Service-to-service Traffic Across Partitions

    Mesh gateways enable you to route service mesh traffic between different Consul admin partitions. Partitions can reside in different clouds or runtime environments where general interconnectivity between all services in all partitions isn’t feasible.

    Mesh gateways operate by sniffing and extracting the server name indication (SNI) header from the service mesh session and routing the connection to the appropriate destination based on the server name requested. The gateway does not decrypt the data within the mTLS session.

    Ensure that your Consul environment meets the following requirements.

    • Consul Enterprise version 1.11.0 or newer.
    • A local Consul agent is required to manage its configuration.
    • Consul service mesh must be enabled in all partitions. Refer to the for details.
    • Each partition must have a unique name. Refer to the admin partitions documentation for details.
    • If you want to you must enable centralized configuration.

    Proxy

    Envoy is the only proxy with mesh gateway capabilities in Consul.

    Mesh gateway proxies receive their configuration through Consul, which automatically generates it based on the proxy’s registration. Consul can only translate mesh gateway registration information into Envoy configuration.

    Sidecar proxies that send traffic to an upstream service through a gateway need to know the location of that gateway. They discover the gateway based on their sidecar proxy registrations. Consul can only translate the gateway registration information into Envoy configuration.

    Sidecar proxies that do not send upstream traffic through a gateway are not affected when you deploy gateways. If you are using Consul’s built-in proxy as a Connect sidecar it will continue to work for intra-datacenter traffic and will receive incoming traffic even if that traffic has passed through a gateway.

    Configure the following settings to register the mesh gateway as a service in Consul.

    • Specify in the kind field to register the gateway with Consul.
    • Configure the proxy.upstreams parameters to route traffic to the correct service, namespace, and partition. Refer to the upstreams documentation for details. The service proxy.upstreams.destination_name is always required. The proxy.upstreams.destination_partition must be configured to enable cross-partition traffic. The proxy.upstreams.destination_namespace configuration is only necessary if the destination service is in a different namespace.
    • Configure the exported-services configuration entry to enable Consul to export services contained in an admin partition to one or more additional partitions. Refer to the for details.
    • Define the Proxy.Config settings using opaque parameters compatible with your proxy, i.e., Envoy. For Envoy, refer to the Gateway Options and documentation for additional configuration information.
    • If ACLs are enabled, a token granting service:write for the gateway’s service name and service:read for all services in the datacenter or partition must be added to the gateway’s service definition. These permissions authorize the token to route communications for other Consul service mesh services, but does not allow decrypting any of their communications.

    Each upstream associated with a service mesh proxy can be configured so that it is routed through a mesh gateway. Depending on your network, the proxy’s connection to the gateway can operate in one of the following modes:

    • none - (Default) No gateway is used and a service mesh connect proxy makes its outbound connections directly to the destination services.

    • - The service mesh connect proxy makes an outbound connection to a gateway running in the destination datacenter. The gateway forwards the data to the final destination service.

    Connect Proxy Configuration

    Set the proxy to the preferred to configure the service mesh proxy. You can specify the mode globally or within child configurations to control proxy behaviors at a lower level. Consul recognizes the following order of precedence if the gateway mode is configured in multiple locations the order of precedence:

    1. Upstream definition (highest priority)
    2. Service instance definition
    3. Centralized service-defaults configuration entry
    4. Centralized proxy-defaults configuration entry

    Use the following example configurations to help you understand some of the common scenarios.

    The following proxy-defaults configuration will enable gateways for all Connect services in the local mode.

    Example: Enabling gateways globally.

    Example: Enabling gateways globally.

    HCL

    • HCL
    • YAML
    1. Kind = "proxy-defaults"
    2. Name = "global"
    3. MeshGateway {
    4. Mode = "local"
    5. }
    1. Kind: proxy-defaults
    2. MeshGateway:
    3. - Mode: local
    4. Name: global
    1. Kind: proxy-defaults
    2. MeshGateway:
    3. - Mode: local
    4. Name: global

    Enabling Gateways Per Service

    The following service-defaults configuration will enable gateways for all Connect services with the name web.

    Example: Enabling gateways per service.

    HCL

    Enabling Service-to-service Traffic Across Admin Partitions - 图2

    • HCL
    • YAML
    1. Kind = "service-defaults"
    2. Name = "web"
    3. MeshGateway {
    4. Mode = "local"
    5. }
    1. Kind: service-defaults
    2. MeshGateway:
    3. - Mode: local
    4. Name: web
    1. Kind: service-defaults
    2. MeshGateway:
    3. - Mode: local
    4. Name: web

    The following definition will enable gateways for web service instances in the finance partition.

    Example: Enabling gateways for a service instance.

    Example: Enabling gateways for a service instance.

    HCL

    • HCL
    • YAML
    1. service {
    2. name = "web-sidecar-proxy"
    3. kind = "connect-proxy"
    4. port = 8181
    5. proxy {
    6. destination_service_name = "web"
    7. mesh_gateway {
    8. mode = "local"
    9. }
    10. upstreams = [
    11. {
    12. destination_namespace = "default"
    13. destination_type = "service"
    14. destination_name = "billing"
    15. local_bind_port = 9090
    16. }
    17. ]
    18. }
    19. }
    1. service {
    2. name = "web-sidecar-proxy"
    3. port = 8181
    4. proxy {
    5. destination_service_name = "web"
    6. mesh_gateway {
    7. mode = "local"
    8. }
    9. upstreams = [
    10. {
    11. destination_partition = "finance"
    12. destination_namespace = "default"
    13. destination_type = "service"
    14. destination_name = "billing"
    15. local_bind_port = 9090
    16. }
    17. ]
    18. }
    19. }
    1. service:
    2. - kind: connect-proxy
    3. name: web-sidecar-proxy
    4. port: 8181
    5. proxy:
    6. - destination_service_name: web
    7. mesh_gateway:
    8. - mode: local
    9. upstreams:
    10. - destination_name: billing
    11. destination_namespace: default
    12. destination_partition: finance
    13. destination_type: service
    14. local_bind_port: 9090

    Enabling Gateways for a Proxy Upstream

    The following service definition will enable gateways in local mode for three different partitions. Note that each service exists in the same namespace, but are separated by admin partition.

    Example: Enabling gateways for a proxy upstream.

    Example: Enabling gateways for a proxy upstream.

    Enabling Service-to-service Traffic Across Admin Partitions - 图4

    • HCL
    • YAML
    1. service {
    2. name = "web-sidecar-proxy"
    3. kind = "connect-proxy"
    4. port = 8181
    5. proxy {
    6. destination_service_name = "web"
    7. upstreams = [
    8. {
    9. destination_name = "api"
    10. destination_namespace = "dev"
    11. destination_partition = "api"
    12. local_bind_port = 10000
    13. mesh_gateway {
    14. mode = "local"
    15. }
    16. },
    17. {
    18. destination_name = "db"
    19. destination_namespace = "dev"
    20. destination_partition = "db"
    21. local_bind_port = 10001
    22. mesh_gateway {
    23. mode = "local"
    24. }
    25. },
    26. {
    27. destination_name = "logging"
    28. destination_partition = "logging"
    29. local_bind_port = 10002
    30. mesh_gateway {
    31. mode = "local"
    32. }
    33. ]
    34. }
    35. }
    1. service {
    2. name = "web-sidecar-proxy"
    3. kind = "connect-proxy"
    4. port = 8181
    5. proxy {
    6. destination_service_name = "web"
    7. upstreams = [
    8. {
    9. destination_name = "api"
    10. destination_namespace = "dev"
    11. destination_partition = "api"
    12. local_bind_port = 10000
    13. mesh_gateway {
    14. mode = "local"
    15. }
    16. },
    17. {
    18. destination_name = "db"
    19. destination_namespace = "dev"
    20. destination_partition = "db"
    21. local_bind_port = 10001
    22. mesh_gateway {
    23. mode = "local"
    24. }
    25. },
    26. {
    27. destination_name = "logging"
    28. destination_namespace = "dev"
    29. destination_partition = "logging"
    30. local_bind_port = 10002
    31. mesh_gateway {
    32. mode = "local"
    33. }
    34. },
    35. ]
    36. }
    37. }
    1. service:
    2. - kind: connect-proxy
    3. name: web-sidecar-proxy
    4. port: 8181
    5. proxy:
    6. - destination_service_name: web
    7. upstreams:
    8. - destination_name: api
    9. destination_namespace: dev
    10. destination_partition: api
    11. local_bind_port: 10000
    12. mesh_gateway:
    13. - mode: local
    14. - destination_name: db
    15. destination_namespace: dev
    16. destination_partition: db
    17. local_bind_port: 10001
    18. mesh_gateway:
    19. - mode: local
    20. - destination_name: logging
    21. destination_namespace: dev
    22. destination_partition: logging
    23. local_bind_port: 10002
    24. mesh_gateway:
    25. - mode: local