Consul
Expand service network east/west
This topic provides an overview of the strategies and processes for linking defined segments of your service mesh to extend east/west operations across cloud regions, runtimes, and platforms. Linking network segments into an extended service mesh enables advanced strategies for deploying and monitoring service operations in your network.
For more information about how to divide your network, including the difference between deployment strategies enabled by methods such as WAN federation and cluster peering, refer to manage multi-tenancy.
Introduction
Consul supports two general strategies for extending east/west service mesh traffic across your network:
- Cluster peering
- Wide Area Network (WAN) federation
Consul community edition supports basic cluster peering and federation scenarios. Implementing advanced scenarios such as federated network areas and cluster peering between multiple admin partitions in datacenters requires Consul Enterprise. Refer to Consul Enterprise for more information.
Cluster peering
Cluster peering connects two or more independent Consul clusters so that services deployed to different datacenters can communicate. The process to establish a connection generates and exchanges peering tokens between admin partitions in each datacenter.
Peering topologies that include more than one admin partition in a single Consul datacenter require Consul Enterprise. HCP Consul enables additional support for cluster peering lifecycle operations through HCP Consul Central.
Cluster peering in your service mesh enables sameness groups, service failover, and connections between Consul clusters owned by different operators. Refer to the Cluster peering documentation for more information.
WAN federation
Wide Area Network (WAN) federation joins two or more Consul datacenters. When you enable WAN federation in each server cluster and declare one of them the primary datacenter, Consul agents can communicate using WAN gossip to function as if they were a single datacenter.
WAN federation in your service mesh enables service-to-service communication across cloud regions, key/value store replication, and advanced strategies for traffic management such as service failover. Refer to the WAN federation documentation for more information.
Federated network areas
Network areas specify a relationship between a pair of Consul datacenters. Operators create reciprocal areas on each side of the relationship and then join them together. This networking strategy allows for more flexible relationships between Consul datacenters, such as hub/spoke or more general tree structures. Because traffic between network areas uses server RPC (8300/tcp), you can secure it using only TLS.
Refer to the Network area documentation for more information.
Secure communication with mesh gateways
Mesh gateways route service mesh traffic between Consul datacenters that reside in different cloud or runtime environments where general interconnectivity between all services in all datacenters is not feasible. In hybrid or multi-cloud production environments, mesh gateways secure communication between datacenters deployed to different cloud regions or platforms.
After you register a mesh gateway with Consul, you can configure a service's sidecar proxy to enable the mesh gateway as a service upstream. Refer to the Mesh gateway documentation for more information.
Guidance
For runtime specific guidance, including federating clusters across runtimes, refer to the following topics:
- Extend network east/west on virtual machines
- Extend network east/west on Kubernetes
- WAN federation between virtual machines and Kubernetes clusters
Reference documentation
For reference material related to the processes for extending your service mesh by linking segments of your network, refer to the following pages:
- CLI reference: consul join command
- CLI reference: consul operator area command
- CLI reference: peering command
- HTTP API reference: /operator/area endpoint
- HTTP API reference: /peering endpoint
- Mesh gateway configuration reference
- Proxy defaults configuration reference
Constraints, limitations, and troubleshooting
If you experience errors when linking segments of your network, refer to the following list of technical constraints.
- Consul does not support deployments that use WAN federation and cluster peering simultaneously.
- The Consul UI does not support the creation of cluster peering connections, WAN-federated datacenters, federated network areas, or mesh gateways. A dedicated user interface to view, create, and manage cluster peering connections is available through HCP Consul Central.