Vault HA mode(OSS) vs Vault Enterprise

Question

Hashcorp vault enterprise provides three main features, performance replica, disaster recovery, and namespace. Well my use case is not required to go with disaster recovery and for performance replica, i can setup Vault OSS with consul backend and run many active clusters which will be equivalent to performance replica, Is my understanding s correct will that feasible to not to use license and still have the same what Vault Enterprise

Answer 1

Hashicorp includes a lot more in Vault Enterprise:

• Namespaces
• Disaster Recovery Replication
• Advanced Telemetry
• Performance Replication
• Replication Filters
• Performance Standby Nodes
• HSM Auto-Unseal
• Seal Wrap FIPS-140-2 Support
• Control Groups
• Entropy Augmentation
• Sentinel Policy as Code
• Lease Count Quotas
• Integrated Storage Snapshots
• Transform engine
• KMIP and Cloud Key Management engines

...but all those features are broken up into tiers, so you don't get all those features for one price, these things are generally negotiated based on your client count. However, I wouldn't call Namespaces and Replication clusters the "main" features of Enterprise, your company's use case is going to dictate your needs.

The reason that Performance Replication clusters are a thing is because of write divergence. Essentially, if you run two separate clusters off the same storage, two clusters are going to have leader nodes which are both going to try to write to the storage, and this can result in data loss. (Within a cluster, any node can respond to read requests, but if a non-leader node receives a write request, it gets forwarded to the leader node to manage and execute, and the response is forwarded back to the non-leader node. This is acceptable because write operations are much less frequent than read operations.) So, to prevent the data loss but still have the ability to have multiple datacenters in different regions stood up which all have access to the same information, Hashicorp provided Performance Replication via Enterprise.

Performance Secondary clusters maintain their own leases, which alleviates a great deal of write traffic, and read operations are always able to be handled by non-primary nodes so this is nothing new. However, there are still some write operations that need to be managed by the leader node on the primary cluster. Performance Secondary and Performance Replication features are designed to know which requests to forward and which to keep local. There's also the concept of filters, which allows a Vault administrator to define rules to keep GDPR data in their European datacenter, and US Government data in their US datacenter, and prevent this data from being stored somewhere it shouldn't be, while still providing a majority of data from anywhere.

So, can this be reproduced in Vault OSS? Not really. You might be able to trick Vault into thinking that some of its HA nodes are in a different datacenter via contrived networking, possibly use some VPN tunnels to connect the cluster networks. I can't recommend this of course; besides the fact I've never tested it, I'd have concerns about network latency interfering with application functionality and storage access, lease management wouldn't scale, Hashicorp recommends maximum five nodes to a cluster, the write node would become overloaded at scale, and that's just off the top of my head. It's a bad idea, and certainly not "the same" as what Enterprise offers.

TL;DR: You can't do this, and a workaround would have huge issues, and would certainly NOT be the same as a performance replication secondary cluster.