Discover HashiCorp Consul Service on Azure Configuration
In the Deploy HashiCorp Consul Service on Azure tutorial, you deployed a HashiCorp Consul Service (HCS) instance on Azure servers. The next step before deploying clients and services is to discover information about your servers. In this tutorial, you will retrieve the HCS on Azure data including server connection information, Consul agent configuration, and Consul certificates.
Note
For "Beta Testing" you can also access the Consul ACL system to create tokens for the Consul client agents. This process will be updated when HCS on Azure is generally available.
This tutorial provides steps to retrieve the configuration needed to manually configure a physical node or VM to act as a Consul client for HCS. If you want to configure an AKS cluster to run your client load, you can skip this tutorial and follow Connect an Azure Kubernetes Service (AKS) cluster to HashiCorp Consul Service on Azure instead.
Prerequisites
To successfully complete this tutorial, you need previous experience with Azure. You will also need the following:
Configure AZ tool to communicate with HCS
In this tutorial collection you will use the Azure CLI tool to retrieve information about your managed HCS on Azure.
HashiCorp provides an Azure CLI extension to interact with your HCS cluster.
Install the HashiCorp extension
You can install the extension directly from your shell using the az command:
Login to your Azure account
First, log in to Azure using the CLI tool.
The command redirects you to a web page where you can authorize your login. Use the same credentials for this login as you used to access the Azure console and create your HCS on Azure servers.
Retrieve Consul client configuration and certificates
Now that you have installed the hcs extension to your Azure CLI tool, you can retrieve Consul client configuration and certificates. We used learn-hcs-lab as Azure resource group and learnlab as managed application name in the previous tutorial. Replace the arguments with the names you used during the initial configuration for your HCS instance.
Tip
You can abbreviate --resource-group with -g.
The command will create two files:
consul.json - containing the Consul agent configuration for the clients.
ca.pem - containing certificates for the Consul HCS CA to be used with auto-encrypt enabled.
Note
You are going to need these files to complete the following tutorials. Don't remove them before you complete the full tutorial collection or unless you want to clean up your test node.
Check agent configuration
If you want to check the configuration HCS created for your clients, you can inspect the file consul.json.
Fields of note from the automatic client configuration are:
acl - The ACL system is enabled with "default_policy": "deny". In the following section you'll learn how to bootstrap the ACL system and retrieve the administrative token.
encrypt - It is configured for gossip encryption and includes the key which is going to be used by the datacenter to secure gossip communication.
auto_encrypt - It is configured for TLS encryption and to use the auto encryption method that automatically distributes certificates to the clients.
retry_join - It is configured to join the servers at startup.
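The following script is an added example, not part of the original tutorial or HashiCorp's tooling: it audits a retrieved consul.json for the four fields listed above and checks that the file, which embeds the gossip key, is readable only by its owner. The key layout (acl.enabled, acl.default_policy, encrypt, auto_encrypt.tls, retry_join) follows the standard Consul agent configuration and is an assumption about the HCS output; the sample values are constructed.

```python
import base64, json, os, stat, tempfile

def audit_client_config(path):
    """Return findings for a retrieved consul.json; an empty list means every check passed."""
    findings = []
    # The file embeds the gossip key, so only the owner should be able to read it.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("file is readable by group or others")
    with open(path) as fh:
        cfg = json.load(fh)
    acl = cfg.get("acl", {})
    if acl.get("enabled") is not True:
        findings.append("acl.enabled is not true")
    if acl.get("default_policy") != "deny":
        findings.append("acl.default_policy is not deny")
    # The gossip key is the base64 encoding of an AES key (16, 24 or 32 bytes).
    try:
        key = base64.b64decode(cfg.get("encrypt", ""), validate=True)
    except (ValueError, TypeError):
        key = b""
    if len(key) not in (16, 24, 32):
        findings.append("encrypt is missing or not a valid gossip key")
    if cfg.get("auto_encrypt", {}).get("tls") is not True:
        findings.append("auto_encrypt.tls is not true")
    if not cfg.get("retry_join"):
        findings.append("retry_join is empty")
    return findings

def write_sample(cfg, mode=0o600):
    """Write a constructed config to a temporary file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)
    return path

# Constructed sample, not real HCS output: the key is 32 zero bytes, the address a placeholder.
GOOD = {
    "acl": {"enabled": True, "default_policy": "deny"},
    "encrypt": base64.b64encode(bytes(32)).decode(),
    "auto_encrypt": {"tls": True},
    "retry_join": ["consul.example.internal"],
}

if __name__ == "__main__":
    print(audit_client_config(write_sample(GOOD)))
    weak = dict(GOOD, acl={"enabled": True, "default_policy": "allow"}, encrypt="")
    for finding in audit_client_config(write_sample(weak, 0o644)):
        print("FINDING:", finding)
```

To audit the real file, call audit_client_config("consul.json") from the directory where the az command wrote it.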
Note
The configuration is made to have agents joining the datacenter using an HCS private endpoint. In order for your clients to communicate with the Consul servers deployed by HCS on Azure, you must configure bi-directional peering between your VNet and the VNet created for HCS on Azure. You will do it in the next tutorial.
Bootstrap the ACL system
To start the configuration of the ACL system, retrieve the administrative token from HCS.
Compatibility notice
The tutorial refers to the token as masterToken. The term is temporary and will likely change in the near future. We will update the tutorials and the documentation when the change happens.
Using the administrative token, identified by the value of SecretID, you can create policies and tokens to define ACLs for your client nodes.
Next steps
In this tutorial you used the Azure CLI tool to discover information about HCS on Azure and to bootstrap the ACL system in your Consul datacenter. With the Consul server agent configuration, the TLS certificate, and the ACL token you created, you can now add Consul clients to your Consul service. Continue to the Connect VM-based Applications to HashiCorp Consul Service on Azure tutorial to connect an Azure VM and install a Consul client, or to the Connect an Azure Kubernetes Service (AKS) cluster to HashiCorp Consul Service on Azure tutorial to connect Consul clients deployed into a Kubernetes cluster.
To learn more about the Consul ACL system and how to create ACL tokens, complete the Secure Consul with ACLs tutorial.
To learn more about TLS encryption and configuration settings, read the Secure Agent Communication with TLS Encryption tutorial.
If you have any feedback for the HashiCorp Engineering or SRE team, including leaving comments and filing bugs, please contact hcs@hashicorp.com.