Consul
Secure north/south access on Kubernetes
This topic provides an overview of how Consul securely allows systems outside the service mesh to access services inside the mesh on Kubernetes. Network traffic that connects services inside the mesh to external clients or services is referred to as north-south traffic.
For information about enabling intra-mesh, or east-west traffic, refer to Expand network east/west overview.
Introduction
You can define points of ingress to the service mesh using either API gateways or ingress gateways. These gateways allow external network clients to access applications and services running in a Consul datacenter.
API gateways forward requests from clients to specific destinations based on path or request protocol. Ingress gateways are Consul's legacy capability for ingress and have been deprecated in favor of API gateways.
API gateways
API gateways enable external network clients to securely access applications and services running in a Consul datacenter. Consul API gateways can also forward requests from clients to specific destinations in the service mesh based on the request's path or protocol.
To enable an API gateway, you must configure the gateway, its listeners, and its routes. Refer to API gateway overview for more about deploying API gateways to your Consul service mesh.
Ingress gateways
Ingress gateways listen for external requests and route authorized traffic to instances in the service mesh. They provide one-way traffic from external sources to services in the mesh. If you want to enable traffic from services in the mesh to external destinations, then you must also configure a terminating gateway, which is a separate component that requires additional configuration and maintenance.
Ingress gateways are deprecated. Use Consul API gateways to secure service mesh ingress instead.
Refer to Ingress gateway overview for additional information about deploying ingress gateways to your Consul service mesh.
Terminating gateways
Terminating gateways handle requests from services in the network for external services running on external nodes. They act as service mesh proxies that can services in the Consul catalog. These gateways terminate service mesh mTLS connections, enforce service intentions, and forward requests to the appropriate destination.
Terminating gateways are deprecated. Use Consul API gateways instead.
Refer to Terminating gateways for more information about how to deploy terminating gateways to your Consul service mesh.
Guidance
Refer to the following resources for help setting up and using API gateways:
Tutorials
Usage documentation
- Deploy API gateway listeners to Kubernetes
- Deploy API gateway routes to Kubernetes
- Reroute HTTP requests in Kubernetes
- Route traffic to peered services in Kubernetes
- Use JWTs to verify requests to API gateways on Kubernetes