Consul
Ingress gateway overview
This topic provides an overview of ingress gateways in Consul. An ingress gateway is a type of proxy that enables network connectivity from external services to services inside the mesh. Ingress gateways listen for external requests and route authorized traffic to instances in the service mesh. Refer to Access services overview for additional information about connecting external clients to services in the mesh.
Note
Ingress gateways are deprecated. Use Consul API gateways to secure service mesh ingress instead.
Workflow
The following workflow describes how to deploy ingress gateways to service meshes on virtual machines (VM) and Kubernetes (K8s):
- For networks operating on K8s, enable ingress gateways in the Helm chart configuration when installing Consul.
- Define listeners and the services they expose to external clients. When ACLs are enabled, you must also define service intentions to allow traffic to the destination services.
- Register the ingress gateway service with Consul and start the ingress gateway proxy service.
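The listener and intention steps above, sketched as Consul configuration entries for a VM deployment. This is an added example, not taken from the Consul documentation; the gateway name `ingress-service`, the destination service `api`, the hostname, the port and the file names are assumed values.

```hcl
# Three separate config entries, one per file. Each file is applied with
# `consul config write <file>`. All names and values below are constructed.

# --- ingress-gateway.hcl ---
# One HTTP listener that exposes only the "api" service to external
# clients, matched on the Host header.
Kind = "ingress-gateway"
Name = "ingress-service"

Listeners = [
  {
    Port     = 8080
    Protocol = "http"
    Services = [
      {
        Name  = "api"
        Hosts = ["api.example.com"]
      }
    ]
  }
]

# --- api-defaults.hcl ---
# An "http" listener requires the destination service to declare the
# http protocol as well.
Kind     = "service-defaults"
Name     = "api"
Protocol = "http"

# --- api-intentions.hcl ---
# Allow the gateway, and nothing else listed here, to open connections
# to "api". With ACLs enabled, traffic through the listener is rejected
# until an intention like this one exists.
Kind = "service-intentions"
Name = "api"

Sources = [
  {
    Name   = "ingress-service"
    Action = "allow"
  }
]
```

Listing only the services that must be reachable from outside keeps the externally exposed surface explicit, and scoping the intention source to the gateway name keeps the allow rule from applying to other mesh services.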
You can also configure ingress gateways to retrieve and serve custom TLS certificates from external systems. This functionality is designed to help you integrate with custom TLS management software. Refer to Serve custom TLS certificates from an external service for additional information.
The following diagram describes how external traffic reaches services inside the mesh through an ingress gateway:
Guidance
Refer to the following resources to help you enable secure access to service mesh resources from external clients.
Usage
- Create ingress gateways on VMs
- Create ingress gateways on K8s
- Serve TLS certificates from external services