Production Readiness Checklist
Below is a checklist that can help you deploy your first datacenter. This checklist is not an exhaustive list and you may need to add additional tasks depending on your environment.
- Review the reference diagram and requirements.
Refer to the API documentation for specific port numbers or alternate configuration options.
  - dns: DNS server port
  - http: HTTP API port
  - https: HTTPS API port
  - grpc: gRPC API port
  - serf_lan: Serf LAN port
  - serf_wan: Serf WAN port
  - server: server RPC address port
  - sidecar_min_port: inclusive minimum port number to use for automatically assigned sidecar service registrations
  - sidecar_max_port: inclusive maximum port number to use for automatically assigned sidecar service registrations
  - expose_min_port: inclusive minimum port number to use for automatically assigned exposed check listeners
  - expose_max_port: inclusive maximum port number to use for automatically assigned exposed check listeners
- Read the release notes for the Consul version.
- Consul binary has been distributed to all servers.
- Customize the server configuration file or files.
- Autopilot is configured or disabled.
- TLS encryption is enabled for RPC and consensus communication.
- Gossip encryption configured.
- ACLs bootstrapped.
- Telemetry configured.
- Consul binary has been distributed to all clients.
- The configuration file has been customized.
- TLS enabled for RPC communication.
- Gossip encryption configured.
- External Service Monitor has been deployed to nodes that cannot run a Consul client.
Configure DNS Caching
Refer to the DNS caching tutorial for step by step instructions and considerations around DNS performance.
- Stale reads have been configured in the agent configuration file.
- Negative response caching has been configured in the agent configuration file.
- TTL values have been configured in the agent configuration file.
Set Up DNS Forwarding
Refer to the DNS forwarding tutorial for instructions on integrating Consul with system DNS.
- BIND, dnsmasq, Unbound, systemd-resolved, or iptables has been configured.
Encryption of Communication
- TLS: RPC encryption for both incoming and outgoing communication.
- Gossip Encryption. Both incoming and outgoing communication.
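The two encryption items above can be checked mechanically before an agent goes live. The script below is an added example, not part of the original checklist or HashiCorp's tooling: it audits a JSON agent configuration for gossip and RPC TLS settings in both directions. The sample configuration and key are constructed, and the key names assume Consul's agent configuration (`encrypt`, `encrypt_verify_*`, the `tls` stanza and the older top-level `verify_*` keys).

```python
import base64
import binascii
import json

# Constructed sample agent configuration (JSON form), not taken from the page.
SAMPLE_CONFIG = json.dumps({
    "encrypt": base64.b64encode(bytes(range(32))).decode(),  # constructed key
    "encrypt_verify_incoming": True,
    "encrypt_verify_outgoing": False,
    "tls": {
        "defaults": {"verify_incoming": True, "verify_outgoing": True,
                     "ca_file": "/etc/consul.d/ca.pem"},
        "internal_rpc": {"verify_server_hostname": False},
    },
})

def _tls_flag(cfg, section, name):
    """Read a TLS flag from tls.<section>, tls.defaults, or the legacy top-level key."""
    tls = cfg.get("tls", {})
    for scope in (tls.get(section, {}), tls.get("defaults", {}), cfg):
        if name in scope:
            return bool(scope[name])
    return False  # these TLS verification options are off unless set

def audit_encryption(config_text):
    """Return a list of findings for the checklist's encryption items."""
    cfg = json.loads(config_text)
    findings = []
    key = cfg.get("encrypt")
    if not key:
        findings.append("gossip: no 'encrypt' key, gossip traffic is plaintext")
    else:
        try:
            raw = base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) not in (16, 24, 32):
            findings.append("gossip: 'encrypt' is not a base64 16/24/32-byte key")
    for direction in ("incoming", "outgoing"):
        # Gossip verification defaults to true; only an explicit false weakens it.
        if cfg.get(f"encrypt_verify_{direction}", True) is False:
            findings.append(f"gossip: encrypt_verify_{direction} is disabled")
        if not _tls_flag(cfg, "internal_rpc", f"verify_{direction}"):
            findings.append(f"tls: verify_{direction} is not enabled for RPC")
    if not _tls_flag(cfg, "internal_rpc", "verify_server_hostname"):
        findings.append("tls: verify_server_hostname is not enabled")
    return findings

if __name__ == "__main__":
    for line in audit_encryption(SAMPLE_CONFIG) or ["encryption checklist items pass"]:
        print(line)
```

An empty findings list means every item passed; HCL configuration files would need converting to JSON first.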
Refer to the Secure Consul with Access Control Lists (ACLs) tutorial for instructions on setting up access control lists.
- Tokens have been created for all agents and services.
Set Up a Certificate Authority
Refer to the Secure Consul Agent Communication with TLS Encryption tutorial for instructions on setting up a certificate authority.
- Agent certificates have been created and distributed to all agents.
- Telemetry has been enabled.
- API has been configured. New user and token have been created.
Official Grafana dashboard: If you are using Grafana to monitor your Consul datacenter health, we suggest using the Consul Server Monitoring Dashboard maintained by the Consul team at HashiCorp.
- Backups are being periodically captured.
- Outage recovery plan has been outlined.