diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 8be8ee2..f5422e6 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -63,6 +63,18 @@ lookup_options:
   profiles::dns::master::keys:
     merge:
       strategy: deep
+  consul::services:
+    merge:
+      strategy: deep
+  consul::watch:
+    merge:
+      strategy: deep
+  consul::check:
+    merge:
+      strategy: deep
+  profiles::consul::client::node_rules:
+    merge:
+      strategy: deep
 
 facts_path: '/opt/puppetlabs/facter/facts.d'
 
@@ -87,6 +99,16 @@ profiles::consul::server::members_role: roles::infra::storage::consul
 profiles::consul::token::node_editor::accessor_id: '024e27bd-c5bb-41e7-a578-b766509e11bc'
 profiles::consul::client::members_lookup: true
 profiles::consul::client::members_role: roles::infra::storage::consul
+profiles::consul::client::node_rules:
+  - resource: node
+    segment: "%{facts.networking.hostname}"
+    disposition: write
+  - resource: node
+    segment: "%{facts.networking.fqdn}"
+    disposition: write
+  - resource: node
+    segment: ''
+    disposition: read
 
 profiles::packages::install:
   - bash-completion
diff --git a/hieradata/country/au/region/syd1/infra/storage/vault.yaml b/hieradata/country/au/region/syd1/infra/storage/vault.yaml
index 2feaac4..d66aeea 100644
--- a/hieradata/country/au/region/syd1/infra/storage/vault.yaml
+++ b/hieradata/country/au/region/syd1/infra/storage/vault.yaml
@@ -1,2 +1,22 @@
 ---
 profiles::vault::server::primary_datacenter: 'au-syd1'
+consul::services:
+  vault:
+    service_name: 'vault'
+    tags:
+      - 'https'
+      - 'secure'
+    address: "%{facts.networking.ip}"
+    port: 443
+    checks:
+      - id: 'vault_https_check'
+        name: 'Vault HTTPS Check'
+        http: "https://%{facts.networking.fqdn}:443/v1/sys/health"
+        method: 'GET'
+        tls_skip_verify: true
+        interval: '10s'
+        timeout: '1s'
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: vault
+    disposition: write
diff --git a/site/profiles/manifests/consul/client.pp b/site/profiles/manifests/consul/client.pp
index 684c7b5..4524b87 100644
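Review bot: Marking `profiles::consul::client::node_rules` as `strategy: deep` in the `lookup_options` hunk makes the node's ACL policy additive-only: Hiera's deep merge unions array entries from every hierarchy level, so a more specific layer (region, role, node) can add rules but can never remove or narrow the baseline set in `common.yaml`. That is presumably intended here (the `vault.yaml` layer relies on it to append a `service vault write` rule), but it is a property a future maintainer should see when they reach for this key to *restrict* a node, so I would document it inline: `# union across all hierarchy levels: layers can only add ACL rules, never drop the common.yaml baseline`. The `consul::watch` and `consul::check` entries are merge settings for keys that no data file in this diff sets, so they are harmless but currently unexercised.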
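Review bot: In the second `common.yaml` hunk the rewritten baseline grants `node "<fqdn>" write` in addition to the `node "<hostname>" write` the old inline Puppet rules had, which widens every node's policy by one name. Only whichever of the two matches the agent's registered Consul node name can ever be exercised, so the other is either dead or an unintended grant if some host ends up registered under a different name; I would keep only the form that matches `node_name` in the agent config, or at minimum add `# write on both spellings because node_name differs between hosts — confirm` above the list. Also note the empty-segment rule is a prefix match over every node, same as before, so the ordering of the three entries does not matter.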
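Review bot: `tls_skip_verify: true` on `vault_https_check` disables certificate validation for the health probe, so the check keeps passing through a certificate expiry or mis-issue that would already be breaking real Vault clients, and anything answering TLS on `fqdn:443` satisfies it. If the Vault listener certificate chains to a CA in the agent's trust store, drop the flag; if it genuinely cannot (self-signed listener), leave a comment saying so, e.g. `# listener cert is self-signed; CA validation is done by clients, not by this probe`. Separately, as I read Vault's `/v1/sys/health`, an unsealed standby answers 429 and a sealed node 503, which Consul maps to warning and critical respectively — if standbys should stay resolvable as healthy for discovery, append `?standbyok=true` to the URL; and `timeout: '1s'` leaves little room for a full TLS handshake on a loaded node.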
--- a/site/profiles/manifests/consul/client.pp
+++ b/site/profiles/manifests/consul/client.pp
@@ -9,6 +9,7 @@ class profiles::consul::client (
   String $members_role = undef,
   Array $consul_servers = [],
   Stdlib::Absolutepath $data_dir = '/opt/consul',
+  Array[Hash] $node_rules = [],
 ) {
 
   if $facts['enc_role'] != $members_role {
@@ -42,6 +43,11 @@ class profiles::consul::client (
       'retry_join' => $servers_array,
       'bind_addr' => $::facts['networking']['ip'],
       'advertise_addr' => $::facts['networking']['ip'],
+      'acl' => {
+        tokens => {
+          default => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")
+        }
+      }
     },
   }
 }
@@ -49,18 +55,7 @@ class profiles::consul::client (
   # Create ACL policy that allows nodes to update themselves and read others
   consul_policy { $facts['networking']['hostname']:
     description => "${facts['networking']['fqdn']} puppet-generated-policy",
-    rules => [
-      {
-        'resource' => 'node',
-        'segment' => $facts['networking']['hostname'],
-        'disposition' => 'write'
-      },
-      {
-        'resource' => 'node',
-        'segment' => '',
-        'disposition' => 'read'
-      }
-    ],
+    rules => $node_rules,
     acl_api_token => $consul_api_token,
     hostname => $consul_hostname,
     protocol => $consul_protocol,
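Review bot: The agent's `default` ACL token in the `'acl'` hunk is `fqdn_uuid(fqdn + secret_id_salt)`, i.e. a deterministic SHA-1 name-based UUID, so `$secret_id_salt` is effectively a master secret: anyone who learns it can compute the token of every node and, with the rules this commit adds, register a `vault` service of their choosing. `$secret_id_salt` is not declared in the parameter list shown in the first hunk, so it must come from outside the visible code; I cannot tell from here whether it is Hiera-sourced, but it must be stored encrypted and the rendered Consul config (which now carries the token on disk) must not be world-readable — worth a comment at the call site: `# token is derived, not random: protect secret_id_salt as a master secret`. Two style points on the same lines: `default` is a Puppet keyword and `tokens` a bareword, while every sibling key is quoted — write `'tokens' => { 'default' => … }` so the emitted config key is unambiguously the string "default". The enclosing `class { 'consul': … }` resource starts before this hunk.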
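Review bot: Replacing the inline rules with `rules => $node_rules` makes the policy content depend entirely on Hiera, and the parameter's default of `[]` (first hunk) means a node whose lookup yields nothing gets its policy silently rewritten to an empty rule set, losing the self-write grant the comment above the resource promises. I would make the catalog fail instead by tightening the type to a non-empty, shape-checked array: `Array[Struct[{ resource => String[1], segment => String, disposition => Enum['read', 'write', 'deny'] }], 1] $node_rules,` with no default, assuming the consul_policy type accepts that disposition set. Without that, a typo in the Hiera key or a hierarchy that skips `common.yaml` degrades the node's access without any error. The `consul_policy` resource continues past this hunk.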