Securely connect your services with Consul service mesh
In the previous tutorial, you deployed Consul client agents and registered services to your Consul catalog.
In this tutorial, you will introduce zero trust security in your network by implementing Consul service mesh. This will enable secure service-to-service communication and allow you to leverage Consul's full suite of features.
In order to do this, you will edit the service definitions on your Consul clients, launch Envoy sidecar proxies, and create service intentions to allow traffic across your services in your network.
Tutorial scenario
This tutorial uses HashiCups, a demo coffee shop application made up of several microservices running on VMs.
At the beginning of the tutorial, you have a Consul datacenter with one server and four clients running on VMs. The services connect directly to each other using the VMs' addresses and can access every service in the network.
By the end of this tutorial, you will have a fully deployed Consul service mesh with Envoy sidecar proxies running alongside each service. The services will be configured so that they are not reachable unless explicitly allowed through Consul service intentions.
Prerequisites
This tutorial uses an interactive lab to guide you through setting up service mesh on your VM workloads. This lab environment includes all required binaries and sample configurations. We highly recommend using the interactive lab environment to complete this tutorial.
This tutorial includes a free interactive command-line lab that lets you follow along on actual cloud infrastructure.
Verify Consul binary
Verify that the VM you want to deploy the Consul server on has the Consul binary.
Verify Envoy installation on the VMs
In the interactive lab environment, click on each tab associated with the client nodes (NGINX, Frontend, API, and Database) and verify Envoy is installed.
Configure environment
This tutorial and the interactive lab environment use scripts from the tutorial's GitHub repository to generate the Consul configuration files for your client agents.
The interactive lab environment includes these scripts and the pre-configured Consul server. In Operator, list the files in your current directory.
In addition, the Consul client agents must have the following Consul resources that are compatible with your Consul server:
- The root CA certificate that you generated during the Consul server deployment.
- The gossip encryption key that you used to encrypt gossip communication.
Define the paths to these files. The script will include these resources in the auto-generated client configuration files.
Finally, the script uses the Consul CLI to interact with the Consul server and generate tokens for the Consul client agents. To interact with the Consul server, you need to set up your terminal.
Run the following commands to configure the Consul CLI to interact with the Consul server.
You also need to provide an ACL token to authenticate to your Consul server. In the previous tutorial, you generated an ACL token and stored it in a file.
Retrieve this value and set it to an environment variable named CONSUL_HTTP_TOKEN.
Verify your Consul CLI can interact with your Consul server.
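The commands for this step are not reproduced on the page, so the following is an added example (not the tutorial's own script) of a small shell helper that exports the variables the Consul CLI reads and checks the prerequisites before the configuration script runs. The server address, the file paths and the CONSUL_GOSSIP_KEY_FILE variable name are assumptions of this example; only CONSUL_HTTP_ADDR, CONSUL_CACERT and CONSUL_HTTP_TOKEN are variables the Consul CLI actually honours.

```shell
#!/bin/sh
# Added example, not part of the tutorial: point the Consul CLI at the server and
# fail fast when a prerequisite is missing. The address, file paths and the
# CONSUL_GOSSIP_KEY_FILE variable name are assumptions of this example.

# consul_env_setup ADDR CA_FILE GOSSIP_KEY_FILE TOKEN_FILE
# Exports the variables the Consul CLI reads; returns 1 if any input is unusable.
consul_env_setup() {
  addr="$1"; ca="$2"; gossip="$3"; token_file="$4"
  for f in "$ca" "$gossip" "$token_file"; do
    if [ ! -r "$f" ]; then
      echo "missing or unreadable: $f" >&2
      return 1
    fi
  done
  token=$(tr -d '[:space:]' < "$token_file")
  # Consul ACL tokens are UUIDs; anything else usually means the wrong file was
  # passed, and a wrong token would only surface later as a 403 from the server.
  if ! printf '%s' "$token" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
    echo "content of $token_file does not look like a Consul ACL token" >&2
    return 1
  fi
  export CONSUL_HTTP_ADDR="$addr"
  export CONSUL_CACERT="$ca"                # used to verify the server's TLS certificate
  export CONSUL_HTTP_TOKEN="$token"
  export CONSUL_GOSSIP_KEY_FILE="$gossip"   # read by the config-generation script (assumed name)
  return 0
}

# consul_env_verify: confirm the CLI can reach the server with the exported settings.
# Skips the live call when no consul binary is present so the function is safe offline.
consul_env_verify() {
  if ! command -v consul >/dev/null 2>&1; then
    echo "consul binary not on PATH; skipping live check" >&2
    return 0
  fi
  consul members >/dev/null
}

# Usage on the Operator node (paths assumed):
#   consul_env_setup https://consul-server.example.internal:8501 \
#     "$HOME/consul-agent-ca.pem" "$HOME/gossip.key" "$HOME/management.token" \
#     && consul_env_verify
```

Source this file in the Operator terminal before running the generation script; a missing CA file or a token file that does not contain a UUID stops you before the script produces client configurations that cannot authenticate.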
Generate Consul client configuration
Once you have set up your environment by defining the defaults for your script and configuring the Consul CLI, generate the Consul client configuration files.
The script creates new service definitions for the services to add them to the service mesh. In addition, it creates several global configuration files for the Consul service mesh control plane.
The new service definition includes an extra definition for the service upstreams. An upstream is a service that the defined service needs to communicate with.
The following is the new service definition for the NGINX service. Notice the new upstream definition: the NGINX service needs to connect to the frontend and API services. Consul will instruct the sidecar proxies to bind the upstream services to the relevant ports.
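The service definition itself is not reproduced on the page, so the following is an added example (not the tutorial's generated file) of a shell helper that writes a connect-enabled NGINX service definition with the two upstreams described above. The service names and IDs follow the page's hashicups-db-1 pattern but are assumptions, as are the ports, the output directory and the TCP health check; the HCL stanza layout (service, connect, sidecar_service, proxy, upstreams with destination_name and local_bind_port) is Consul's standard service-definition format.

```shell
#!/bin/sh
# Added example: generate the NGINX service definition with sidecar upstreams.
# Service names, IDs, ports and the output directory are assumptions of this example.

# write_nginx_service_def OUT_DIR
# Writes OUT_DIR/svc-nginx.hcl: a connect-enabled service whose sidecar binds the
# frontend and API upstreams to loopback ports that only this VM can reach.
write_nginx_service_def() {
  out_dir="$1"
  mkdir -p "$out_dir"
  cat > "$out_dir/svc-nginx.hcl" <<'EOF'
service {
  name = "hashicups-nginx"
  id   = "hashicups-nginx-1"
  port = 80

  # Health check so the catalog only routes to a live instance (assumed check).
  check {
    id       = "check-nginx"
    tcp      = "localhost:80"
    interval = "5s"
    timeout  = "5s"
  }

  connect {
    sidecar_service {
      proxy {
        # Each upstream is exposed on a loopback port; NGINX connects there
        # instead of to the remote VM, and Envoy carries the request over mTLS.
        upstreams = [
          {
            destination_name = "hashicups-frontend"
            local_bind_port  = 3000
          },
          {
            destination_name = "hashicups-api"
            local_bind_port  = 8081
          }
        ]
      }
    }
  }
}
EOF
}

# upstream_ports FILE: print "destination_name local_bind_port" per upstream so a
# script can feed the same ports into the NGINX config and keep the two in sync.
upstream_ports() {
  awk '
    /destination_name/ { gsub(/"/, "", $3); name = $3 }
    /local_bind_port/  { print name, $3 }
  ' "$1"
}
```

The local_bind_port values are what the NGINX upstream blocks must point at after the migration (localhost:3000 and localhost:8081 in this example); upstream_ports extracts them so the two configurations are generated from one source rather than kept in sync by hand.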
Review and create intentions
The initial Consul configuration denied all service connections by default. We recommend this setting in production environments to follow the "least-privilege" principle, by restricting all network access unless explicitly defined.
Intentions let you allow and restrict access between services. Intentions are destination-oriented: you create the intentions for the destination, then define which services can access it.
The following intentions are required for HashiCups:
Tip
Notice that these descriptions show traffic going from the destination to the source service.
- The db service needs to be reached by the api service.
- The api service needs to be reached by the nginx service.
- The frontend service needs to be reached by the nginx service.
The script already generated these configuration files and saved them in the service_mesh_configs/global directory. Create the service intentions.
Use the consul config write command to create the following intentions.
Create the intentions for the db service.
Create the intentions for the api service.
Create the intentions for the frontend service.
Apply new Consul client configuration
Before you can apply the new client configuration, you must copy the files to each Consul client VM.
Tip
In the interactive lab environment, the HashiCups application nodes have a running SSH server. As a result, you can use the ssh and scp commands to perform the following operations. If the nodes in your personal environment do not have an SSH server, you may need to use a different approach to create the configuration directories and copy the files.
Start sidecar proxies on client VMs
Once you have copied the configuration files to the VMs, log in to each Consul client VM and restart the Consul agent.
Start sidecar proxy for Database
Log into the virtual machine that hosts the database and reload the Consul configuration.
Tip
For the interactive lab environment, select the tab that corresponds with the service — in this case, Database.
Then, configure terminal to use Consul client token.
Finally, start the Envoy sidecar proxy for the service. Notice this command
configures the sidecar proxy specifically for the database service
(-sidecar-for hashicups-db-1
). If you host multiple services on a VM, you must
start an Envoy sidecar proxy for every service.
Start sidecar proxy for API
Log into the virtual machine that hosts the API and reload the Consul configuration.
Then, configure your terminal to use the Consul client token.
Finally, start the Envoy sidecar proxy for the service.
Start sidecar proxy for Frontend
Log into the virtual machine that hosts the frontend and reload the Consul configuration.
Then, configure your terminal to use the Consul client token.
Finally, start the Envoy sidecar proxy for the service.
Start sidecar proxy for NGINX
Log into the virtual machine that hosts NGINX and reload the Consul configuration.
Then, configure your terminal to use the Consul client token.
Finally, start the Envoy sidecar proxy for the service.
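The reload, token and Envoy commands are the same on the Database, API, Frontend and NGINX VMs, so the following is one added example (not the tutorial's own commands) of a shell helper that performs the three steps for every service ID hosted on a VM. consul reload, consul connect envoy, -sidecar-for and -admin-bind are real Consul CLI commands and flags; the token file path, the log directory and the SIDECAR_DRY_RUN switch are assumptions of this example. The point the page makes about one sidecar per service is where a second proxy usually fails in practice: every Envoy binds an admin port, and the default of 19000 collides as soon as a VM hosts two services, so the helper hands out a distinct port per proxy.

```shell
#!/bin/sh
# Added example: bring up one Envoy sidecar per service hosted on a client VM.
# Token file path, log directory and the SIDECAR_DRY_RUN switch are assumptions.

# sidecar_cmd SERVICE_ID ADMIN_PORT: print the command that starts one sidecar.
sidecar_cmd() {
  printf 'consul connect envoy -sidecar-for %s -admin-bind localhost:%s\n' "$1" "$2"
}

# start_sidecars TOKEN_FILE LOG_DIR SERVICE_ID...
# Loads the client token, reloads the agent so it picks up the new service
# definitions, then starts one proxy per service ID with admin ports 19000, 19001, ...
# With SIDECAR_DRY_RUN set, prints the commands instead of running them.
start_sidecars() {
  token_file="$1"; log_dir="$2"; shift 2
  [ -r "$token_file" ] || { echo "token file $token_file not readable" >&2; return 1; }
  # The token is loaded before the reload: with ACLs enabled, consul reload
  # talks to the agent API and needs it too.
  CONSUL_HTTP_TOKEN=$(tr -d '[:space:]' < "$token_file"); export CONSUL_HTTP_TOKEN
  mkdir -p "$log_dir"
  if [ -z "${SIDECAR_DRY_RUN:-}" ]; then
    consul reload || return 1
  fi
  port=19000
  for svc in "$@"; do
    if [ -n "${SIDECAR_DRY_RUN:-}" ]; then
      sidecar_cmd "$svc" "$port"
    else
      # Admin interface stays on loopback; only the sidecar's mTLS listener faces the network.
      consul connect envoy -sidecar-for "$svc" -admin-bind "localhost:$port" \
        > "$log_dir/envoy-$svc.log" 2>&1 &
    fi
    port=$((port + 1))
  done
}

# Usage on the Database VM (paths assumed):
#   start_sidecars /etc/consul.d/client.token /var/log/hashicups hashicups-db-1
# On a VM that hosts two services, list both IDs and each gets its own proxy.
```

Keeping -admin-bind on localhost matters beyond port collisions: the Envoy admin interface exposes configuration dumps and runtime controls without authentication, so it should never listen on the VM's address.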
Restart services to listen on localhost
Navigate to the Operator terminal and restart the services to listen only on localhost. This ensures that the services cannot communicate with each other directly.
This tutorial still configures the NGINX service to listen on the VM's IP so you can still access it remotely. For production, we recommend using an ingress gateway to manage access to the service.
Click on the Consul UI tab.
Confirm that HashiCups still works despite being configured to listen on localhost. The Envoy sidecar proxies route each service's local traffic to the relevant upstream.
Next steps
In this tutorial, you learned how to migrate your Consul services to Consul service mesh by updating each service's definition, starting Envoy sidecar proxies for each service, and updating the services' dependencies to bind to localhost.
In the process, you integrated zero trust security in your network and learned how to explicitly define service-to-service permissions using intentions.
In the next tutorial, you will learn how to monitor the services in your Consul service mesh using the Grafana suite.
For more information about the topics covered in this tutorial, refer to the following resources: