Slide 1

© 2023 HASHICORP
Multi-Account, Multi-Region, Multi-Runtime
Rosemary Wang, Developer Advocate at HashiCorp
@joatmon08 | joatmon08.github.io

Slide 2

01 Consul

Slide 3

Diagram: dev and prod environments, each with the same Consul admin partitions: kubernetes (default and service-1 namespaces), virtual-machine (service-2 namespace) and default (default namespace).

Slide 4


Slide 5

Diagram: us-east-1 and us-west-2 clusters, each with the same admin partitions (kubernetes: default and service-1 namespaces; virtual-machine: service-2 namespace; default), connected by cluster peering.

Slide 6

developer.hashicorp.com/consul/docs/k8s/connect/cluster-peering/tech-specs

Slide 7


Slide 8

Technical Considerations & the “Gotchas”
● Prior recommendation: WAN Federation
● Mesh gateway per admin partition
● Export services across partition
● Assign IP address per service instance
● Peer between non-prod / prod?
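An exported-services config entry, added here as an illustration and not taken from the deck, for the partition layout on slides 3 and 5: service-1 in the kubernetes partition is exported to the virtual-machine partition in the same cluster and to the peered cluster in the other region; the peer name us-west-2 is an assumption.

```hcl
# Added example, not from the deck. Consul Enterprise exported-services
# config entry, written in the kubernetes admin partition of the us-east-1
# cluster (names from slides 3 and 5; the peer name is assumed).
# Apply with: consul config write exported-services.hcl

Kind      = "exported-services"
Partition = "kubernetes"   # partition that owns the exported services
Name      = "kubernetes"   # for this Kind, Name must equal the partition

Services = [
  {
    Name      = "service-1"
    Namespace = "service-1"   # namespace inside the kubernetes partition
    Consumers = [
      # Same cluster, different admin partition. Traffic crosses the
      # mesh gateway of each partition (one gateway per partition, slide 8).
      { Partition = "virtual-machine" },

      # Peered cluster in the other region (slide 5). "us-west-2" is the
      # name given to the peering when it was established; assumed here.
      { Peer = "us-west-2" }
    ]
  }
]

# Exporting only makes the service discoverable in the consuming partition
# or peer. Whether a downstream there may actually call service-1 is still
# decided by service intentions, so pair this entry with an explicit
# intention for service-1 rather than relying on a permissive default.
```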

Slide 9

developer.hashicorp.com/consul/docs/enterprise/admin-partitions

Slide 10


Slide 11

developer.hashicorp.com/consul/docs/enterprise/admin-partitions

Slide 12

02 Vault

Slide 13

Diagram: dev and prod Vault clusters, each with the namespaces /shared, /service-1 and /service-1/shared.

Slide 14

developer.hashicorp.com/vault/docs/enterprise/namespaces

Slide 15

Diagram: us-east-1 and us-west-2 Vault clusters, each with the paths /boundary, /consul, /prod, /prod/service-1 and /prod/kubernetes, kept in sync by Terraform / other automation.

Slide 16

Diagram: us-east-1 and us-west-2 Vault clusters, each with the namespaces /boundary, /consul, /prod, /prod/service-1 and /prod/kubernetes, kept in sync by replication.
developer.hashicorp.com/vault/docs/enterprise/replication

Slide 17


Slide 18


Slide 19


Slide 20

Technical Considerations & the “Gotchas”
● Replicate configuration, policies, secrets engines
● Does not replicate leases or tokens
● To avoid replication…
  ○ Top-level paths filter (globally enforced)
  ○ Create secrets engine with -local option
● Nest namespaces vs. replicate across non-prod / prod
● Database replication versus database secrets engine

Slide 21

Diagram: /database/customers in us-east-1 and /database/customers in us-west-2, both backed by the prod database, using the role creation statement:
"CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";"

Slide 22

Diagram: /database/customers in us-east-1 and /database/customers in us-west-2, both reaching the prod database through a cross-region DNS / load balancer, using the role creation statement:
"CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";"

Slide 23

Diagram: /database/customers in us-east-1 backed by the prod database, /database/customers in us-west-2 backed by a prod read replica, using the role creation statement:
"CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";"

Slide 24

Diagram: /database/customers in us-east-1 backed by the prod database, /database/customers in us-west-2 backed by a prod write replica* (*depends on database), using the role creation statement:
"CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";"
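As an added example (not the deck's own code), the /database/customers secrets engine from slides 21-24 declared with the Terraform Vault provider and mounted local to one cluster, which is the -local option from slide 20 that keeps the mount out of replication; the connection URL, variable names and TTLs are assumptions.

```hcl
# Added example, not from the deck: Terraform (Vault provider) for the
# /database/customers mount on slides 21-24. local = true is the equivalent
# of `vault secrets enable -local`: the mount is excluded from replication
# (slide 20), so each cluster is given its own copy pointing at that
# region's database endpoint. Variable values are placeholders.

variable "db_name" {
  type    = string
  default = "customers"
}

variable "db_connection_url" {
  type      = string
  sensitive = true
  # Vault fills the {{username}} / {{password}} templates itself, e.g.
  # "postgresql://{{username}}:{{password}}@prod-db.example.internal:5432/customers"
}

resource "vault_mount" "database" {
  path  = "database"
  type  = "database"
  local = true   # not replicated to performance secondaries
}

resource "vault_database_secret_backend_connection" "customers" {
  backend       = vault_mount.database.path
  name          = "customers"
  allowed_roles = ["customers"]   # only this role may use the connection

  postgresql {
    connection_url = var.db_connection_url
  }
}

resource "vault_database_secret_backend_role" "customers" {
  backend = vault_mount.database.path
  name    = "customers"
  db_name = vault_database_secret_backend_connection.customers.name

  # Creation statement from the slides. {{name}}, {{password}} and
  # {{expiration}} are filled in by Vault for each issued credential;
  # ${var.db_name} is interpolated by Terraform at plan time.
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";"
  ]

  # Leases are never replicated (slide 20), so a client that fails over to
  # the other region must request a fresh credential; keep TTLs short.
  default_ttl = 3600
  max_ttl     = 86400
}
```

Apply the same configuration once per cluster (for example through a provider alias per region) so that each region's local mount points at the database endpoint that region should use (primary, read replica or write replica, slides 22-24).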

Slide 25

Diagram: a single /database/customers in us-east-1 backed by the prod database, reached from the other region through vault proxy, using the role creation statement:
"CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT ALL PRIVILEGES ON ${var.db_name} TO \"{{name}}\";"
developer.hashicorp.com/vault/docs/agent-and-proxy/proxy/apiproxy

Slide 26

03 Boundary

Slide 27

Diagram: primary in us-east-1 (controllers and the primary Boundary database) and standby in us-west-2 (controllers and a standby Boundary database as a read replica, promoted on failover), behind a cross-region load balancer with failover configuration.
developer.hashicorp.com/boundary/docs/install-boundary/fault-tolerance

Slide 28

Diagram: global scope containing a customer organization and a payment organization. Each organization has the projects dev-us-east-1 (dev, us-east-1 worker), dev-us-west-2 (dev, us-west-2 worker), dev-us-east-1 (prod, us-east-1 worker) and prod-us-west-2 (prod, us-west-2 worker).

Slide 29

Technical Considerations & the “Gotchas”
● (Current) Access Boundary cluster in single region
● Use worker tags to identify region, runtime, etc.
● Separate regions into projects / organizations for control
● Separate non-prod / prod (clusters vs. scopes)
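A Boundary worker configuration, added as an illustration and not taken from the deck, for the dev, us-east-1 worker on slide 28, showing the worker tags from the second bullet above and the filter expression a target would use to pin sessions to it; the upstream address and KMS key are placeholders.

```hcl
# Added example, not from the deck: Boundary worker config for the
# dev, us-east-1 worker shown on slide 28. The tags make region,
# environment and runtime filterable from targets. Upstream address and
# KMS key id are placeholders.

disable_mlock = true

listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"   # session traffic from clients lands here
}

worker {
  name        = "dev-us-east-1"
  description = "dev workloads, us-east-1 region"

  # Controllers (or upstream workers) this worker connects to; placeholder.
  initial_upstreams = ["boundary-controller.example.internal:9201"]

  # Tags are key -> list of strings. Filters match them at /tags/<key>.
  tags {
    region  = ["us-east-1"]
    env     = ["dev"]
    runtime = ["kubernetes"]
  }
}

# Worker authentication for a KMS-led worker; replace with your key.
kms "awskms" {
  purpose    = "worker-auth"
  kms_key_id = "REPLACE_WITH_KMS_KEY_ID"
}

# On the target side, pin sessions to this class of worker with an
# egress worker filter such as:
#   "us-east-1" in "/tags/region" and "dev" in "/tags/env"
# so a target in the dev-us-east-1 project is never proxied through a
# prod worker or a worker in another region (slide 29, bullets 2 and 4).
```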

Slide 30

github.com/jcolemorrison/foundational-soa

Slide 31

Thank you
[email protected]