Consul security architecture
This page introduces the parts of Consul's architecture that secure communication between users and Consul agents in the control plane, and between services in your application's data plane.
Control plane
Consul agents use the following security features and protocols to secure communication in a Consul datacenter.
| Security feature | Enabled by default | Description |
|---|---|---|
| Access control lists (ACLs) | ❌ | Secures communication between Consul agents and controls access to the API, CLI, and UI. |
| Agent TLS encryption | ❌ | Verifies Consul server and client agents with TLS certificates issued by the built-in CA. |
| Gossip encryption | ✅ | Encrypts communication between agents that manage cluster membership and broadcast messages. |
| SSO/Auth method integration | ❌ | Leverages existing OIDC and RBAC controls for users to connect to the Consul CLI and UI. |
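The table lists the control-plane protections but not how an agent turns them on. The following server agent configuration is an added example, not taken from this page or from HashiCorp's documentation; it enables gossip encryption, agent TLS with the built-in CA, and ACLs with a deny default. The datacenter name, file paths, certificate file names and the gossip key are placeholders; the certificate names follow the pattern produced by `consul tls ca create` and `consul tls cert create -server -dc dc1`.

```hcl
# Added example: Consul server agent configuration enabling the three
# control-plane protections. All values below are placeholders.
datacenter = "dc1"
data_dir   = "/opt/consul"
server     = true

# Gossip encryption. The key comes from `consul keygen` and must be identical
# on every agent in the datacenter. The two verify flags make the agent reject
# any unencrypted gossip instead of silently accepting it.
encrypt                 = "<output of consul keygen>"
encrypt_verify_incoming = true
encrypt_verify_outgoing = true

# Agent TLS. Certificates here were issued by the built-in CA.
tls {
  defaults {
    ca_file         = "/etc/consul.d/certs/consul-agent-ca.pem"
    cert_file       = "/etc/consul.d/certs/dc1-server-consul-0.pem"
    key_file        = "/etc/consul.d/certs/dc1-server-consul-0-key.pem"
    verify_outgoing = true
  }
  internal_rpc {
    # Require a certificate from every agent connecting over RPC, and check
    # that a server certificate really carries server.<dc>.consul, so a client
    # certificate cannot be presented as a server.
    verify_incoming        = true
    verify_server_hostname = true
  }
}

# Let client agents obtain their TLS certificates from the servers instead of
# distributing client certificates by hand.
auto_encrypt {
  allow_tls = true
}

# ACLs: anything not explicitly granted by a token's policy is denied.
acl {
  enabled                  = true
  default_policy           = "deny"
  enable_token_persistence = true
}

# Serve the API and UI over HTTPS only.
ports {
  http  = -1
  https = 8501
}
```

With `default_policy = "deny"` the API, CLI and UI reject requests that carry no token, so the first step after starting the servers is `consul acl bootstrap`, which creates the initial management token. Client agents need the same `encrypt` value and the same `ca_file`; with `auto_encrypt.allow_tls` on the servers, they can set `auto_encrypt { tls = true }` and receive their own certificates.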
Data plane
The workload agents Consul runs in an application's data plane provide additional security features that are not enabled by default. These features are enforced by Envoy proxies deployed in the service mesh as gateways and sidecar proxies.
| Security feature | Description |
|---|---|
| Consul API gateway | Secures user and application ingress for a service network. |
| mTLS certificate authority | Verifies incoming and outgoing service traffic with TLS certificates issued by the built-in CA. |
| Service intentions | Limits service-to-service communication to explicitly defined routes between services. |
| JWT token support | Requires an additional verification check for sidecar proxies using JSON Web Tokens. |
Best practices
We recommend you follow these best practices to ensure that your Consul deployments and the service mesh applications they support remain secure.
- Secure Consul datacenters with ACLs, TLS encryption, and gossip encryption. Each datacenter you deploy requires bootstrapping each of these systems.
- Secure your service mesh with mTLS encryption and service intentions.
- Configure service intentions to use a `default: deny` policy so that services require explicit permissions to communicate.
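The service intentions row in the data plane table and the last best practice both describe a deny-by-default posture. The two config entries below are an added example, not code from this page or from HashiCorp, of how that looks as `service-intentions` entries: the first denies every connection that no other intention allows, the second grants the one route the application needs. The service names `api` and `payments` are placeholders. Each entry is written with `consul config write` from its own file; the comment lines mark where one file ends and the next begins.

```hcl
# --- file: default-deny.hcl ---
# Added example. Wildcard destination and wildcard source: the lowest-precedence
# intention, so it only applies when nothing more specific matches. With this
# entry in place, a connection between any two services is denied unless another
# intention allows it.
Kind = "service-intentions"
Name = "*"
Sources = [
  {
    Name   = "*"
    Action = "deny"
  }
]

# --- file: payments-intentions.hcl ---
# Added example. An exact source/destination pair has the highest precedence,
# so this allow overrides the wildcard deny for exactly one route: api -> payments.
# Every other caller of payments still hits the default deny.
Kind = "service-intentions"
Name = "payments"
Sources = [
  {
    Name   = "api"
    Action = "allow"
  }
]
```

Because the sidecar proxies enforce intentions at connection time using the caller's mTLS certificate identity, adding a new consumer of `payments` means writing a new allow intention rather than changing anything on the `payments` service itself, which keeps the permitted graph visible in one place.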