diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 4d7b5d0..ef0a1f5 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -87,6 +87,9 @@ lookup_options:
 profiles::consul::client::node_rules:
 merge:
 strategy: deep
+ profiles::consul::prepared_query::rules:
+ merge:
+ strategy: deep
 facts_path: '/opt/puppetlabs/facter/facts.d'
diff --git a/hieradata/roles/infra/storage/consul.yaml b/hieradata/roles/infra/storage/consul.yaml
index 7d3d0f9..08819e8 100644
--- a/hieradata/roles/infra/storage/consul.yaml
+++ b/hieradata/roles/infra/storage/consul.yaml
@@ -33,3 +33,23 @@ profiles::nginx::simpleproxy::nginx_aliases:
 - consul.main.unkin.net
 profiles::nginx::simpleproxy::proxy_port: 8500
 profiles::nginx::simpleproxy::proxy_path: '/'
+
+profiles::consul::prepared_query::rules:
+ vault:
+ ensure: 'present'
+ service_name: 'vault'
+ service_failover_n: 3
+ service_only_passing: true
+ ttl: 10
+ puppet:
+ ensure: 'present'
+ service_name: 'puppet'
+ service_failover_n: 3
+ service_only_passing: true
+ ttl: 10
+ puppetca:
+ ensure: 'present'
+ service_name: 'puppetca'
+ service_failover_n: 3
+ service_only_passing: true
+ ttl: 10
diff --git a/site/profiles/manifests/consul/prepared_query.pp b/site/profiles/manifests/consul/prepared_query.pp
new file mode 100644
index 0000000..16df79f
--- /dev/null
+++ b/site/profiles/manifests/consul/prepared_query.pp
@@ -0,0 +1,14 @@
+# profile::consul::prepared_query
+class profiles::consul::prepared_query (
+ String $root_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
+ Hash $rules = {},
+) {
+
+ $rules.each | $rule, $data | {
+ consul_prepared_query { $rule:
+ acl_api_token => $root_api_token,
+ hostname => $facts['networking']['ip'],
+ * => $data,
+ }
+ }
+}
diff --git a/site/profiles/manifests/consul/server.pp b/site/profiles/manifests/consul/server.pp
index 942850b..f71c567 100644
--- a/site/profiles/manifests/consul/server.pp
+++ b/site/profiles/manifests/consul/server.pp
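Review bot: In site/profiles/manifests/consul/prepared_query.pp the `$root_api_token` parameter is a plain `String` filled from `profiles::consul::server::acl_tokens_initial_management`, so the cluster's initial management token is handed as `acl_api_token` to every `consul_prepared_query` resource and travels unredacted wherever this class's parameters and resources are recorded. Declaring it as `Sensitive[String] $root_api_token = Sensitive(lookup('profiles::consul::server::acl_tokens_initial_management')),` would keep the value out of logs and reports, provided the `consul_prepared_query` type accepts a Sensitive value for `acl_api_token`, which this diff does not show. A dedicated token limited to writing prepared queries would fit this profile better than the management token, since managing three queries does not need full ACL rights. Separately, the header comment reads `# profile::consul::prepared_query` while the class is named `profiles::consul::prepared_query`.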
@@ -127,6 +127,7 @@ class profiles::consul::server (
 include profiles::nginx::simpleproxy
 include profiles::consul::policies
 include profiles::consul::tokens
+ include profiles::consul::prepared_query
 # get the dns port from the $ports hash, otherwise use the default
 $dns_port = pick($ports['dns'], 8600)