Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Multi-Account, Multi-Region, Multi-Runtime

Rosemary Wang
January 25, 2024
Technology
1
13

Multi-Account, Multi-Region, Multi-Runtime

Originally presented at NJ HashiCorp User Group, January 2024.

Rosemary Wang

January 25, 2024
Tweet

More Decks by Rosemary Wang

See All by Rosemary Wang
Can You Test Your Infrastructure as Code?
joatmon08
1
11
Building a multi-account, multi-runtime service-oriented architecture
joatmon08
0
9
Choose Your Own Abstraction: Iterating on Developer Experience
joatmon08
0
13
Break Glass, Repair Fast, Reconcile Automation
joatmon08
2
24
Building a Developer Platform? Ask these questions.
joatmon08
0
10
From Cloud-Hosted to Cloud-Native
joatmon08
0
44
Refactoring Applications for Dynamic Secrets
joatmon08
1
29
Catching Commits to Secure Infrastructure as Code
joatmon08
1
39
Minimum Secure Pipeline
joatmon08
0
63

Other Decks in Technology

See All in Technology
GraphQL 成熟度モデルの紹介と、プロダクトに当てはめた事例 / GraphQL maturity model
mh4gf
7
1.4k
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
200
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
1
250
KubeConにproposalを送りたい人へのアドバイス
sat
PRO
3
260
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
5
540
LLM開発・活用の舞台裏@2024.04.25
yushin_n
2
740
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
570
Terraformあれやこれ/terraform-this-and-that
emiki
8
1.5k
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
260
地理空間データ可視化・解析・活用ソリューション Pacific Spatial Solutions (PSS)
pacificspatialsolutions
0
300
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
1.3k
Java EE/Jakarta EEの現状と将来 ―クラウドネイティブ時代にJava EEは対応できるのか?―
takakiyo
1
170

Featured

See All Featured
Done Done
chrislema
178
15k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
RailsConf 2023
tenderlove
4
540
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
17
1.4k
KATA
mclloyd
15
12k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
What's in a price? How to price your products and services
michaelherold
237
11k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
241
1.2M
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
Building Flexible Design Systems
yeseniaperezcruz
319
37k

Transcript

  1. © 2023 HASHICORP 1 Multi-Account, Multi-Region, Multi-Runtime Rosemary Wang Developer

    Advocate at HashiCorp @joatmon08 | joatmon08.github.io

  2. © 2023 HASHICORP 2 Consul 01

  3. © 2023 HASHICORP dev 3 kubernetes admin partition default namespace

    service-1 namespace virtual-machine admin partition service-2 namespace default admin partition default namespace prod kubernetes admin partition default namespace service-1 namespace virtual-machine admin partition service-2 namespace default admin partition default namespace

  4. © 2023 HASHICORP

  5. © 2023 HASHICORP 5 us-east-1 kubernetes admin partition default namespace

    service-1 namespace virtual-machine admin partition service-2 namespace default admin partition us-west-2 kubernetes admin partition default namespace service-1 namespace virtual-machine admin partition service-2 namespace default admin partition cluster peering

  6. © 2023 HASHICORP developer.hashicorp.com/consul/docs/k8s/connect/cluster-peering/tech-specs

  7. © 2023 HASHICORP

  8. © 2023 HASHICORP & the “Gotchas” • Prior recommendation: WAN

    Federation • Mesh gateway per admin partition • Export services across partition • Assign IP address per service instance • Peer between non-prod / prod? 8 Technical Considerations

  9. © 2023 HASHICORP developer.hashicorp.com/consul/docs/enterprise/admin-partitions

  10. © 2023 HASHICORP

  11. © 2023 HASHICORP developer.hashicorp.com/consul/docs/enterprise/admin-partitions

  12. © 2023 HASHICORP 12 Vault 02

  13. © 2023 HASHICORP 13 dev /shared namespace /service-1 namespace /service-1/shared

    namespace prod /shared namespace /service-1 namespace /service-1/shared namespace

  14. © 2023 HASHICORP developer.hashicorp.com/vault/docs/enterprise/namespaces

  15. © 2023 HASHICORP 15 us-east-1 /boundary path /consul path /prod

    path /prod/service-1 path /prod/kubernetes path us-west-2 /boundary path /consul path /prod path /prod/service-1 path /prod/kubernetes path Terraform / Other Automation

  16. © 2023 HASHICORP 16 us-east-1 /boundary namespace /consul namespace /prod

    namespace /prod/service-1 namespace /prod/kubernetes namespace us-west-2 /boundary namespace /consul namespace /prod namespace /prod/service-1 namespace /prod/kubernetes namespace replication developer.hashicorp.com/vault/docs/enterprise/replication

  17. © 2023 HASHICORP

  18. © 2023 HASHICORP

  19. © 2023 HASHICORP

  20. © 2023 HASHICORP & the “Gotchas” • Replicate configuration, policies,

    secrets engines • Does not replicate leases or tokens • To avoid replication… ◦ Top-level paths filter (globally enforced) ◦ Create secrets engine with -local option • Nest namespaces vs. replicate across non-prod / prod • Database replication versus database secrets engine 20 Technical Considerations

  21. © 2023 HASHICORP 21 us-east-1 /database/customers us-west-2 /database/customers prod "CREATE

    ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";"

  22. © 2023 HASHICORP 22 us-east-1 /database/customers us-west-2 /database/customers prod "CREATE

    ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";" Cross-region DNS / Load Balancer

  23. © 2023 HASHICORP 23 us-east-1 /database/customers us-west-2 /database/customers prod "CREATE

    ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";" prod read replica

  24. © 2023 HASHICORP 24 us-east-1 /database/customers us-west-2 /database/customers prod "CREATE

    ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";" prod write replica* *depends on database

  25. © 2023 HASHICORP 25 us-east-1 /database/customers prod "CREATE ROLE \"{{name}}\"

    WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";" developer.hashicorp.com/vault/docs/agent-and-proxy/proxy/apiproxy vault proxy

  26. © 2023 HASHICORP 26 Boundary 03

  27. © 2023 HASHICORP primary us-east-1 27 controllers primary Boundary database

    cross-region load balancer with failover config standby us-west-2 controllers standby Boundary database read replica (promote on failover) developer.hashicorp.com/boundary/docs/install-boundary/fault-tolerance

  28. © 2023 HASHICORP global 28 customer organization dev, us-east-1 worker

    dev-us-east-1 project dev, us-west-2 worker dev-us-west-2 project prod, us-east-1 worker dev-us-east-1 project prod, us-west-2 worker prod-us-west-2 project payment organization dev, us-east-1 worker dev-us-east-1 project dev, us-west-2 worker dev-us-west-2 project prod, us-east-1 worker dev-us-east-1 project prod, us-west-2 worker prod-us-west-2 project

  29. © 2023 HASHICORP & the “Gotchas” • (Current) Access Boundary

    cluster in single region • Use worker tags to identify region, runtime, etc. • Separate regions into projects / organizations for control • Separate non-prod / prod (clusters vs. scopes) 29 Technical Considerations

  30. © 2023 HASHICORP 30 github.com/ jcolemorrison/ foundational-soa

  31. © 2023 HASHICORP Thank you [email protected]