Hashicorp Vault Monitoring – Improving Performance and Stability

Post

“[Vault is a solution to] secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data”, as stated by HashiCorp’s website. In this article we’ll focus on how to monitor HashiCorp Vault.

HashiCorp Vault, first released in 2015, was originally designed to provide a simple way to store tokens, credentials and similar secrets in a secure manner. Furthermore, Vault integrates with many common systems to create and provide temporary credentials.

HashiCorp_Vault_Reference_Architecture

Vault reference architecture from HashiCorp website

HashiCorp Vault offers a solution to prevent pre-shared and reused secrets, since credentials are requested by the application on-the-fly. In the background Vault can create, manage, and eventually delete the credentials.

Vault is a central management component in many application architectures and an important installment for securing access to resources. As you can see in the reference architecture diagram above, HashiCorp Consul is also an important component when running Vault. We won’t discuss Consul in this article but Instana also monitors Consul.

What’s Important When Monitoring HashiCorp Vault?

Being a central service, monitoring Vault is essential. If Vault is performing poorly or throwing errors it will impact user experience. There are three important elements to monitor; configuration, performance, and health.
Configuring Vault is simple, however, keeping an eye on the deployed versions and (if used) multiple data stores is as important as the “sealed” status. When Vault is restarted, it enters a “sealed” state and is not able to process requests until it becomes available.
The performance of Vault has a direct impact on the performance of dependent services when they are waiting for requested credentials or certificates. Therefore, it is important to monitor creation, read, and especially failure counts.
Health metrics are important whether Vault is running standalone, or in HA (High Availability) mode. If the Vault service is not healthy, the dependent applications and services aren’t either.

How to Monitor HashiCorp Vault with Instana

By installing the Instana Agent and providing an access token, Instana automatically collects Vault metrics related to health, performance, and configuration in one second granularity.
That is everything that is required – less than 5 minutes of work!

HashiCorp_Vault_Monitoring_Secrets
Instana screenshot of Vault secrets monitoring

If Vault is running inside a Kubernetes or a similar environment, only one Instana Agent is necessary to monitor your Vault service, Kubernetes, and all your other containerized technologies.

HashiCorp_Vault_Monitoring_Tokens_Leader_Failure
Instana screenshot of Vault tokens and leader monitoring

When issues arise, Instana understands how services interact and provides sophisticated insights into the incident. Instana correlates related services and their potential problems together to deliver an overall understanding of the degradation to help you get things functioning properly as fast as possible.

HashiCorp_Vault_Monitoring_Audit_Log_Barrier_Operations
Instana screenshot of Vault audit log and barrier operations monitoring

Instana also understands sudden increases or drops on performance metrics and automatically alerts in case an anomaly is detected, which may be caused by excessive service restarts, system intrusion, or other problems.

Getting Started with HashiCorp Vault Monitoring

Just as with every other technology monitored by Instana, HashiCorp Vault monitoring includes automatic and continuous discovery, metrics monitoring, best practice health signatures, and anomaly detection.

Start your Vault performance monitoring journey by signing up for a free 14 day trial of Instana now. You’ll have incredible visibility and understanding of your services in minutes.

Play with Instana’s APM Observability Sandbox

Developer, Engineering
This is the third post in a series on the Life of an SRE at Instana. Check out the first post and second post. Rolling out releases and hotfixes Our Instana SaaS...
|
Product
Instana is pleased to announce our official, first class support for HashiCorp Nomad. The important question is, what do I mean when I say, “first-class support”? For Instana users, first-class support means...
|

Start your FREE TRIAL today!

As the leading provider of Automatic Application Performance Monitoring (APM) solutions for microservices, Instana has developed the automatic monitoring and AI-based analysis DevOps needs to manage the performance of modern applications. Instana is the only APM solution that automatically discovers, maps and visualizes microservice applications without continuous additional engineering. Customers using Instana achieve operational excellence and deliver better software faster. Visit https://www.instana.com to learn more.