Deploy HashiCorp Consul Service on Azure
HashiCorp Consul Service (HCS) on Azure enables Microsoft Azure users to natively provision HashiCorp-managed Consul servers in any supported Azure region directly through the Azure Marketplace. As a fully managed service, HCS on Azure enables you to leverage Consul for service discovery or service mesh across a mix of VM, hybrid/on-premises, and Kubernetes environments while offloading the operational burden to the Site Reliability Engineering (SRE) experts at HashiCorp.
In this tutorial, you will deploy an instance of HashiCorp Consul Service on your Azure subscription and learn the available configuration options for the servers. Finally, you will interact with your Consul service using the Consul UI.
Prerequisites
To successfully complete this tutorial, you will need an Azure subscription with the following resource providers registered.
We also recommend previous experience with Azure, deploying applications from the Azure Marketplace, and familiarity with Azure networking regions and VNets.
Note
For production deployments you will need at least 12 vCPUs available in the region, which requires an upgraded Azure subscription.
Managed HashiCorp Consul Service on Azure
HCS on Azure is a fully managed service. The HashiCorp SRE team will manage all of the operational tasks including provisioning, monitoring, troubleshooting, and server upgrades. This allows you to adopt Consul for secure service-to-service communication across any Azure-connected environment and to focus on application and workload-specific concerns.
Set up HCS on Azure
Create a resource group
First, you will need to define a resource group where you will deploy the Consul service. Create a new one and ensure that it is located in one of the eight supported regions.
- (US) East US
- (US) East US 2
- (US) Central US
- (US) West US 2
- (Europe) West Europe
- (Europe) North Europe
- (Europe) Central France
- (Europe) South UK
It can take up to 30 seconds for the resource group to converge.
Create an HCS on Azure datacenter
HCS will be deployed as a managed application. You can locate it in the marketplace under the name "HashiCorp Consul Service on Azure."
You can also access the service directly using the following URL.
Click the Create button to start the configuration process.
Configure your HCS on Azure datacenter
On the create screen, you'll define parameters for your Consul service.
- On the Basics tab, you will define details such as the resource group, region, and cluster mode.
- The Consul settings tab is optional. You can adapt Consul cluster settings to your use case, such as the visibility of the Consul UI.
Security defaults
We have configured HCS on Azure with several security defaults that cannot be disabled. You will need to take additional steps to configure your Consul clients in order to communicate with your HCS on Azure servers.
- Access Control Lists (ACL) are enabled by default and cannot be disabled. The next tutorial provides steps to set up the ACL system and create ACL tokens for Consul clients installed on VMs or legacy nodes.
- Transport Layer Security (TLS) and gossip encryption are on by default and cannot be disabled. You will need to retrieve the TLS certificates and encryption key in order to participate in agent to agent communication. The next tutorial will help you retrieve the Consul client configuration and certificates for Consul clients installed on VMs or legacy nodes.
Cluster settings
- Subscription: the subscription you are using.
- Resource Group: the resource group you created earlier. If you did not create one yet, you can do it using the Create new link. In this tutorial, we will use the resource group named learn-hcs-lab.
- Region: the region where you want the application to be deployed.
  - (US) East US
  - (US) East US 2
  - (US) Central US
  - (US) West US 2
  - (Europe) West Europe
  - (Europe) North Europe
  - (Europe) Central France
  - (Europe) South UK
- Email: the email will be used by HashiCorp to notify you about system updates and operational issues.
- Cluster Mode and Number of Servers: two options are available for the mode.
  - Production creates a highly available Consul datacenter. Currently, the only value available for Number of Servers is 3. Note, to support 3 servers, you will need at least 12 vCPU available in the deployment region. Production mode is available with an annual contract or on-demand.
  - Development creates a single server Consul service. This mode is a cost-effective option for getting hands-on experience with Consul, and should only be used for testing purposes. To support 1 server, you will need at least 4 vCPU available in the deployment region.
If you need additional vCPU, you can submit a quota increase request through Azure for the appropriate quota. Sufficient vCPU is needed for both the Standard FSv2 Family and the Total Regional quotas. Visit Per VM Quota Requests to request additional Standard FSv2 Family quota or Total Regional Quota Requests to request additional Total Regional quota. Note that an increase in the VM Family quota automatically increases the Total Regional quota by the same amount.
- Application Name: defines the name of the application deployed inside the resource group. In this tutorial, we will use learnlab.
Note
HashiCorp will deploy resources into the “Managed Resource Group” that is created by this process. This resource group is used only for resources created as part of this managed application and is separate from the resource group used for your VMs and other resources that you list at the top of the page.
In the Azure dashboard, click Next to move to the Consul Settings.
Consul settings
- Cluster Name: defines the name for the Consul datacenter you are creating. In this tutorial, we will use consul-learn-test.
- Data Center: defines the datacenter name for your configuration; this is the datacenter you are going to use to configure your clients. This defaults to dc1.
- Consul Version: helps you select a Consul version to run in your datacenter. The deployment will run using Consul Enterprise.
- External Endpoint: defines whether you want your External Endpoint enabled or disabled. “Enabled” means that your datacenter will have a public IP address. “Disabled” means that you will have no public IPs visible to the internet. Note that if you select “Disabled” you will not be able to connect to the datacenter unless you can route to the VLAN and IP address configured for Consul.
- VNET starting IP address: configures the initial IP address for the VNET CIDR range of your Consul datacenter. A prefix of /24 will be applied to the created VNet. The default value should be fine for test environments. If you are planning to connect the HCS datacenter to an existing VNet that already uses addresses in the default range, or if you have internal policies on the address ranges to use internally, you can adapt your instance to your needs by changing the default value here.
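Before settling on a VNET starting IP address, it helps to confirm that the resulting /24 does not collide with address spaces you already use. The following is an added example, not part of the original tutorial or HashiCorp's tooling; the address ranges and the allowed pool are constructed sample values, and the code assumes an unaligned starting address maps to the /24 that contains it.

```python
import ipaddress

HCS_PREFIX = 24  # the tutorial states a /24 prefix is applied to the created VNet


def hcs_vnet(start_ip):
    """Return the /24 network that contains the given starting IP address."""
    # Assumption: an unaligned starting address is normalised to its /24.
    return ipaddress.ip_network(f"{start_ip}/{HCS_PREFIX}", strict=False)


def find_conflicts(start_ip, existing_cidrs):
    """List existing address spaces that overlap the planned HCS VNet."""
    planned = hcs_vnet(start_ip)
    return [c for c in existing_cidrs
            if planned.overlaps(ipaddress.ip_network(c))]


def first_free_block(pool_cidr, existing_cidrs):
    """Return the first /24 inside pool_cidr that overlaps nothing in use."""
    used = [ipaddress.ip_network(c) for c in existing_cidrs]
    pool = ipaddress.ip_network(pool_cidr)
    for candidate in pool.subnets(new_prefix=HCS_PREFIX):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    return None  # every /24 in the pool collides with an existing range


# Constructed sample data: address spaces of VNets you intend to connect to
# the HCS datacenter, and the pool your internal policy allows.
EXISTING = ["10.0.0.0/16", "172.25.16.0/22", "192.168.10.0/24"]
ALLOWED_POOL = "172.25.16.0/20"

if __name__ == "__main__":
    for start in ("172.25.18.0", "172.25.20.0"):
        clashes = find_conflicts(start, EXISTING)
        status = f"overlaps {clashes}" if clashes else "no overlap"
        print(f"{hcs_vnet(start)}: {status}")
    print("first free /24 in pool:", first_free_block(ALLOWED_POOL, EXISTING))
```

Replace EXISTING with the address spaces of the VNets you plan to connect before relying on the result.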
Click Review + Create and then Create to create the cluster. The cluster will be provisioned, which shouldn't take more than 15 minutes.
You can monitor the status of the provisioning process by navigating to your resource group (such as learn-hcs-lab), finding your application (such as learnlab), and examining the Overview section. If you see a message that "The application is still being provisioned", wait a few minutes and refresh the page. Provisioning should take less than 15 minutes.
Access the Consul UI
There are two options for accessing the Consul UI. The first and quickest is through the Azure dashboard. Alternatively, you can access the UI in a new browser tab.
Warning
If you selected disabled for the “External Endpoint” setting above, none of the options below will permit you to access Consul UI from a local machine or the Azure UI. If you have a VPN setup with access to the HCS private network, you can reach the Consul UI via its private URL, exposed under the properties.consulPrivateEndpointUrl property that is in the form <CLUSTER ID>.private.consul.az.hashicorp.cloud.
To display the embedded Consul UI open the Azure portal using this link:
This link contains a feature flag that enables IFrame behavior. Once you have done so, navigate to your application and click “Consul UI” in the left hand navigation pane.
You will be able to access the Consul UI and will be asked to log in.
Delete your HCS on Azure datacenter
Continue to the next steps below to read additional tutorials on how to use your Consul service. Review them if you want to start experimenting with your Consul service and conduct integration tests for your applications.
Remember to delete the test environment at the end of your tests. Follow these steps to remove the application from your resource group.
- Navigate to the resource group you deployed (learn-hcs-lab in our case).
- Locate the application (learnlab in our case) and click on it to open the overview.
- In the overview screen click on the Delete button as shown on the screen below.
Once you confirm deletion, the Consul service will be removed from your resource group.
Next steps
In this tutorial, you deployed the managed HashiCorp Consul Service (HCS) on Azure. You learned how to access the Consul UI and how to delete your HCS on Azure.
In the next tutorial, Discover HashiCorp Consul Service on Azure Configuration, you will learn how to retrieve HCS on Azure data including server connection information, Consul client configuration, and Consul certificates. The data retrieved enables you to add Consul client VMs.
If you want to use HCS with AKS clients on Azure you can follow Connect an Azure Kubernetes Service (AKS) cluster to HashiCorp Consul Service on Azure.
If you have any feedback on the HashiCorp Consul Service on Azure, including leaving comments and filing bugs, contact hcs@hashicorp.com.
You can monitor the state of the HashiCorp Consul Service on Azure and subscribe to updates at https://hashicorpcloud.statuspage.io/.