Configure the type of load balancer (HTTP(s) instead of TCP)

Question

Configure the type of load balancer (HTTP(s) instead of TCP)

marius-balteanu opened this issue 4 years ago · 2 comments

Currently, the module generates an internal/external TCP balancer to handle the incoming traffic, but I think that it could be useful to have the option to configure an HTTP(s) Load balancer instead. It could be a new one or an existing one.

The HTTP(s) Load balancer have some nice security features like Cloud Armour or IAP.

It's this in scope of this module? I can try creating a PR.

Answer 1 · 2020-07-29T17:12:11.000Z

Hi @marius-balteanu thanks for raising this issue. We have designed this module to adhere to the Vault hardening best practices from Hashicorp, which include this item:

End-to-End TLS. Vault should always be used with TLS in production. If intermediate load balancers or reverse proxies are used to front Vault, they should not terminate TLS. This way traffic is always encrypted in transit to Vault and minimizes risks introduced by intermediate layers.

By using an HTTP load balancer you'd have to terminate TLS at the load balancer and re-encrypt traffic to the internal host to have end to end encryption. This is not necessary with Vault since TLS is terminated at the Vault process, which is true end to end encryption. While you're correct that this limits the visibility of traffic to WAFs like Cloud Armor, you can still use IAP to access Vault hosts via SSH by using the following configuration:

module "vault" {
  source  = "terraform-google-modules/vault/google"
  version = "~> 5.0"

  project_id                = var.project_id
  ...
  # Only allow SSH from IAP
  ssh_allowed_cidrs         = ["35.235.240.0/20"]
  ...
}

Additionally, WAFs are typically most useful for public facing internet traffic, which is not the best practice for Vault anyway. While we do support external load balancers for legacy reasons, due to the sensitive nature of the data Vault stores, it's best practice to deploy it internally. Have a look at the following for more: HashiCorp Vault and Terraform on Google Cloud — Security Best Practices

Other than Cloud Armor and IAP, do you have any other required use case for an HTTP Load Balancer?

Answer 2 · 2020-07-30T07:14:38.000Z

Thanks @onetwopunch for your quick and detailed response.

Not really, I wanted to avoid adding a new LB in front of our internal infrastructure and to use our existing HTTP(s) LB as entry point. In our setup, we need a way to access the Vault from multiple locations because we don't manage a single GCP project/organization, instead we have plenty of projects deployed across multiple clouds (GCP, AWS, Azure) and on premise servers. Also, the AWS architecture with the ALB in front made me think that can be a good option.

Anyway, I went again through the available resources and I'm going to setup using the TCP LB, as you recommended.