HashiCorp Certified: Vault Associate Certification

Vault Replication

Replication Architecture

Vault supports two replication modes—performance and disaster recovery (DR)—to scale reads and provide robust failover. In this guide, we’ll cover:

  1. Conceptual overview
  2. Reference topologies (cloud & on-premises)
  3. Networking requirements

Performance vs. DR Replication

Vault replication modes at a glance:

Mode              | Use Case                                   | What Replicates                       | Promotion Behavior
------------------+--------------------------------------------+---------------------------------------+--------------------------------------------
Performance       | Scale reads, reduce latency in local sites | Data (secrets, configs)               | N/A
Disaster Recovery | Failover with token and lease preservation | Data + Tokens (from any cluster tier) | DR replica becomes new primary on promotion

Token Behavior

  • Tokens created on a primary or performance cluster replicate only to their DR cluster.
  • Performance secondaries never receive tokens directly from the primary.
  • Promoting a DR cluster restores all tokens and leases for uninterrupted operation.

Clients always connect to their local cluster for both reads and writes. On failure, you promote the regional DR to primary.


Example: Two Data Centers

Imagine two sites, A and B. Site A hosts the primary and its DR replica; site B hosts a performance replica and its DR replica:

  1. Primary in Data Center A
  2. Performance Replica in Data Center B
  3. DR Replica for Primary in Data Center A
  4. DR Replica for Performance in Data Center B

Flow:

  • Clients in A → Primary; Clients in B → Performance Replica
  • Primary → Performance Replica (data only)
  • Primary & Performance → their DR clusters (data + tokens)
  • On outage, promote the corresponding DR to restore service

AWS Regional Replication

A common AWS pattern spans two regions, each with local DR:

Figure: map of the United States with AWS clusters on the east and west coasts and replication arrows between them.

  • us-east-1: Primary + DR
  • us-west-1: Performance Replica + DR

Global Deployment

For global scale, replicate from one primary to multiple regions, each with its own DR:

Figure: world map of data and performance replication between Dallas and London, showing primary and DR clusters.

Start with Dallas → London (with DR):

Figure: map of data and performance replication between Dallas, London, and Sydney, showing primary and DR roles at each site.

Extend further to Sydney, maintaining consistent policies, auth methods, secrets engines, and configurations across all clusters.


Real-World On-Premises Examples

Customer A: VMware Active-Active

High-availability with VMware clusters across two data centers:

Figure: replication between two VMware-based data centers, with production and non-production environments.

  • Production DC A: Primary + DR
  • Production DC B: Performance Replica + DR
  • Non-Prod: QA and sandbox mirrors for testing

Customer B: On-Premises to AWS

Hybrid topology connecting on-premises primary to AWS:

Figure: on-premises production, non-production, and QA environments replicating to AWS.

  • On-Prem Production: Primary + DR
  • AWS: Performance Replica + DR
  • Non-Prod & QA: Separate clusters for dev and testing

Networking Requirements

Replicating Vault clusters requires only basic TCP connectivity and DNS resolution between the peers:

Figure: networking requirements between a primary cluster and its DR replication cluster (DNS resolution and the TCP ports listed below).

Network Security

  • Open TCP 8200 and 8201 bi-directionally between clusters.
  • Restrict access using firewalls or security groups.
  • Ensure each cluster can resolve its peers’ DNS names.

Port Reference

Source                        | Destination                    | Port   | Protocol | Direction      | Purpose
------------------------------+--------------------------------+--------+----------+----------------+-----------------------
Vault → Vault (bootstrapping) | Peer Vault clusters            | 8200   | TCP      | Bi-directional | Cluster bootstrap
Vault → Vault (replication)   | Peer Vault clusters            | 8201   | TCP      | Bi-directional | Data & RPC forwarding
Client → Load Balancer        | Vault API endpoint             | 8200   | TCP      | Inbound        | Client operations
Load Balancer → Vault         | Vault API servers              | 8200   | TCP      | Internal       | Load balanced traffic
Vault → External Services     | Database secrets engines, etc. | varies | TCP      | Outbound       | Secrets engine access

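As an added example (not part of the course material), the following Python derives the firewall rules the two-data-center topology above needs from the port reference, then audits a constructed security-group ruleset for missing peer rules and replication ports left open to any source. Cluster names and CIDRs are constructed, and only the replication links are modeled, not load-balancer or secrets-engine traffic.

```python
from dataclasses import dataclass

# Ports from the course's port reference: 8200 (cluster bootstrap) and
# 8201 (replication data and RPC forwarding), both bi-directional.
REPLICATION_PORTS = (8200, 8201)

@dataclass(frozen=True)
class Cluster:
    name: str
    cidr: str  # constructed address range for the cluster's Vault nodes

@dataclass(frozen=True)
class Rule:
    src_cidr: str
    dst_cidr: str
    port: int

def required_rules(links):
    """Each replication link (primary->performance, primary->DR,
    performance->DR) needs 8200 and 8201 open in both directions."""
    rules = set()
    for a, b in links:
        for port in REPLICATION_PORTS:
            rules.add(Rule(a.cidr, b.cidr, port))
            rules.add(Rule(b.cidr, a.cidr, port))
    return rules

def audit(links, configured):
    """Compare a security-group ruleset with what the topology needs.
    Returns (missing, overly_broad): required rules the ruleset lacks, and
    replication-port rules that admit any source instead of a peer CIDR."""
    missing = required_rules(links) - set(configured)
    overly_broad = {r for r in configured
                    if r.port in REPLICATION_PORTS and r.src_cidr == "0.0.0.0/0"}
    return missing, overly_broad

# Constructed two-data-center topology (names and CIDRs are made up).
PRIMARY_A = Cluster("primary-dca", "10.1.0.0/24")
DR_A = Cluster("dr-dca", "10.1.1.0/24")
PERF_B = Cluster("perf-dcb", "10.2.0.0/24")
DR_B = Cluster("dr-dcb", "10.2.1.0/24")
LINKS = [(PRIMARY_A, PERF_B), (PRIMARY_A, DR_A), (PERF_B, DR_B)]

# Constructed ruleset: the 8201 return path from DC B to the primary was
# forgotten, and bootstrap on the primary was opened to the world.
FORGOTTEN = Rule(PERF_B.cidr, PRIMARY_A.cidr, 8201)
CONFIGURED = [r for r in required_rules(LINKS) if r != FORGOTTEN]
CONFIGURED.append(Rule("0.0.0.0/0", PRIMARY_A.cidr, 8200))
```

Calling `audit(LINKS, CONFIGURED)` reports the forgotten DC B → primary 8201 rule as missing and the 0.0.0.0/0 bootstrap rule as overly broad; a ruleset equal to `required_rules(LINKS)` passes clean.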

