Understand Consul Service Mesh
A service mesh is a dedicated layer that provides secure service-to-service communication for on-prem, cloud, or multi-cloud infrastructure. Service meshes are often used in conjunction with the microservice architectural pattern, but can provide value in any scenario where complex networking is involved.
Service meshes typically consist of a control plane and a data plane. The control plane is responsible for securing the mesh, facilitating service discovery, health checking, policy enforcement, and similar operational concerns. The data plane handles communication between services. Many service mesh solutions employ a sidecar proxy to handle data plane communications, which limits how much the services themselves need to know about the network environment.
Consul is a service mesh solution that offers a software-driven approach to:
- Security (mTLS & ACLs)
- Observability
- Traffic management
- Network segmentation
- Failure handling
- Retries
When the service mesh feature is enabled, multiple sidecar proxies are deployed alongside your application. The sidecar proxies handle all aspects of security, observability, and traffic management, allowing your application to take advantage of all these features without being aware of Consul at all.
This collection of tutorials will give you a basic introduction to Consul service mesh with a focus on Kubernetes deployments. You will deploy services in Kubernetes taking advantage of the features provided by Consul.
Consul service mesh benefits
The adoption of microservices architectures and cloud infrastructure requires new approaches to networking. There are many vendors and tools, each attempting to solve the problem in different ways. The Consul service mesh solution makes no assumptions about the underlying network and uses a pure software approach with a focus on simplicity and broad compatibility.
Consul service mesh simplifies service discovery in complex networking environments, and streamlines deploying applications into a zero-trust network.
Service discovery
When new versions of a service are deployed and have to exist alongside other instances of the same application, often on different versions, the ability to manage changes in the service landscape of your network becomes crucial. Consul helps you by offering a service catalog, configurable service routing, health checks, automatic load balancing, and geo-failover across multiple instances of the same service.
Zero-trust security model
The increasing complexity of deployment scenarios places a heavy burden on network security operators and amplifies the limitations inherent in any manual configuration approach. Environments like Kubernetes or public cloud networks, where IP addresses frequently change or are unknown ahead of time, add to the overall complexity of the challenge.
The Consul service mesh control plane can be configured to enforce mutual TLS (mTLS), and will automatically generate and distribute the TLS certificates for every service in the mesh. The certificates are used for both service identity verification and communication encryption.
The Consul service mesh data plane is made up of proxies deployed locally alongside each service instance. These proxies, called sidecar proxies, receive mesh configuration data from the control plane, and control network communication between their local service instance and other services in the network. The sidecar proxy handles inbound and outbound service connections, and ensures TLS connections between services are both verified and encrypted.
Simplify application security with intentions
Once the service sidecar proxies are deployed, communication between services inside the mesh is encrypted and authenticated. However, you may wish to define a more fine-grained set of policies that specify which services are authorized to communicate with each other. Consul intentions allow you to explicitly allow or deny connections at the level of service identities, rather than having to manually manage complex firewall rules and port mappings.
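As an added illustration of the intentions described above (this is example configuration written for this page, not code from the tutorial or from HashiCorp), the following two Kubernetes resources use the ServiceIntentions custom resource installed by the Consul Helm chart. The service names "web" and "api" and the resource names are assumptions chosen for the example; the first resource is a wildcard intention that denies every connection not covered by a more specific intention, and the second allows exactly one source to reach "api".

```yaml
# Added example (not from the tutorial). Service names "web" and "api"
# and the metadata names are assumptions for illustration only.
#
# Wildcard intention: deny all service-to-service connections by default.
# Consul evaluates more specific intentions before wildcard ones, so the
# allow rule below takes precedence for web -> api.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: deny-all
spec:
  destination:
    name: "*"
  sources:
    - name: "*"
      action: deny
---
# Explicit allow: only the "web" service identity may connect to "api".
# Identity is proven by the mTLS certificate the sidecar presents, so a
# caller cannot gain access by spoofing an IP address or port.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: api
spec:
  destination:
    name: api
  sources:
    - name: web
      action: allow
```

Apply both with kubectl and then test a connection from a pod that is not "web" to confirm the sidecar rejects it; the intention is enforced by the destination's proxy at connection time, so the check happens regardless of which network path the caller used.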
Consul platform compatibility
First-class Kubernetes support
Consul offers first-class Kubernetes support by providing an official Helm chart for installing, configuring, and upgrading Consul on Kubernetes. The chart automates the installation and configuration of Consul service mesh for Kubernetes.
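To make the chart description concrete, here is an added example (not the tutorial's own material) of a minimal Helm values file for the official hashicorp/consul chart, followed by the Kubernetes objects a workload needs to be injected into the mesh. The chart keys shown are ones that exist in the chart; the datacenter name, the "web" service name and the placeholder image are assumptions for the example.

```yaml
# Added example (not from the tutorial): values.yaml for the hashicorp/consul chart.
# Datacenter name, workload name and image are placeholders chosen for illustration.
global:
  name: consul
  datacenter: dc1
  tls:
    enabled: true          # issue certificates and require mTLS between mesh members
  acls:
    manageSystemACLs: true # chart bootstraps the ACL system and per-component tokens
server:
  replicas: 1              # single server is fine for a lab; use 3 or 5 in production
connectInject:
  enabled: true            # run the injector that adds Envoy sidecars to pods
  default: false           # pods opt in with an annotation instead of being injected by default
---
# With ACLs enabled, the injector derives the Consul service identity from the
# pod's ServiceAccount, so give the workload a dedicated one.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web
---
# The injector registers the service in the Consul catalog based on a
# Kubernetes Service that selects the pod.
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 80
---
# The application itself only needs the connect-inject annotation; it is
# otherwise unaware that Consul exists.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
      annotations:
        consul.hashicorp.com/connect-inject: "true"
    spec:
      serviceAccountName: web
      containers:
        - name: web
          image: nginx:1.25   # placeholder workload, not part of the tutorial
          ports:
            - containerPort: 80
```

Install the chart with the values file (for example, helm install consul hashicorp/consul -f values.yaml), then apply the three manifests; the resulting pod shows two containers, the application and its Envoy sidecar, and the service appears in the Consul catalog with a certificate issued by the control plane.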
Platform agnostic and multi-cluster mesh
Consul is compatible with all architectures and cloud providers. The service catalog sync and auto-join features permit you to extend the boundaries of your Kubernetes clusters to include services running outside of Kubernetes.
Consul also integrates with HashiCorp Nomad to provide secure service-to-service communication between Nomad jobs and task groups. With a few changes to the job specification, job authors can opt into Connect integration. When Connect is enabled, Nomad will launch a proxy alongside the application in the job file. The Envoy proxy provides secure communication with other applications in the cluster.
Next Steps
In this tutorial you learned the basic concepts of a service mesh and how Consul service mesh can be used to simplify the management of your complex networking environment.
In the next tutorial, Enforce a Zero-trust Network with Consul Service Mesh you will learn how to configure intentions to define access control between services in the Consul service mesh and control which services are allowed or not allowed to establish connections.