Consul Multi-Cluster Security Considerations
This guide applies to Consul versions 1.8 and later.
The same security considerations for Consul single cluster deployments apply to Consul multi-cluster deployments, however, there are a few considerations that are specific to Consul multi-cluster deployments.
TLS best practices
It’s important to note that in a Consul multi-cluster deployment, the same Certificate Authority (CA) should be used for all Consul datacenters and should include subject alternative name (SAN) for all Consul datacenters. For example, if three datacenters exist -- dc1, dc2, and dc3 -- then the SAN certificate names should include server.dc1.consul, server.dc2.consul, and server.dc3.consul.
Gossip encryption best practices
If basic WAN federation is configured, then the same gossip encryption key should be shared between Consul datacenters to ensure that communication can be encrypted and decrypted.
If advanced WAN federation is configured, a gossip encryption key is not shared between Consul datacenters.
ACL token best practices
Whether basic or advanced WAN federation is used, ACLs need to be shared between Consul datacenters via ACL replication. By default, ACL replication is automatically enabled in the primary Consul datacenter, however, it needs to be explicitly enabled on all additional Consul datacenters. Additionally, an ACL replication policy & token should be created within the primary Consul datacenter. For additional information, please refer to the ACL Replication for Multiple Datacenters Learn tutorial.