mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-22 23:21:08 +02:00
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
98 lines
4.3 KiB
Plaintext
---
layout: docs
page_title: Use performance standby nodes
description: >-
  Use performance standby nodes with Vault Enterprise clusters for high
  availability.
---

> [!IMPORTANT]
> **Documentation Update:** Product documentation, which was located in this repository under `/website`, is now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be made in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.

# Use performance standby nodes

@include 'alerts/enterprise-and-hcp.mdx'

Vault supports a multi-server mode for high availability. This mode protects
against outages by running multiple Vault servers. High availability mode
is automatically enabled when using a data store that supports it. You can
learn more about HA mode on the [Concepts](/vault/docs/concepts/ha) page.

Vault Enterprise offers additional features that allow HA nodes to service
read-only requests on the local standby node. Read-only requests are requests
that do not modify Vault's storage.

## Server-to-Server communication

Performance Standbys require the request forwarding method described in the [HA
Server-to-Server](/vault/docs/concepts/ha#server-to-server-communication) docs.
Unlike regular standby nodes, performance standbys will **not** respect the
`X-Vault-No-Request-Forwarding` header.

A performance standby connects to the active node over the existing request
forwarding connection. If the active node selects it for promotion to a
performance standby, it is handed a newly generated private key and certificate
for use in creating a new mutually authenticated TLS connection to the cluster
port. This connection is used to send updates from the active node to the
standby.

## Request forwarding

A Performance Standby attempts to process the requests it receives. If a
storage write is detected, the standby forwards the request over the cluster
port connection to the active node. If the request is read-only, the Performance
Standby handles the request locally.

Sending requests to Performance Standbys that result in forwarded writes will be
slightly slower than going directly to the active node. A client that knows the
behavior of a call in advance can choose to send the request to the appropriate
node.

### Direct access

A Performance Standby tags itself as such in Consul if service registration
is enabled. To reach the set of Performance Standbys, use the
`performance-standby` tag. For example, to send requests only to the performance
standbys, `https://performance-standby.vault.dc1.consul` could be used (the host
name may vary based on Consul configuration).

### Behind load balancers

Additionally, if you wish to point your load balancers at performance standby
nodes, you can use the `sys/health` endpoint to determine whether a node is a
performance standby. See the [sys/health API](/vault/api-docs/system/health) docs for
more info.

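An added example (not part of the Vault documentation or code base) of the health-check decision described above: it sorts `sys/health` probe results into load-balancer pools. The status codes and body fields follow the sys/health API docs; the pool names, node names, sample responses and the choice to keep regular standbys out of both pools are assumptions made for this example.

```python
import json

# Default sys/health status codes documented in Vault's API reference.
ACTIVE, STANDBY, DR_SECONDARY, PERF_STANDBY = 200, 429, 472, 473
UNINITIALIZED, SEALED = 501, 503


def classify(status_code, body_text):
    """Map one sys/health probe to a pool: 'write', 'read' or 'out'."""
    if status_code in (UNINITIALIZED, SEALED, DR_SECONDARY):
        return "out"
    try:
        body = json.loads(body_text)
    except (TypeError, ValueError):
        body = None
    if not isinstance(body, dict):
        body = {}  # unreadable body: fall back to the status code alone
    if body.get("sealed") is True or body.get("initialized") is False:
        return "out"
    # The body wins over the code: with ?perfstandbyok=true a performance
    # standby answers 200, so the code alone cannot identify the active node.
    if body.get("performance_standby") is True or status_code == PERF_STANDBY:
        return "read"
    if status_code == STANDBY or body.get("standby") is True:
        return "out"  # regular standby forwards every request (assumed policy)
    return "write" if status_code == ACTIVE else "out"


def build_pools(probes):
    """Group node names by pool; the active node also serves reads."""
    pools = {"write": [], "read": [], "out": []}
    for node, (code, body) in sorted(probes.items()):
        pools[classify(code, body)].append(node)
    pools["read"] = sorted(pools["read"] + pools["write"])
    return pools


# Constructed probe results: node names and response bodies are made up.
SAMPLE_PROBES = {
    "vault-0": (200, '{"initialized": true, "sealed": false, "standby": false, "performance_standby": false}'),
    "vault-1": (473, '{"initialized": true, "sealed": false, "standby": true, "performance_standby": true}'),
    "vault-2": (200, '{"initialized": true, "sealed": false, "standby": true, "performance_standby": true}'),
    "vault-3": (429, '{"initialized": true, "sealed": false, "standby": true, "performance_standby": false}'),
    "vault-4": (503, '{"initialized": true, "sealed": true, "standby": true}'),
    "vault-5": (473, ""),  # body lost in transit; the status code still decides
}
```

`vault-2` is the case to watch: it was probed with `perfstandbyok=true`, so it returns 200, and a check that trusts the status code alone would place it in the write pool, where every write pays the forwarding cost.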
## Disabling performance standbys

To disable performance standbys, set the `disable_performance_standby` flag to
true in the Vault config file. This tells a standby not to attempt to enable
performance mode and tells an active node not to allow any performance standby
connections.

This setting should be synced across all nodes in the cluster.

## Monitoring performance standbys

To verify that your node is a performance standby, use the `vault status`
command:

```shell-session
$ vault status
Key                                    Value
---                                    -----
Seal Type                              shamir
Sealed                                 false
Total Shares                           1
Threshold                              1
Version                                0.11.0+ent
Cluster Name                           vault-cluster-d040e74c
Cluster ID                             9f82e03b-71fb-97a6-9c5a-46fa6715d6e4
HA Enabled                             true
HA Cluster                             https://127.0.0.1:8201
HA Mode                                standby
Active Node Address                    http://127.0.0.1:8200
Performance Standby Node               true
Performance Standby Last Remote WAL    380329
```