We currently run haproxy on a vault001 host, which purely serves as a port 22 TCP load balancer for the web tier.
From T12978, modern "ELB-VPC" LBs can balance TCP traffic on port 22, so this doesn't need to be a separate host. When I originally set this stuff up, port 22 either wasn't an option or I failed to identify how to configure it.
Since the pool behind vault.phacility.com is the same as the pool behind *.phacility.com and will be for the foreseeable future, this can actually just be folded into the lb ELB. So the plan is probably:
- Add a 22 -> 2223 TCP listener to the lb001 ELB.
- Locally, add a hosts-file entry pointing vault.phacility.com at whatever anything.phacility.com is currently resolving to (the ELB external address).
- Test that it works.
- Point DNS for vault.phacility.com at the lb001 ELB.
- Test that it works.
- Decommission the vault001 host, the vault role, and nuke all the HAProxy config and install operations from core/. None of this is stateful so it doesn't need any special care.
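The two "test that it works" steps above amount to checking that an SSH connection to port 22 on the ELB lands on sshd listening on port 2223 on one of the web-tier hosts. The following script is an added example, not part of the task or of Phacility's tooling: it compares the host keys ssh-keyscan sees through the load balancer against those it sees when talking to the backends directly on 2223, and reports a match only when the key presented by the LB belongs to a known backend. The ELB DNS name and backend hostnames are passed as arguments and are assumptions; the sample keyscan lines used in the comments and test are constructed, not real keys.

```shell
#!/bin/sh
# Added example (not from the task): check that TCP/22 on an ELB is being
# forwarded to sshd on port 2223 of the backend pool by comparing host keys.
# Usage: ./check_lb_ssh.sh <elb-dns-name> <backend-host> [<backend-host>...]
# (hostnames are assumptions; nothing here is specific to Phacility).
set -eu

# Reduce ssh-keyscan output to "keytype key" lines so that output for
# different hostnames (or "[host]:2223" forms) can be compared directly.
# Reads keyscan lines on stdin, writes sorted unique "type key" lines.
normalize_keyscan() {
  grep -v '^#' | awk 'NF >= 3 { print $2, $3 }' | sort -u
}

# Exit 0 if the two keyscan outputs (passed as strings) share at least one
# host key, i.e. the key seen via the LB belongs to one of the backends.
same_hostkey() {
  a=$(printf '%s\n' "$1" | normalize_keyscan)
  b=$(printf '%s\n' "$2" | normalize_keyscan)
  # An empty side means the scan failed (port closed, timeout, no banner).
  [ -n "$a" ] && [ -n "$b" ] || return 1
  tmp=$(mktemp)
  printf '%s\n' "$a" > "$tmp"
  # Whole-line fixed-string match of LB keys against the backend key set.
  hit=$(printf '%s\n' "$b" | grep -F -x -f "$tmp" | head -n 1 || true)
  rm -f "$tmp"
  [ -n "$hit" ]
}

# Live check: scan port 22 through the ELB and port 2223 on each backend.
# ssh-keyscan prints one line per key type; -T is the per-host timeout.
check_lb_ssh() {
  elb_host=$1
  shift
  via_lb=$(ssh-keyscan -T 5 -p 22 "$elb_host" 2>/dev/null || true)
  direct=$(ssh-keyscan -T 5 -p 2223 "$@" 2>/dev/null || true)
  if same_hostkey "$via_lb" "$direct"; then
    echo "ok: $elb_host:22 presents a host key from the 2223 backend pool"
    return 0
  fi
  echo "FAIL: no backend host key matched what $elb_host:22 presented" >&2
  echo "  via LB : $(printf '%s' "$via_lb" | normalize_keyscan | tr '\n' ';')" >&2
  echo "  direct : $(printf '%s' "$direct" | normalize_keyscan | tr '\n' ';')" >&2
  return 1
}

# Only run the network check when hosts were given on the command line.
if [ "$#" -ge 2 ]; then
  check_lb_ssh "$@"
fi
```

Run it once with the hosts-file override in place (against vault.phacility.com) and again after the DNS change (against the name as the world resolves it). Because the check compares against every backend's key, it stays valid when the ELB happens to route the scan to a different host than the one you looked at. If the via-LB side comes back empty, the usual causes are the backend security group not admitting port 2223 from the ELB, or the listener's health check marking every instance unhealthy, rather than a problem with the listener itself.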