Why use HCP Vault Dedicated
The HashiCorp Cloud Platform (HCP) allows you to deploy and consume various HashiCorp tools and services in a streamlined manner.
HCP Vault Dedicated is a fully managed implementation of Vault Enterprise. HashiCorp operates the infrastructure, allowing organizations to get up and running with Vault without having to plan the underlying infrastructure. HCP Vault provides a user experience consistent with a self-managed Vault cluster. You can use the same Vault clients to communicate with HCP Vault as you use to communicate with self-managed Vault.
In this series of tutorials, you will follow HashiCups, a fictitious company, as they learn how to create, access, and configure a Vault cluster managed on the HashiCorp Cloud Platform.
If you are already familiar with how to provision and access an HCP Vault cluster using the HCP Portal, visit the Manage HCP Vault Dedicated collection to dive deeper into HCP Vault management.
Scenario
HashiCups recently started reviewing HashiCorp Vault to help with the security of their applications. After learning about Vault's features, they want to understand the benefits of using HCP Vault compared to a self-managed Vault cluster.
The HashiCups team is made up of people from various roles on their platform engineering team, including:
- Alice: Head of the architect team, responsible for designing services, integrations, and developing processes.
- Oliver: Manager of the operations team, responsible for implementing tools and services based on the architect team's designs, and day-to-day operations.
- Danielle: Lead engineer on the development team, responsible for building and maintaining applications, implementing integrations with other services, and supporting third-party SDKs.
- Steve: Oversees the SRE team, responsible for ensuring the reliability, availability, and performance of the platform and applications through proper monitoring, alerting, and incident response.
If you are not familiar with Vault, review the Vault foundations series of tutorials to learn about basic Vault concepts.
Simplify deployments
The HashiCorp Cloud Platform reduces operational overhead compared to a self-managed Vault cluster. Select a cloud provider and a cluster size, and HCP manages the deployment and Vault updates for you.
Multiple connectivity options
There are different connectivity options once you deploy a new HCP Vault cluster.
Most organizations choose to configure their HCP Vault cluster using a private connection over a peering connection to their cloud provider. This allows workloads in AWS or Azure to access the HCP Vault cluster to retrieve secrets.
You can also connect other cloud providers using a VPN connection to a connected AWS or Azure account. This allows workloads running in the Google Cloud Platform, IBM Cloud, or other cloud providers to access the HCP Vault cluster over a private connection.
You can also choose to allow a public connection. With public connections enabled, the HCP Vault cluster will have an associated public address where clients can directly connect to Vault. When using a public connection, you should configure an IP allow list to limit access to your HCP Vault cluster from trusted IP addresses.
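The allow list recommended above is only as tight as its entries. The following is an added example, not HashiCorp code: a small audit that flags entries defeating the purpose of an allow list before you apply them. It assumes entries are CIDR strings; the /24 threshold, the function name, and the sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption for this example: IPv4 prefixes shorter than /24 count as broad.
MIN_PREFIX_V4 = 24

# Ranges that never appear as a source address on a public endpoint:
# RFC 1918, loopback, link-local, and carrier-grade NAT space.
NON_PUBLIC_V4 = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def audit_allow_list(entries, min_prefix_v4=MIN_PREFIX_V4):
    """Return {entry: [findings]} for allow-list entries that need review."""
    findings, accepted = {}, []
    for raw in entries:
        try:
            # strict=True rejects entries with host bits set (e.g. x.x.x.10/24)
            net = ipaddress.ip_network(raw.strip(), strict=True)
        except ValueError as exc:
            findings[raw] = [f"invalid CIDR: {exc}"]
            continue
        if net.prefixlen == 0:
            findings[raw] = ["matches every address; same as no allow list"]
            continue
        problems = []
        if net.version == 4 and net.prefixlen < min_prefix_v4:
            problems.append(f"broad range: {net.num_addresses} addresses")
        if net.version == 4 and any(net.overlaps(r) for r in NON_PUBLIC_V4):
            problems.append("overlaps non-public address space")
        for prev in accepted:
            # Only earlier entries are compared, so list wider ranges first.
            if prev.version == net.version and net.subnet_of(prev):
                problems.append(f"redundant: covered by {prev}")
        accepted.append(net)
        if problems:
            findings[raw] = problems
    return findings

# Constructed sample input (documentation ranges, not real client addresses).
SAMPLE = ["198.51.100.0/24", "198.51.100.7/32", "203.0.113.10/24",
          "0.0.0.0/0", "10.20.0.0/16", "203.0.0.0/16"]

if __name__ == "__main__":
    for entry, problems in audit_allow_list(SAMPLE).items():
        print(f"{entry}: {'; '.join(problems)}")
```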

Self-managed and HCP Vault Dedicated cluster comparison
Here is a quick comparison between a self-managed Vault cluster and an HCP Vault cluster.
| Feature | Self-managed | HCP Vault Dedicated |
|---|---|---|
| Vault edition | Vault Community Edition or Vault Enterprise | Vault Enterprise |
| Storage backend | Choose one and self-manage | Integrated Storage |
| Seal | Seal uses Shamir's Secret Sharing algorithm to generate key shares by default. | Auto-unseal is configured. A unique Key Management Service (KMS) key is created for each cluster. |
| Vault version | Self-manage the upgrade process | The minor versions are upgraded for you automatically. See the Vault Version documentation for more detail. |
| Top-level namespace | root | admin |
| Root/admin token | Vault initialization process generates a root token. To regenerate a root token, unseal keys or recovery keys are required. | Clicking the Generate token button in the HCP Vault Portal returns an admin token, which is valid for 6 hours. |
| Advanced Data Protection (ADP) features | Available with license | Available with HCP Vault standard. |
| Enterprise Replication | DR Replication requires Enterprise Standard, and Performance Replication is part of Enterprise Premium. | Performance Replication is available with HCP Vault standard. |
| Auth methods | No limitation | A subset of available auth methods has been validated on HCP Vault. Additional auth methods will be validated over time. Refer to the Validated secrets engines and auth methods documentation for more details. |
| Secrets engines | No restriction | A subset of available secrets engines has been validated on HCP Vault. Additional secrets engines will be validated over time. Refer to the Security Overview documentation for more details. |
| Cluster scaling | No built-in feature to scale the cluster size up or down. | Scale your cluster size dynamically via the HashiCorp Cloud Platform Portal or Terraform. |
| Sentinel | Available with license | Available with HCP Vault standard. |
To learn more about HCP Vault pricing, visit the HCP Vault Dedicated pricing and HCP Billing documentation pages.
Next steps
In the next tutorial, you will play the role of Oliver as they create their first HCP Vault cluster. Go through each tutorial in this series to understand how to manage a Vault cluster running on the HashiCorp Cloud Platform.