Consul
Consul architecture
This page provides an overview of the architecture for Consul's operations.
Introduction
Consul can support many different network topologies and cloud providers. The number of Consul agents and network components you deploy may change, but the underlying architecture of Consul's operations remains the same across systems, runtimes, and cloud environments.
Consul operates in two areas to support your workloads:
- The control plane is the part of Consul's infrastructure that maintains a central registry to track services and their respective IP addresses. It enables you to register, access, and secure services deployed across your network. To learn more, refer to control plane architecture.
- The data plane is the part of the network where workloads send application data to other nodes in the cluster. The Consul process does not run directly in the data plane, but when using Consul's service mesh features, you can deploy components such as sidecar proxies and gateways into the data plane to manage L4 and L7 network traffic between services. To learn more, refer to data plane architecture.
Backend data persistence
Consul servers in the control plane keep a record of the state of Consul agents and their registered services using the Raft protocol for consensus. This protocol generates data in the form of a Raft index that the Consul cluster must persist across reboots during cluster operations.
Consul logs the Raft index with the write-ahead log (WAL) LogStore backend. The WAL backend implements a traditional log with rotating, append-only log files, and it retains logs without affecting a cluster's write performance at scale.
Consul agents store this data in the folder specified with the -data-dir flag.
For more information about the Raft index and Consul's backend requirements, refer to Persistent data backend architecture.
Network tomography
Consul uses a network tomography system to compute network coordinates for nodes in the cluster. These coordinates allow the network round trip time (RTT) to be estimated between any two nodes. Consul can use RTT when returning services. For example, it can find the service node that is nearest to the one making the request, or it can fail over to services in the next closest datacenter.
Consul uses the Serf library, which also provides gossip communication between agents in a cluster, to determine network coordinates and their RTT.
For more information, refer to network coordinates.
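The RTT estimate and nearest-node ordering described above, as an added example (not code from this page or from Consul). It assumes a Vivaldi-style coordinate, which is the model Serf's coordinates are based on: a Euclidean vector plus height and adjustment terms, all in seconds. The `Coord` type, the function names and the node names are hypothetical.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Coord is a hypothetical stand-in for a node's coordinate; all values are in seconds.
type Coord struct {
	Vec                []float64 // position in Euclidean space
	Height, Adjustment float64   // non-Euclidean offset and a correction term
}

// EstimateRTT returns the estimated round trip time between two coordinates.
func EstimateRTT(a, b Coord) (time.Duration, error) {
	if len(a.Vec) != len(b.Vec) {
		return 0, fmt.Errorf("dimension mismatch: %d vs %d", len(a.Vec), len(b.Vec))
	}
	sumsq := 0.0
	for i := range a.Vec {
		sumsq += (a.Vec[i] - b.Vec[i]) * (a.Vec[i] - b.Vec[i])
	}
	rtt := math.Sqrt(sumsq) + a.Height + b.Height
	if adj := rtt + a.Adjustment + b.Adjustment; adj > 0 { // keep the estimate positive
		rtt = adj
	}
	return time.Duration(rtt * float64(time.Second)), nil
}

// SortByRTT orders node names nearest-first from src, skipping incomparable coordinates.
func SortByRTT(src Coord, nodes map[string]Coord) []string {
	rtts, names := map[string]time.Duration{}, []string{}
	for name, c := range nodes {
		if rtt, err := EstimateRTT(src, c); err == nil {
			rtts[name], names = rtt, append(names, name)
		}
	}
	sort.Slice(names, func(i, j int) bool { return rtts[names[i]] < rtts[names[j]] })
	return names
}

func main() { // constructed sample coordinates
	near := Coord{Vec: []float64{0.003, 0.004}, Height: 0.001}
	far := Coord{Vec: []float64{0.030, 0.040}, Height: 0.002}
	fmt.Println(SortByRTT(Coord{Vec: []float64{0, 0}}, map[string]Coord{"web-dc1": near, "web-dc2": far}))
}
```

A coordinate with a different number of dimensions is rejected rather than compared, so a malformed entry drops out of the ordering instead of skewing it.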
Security architecture
Consul is secured by several methods for encrypted communication. These methods apply to Consul's operations in both the control plane and the data plane. For more information about how Consul secures communication across its architectural components, refer to security architecture.