Production readiness checklist

5min
|
Consul

Below is a checklist that can help you deploy your first datacenter. This checklist is not an exhaustive list and you may need to add additional tasks depending on your environment.

Infrastructure Planning

Review the reference diagram and requirements.

Ports

Refer to the API documentation for specific port numbers or alternate configuration options.

dns, DNS server port
http, HTTP API port
https, HTTPS API port
grpc, gRPC API port
serf_lan, Serf LAN port
serf_wan, Serf WAN port
server, server RPC address port
sidecar_min_port, inclusive minimum port number to use for automatically assigned sidecar service registrations
sidecar_max_port, inclusive maximum port number to use for automatically assigned sidecar service registrations
expose_min_port, inclusive minimum port number to use for automatically assigned exposed check listeners
expose_max_port, inclusive maximum port number to use for automatically assigned exposed check listeners

Deployment

Consul Servers

Read the release notes for the Consul version.
Consul binary has been distributed to all servers.
Customize the server configuration file or files.
Autopilot is configured or disabled.
TLS encryption is enabled for RPC and consensus communication.
Gossip encryption configured.
ACLs bootstrapped.
Telemetry configured.

Consul Clients

Consul binary has been distributed to all clients.
The configuration file has been customized.
TLS enabled for RPC communication
Gossip encryption configured
External Service Monitor has been deployed to nodes that cannot run a Consul client.

Networking

Configure DNS Caching

Refer to the DNS caching tutorial for step by step instructions and considerations around DNS performance.

Stale reads have been configured in the agent configuration file.
Negative response caching have been configured in the agent configuration file.
TTL values have been configured in the agent configuration file.

Setup DNS Forwarding

Refer to the DNS forwarding tutorial for instructions on integrating Consul with system DNS.

BIND, dnsmasq, Unbound, systemd-resolved, or iptables has been configured.

Security

Encryption of Communication

TLS: RPC encryption for both incoming and outgoing communication.
Gossip Encryption. Both incoming and outgoing communication.

Enable ACLs

Refer to the Secure Consul with Access Control Lists (ACLs) tutorial for instructions on setting up access control lists.

Tokens have been created for all agents and services.

Setup a Certificate Authority

Refer to the Secure Consul Agent Communication with TLS Encryption tutorial for instructions on setting up a certificate authority.

Agent certificates have been created and distributed to all agents.

Monitoring

Telemetry has been enabled.
API has been configured. New user and token have been created.

Official Grafana dashboard: If your are using Grafana to monitor your Consul datacenter health, we suggest you to use the Consul Server Monitoring Dashboard maintained by the Consul team at HashiCorp.

Failure Recovery

Backups are being periodically captured.
Outage recovery plan has been outlined.

Consul deployment guide

Explore tutorial library