Consul
Secure north/south access on virtual machines
This topic provides an overview of how Consul securely allows systems outside the service mesh to access services inside the mesh when running the Consul binary on virtual machines (VMs). Network traffic that connects services inside the mesh to external clients or services is referred to as north-south traffic.
For information about enabling intra-mesh, or east-west traffic, refer to Expand network east/west overview.
Introduction
You can define points of ingress to the service mesh using either API gateways or ingress gateways. These gateways allow external network clients to access applications and services running in a Consul datacenter.
API gateways forward requests from clients to specific destinations based on path or request protocol. Ingress gateways are Consul's legacy capability for ingress and have been deprecated in favor of API gateways.
API gateways
API gateways enable external network clients to securely access applications and services running in a Consul datacenter. Consul API gateways can also forward requests from clients to specific destinations in the service mesh based on the request's path or protocol.
To enable an API gateway, you must configure the gateway, its listeners, and its routes. Refer to API gateway overview for more about deploying API gateways to your Consul service mesh.
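The following sketch shows the gateway, one listener, and one route as Consul configuration entries, plus the intention that lets the gateway reach the routed service. It is an added illustration, not configuration from the Consul documentation; the names `my-gateway`, `https-listener`, `gateway-cert`, and `api`, the port, and the path prefix are assumptions.

```hcl
# Each entry below goes in its own file and is applied with
# `consul config write <file>`. All names and ports are assumed values.

# gateway.hcl: the gateway and its listener
Kind = "api-gateway"
Name = "my-gateway"
Listeners = [
  {
    Name     = "https-listener"
    Port     = 8443
    Protocol = "http"
    # TLS is terminated at the listener with a certificate stored
    # as a separate inline-certificate config entry.
    TLS = {
      Certificates = [
        { Kind = "inline-certificate", Name = "gateway-cert" }
      ]
    }
  }
]

# route.hcl: bind a route to that listener only
Kind = "http-route"
Name = "api-route"
Parents = [
  { Kind = "api-gateway", Name = "my-gateway", SectionName = "https-listener" }
]
Rules = [
  {
    # Only requests under /api are forwarded; anything else has no route.
    Matches  = [{ Path = { Match = "prefix", Value = "/api" } }]
    Services = [{ Name = "api" }]
  }
]

# intention.hcl: allow the gateway, and nothing else named here,
# to open mesh connections to the "api" service
Kind = "service-intentions"
Name = "api"
Sources = [
  { Name = "my-gateway", Action = "allow" }
]
```

Scoping the route to a single listener with `SectionName` and granting the intention to the gateway by name keeps the externally reachable surface limited to the paths and services listed.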
Ingress gateways
Ingress gateways listen for external requests and route authorized traffic to instances in the service mesh. They provide one-way traffic from external sources to services in the mesh. If you want to enable traffic from services in the mesh to external destinations, then you must also configure a terminating gateway, which is a separate component that requires additional configuration and maintenance.
Ingress gateways are deprecated. Use Consul API gateways to secure service mesh ingress instead.
Refer to Ingress gateway overview for additional information about deploying ingress gateways to your Consul service mesh.
Terminating gateways
Terminating gateways handle requests from services in the network for external services running on external nodes. They act as service mesh proxies that can services in the Consul catalog. These gateways terminate service mesh mTLS connections, enforce service intentions, and forward requests to the appropriate destination.
Terminating gateways are deprecated. Use Consul API gateways instead.
Refer to Terminating gateways for more information about how to deploy terminating gateways to your Consul service mesh.
Guidance
Refer to the following resources for help setting up and using API gateways:
Tutorials
Usage documentation
- Deploy API gateway listeners to VMs
- Deploy API gateway routes to VMs
- Encrypt API gateway traffic on VMs
- Use JWTs to verify requests to API gateways on VMs