Multi-Region Replication Now Available with HCP Vault

We are pleased to announce the availability of new Plus clusters featuring multi-region replication with HashiCorp Cloud Platform (HCP) Vault. These new clusters bring fully-managed performance replication support to customers that need secrets and policies across multiple cloud regions.

HCP Vault enables organizations to get Vault clusters up and running quickly and get access to powerful secrets management and encryption capabilities. With HCP Vault, customers have one multi-cloud workflow, push-button deployment, and a fully managed infrastructure. We have been making steady improvements since announcing the general availability of HCP Vault in April of 2021, including a Development node, a Starter cluster, and a Standard cluster. Now, HCP Vault Plus adds performance replication for syncing secrets between two highly available Vault clusters located in separate regions.

In this post, we will review some of the new features and capabilities introduced since we launched HCP Vault, including cross-region performance replication.

»Performance Replication

Many organizations rely on infrastructure in geographically distributed Amazon Web Service (AWS) regions to increase service performance and lower request round-trip latency. HashiCorp Vault has long supported replication and we are happy to be bringing that capability to our customers through HCP Vault.

This means you can run a production grade three-node Vault cluster in one AWS region and have it replicated across to another three-node cluster in another AWS region. For example, data in AWS West could be replicated to AWS East. Replication operates using a leader-to-follower model, wherein a leader cluster (known as a primary) is linked to a follower cluster. The primary cluster acts as the system of record and asynchronously replicates most Vault data.

There are a several common use cases when you would consider performance replication:

• Multi-region deployments: A common challenge is providing Vault to applications across two regions in a highly available manner. Running a single Vault cluster can increase access latency for remote clients, raise the risk of availability loss or outages during connectivity failures, and limit scalability.
• Scaling throughput: Applications that use Vault for Encryption-as-a-Service or cryptographic offload may generate a very high volume of requests for Vault. Replicating keys between two clusters allows load to be distributed across additional servers to handle more requests.

»Pricing and AWS Region Availability

HCP Vault is generally available in AWS regions in the U.S. (Oregon and Virginia), Europe (Frankfurt, Ireland, and London), Singapore, and Australia (Sydney). We plan to expand to other regions in the future.

HCP Vault offers multiple packages at discrete price points:

• Development tier: This is the best way to get started testing HCP Vault in AWS environments. The Development tier is a non-production, single-node deployment of Vault meant for development and test workloads, billed at $0.03 per hour with up to 25 clients.
• Starter tier: For light production workflows, we recommend provisioning a multi-node, highly available Starter tier. This is a 3-node, highly available Vault deployment that is billed at $0.50 per hour with up to 25 clients.
• Standard tier: For larger production workflows, we recommend provisioning a multi-node, highly available Standard tier with increased capacity. Base prices range from $1.578 to $7.489 per hour depending on the cluster size you choose, with additional price scaling for active clients.
• Plus tier (with performance replication): For organizations with demanding workloads and infrastructure in multiple geographically distributed regions we recommend a pair of three-node clusters running performance replications. Base prices for the HCP Vault Plus tier range from $1.844 to $7.489 per cluster per hour depending on the cluster size you choose, with additional price scaling for active clients.

To review our full pricing information, please visit our HCP Vault pricing page. All newly created accounts receive $50 in HCP credits.

»Getting Started

As a fully managed service, HCP Vault makes it easier to secure, store, and tightly control access to tokens, passwords, certificates, encryption keys, and other sensitive data. HCP Vault also enables secure secrets management across Amazon EC2, Amazon EKS, AWS Lambda, and many other AWS services.

We designed HCP Vault to minimize the steps necessary to set up Vault within your AWS environments. At a high level, operators need to take four steps to start using HCP Vault:

1. Create an account: First, create a HashiCorp Cloud Platform account.
2. Deploy a cluster: Next, select HCP Vault from the dashboard. This quickstart deployment guide will walk you through the process of creating your HashiCorp Virtual Network (HVN) and a Vault cluster.
3. Peer with AWS: Once you have deployed your HVN and cluster, the next step is to peer that network with your existing AWS environments.
4. Get hands on: Quickly get up and running using our hands-on labs for HashiCorp Cloud Platform (HCP) Vault.

That’s it; you are ready to connect and use HCP Vault. In practice, these steps will have a range of options when you drill down into them, so we’ve created a series of HashiCorp Learn guides to help you manage the finer details of your setup.

»Next Steps

We are very excited about making the HCP Vault Plus cluster with performance replication generally available. We recommend creating an HCP account and trying HCP Vault for yourself. For more information about HCP Vault and pricing, please visit our product page or sign up through the HCP portal.