Configure Azure VM as a Consul Client for HCP Consul

HashiCorp Cloud Platform (HCP) Consul is a fully managed Service Mesh as a Service (SMaaS) version of Consul. After you deploy an HCP Consul server cluster, you must deploy Consul clients into your network so you can leverage Consul’s full feature set including service mesh and service discovery. HCP Consul supports Consul clients running on Azure Virtual Machine (VM) and Azure Kubernetes Service (AKS) resources.

In this tutorial, you will deploy and provision a Consul client running on an Azure VM instance that connects to your HCP Consul cluster. In the process, you will review the provisioning script to better understand the steps required to properly configure an Azure VM instance to connect and interact with an HCP Consul cluster.

Prerequisites

For this tutorial, you will need:

• The Terraform 0.14+ CLI installed locally.
• The Azure CLI installed locally.
• An HCP account configured for use with Terraform
• An Azure account configured for use with Terraform

Clone example repository

In your terminal, clone the project repository from GitHub. This repository contains Terraform configuration, including configuration for this tutorial.

$ git clone https://github.com/hashicorp/learn-consul-terraform.git

$ git clone git@github.com:hashicorp/learn-consul-terraform.git

Change into the directory with the newly cloned repository.

$ cd learn-consul-terraform/datacenter-deploy-hcp-azure-vm-client

Fetch the latest tags and check out the v0.0.## tag of the repository.

$ git fetch && git checkout v0.0.##

Review configuration

The project directory contains two sub-directories:

1. The 1-virtual-network-hcp subdirectory contains Terraform configuration to deploy an Azure virtual network and underlying networking resources, an HCP HashiCorp Virtual Network (HVN), and an HCP Consul cluster. In addition, these configuration files use the hashicorp/hcp-consul/azurerm Terraform module to set up all networking rules to allow a Consul client to communicate with the HCP Consul servers. This includes setting up the peering connection between the HVN and your Azure virtual network, setting up the HCP routes, and creating Azure network security group ingress rules.

2. The 2-vm-consul-client subdirectory contains Terraform configuration that creates an SSH key pair and deploys an Azure virtual machine. The virtual machine uses a cloud-init script to automate the Consul client configuration. In the Review Consul client configuration for Azure VM section, you will review the automation scripts in more detail.

This tutorial intentionally separates the Terraform configuration into two discrete steps. This process reflects Terraform best practices. By dividing the HCP Consul cluster management from the Consul client management, you can separate the duties and reduce the blast radius.

Deploy Azure and HCP Consul resources

In this section, you will use your Terraform configuration files deploy an HCP Consul cluster, an Azure virtual network, and the underlying networking resources.

Issue the terraform init command from your working directory to download the necessary providers and initialize the backend.

$ terraform -chdir=1-virtual-network-hcp/ init

Initializing modules...
Initializing the backend...
Initializing provider plugins...
...

Terraform has been successfully initialized!
...

Then, deploy the resources. Confirm the run by entering yes.

$ terraform -chdir=1-virtual-network-hcp/ apply

## ...
Do you want to perform these actions?
 Terraform will perform the actions described above.
 Only 'yes' will be accepted to approve.

 Enter a value: yes

## ...

Apply complete! Resources: 25 added, 0 changed, 0 destroyed.

Outputs:

azurerm_nsg = "learn-hcp-consul-vm-client-nsg"
azurerm_resource_group = "learn-hcp-consul-vm-client-gid"
consul_root_token = <sensitive>
consul_url = "https://servers-public-consul-ffff5f82.9e6a40c0.z1.hashicorp.cloud"
hcp_consul_cluster_id = "learn-hcp-consul-vm-client"
prefix = "learn-hcp-consul-vm-client"
subnet_id = "/subscriptions/c9ed8610-47a3-4107-a2b2-a322114dfb29/resourceGroups/learn-hcp-consul-vm-client-gid/providers/Microsoft.Network/virtualNetworks/learn-hcp-consul-vm-client-vnet/subnets/subnet1"

Notice that Terraform displays the outputs created from the apply.

Create terraform.tfvars file for Consul client directory

Since you created the underlying infrastructure with Terraform, you can use the outputs to help you deploy the Azure VM resources in the next section.

Create a terraform.tfvars file in the 2-vm-consul-client directory with the Terraform outputs from this project.

$ echo "hcp_consul_cluster_id=\"$(terraform output -raw hcp_consul_cluster_id)\"
azurerm_resource_group=\"$(terraform output -raw azurerm_resource_group)\"
prefix=\"$(terraform output -raw prefix)\"
azurerm_nsg=\"$(terraform output -raw azurerm_nsg)\"
subnet_id=$(terraform output -json subnet_id)" > ../2-vm-consul-client/terraform.tfvars

Review Consul client configuration for Azure VM

In this tutorial, you will apply HCP Consul's secure-by-default design with Terraform by configuring your Azure VM instances with the gossip encryption key, the Consul CA cert, and a permissive ACL token.

Inspect the datacenter-deploy-hcp-azure-vm-client/2-vm-consul-client/main.tf file contents in your project directory:

resource "azurerm_linux_virtual_machine" "consul_client" {
  count                 = 1
  name                  = "consul-client-${count.index}-${random_string.random.id}"
  location              = data.azurerm_resource_group.selected.location
  resource_group_name   = data.azurerm_resource_group.selected.name
  network_interface_ids = [azurerm_network_interface.client_nic.id]
  size                  = "Standard_DS1_v2"

  os_disk {
    name                 = "myOsDisk"
    caching              = "ReadWrite"
    storage_account_type = "Premium_LRS"
  }

  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-focal"
    sku       = "20_04-lts-gen2"
    version   = "latest"
  }

  admin_username                  = "ubuntu"
  disable_password_authentication = true

  admin_ssh_key {
    username   = "ubuntu"
    public_key = file("./consul-client.pub")
  }

  user_data = base64encode(templatefile("${path.module}/scripts/user_data.sh", {
    setup = base64gzip(templatefile("${path.module}/scripts/setup.sh", {
      consul_ca        = data.hcp_consul_cluster.selected.consul_ca_file
      consul_config    = data.hcp_consul_cluster.selected.consul_config_file
      consul_acl_token = hcp_consul_cluster_root_token.token.secret_id,
      consul_version   = data.hcp_consul_cluster.selected.consul_version,
      consul_service = base64encode(templatefile("${path.module}/scripts/service", {
        service_name = "consul",
        service_cmd  = "/usr/bin/consul agent -data-dir /var/consul -config-dir=/etc/consul.d/",
      })),
      vpc_cidr = data.hcp_hvn.selected.cidr_block
    })),
  }))

  tags = {
    Name = "hcp-consul-client-${count.index}"
  }
}

In this example, the secure Consul configuration properties received from your HCP Consul cluster will be injected into your Azure VM Consul configuration file. Consul will then be set to run as a service on your Azure VM with this secure configuration.

Deploy Azure VM resources

In this section, you will use Terraform to create an SSH key pair and deploy an Azure virtual machine. The virtual machine uses a cloud-init script to automate the secure Consul client configuration, which will connect to your HCP Consul cluster.

Issue the terraform init command from your working directory to download the necessary providers and initialize the backend.

$ terraform -chdir=2-vm-consul-client/ init

Initializing modules...
Initializing the backend...
Initializing provider plugins...
...

Terraform has been successfully initialized!
...

Then, deploy the resources. Confirm the run by entering yes.

$ terraform -chdir=2-vm-consul-client/ apply

## ...
Do you want to perform these actions?
 Terraform will perform the actions described above.
 Only 'yes' will be accepted to approve.

 Enter a value: yes

## ...

Apply complete! Resources: 11 added, 0 changed, 0 destroyed.

Outputs:

consul_root_token = <sensitive>
consul_url = "https://servers-public-consul-ffff5f82.9e6a40c0.z1.hashicorp.cloud"
tls_private_key = <sensitive>
vm_client = "20.230.191.76"

Notice that Terraform displays the outputs created from the apply.

Explore the Consul UI

In this section you will view your Consul UI to explore your resources.

Retrieve your HCP Consul public URL and ACL token from Terraform.

$ terraform -chdir=1-virtual-network-hcp/ output consul_url && \
  terraform -chdir=1-virtual-network-hcp/ output consul_root_token

Example output:

"https://servers-public-consul-ffff5f82.9e6a40c0.z1.hashicorp.cloud"
"5c4e7242-8300-b6de-2e4c-78cdbad15c39"

Copy and paste the Consul public URL into your browser to visit the Consul UI. Since HCP Consul is secure by default, copy and paste the ACL token into the Consul authentication prompt to use the Consul UI.

Once authenticated, click the Nodes tab on the left navigation pane to review your nodes that contain active Consul clients.

Notice that your environment contains two Consul nodes: A Consul server agent running in your HCP cluster, and a Consul client agent running on your Azure VM instance.

Next steps

In this tutorial, you connected Consul clients on Azure VM to HCP Consul. To keep learning about Consul's features, and for step-by-step examples of how to perform common Consul tasks, feel free to explore one of the following tutorials.

• Explore the Consul UI tutorial
• Register a Service with Consul Service Discovery tutorial
• Secure Applications with Service Sidecar Proxies tutorial
• Create a Consul service mesh on HCP using Envoy as a sidecar proxy tutorial If you encounter any issues, please contact the HCP support team at support.hashicorp.com.