Service Mesh Configuration

    Consul Connect is the component shipped with Consul that enables service mesh functionality. The terms Consul Connect and Consul service mesh are used interchangeably throughout this documentation.

    Tip: Service mesh is enabled by default when running Consul in dev mode with consul agent -dev.

    Begin by enabling Connect for your Consul cluster. By default, Connect is disabled. Enabling Connect requires changing the configuration of only your Consul servers (not client agents). To enable Connect, add the following to a new or existing server configuration file. In an existing cluster, this configuration change requires a Consul server restart, which you can perform one server at a time to maintain availability. In HCL:

    Enable Consul service mesh

    Enable Consul service mesh

    • HCL
    • JSON

    This will enable Connect and configure your Consul cluster to use the built-in certificate authority for creating and managing certificates. You may also configure Consul to use an external , such as Vault.

    Services and proxies may always register with Connect settings, but they will fail to retrieve or verify any TLS certificates. This causes all Connect-based connection attempts to fail until Connect is enabled on the server agents.

    Other optional Connect configurations that you can set in the server configuration file include:

    If you would like to use Envoy as your Connect proxy you will need to enable gRPC.

    Security note: Enabling Connect is enough to try the feature but doesn’t automatically ensure complete security. Please read the to understand the additional steps needed for a secure deployment.

    To account for common Connect use cases where you have many instances of the same service, and many colocated sidecar proxies, Consul allows you to customize the settings for all of your proxies or all the instances of a given service at once using Configuration Entries.

    You can override centralized configurations for individual proxy instances in their , and the default protocols for service instances in their service registrations.

    Consul Connect is especially useful if you are using an orchestrator like Nomad or Kubernetes, because these orchestrators can deploy thousands of service instances which frequently move hosts. Sidecars for each service can be configured through these schedulers, and in some cases they can automate Consul configuration, sidecar deployment, and service registration.

    Connect can be used with Nomad to provide secure service-to-service communication between Nomad jobs and task groups. The ability to use the dynamic port feature of Nomad makes Connect particularly easy to use. Learn about how to configure Connect on Nomad by reading the

    Kubernetes