the disaster has been resolved, HashiCorp will fail back to the primary cluster.
Refer to the HCP Vault Dedicated documentation for additional cross-region DR considerations.
Note
The remainder of this tutorial assumes that you created and connected to the HCP Vault cluster in the Create a Vault Cluster on HashiCorp Cloud Platform (HCP) tutorial.
Lock and unlock the Vault cluster
Intrusion detection or data breaches may require you to lock your HCP Vault Dedicated cluster. API lock functions similarly to Vault sealing by preventing normal Vault operations but still allowing the HCP platform access to perform upgrades and snapshots.
Warning
Locking a cluster prevents customer access to the cluster until it is unlocked.
Lock the cluster
Under Quick actions, click API Lock.
A Lock API? pop-up dialog displays a warning and explanation of the locking operation.
Enter LOCK into the Confirm lock field.
Click Lock to proceed. When it completes, the cluster state changes to Locked.
Unlock the cluster
In the Vault cluster is locked notification, click Unlock.
A pop-up dialog displays a warning and explanation of the unseal operation.
Enter UNLOCK into the Confirm unlock field.
Click Unlock.
The Vault cluster unlocks. The Vault Overview page displays the Vault configuration and available operations.
Scale an HCP Vault Dedicated cluster up or down
Note
Scaling your HCP Vault Dedicated cluster to a higher tier will increase the hourly charges for your HCP account. Please review carefully before committing any changes to your HCP Vault Dedicated cluster.
Vault Dedicated cluster scaling allows you to scale your cluster up or down to meet organizational needs. You can scale between cluster tiers (e.g. dev to starter, starter to standard) and between cluster sizes (e.g. standard small to standard medium).
Note
HCP Vault Dedicated clusters can be scaled up from the development tier to a larger tier; however, starter, standard, or plus tier clusters cannot be scaled down to the development tier.
Cluster scaling is fully managed by the HashiCorp Cloud Platform and performed with no downtime, meaning you can continue to utilize Vault Dedicated while the cluster is being scaled up or down. Cluster scaling is available from the HCP Portal and Terraform when using version 0.21.1 or higher of the HCP Terraform provider.
Follow these steps in the HCP Portal to scale your cluster up from the dev tier cluster created in the Create a Vault Cluster on HCP tutorial.
Navigate to the Overview page for your Vault Dedicated cluster.
Click Manage and then select Edit configuration.
Scroll down to view the Cluster Tier pulldown menu.
Click the pulldown menu and select the Standard tier. In the Cluster Size pulldown menu you will see multiple supported sizes. You can scale the Vault Dedicated cluster up and down between the available sizes within a tier, or scale between different tiers. You can scale up from the development tier to another tier but you cannot scale back down to the development tier.
Click Next.
The Review changes screen provides an overview of the requested changes and the pricing differences between the two tiers.
Click Apply changes. You will be returned to the Overview screen.
The cluster will begin updating. This process will take several minutes.
Note
If the cluster status section displays the status as Running, refresh the browser window/tab.
Wait for the cluster to complete the scale up process and then move on to the next section.
Data snapshots
Preserving Vault data is critical to production operations and particularly for disaster or sabotage recovery purposes. Vault Dedicated offers snapshot functionality for the underlying storage to preserve data based on your requirements.
Note
Snapshots are not available for development tier clusters.
Create snapshot
After completing the Scale an HCP Vault Dedicated cluster up or down section, you can follow these steps to manually snapshot your Vault data as needed.
Click Snapshots in the left navigation pane.
The view displays a history of the snapshots created.
Click Create snapshot.
A Create snapshot pop-up dialog displays.
Enter tutorial in the Snapshot name field and click Create snapshot.
The view displays the snapshot history. The latest snapshot is appended to the snapshot list. While the snapshot is in progress it will display a Pending animation in the Status column.
Note
The time needed for the snapshot to complete can vary and largely depends on the size of the data stored in your Vault cluster.
When the snapshot operation completes the Status changes to Stored.
Note
HCP persists the snapshots for up to 30 days after creation, checks every 24 hours, and prunes expired snapshots.
Restore snapshot
You can use the snapshots to restore data if it ever becomes necessary.
Click the Snapshots link in the left navigation pane.
Click the ellipsis (...) menu next to the tutorial snapshot entry, and choose Restore.
A confirmation dialog appears; enter RESTORE and click Restore snapshot to confirm restoration.
A message will appear informing you that the restore process has started.
Delete snapshot
Click the Snapshots link in the left navigation pane.
Click the ellipsis (...) menu next to the tutorial snapshot, and choose Delete.
A confirmation dialog appears; enter DELETE and click Delete snapshot to confirm snapshot deletion.
A Snapshot deleting dialog appears. Once the snapshot is deleted, it no longer appears in the snapshot list.
Access the audit log for troubleshooting
Note
Audit logging is not available on Development tier clusters.
Effective troubleshooting of requests and responses to Vault requires access to the audit device logs.
Vault Dedicated enables a File Audit Device by default. This device provides the last hour of Vault requests in a downloadable archive. These logs may be imported into your preferred tooling for auditing and troubleshooting.
From the Vault cluster overview page, click Audit Logs.
From the Audit logs page, click Select logs in the Download audit logs box.
A Download audit logs pop-up dialog displays.
Use the Start date and Start time components to specify the audit log starting position. The log file will cover a 1 hour period after the date and time that you select.
Once you have selected the desired Start date and Start time, click Generate logs.
When the archive is created, a new Download audit logs pop-up dialog displays. The archive is presented with the specific time-frame covered by the log file.
Note
The file is only available to download for 10 minutes; after this time elapses, you must begin the download process from the first step.
Click the download icon.
The downloaded file is gzip compressed. Its filename contains the start and end timestamps of the covered period (e.g. auditlogs-vault-cluster-202102021400-202102021500.gz).
Refer to the HCP Vault Dedicated Monitoring tutorial collection to learn how to stream audit logs to Datadog, Grafana Cloud, or Splunk.
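A small troubleshooting helper for the downloaded archive, added here as an example and not code from HashiCorp: it recovers the covered time window from the archive name shown above and walks the gzip'd file audit device log (one JSON object per line) to count requests per path and pull out responses that carried an error. The sample entries are constructed in the shape of Vault audit log lines, not real HCP output, and the error text is an assumed example.

```python
import gzip
import io
import json
import re
from collections import Counter
from datetime import datetime
# Archive name format shown on the page: auditlogs-<cluster>-<start>-<end>.gz
ARCHIVE_RE = re.compile(r"^auditlogs-(?P<cluster>.+)-(?P<start>\d{12})-(?P<end>\d{12})\.gz$")

def parse_archive_name(name):
    """Return (cluster, start, end) parsed from an HCP audit log archive name."""
    m = ARCHIVE_RE.match(name)
    if not m:
        raise ValueError(f"unexpected archive name: {name}")
    fmt = "%Y%m%d%H%M"
    return (m.group("cluster"),
            datetime.strptime(m.group("start"), fmt),
            datetime.strptime(m.group("end"), fmt))

def summarize_audit(gz_bytes):
    """Count requests per path and collect error responses (one JSON object per line)."""
    by_path, errors = Counter(), []
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="utf-8") as fh:
        for line in fh:
            if not line.strip():
                continue
            entry = json.loads(line)
            path = entry.get("request", {}).get("path", "<none>")
            if entry.get("type") == "request":
                by_path[path] += 1
            elif entry.get("type") == "response" and entry.get("error"):
                errors.append((path, entry["error"]))
    return {"requests_by_path": dict(by_path), "errors": errors}
# Constructed sample entries in the shape of Vault audit log lines, not real HCP output.
SAMPLE_ENTRIES = [
    {"type": "request", "request": {"operation": "read", "path": "secret/data/app"}},
    {"type": "response", "request": {"path": "secret/data/app"}, "response": {}},
    {"type": "request", "request": {"operation": "update", "path": "sys/policies/acl/admin"}},
    {"type": "response", "request": {"path": "sys/policies/acl/admin"},
     "error": "1 error occurred:\n\t* permission denied\n\n"},
]

def build_sample_archive():
    """Gzip the constructed entries into bytes, like a downloaded archive."""
    buf = io.BytesIO()
    with gzip.open(buf, "wt", encoding="utf-8") as fh:
        for entry in SAMPLE_ENTRIES:
            fh.write(json.dumps(entry) + "\n")
    return buf.getvalue()
```

Point summarize_audit at the bytes of a real downloaded archive to get the same summary for a one-hour window.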
Manage major version upgrades
There are scenarios where major version upgrades of the Vault cluster can potentially affect the behavior of Vault clients. For example, the returned JSON output may contain a new field. These changes may require additional testing or operational updates to leverage the enhanced behaviors.
When running Vault Dedicated on either the Standard or Plus tiers, you can manage when the Vault cluster will be upgraded.
Note
Major version upgrade settings are available on either the Standard or Plus tier. If you would like to follow this tutorial, upgrade your Vault cluster to the Standard or Plus tier.
Log into the HCP Portal and navigate to the Vault Overview page.
Click the cluster ID link for a Vault Dedicated cluster that is on the Standard or Plus tier.
From the Vault cluster Overview page, click Upgrade settings.
Click Edit settings.
You can choose between three options to control when your cluster will be upgraded.
Automatic will upgrade the cluster as new versions of Vault are validated for HCP.
Manual allows you to initiate the upgrade on any day or time of your choosing, but the cluster will be automatically upgraded after 30 days.
Scheduled allows you select a day and time window in which the upgrade will be performed.
Select Manual and click Apply changes.
Note
The remainder of these steps are for demonstration purposes only. You can follow these steps after a new version of Vault becomes available.
Click Overview.
When a cluster is set to manual and a new upgrade is detected, you will receive a notification that an upgrade is available with an Upgrade now button.
HCP Portal users will also receive an email notification that the upgrade is available.
Click Upgrade now. A dialog will appear with a link to the changelog and upgrade guide so you can review any changes that may impact your usage of Vault Dedicated.
Click Upgrade now to begin the automated upgrade process.
When the upgrade process completes, a new notification will appear with a link to the release notes.
HCP Portal users will also receive an email notification that the upgrade is complete.
Help and reference
You learned how to perform the basic operational tasks for Vault Dedicated.
The next step is to set up a VPC peering or Transit Gateway connection between your HVN and the VPC where your applications run. You can set it up manually or via Terraform. Visit the HCP Vault Dedicated Operations collection to learn how to connect to Vault Dedicated clusters.
To learn how to monitor your Vault Dedicated cluster, visit the HCP Vault Monitoring documentation.
The Policies collection lists additional tutorials that cover more advanced Vault policy examples.
Vault offers a number of secrets engines. To learn more, visit the Secrets Management collection and learn how to enable and configure secrets engines that you are interested in.
When you are ready to integrate your applications to read secrets from Vault, visit the App Integration collection for examples.