Consul
Administrate multi-tenant Consul datacenters
This page provides an overview of Consul's multi-tenancy features. A single Consul datacenter can support multiple teams and organizations by restricting resources, service traffic, and user access to a combination of admin partitions, namespaces, networking segments, and sameness groups.
Consul Community Edition supports the `default` partition and `default` namespace, but does not support multi-tenancy. For more information, refer to Consul Enterprise.
Introduction
In large enterprise organizations, configuring, deploying, securing, and managing separate Consul datacenters for each team or project can be an impractical and resource-intensive solution. Consul Enterprise users can implement multi-tenant configurations of Consul server clusters so that teams can share a set of Consul servers. This arrangement can lower deployment costs while maintaining network security and preventing conflicts in resource names.
The two main elements in Consul's multi-tenancy support are admin partitions and namespaces. Consul namespaces are distinct from Kubernetes namespaces, but you can configure Consul to mirror existing Kubernetes namespaces. Consul also supports multi-tenancy configurations for networks that are segmented according to firewalls, and enables operators to manage a set of admin partitions and namespaces using sameness groups.
Admin partitions
Admin partitions define one or more administrative boundaries for a Consul deployment. They exist one level above namespaces in Consul's identity hierarchy. Server clusters that manage multiple admin partitions require a Consul Enterprise license.
Admin partitions enable cluster peering connections and sameness groups between Consul datacenters deployed in different regions or cloud environments. Refer to the admin partition documentation for more information.
Namespaces
Namespaces isolate data for different users or teams. They exist one level below admin partitions in Consul's identity hierarchy. Server clusters that register services to multiple namespaces require a Consul Enterprise license.
Namespaces can help reduce operational challenges by removing restrictions around uniqueness of resource names across distinct teams. You can secure namespace resources with Consul's Access Control List (ACL) system. Refer to the namespace documentation for more information.
Network segments
Network segments enable Consul deployments for organizations with network rules or firewalls that prevent full connectivity between all agents in a datacenter's gossip pool. Establishing communication boundaries with Consul network segments limits Consul's connectivity requirements to an individual segment.
Network segments are defined in agent configuration files and require a Consul Enterprise license. Refer to the network segments documentation for more information.
Sameness groups
Sameness groups are a user-defined set of admin partitions with identical configurations, including namespaces and configuration entries. By establishing cluster peering connections and exporting services between these partitions when creating a sameness group, operators can manage groups of services across regions, runtimes, and cloud environments, and implement automated service failover strategies.
Sameness groups require a Consul Enterprise license. Refer to create sameness groups for more information.
Guidance
The following resources are available to help you learn about Consul multi-tenancy and its usage.
Tutorials
To get started with the features described on this page, refer to the following tutorials:
- Multi-Tenancy with Administrative Partitions
- Multi Cluster Applications with Consul Enterprise Admin Partitions
- Setup secure namespaces
- Register and discover services within namespaces
Runtime-specific usage documentation
For runtime-specific guidance, refer to the following pages:
- Configure partitions on Kubernetes
- Use Consul and Kubernetes namespaces
- Create network segments on virtual machines (VMs)
Reference documentation
For reference material related to Consul's multi-tenancy capabilities, refer to the following pages:
Constraints, limitations, and troubleshooting
If you experience errors when implementing multi-tenancy on Consul deployments, refer to the following list of technical constraints.
- WAN-federated Consul deployments support the `default` admin partition only.
- Sameness groups must be configured on each partition that is a member of the group.