» Performance Standby Nodes
Vault supports a multi-server mode for high availability. This mode protects against outages by running multiple Vault servers. High availability mode is automatically enabled when using a data store that supports it. You can learn more about HA mode on the Concepts page.
Vault Enterprise offers additional features that allow HA nodes to service read-only requests on the local standby node. Read-only requests are requests that do not modify Vault's storage.
» Server-to-Server Communication
Performance Standbys require the request forwarding method described in the HA Server-to-Server docs.
A performance standby will connect to the active node over the existing request forwarding connection. If selected by the active node to be promoted to a performance standby it will be handed a newly-generated private key and certificate for use in creating a new mutually-authenticated TLS connection to the cluster port. This connection will be used to send updates from the active node to the standby.
» Request Forwarding
A Performance Standby will attempt to process requests that come in. If a storage write is detected the standby will forward the request over the cluster port connection to the active node. If the request is read-only the Performance Standby will handle the requests locally.
Sending requests to Performance Stanbys that result in forwarded writes will be slightly slower than going directly to the active node. A client that has advanced knowledge of the behavior of the call can choose to point the request to the appropriate node.
» Direct Access
A Performance Standby will tag itself as such in consul if service registration
is enabled. To access the set of Performance Standbys the
tag can be used. For example to send requets to only the performance standbys
https://performance-standby.vault.dc1.consul could be used (host name may vary
based on consul configuration).
» Behind Load Balancers
Additionally, if you wish to point your load balancers at performance standby
sys/health endpoint can be used to determine if a node is a
performance standby. See the sys/health API docs for
» Disabling Performance Standbys
To disable performance standbys the
disable_performance_standby flag should be
set to true in the Vault config file. This will both tell a standby not to
attempt to enable performance mode and an active node to not allow any
performance standby connections.
This setting should be synced across all nodes in the cluster.
» Monitoring Performance Standbys
To verify your node is a performance standby the
vault status command can be
$ vault status Key Value --- ----- Seal Type shamir Sealed false Total Shares 1 Threshold 1 Version 0.11.0+prem Cluster Name vault-cluster-d040e74c Cluster ID 9f82e03b-71fb-97a6-9c5a-46fa6715d6e4 HA Enabled true HA Cluster https://127.0.0.1:8201 HA Mode standby Active Node Address http://127.0.0.1:8200 Performance Standby Node true Performance Standby Last Remote WAL 380329