Documentation
Get started
What is Consul?
Consul operations
Service networking
Enterprise solutions
Runtimes and platforms
Plugins, integrations, & extensions
Reference docs
Glossary

Consul security architecture

This page introduces the parts of Consul's architecture that secure communication between users, Consul agents in the control plane, and communication between services in your application's data plane.

Control plane

Consul agents use the following security features and protocols to secure communication in a Consul datacenter.

Security feature	Enabled by default	Description
Access control lists (ACLs)	❌	Secures communication between Consul agents and controls access to the API, CLI, and UI.
Agent TLS encryption	❌	Verifies Consul server and client agents with TLS certificates using built-in CA.
Gossip encryption	✅	Encrypts communication between agents that manage cluster membership and broadcast messages.
SSO/Auth method integration	❌	Leverages existing OIDC and RBAC controls for users to connect to the Consul CLI and UI.

Data plane

The workload agents Consul runs in an application's data plane provide additional security features that are not enabled by default. These features are enforced by Envoy proxies deployed in the service mesh as gateways and sidecar proxies.

Security feature	Description
Consul API gateway	Secures user and application ingress for a service network.
mTLS certificate authority	Verifies incoming and outgoing service traffic with TLS certificates using built-in CA.
Service intentions	Limits service-to-service communication to explicitly definied routes between services.
JWT token support	Requires an additional verification check for sidecar proxies using JSON Web Tokens.

Best practices

We recommend you follow these best practices to ensure that your Consul deployments and the service mesh applications they support remain secure.

Secure Consul datacenters with ACLs, TLS encryption, and gossip encryption. Every unique datacenter you deploy requires bootstrapping each system.
Secure your service mesh with mTLS encryption and service intentions.
Configure service intentions to use a default: deny policy so that services require explicit permissions to communicate.