diff --git a/hieradata/common.yaml b/hieradata/common.yaml index bfbbd03..89259fc 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -200,6 +200,10 @@ profiles::puppet::client::runtimeout: 3600 profiles::puppet::client::show_diff: true profiles::puppet::client::usecacheonfailure: false +# puppetdb +puppetdbapi: prodinf01n04.main.unkin.net +puppetdbsql: prodinf01n05.main.unkin.net + prometheus::node_exporter::export_scrape_job: true prometheus::systemd_exporter::export_scrape_job: true diff --git a/hieradata/roles/infra.yaml b/hieradata/roles/infra.yaml index 3192355..8c2ae06 100644 --- a/hieradata/roles/infra.yaml +++ b/hieradata/roles/infra.yaml @@ -2,7 +2,5 @@ profiles::packages::install: - policycoreutils -profiles::puppet::puppetdb::puppetdb_host: prodinf01n04.main.unkin.net -profiles::puppet::puppetdb::postgres_host: prodinf01n05.main.unkin.net puppetdb::master::config::create_puppet_service_resource: false #puppetdb::master::config::puppetdb_host: "%{lookup('profiles::puppet::puppetdb::puppetdb_host')}" diff --git a/hieradata/roles/infra/puppetdb/api.yaml b/hieradata/roles/infra/puppetdb/api.yaml index dc7465d..ae31065 100644 --- a/hieradata/roles/infra/puppetdb/api.yaml +++ b/hieradata/roles/infra/puppetdb/api.yaml 
@@ -3,3 +3,32 @@ profiles::puppet::puppetdb_api::java_bin: /usr/lib/jvm/jre-11/bin/java profiles::puppet::puppetdb_api::java_args: '-Xmx': '2048m' '-Xms': '256m' + +# additional altnames +profiles::pki::vault::alt_names: + - puppetdbapi.main.unkin.net + - puppetdbapi.service.consul + - puppetdbapi.query.consul + - puppetdbapi + +consul::services: + puppetdbapi: + service_name: 'puppetdbapi' + tags: + - 'puppet' + - 'puppetdb' + - 'puppetdbapi' + address: "%{facts.networking.ip}" + port: 8080 + checks: + - id: 'puppetdbapi_http_check' + name: 'PuppetDB API HTTP Check' + http: "http://%{facts.networking.fqdn}:8080" + method: 'GET' + tls_skip_verify: true + interval: '10s' + timeout: '1s' +profiles::consul::client::node_rules: + - resource: service + segment: puppetdbapi + disposition: write diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml index 036e177..07bf60a 100644 --- a/hieradata/roles/infra/storage/consul.yaml +++ b/hieradata/roles/infra/storage/consul.yaml @@ -59,3 +59,9 @@ profiles::consul::prepared_query::rules: service_failover_n: 3 service_only_passing: true ttl: 10 + puppetdbapi: + ensure: 'present' + service_name: 'puppetdbapi' + service_failover_n: 3 + service_only_passing: true + ttl: 10 diff --git a/site/profiles/manifests/puppet/puppetboard.pp b/site/profiles/manifests/puppet/puppetboard.pp index 6a2bbb9..4130e73 100644 --- a/site/profiles/manifests/puppet/puppetboard.pp +++ b/site/profiles/manifests/puppet/puppetboard.pp @@ -8,7 +8,7 @@ class profiles::puppet::puppetboard ( Integer $reports_count = 40, Boolean $offline_mode = true, String $default_environment = '*', - String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'), + String $puppetdb_host = lookup('puppetdbapi'), Stdlib::AbsolutePath $basedir = '/opt/puppetboard', Stdlib::Absolutepath $virtualenv_dir = "${basedir}/venv", Stdlib::Absolutepath $settings_file = "${basedir}/settings.py", 
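Review bot: In the `consul::services` check added to hieradata/roles/infra/puppetdb/api.yaml, `tls_skip_verify: true` sits next to an `http://` URL, where it has no effect. If the scheme is later changed to https it would silently turn certificate verification off, so I would drop the line. The service is also registered on 8080, PuppetDB's cleartext port, so the `puppetdbapi.service.consul` and `puppetdbapi.query.consul` alt names requested in the same hunk only matter to clients that connect to the TLS listener instead. The check requests the root path; PuppetDB's status endpoint is a closer readiness signal, e.g. `http: "http://%{facts.networking.fqdn}:8080/status/v1/services/puppetdb-status"`, and the `1s` timeout may be tight for a JVM service under load.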
diff --git a/site/profiles/manifests/puppet/puppetdb_api.pp b/site/profiles/manifests/puppet/puppetdb_api.pp
index 214f163..8c2177e 100644
--- a/site/profiles/manifests/puppet/puppetdb_api.pp
+++ b/site/profiles/manifests/puppet/puppetdb_api.pp
@@ -1,42 +1,45 @@ # configure the puppetdb api service class profiles::puppet::puppetdb_api ( - String $postgres_host = lookup('profiles::puppet::puppetdb::postgres_host'), + String $postgres_host = lookup('puppetdbsql'), String $listen_address = $facts['networking']['ip'], Stdlib::Absolutepath $java_bin = '/usr/bin/java', Hash $java_args = {}, ) { - class { 'java': - package => 'java-11-openjdk-devel', - before => Class['puppetdb::server'], - } + # wait for enc_role to match the required role + if $facts['enc_role'] == 'roles::infra::puppetdb::api' { + class { 'java': + package => 'java-11-openjdk-devel', + before => Class['puppetdb::server'], + } - class { 'puppetdb::server': - database_host => $postgres_host, - manage_firewall => false, - ssl_listen_address => $listen_address, - listen_address => $listen_address, - java_bin => $java_bin, - java_args => $java_args, - } + class { 'puppetdb::server': + database_host => $postgres_host, + manage_firewall => false, + ssl_listen_address => $listen_address, + listen_address => $listen_address, + java_bin => $java_bin, + java_args => $java_args, + } - contain ::puppetdb::server + contain ::puppetdb::server - class { 'prometheus::puppetdb_exporter': - puppetdb_url => "http://${listen_address}:8080/pdb/query", - export_scrape_job => true, - } + class { 'prometheus::puppetdb_exporter': + puppetdb_url => "http://${listen_address}:8080/pdb/query", + export_scrape_job => true, + } - # export haproxy balancemember - profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080": - service => 'be_puppetdbapi', - ports => [8080], - options => [ - "cookie ${facts['networking']['hostname']}", - 'check', - 'inter 2s', - 'rise 3', - 'fall 2', - ] + # export haproxy balancemember + profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8080": + service => 'be_puppetdbapi', + ports => [8080], + options => [ + "cookie ${facts['networking']['hostname']}", + 'check', + 'inter 2s', + 'rise 3', + 'fall 2', + ] + } } } 
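Review bot: `listen_address => $listen_address` in the `puppetdb::server` declaration binds PuppetDB's cleartext listener to the node's primary IP while `manage_firewall => false`, and the exporter URL `http://${listen_address}:8080/pdb/query` and the HAProxy balancemember both use that port. PuppetDB does no client authentication on the cleartext listener (the certificate allowlist applies to the SSL port only), so any host that can reach 8080 can query and submit commands unless filtering is done elsewhere, which this hunk does not show. A comment stating where that restriction lives would help, e.g. `# 8080 is unauthenticated; access is restricted by <firewall profile placeholder>`. Separately, the new `enc_role` guard reads an agent-reported fact and has no `else`, so a node whose fact differs compiles an empty class without any message; the comment could say that this is a sequencing aid for the first run rather than an access decision.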
diff --git a/site/profiles/manifests/puppet/puppetdb_sql.pp b/site/profiles/manifests/puppet/puppetdb_sql.pp index 5afa9a5..1765003 100644 --- a/site/profiles/manifests/puppet/puppetdb_sql.pp +++ b/site/profiles/manifests/puppet/puppetdb_sql.pp @@ -1,6 +1,6 @@ # configure the puppetdb sql service class profiles::puppet::puppetdb_sql ( - String $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host'), + String $puppetdb_host = lookup('puppetdbsql'), String $listen_address = $facts['networking']['ip'], ) { diff --git a/site/profiles/manifests/puppet/puppetmaster.pp b/site/profiles/manifests/puppet/puppetmaster.pp index 79ce387..6ce7ca5 100644 --- a/site/profiles/manifests/puppet/puppetmaster.pp +++ b/site/profiles/manifests/puppet/puppetmaster.pp @@ -3,7 +3,7 @@ # This class manages the puppetmaster using the ghoneycutt-puppet module. # It manages the server settings in the puppet.conf file. class profiles::puppet::puppetmaster ( - Optional[Stdlib::Fqdn] $puppetdb_host = lookup('profiles::puppet::puppetdb::puppetdb_host', Optional[Stdlib::Fqdn], 'first', undef), + Optional[Stdlib::Fqdn] $puppetdb_host = lookup('puppetdbapi', Optional[Stdlib::Fqdn], 'first', undef), ) { if $facts['enc_role'] == 'roles::infra::puppet::master' {
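Review bot: In puppetdb_sql.pp the default for `$puppetdb_host` changes from the key that held the API node (`prodinf01n04`, per the lines removed from roles/infra.yaml) to `lookup('puppetdbsql')`, which common.yaml sets to the SQL node itself (`prodinf01n05`). If the class body, which is outside this hunk, uses `$puppetdb_host` to decide which client may connect to PostgreSQL, the API node would no longer match; `String $puppetdb_host = lookup('puppetdbapi'),` looks like the intended line. The puppetmaster.pp hunk keeps the `Optional[Stdlib::Fqdn]` type on its lookup, and using `Stdlib::Fqdn` here as well would reject a malformed value at compile time.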