Mesh Gateways

    Mesh gateways enable routing of Connect traffic between different Consul datacenters. Those datacenters can reside in different clouds or runtime environments where general interconnectivity between all services in all datacenters isn’t feasible. These gateways operate by sniffing the SNI header out of the Connect session and then route the connection to the appropriate destination based on the server name requested. The data within the mTLS session is not decrypted by the Gateway.

    For a complete example of how to connect services across datacenters, review the mesh gateway tutorial.

    Each mesh gateway needs three things:

    1. General network connectivity to all services within its local Consul datacenter.
    2. General network connectivity to all mesh gateways within remote Consul datacenters.

    Mesh gateways also require that your Consul datacenters are configured correctly:

    • Consul version 1.6.0 or newer is required.
    • Consul must be enabled in both datacenters.
    • Each of your datacenters must have a unique name.
    • Your datacenters must be .
    • The primary datacenter must be set to the same value in both datacenters. This specifies which datacenter is the authority for Connect certificates and is required for services in all datacenters to establish mutual TLS with each other.
    • must be enabled.

    Currently, Envoy is the only proxy with mesh gateway capabilities in Consul.

    • Sidecar proxies that send traffic to an upstream service through a gateway need to know the location of that gateway. They discover the gateway based on their sidecar proxy registrations. Consul can only translate the gateway registration information into Envoy configuration, so any sidecars that send upstream traffic through a gateway must be Envoy.

    Sidecar proxies that don’t send upstream traffic through a gateway aren’t affected when you deploy gateways. If you are using Consul’s built-in proxy as a Connect sidecar it will continue to work for intra-datacenter traffic and will receive incoming traffic even if that traffic has passed through a gateway.

    Each upstream of a Connect proxy can be configured to be routed through a mesh gateway. Depending on your network, the proxy’s connection to the gateway can happen in one of the following modes illustrated in the diagram above:

    • local - In this mode the Connect proxy makes its outbound connection to a gateway running in the same datacenter. That gateway is then responsible for ensuring the data gets forwarded along to gateways in the destination datacenter. This is the mode of operation depicted in the diagram at the beginning of the page.

    • - In this mode the Connect proxy makes its outbound connection to a gateway running in the destination datacenter. That gateway will then forward the data to the final destination service.

    • none - In this mode, no gateway is used and a Connect proxy makes its outbound connections directly to the destination services.

    Note: If ACLs are enabled, a token granting service:write for the gateway’s service name and service:read for all services in the datacenter must be added to the gateway’s service definition. These permissions authorize the token to route communications for other Connect services but do not allow decrypting any of their communications.
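    The following ACL policy is an added example, not configuration from the page or from the Consul project itself; it expresses exactly the two grants the note above describes. The gateway's service name "mesh-gateway" is an assumption.

```hcl
# Added example (assumed service name "mesh-gateway").
# service:write on the gateway's own name lets the gateway register itself
# and route traffic; service:read on every service (empty prefix) lets it
# discover the destinations it forwards to. Neither grant exposes the
# mTLS payload, which the gateway never decrypts.
service "mesh-gateway" {
  policy = "write"
}

service_prefix "" {
  policy = "read"
}
```

    Create a token from this policy and place it in the `token` field of the gateway's service definition so the gateway registers and queries the catalog with least privilege rather than with an agent or management token.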

    Configuring a Connect proxy to use gateways is as simple as setting its mode of operation. This can be done in several different places, allowing for global or more fine-grained control. If the gateway mode is configured in multiple locations, the order of precedence is as follows:

    1. Upstream Definition
    2. Service Instance Definition
    3. Centralized configuration entry

    The following proxy-defaults configuration will enable gateways for all Connect services in the mode.

    The following service-defaults configuration will enable gateways for all Connect services with the name “web”.

    The following definition will enable gateways for the service instance in the remote mode.

    Or alternatively inline with the service definition:
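    The configuration below is an added example covering all three places the mode can be set, so the precedence rule is visible in one place; it is not the page's own configuration. The service names "web" and "api", the datacenter "dc2", the ports and the file names are assumptions. The three fragments live in separate files in practice; comments mark where each is applied.

```hcl
# Added example; names, datacenter and ports are assumed.

# --- proxy-defaults.hcl (centralized configuration entry, lowest precedence)
# Applied with: consul config write proxy-defaults.hcl
# Every Connect proxy without a more specific setting uses "local" mode,
# i.e. it connects to a gateway in its own datacenter.
Kind = "proxy-defaults"
Name = "global"
MeshGateway {
  Mode = "local"
}

# --- service-defaults.hcl (centralized configuration entry for one service)
# Applied with: consul config write service-defaults.hcl
# Overrides proxy-defaults for every instance of "web": connect straight to
# a gateway in the destination datacenter.
Kind = "service-defaults"
Name = "web"
MeshGateway {
  Mode = "remote"
}

# --- web.hcl (service instance definition, registered with the local agent)
# The instance-level mesh_gateway block beats both config entries above;
# the upstream-level block beats everything, but only for that upstream.
service {
  name = "web"
  port = 8080
  connect {
    sidecar_service {
      proxy {
        # Service instance definition: applies to all upstreams of this
        # instance unless an upstream sets its own mode.
        mesh_gateway {
          mode = "remote"
        }
        upstreams = [
          {
            destination_name = "api"
            datacenter       = "dc2"
            local_bind_port  = 9090
            # Upstream definition: highest precedence. Traffic to "api" in
            # dc2 goes through the local gateway even though the instance
            # default above says "remote".
            mesh_gateway {
              mode = "local"
            }
          }
        ]
      }
    }
  }
}
```

    Reading the result for this instance: connections to the `api` upstream use `local` mode (upstream definition wins), while any other upstream added to the instance without its own block inherits `remote` from the instance definition; the two config entries only matter for proxies that set nothing at the instance level.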