Manage HCP Vault Dedicated clusters
HashiCorp Cloud Platform (HCP) Vault provides access to critical operational tasks, such as locking the cluster, accessing audit logs, and managing data snapshots.
Enable cross-region disaster recovery
HCP Vault Dedicated supports cross-region disaster recovery (DR) on essentials or standard tier clusters in both AWS and Azure. Cross-region DR replicas must be in the same provider as the primary Vault cluster.
Cross-region DR allows you to enable high-availability for your HCP Vault Dedicated cluster, even when your selected cloud provider has a regional outage.
You must create the cross-region DR HVN in a different region than the primary cluster HVN.
Create primary HVN
Create an HVN in the preferred region for your primary cluster.
Launch the HCP Portal and login.
Select the organization and project where you want to create a HCP Vault Dedicated cluster with cross-region disaster recovery.
Click HashiCorp Virtual Networks.
Click Create network.
Enter hvn-primary in the Network name field.
Select your preferred cloud provider.
Select an east region for your provider from the Region selection dropdown menu.
Enter 172.25.16.0/24 in the CIDR block field.
Click Create network.
Create cross-region disaster recovery HVN
Enable cross-region DR by creating an HVN in a different region than your primary cluster.
Repeat the steps above to create a second HVN with the following details:
- Network name: hvn-dr
- Provider: Select the same cloud provider as the primary HVN.
- Region selection: Select a west region for your provider.
- CIDR block: 172.25.17.0/24
Click Back to Networks.
Create cluster with cross-region DR
Click Vault Dedicated.
Under Start from scratch click Create cluster.
Select the cloud provider you selected for the two HVNs as the Provider.
Select Standard for the Vault tier.
Select hvn-primary for the Network.
Click the toggle switch to enable the Backup network.
Click the pulldown menu and select hvn-dr.

Click Create cluster. The new cluster deployment and initialization process begins.
When the cluster initialization completes, the Cluster networking pane displays the active HVN and the Backup network.

HashiCorp manages the disaster response. If a disaster is declared, HashiCorp will failover to the cross-region DR replica. Failover to the DR replica is transparent for any workloads accessing Vault once the failover is complete. When the disaster has been resolved, HashiCorp will fail back to the primary cluster.
Refer to the HCP Vault Dedicated documentation for additional cross-region DR considerations.
Lock and unlock the Vault cluster
Intrusion detection or data breaches may require you to lock your HCP Vault Dedicated cluster. API lock functions similarly to Vault sealing by preventing normal Vault operations but still allowing the HCP platform access to perform upgrades and snapshots.
Lock the cluster
Under Quick actions, click API Lock.

A Lock API? pop-up dialog displays a warning and explanation of the locking operation.
Enter LOCK into the Confirm lock field.
Click Lock to proceed. When it completes, the cluster state changes to Locked.

Unlock the cluster
In the Vault cluster is locked notification, click Unlock.
A pop-up dialog displays a warning and explanation of the unlock operation.

Enter UNLOCK into the Confirm unlock field.
Click Unlock.
The Vault cluster unlocks. The Vault Overview page displays the Vault configuration and available operations.
Scale an HCP Vault Dedicated cluster up or down
Vault Dedicated cluster scaling allows you to scale your cluster up or down to meet organizational needs. You can scale between cluster tiers (e.g., dev to standard) and between cluster sizes (e.g., standard small to standard medium).
Cluster scaling is fully managed by the HashiCorp Cloud Platform and performed with no downtime, meaning you can continue to utilize Vault Dedicated while the cluster is being scaled up or down. Cluster scaling is available from the HCP Portal and Terraform when using version 0.21.1 or higher of the HCP Terraform provider.
Follow these steps in the HCP Portal to scale your cluster up from the dev tier cluster created in the Create a Vault Cluster on HCP tutorial.
Navigate to the Overview page for your Vault Dedicated cluster.
Click Manage and then select Edit configuration.
Scroll down to view the Cluster Tier pulldown menu.
Click the pulldown menu and select the Standard tier. In the Cluster Size pulldown menu you will see multiple supported sizes. You can scale the Vault Dedicated cluster up and down between the available sizes within a tier, or scale between different tiers. You can scale up from the development tier to another tier but you cannot scale back down to the development tier.
Click Next.
The Review changes screen provides an overview of the requested changes and the pricing differences between the two tiers.

Click Apply changes. You will be returned to the Overview screen.
The cluster will begin updating. This process will take several minutes.
Wait for the cluster to complete the scale up process and then move on to the next section.
Create data snapshots
Preserving Vault data is critical to production operations and particularly for disaster or sabotage recovery purposes. Vault Dedicated offers snapshot functionality for the underlying storage to preserve data based on your requirements.
Create snapshot
After completing the Scale an HCP Vault Dedicated cluster up or down tutorial, you can follow these steps to manually snapshot your Vault data as needed.
Click Snapshots in the left navigation pane.

The view displays a history of the snapshots created.
Click Create snapshot.

A Create snapshot pop-up dialog displays.
Enter tutorial in the Snapshot name field and click Create snapshot.
The view displays the snapshot history. The latest snapshot is appended to the snapshot list. While the snapshot is in progress it will display a Pending animation in the Status column.

When the snapshot operation completes the Status changes to Stored.
Restore snapshot
You can use the snapshots to restore data if it ever becomes necessary.
Click the Snapshots link in the left navigation pane.
Click the ellipsis (...) menu next to the tutorial snapshot entry, and choose Restore.

A confirmation dialog appears; enter RESTORE and click Restore snapshot to confirm restoration.
A message appears informing you that the restore process has started.

Delete snapshot
Click the Snapshots link in the left navigation pane.
Click the ellipsis (...) menu next to the tutorial snapshot, and choose Delete.

A confirmation dialog appears; enter DELETE and click Delete snapshot to confirm snapshot deletion.
A Snapshot deleting dialog appears. Once the snapshot is deleted, it no longer appears in the snapshot list.
Access the audit log for troubleshooting
Effective troubleshooting of requests and responses to Vault requires access to the audit device logs.
Vault Dedicated enables a File Audit Device by default. This device provides the last hour of Vault requests in a downloadable archive. These logs may be imported into your preferred tooling for auditing and troubleshooting.
From the Vault cluster overview page, click Audit Logs.
From the Audit logs page, click Select logs in the Download audit logs box.

A Download audit logs pop-up dialog displays.
Use the Start date and Start time components to specify the audit log starting position. The log file covers the one-hour period after the date and time that you select.

Once you have selected the desired Start date and Start time, click Generate logs.
When the archive is created, a new Download audit logs pop-up dialog displays. The archive is presented with the specific time-frame covered by the log file.
Click the download icon.

The downloaded file is gzip compressed. The filename contains the start and end timestamps (e.g. auditlogs-vault-cluster-202102021400-202102021500.gz).
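Once downloaded, the archive can be fed to your own tooling. The following Python is an added example, not part of this tutorial or of HCP itself; it assumes the archive uses the standard Vault file audit device layout of one JSON entry per line, and the sample entries it embeds are constructed placeholders rather than output from a real cluster. It tallies responses by operation and path, pulls out permission-denied events, and records which remote addresses each identity was seen from.

```python
import gzip
import io
import json
from collections import Counter, defaultdict

# Constructed sample entries in the Vault file audit device format (one JSON object per
# line). Real entries carry many more fields and HMAC-hashed tokens; these are placeholders.
SAMPLE_ENTRIES = [
    {"type": "response", "time": "2021-02-02T14:00:01Z",
     "auth": {"display_name": "token-ci", "policies": ["ci"]},
     "request": {"operation": "read", "path": "secret/data/app", "remote_address": "10.0.1.5"}},
    {"type": "response", "time": "2021-02-02T14:05:12Z",
     "auth": {"display_name": "token-ci", "policies": ["ci"]},
     "request": {"operation": "read", "path": "sys/policies/acl/root", "remote_address": "198.51.100.7"},
     "error": "1 error occurred:\n\t* permission denied\n\n"},
    {"type": "response", "time": "2021-02-02T14:07:40Z",
     "auth": {"display_name": "token-admin", "policies": ["root"]},
     "request": {"operation": "update", "path": "sys/policies/acl/ci", "remote_address": "10.0.1.9"}},
    {"type": "request", "time": "2021-02-02T14:09:00Z",  # request entries are skipped below
     "auth": {"display_name": "token-ci", "policies": ["ci"]},
     "request": {"operation": "read", "path": "secret/data/app", "remote_address": "10.0.1.5"}},
]

def build_archive(entries):
    """Gzip JSON-lines entries, mimicking the downloaded auditlogs-*.gz archive."""
    buf = io.BytesIO()
    with gzip.open(buf, "wt", encoding="utf-8") as f:
        for entry in entries:
            f.write(json.dumps(entry) + "\n")
    return buf.getvalue()

def summarize_audit_archive(data):
    """Tally response entries by operation/path, collect permission-denied events,
    and record which remote addresses each identity was seen from."""
    by_path, denied, addrs = Counter(), [], defaultdict(set)
    with gzip.open(io.BytesIO(data), "rt", encoding="utf-8") as f:
        for line in f:
            if not line.strip():
                continue
            entry = json.loads(line)
            if entry.get("type") != "response":  # count each request once, via its response
                continue
            req = entry.get("request", {})
            who = entry.get("auth", {}).get("display_name", "<unknown>")
            by_path[(req.get("operation"), req.get("path"))] += 1
            addrs[who].add(req.get("remote_address"))
            if "permission denied" in (entry.get("error") or ""):
                denied.append((entry["time"], who, req.get("path"), req.get("remote_address")))
    return {"by_path": by_path, "denied": denied, "addrs": {k: sorted(v) for k, v in addrs.items()}}
```

To run it against a real download, replace build_archive(SAMPLE_ENTRIES) with the bytes of the auditlogs-*.gz file.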
Manage major version upgrades
There are scenarios where major version upgrades of the Vault cluster can potentially affect the behavior of Vault clients. For example, the returned JSON output may contain a new field. These changes may require additional testing or operational updates to leverage the enhanced behaviors.
When running Vault Dedicated essentials or standard tier clusters, you can manage when to upgrade the Vault cluster. If you would like to follow this tutorial, upgrade your Vault cluster to the essentials or standard tier.
Log into the HCP Portal and navigate to the Vault Overview page.

Click the cluster ID link for a Vault Dedicated cluster that is on the essentials or standard tier.

From the Vault cluster Overview page, click Upgrade settings.

Click Edit settings.
You can choose between three options to control when your cluster will be upgraded.
Automatic will upgrade the cluster as new versions of Vault are validated for HCP.
Manual allows you to initiate the upgrade on any day or time of your choosing, but the cluster will be automatically upgraded after 60 days.
Scheduled allows you to select a day and time window in which the upgrade will be performed.
Select Manual and click Apply changes.
Click Overview.
When a cluster is set to manual and a new upgrade is detected, you will receive a notification that an upgrade is available with an Upgrade now button.

HCP Portal users will also receive an email notification that the upgrade is available.

Click Upgrade now. A dialog will appear with a link to the changelog and upgrade guide so you can review any changes that may impact your usage of Vault Dedicated.

Click Upgrade now to begin the automated upgrade process.

When the upgrade process completes, a new notification will appear with a link to the release notes.

HCP Portal users will also receive an email notification that the upgrade is complete.

Summary
In this series of tutorials you learned how to perform the basic operational tasks for Vault Dedicated.
Visit the Manage HCP Vault Dedicated collection to learn advanced configuration options for Vault Dedicated clusters.
Help and reference
Set up a private connection with your HVN to Amazon Web Services, Azure, and Google Cloud Platform.
Monitor your HCP Vault Dedicated cluster.
Create access control policies to manage access to Vault resources.
Enable secrets engines and learn how to enable, configure, store, and generate secrets.
Integrate your applications to read secrets from Vault using different methods.