connect block in the job specification

Placement	`job -> group -> service -> connect`

Use the connect block to configure various options for Consul service mesh (formerly Consul Connect). The connect block is valid only within the context of a service definition at the task group level.

Refer to the following resources for details on using Consul service mesh with Nomad:

The Consul service mesh overview for an introduction and how to configure Consul service mesh in your job.
Secure Nomad jobs with Consul service mesh for using connect when Consul ACLs are enabled.

All the examples on this page assume Consul and Nomad are in the same datacenter.

job "countdash" {
  datacenters = ["dc1"]

  group "api" {
    network {
      mode = "bridge"
    }

    service {
      name = "count-api"
      port = "9001"

      connect {
        sidecar_service {}
      }
    }

    task "web" {
      driver = "docker"

      config {
        image = "hashicorpdev/counter-api:v3"
      }
    }
  }
}

Parameters

Used to configure a connect service. Only one of native, sidecar_service, or gateway may be realized per connect block.

native - (bool: false) - This is used to configure the service as supporting Consul service mesh native applications.
sidecar_service - (sidecar_service: nil) - This is used to configure the sidecar service created by Nomad for Consul service mesh.
sidecar_task - (sidecar_task:nil) - This modifies the task configuration of the Envoy proxy created as a sidecar or gateway.
gateway - (gateway:nil) - This is used to configure the gateway service created by Nomad for Consul service mesh.

Examples

Using Consul service mesh native

The following example is a minimal service block for a Consul service mesh native application implemented by a task named generate. Make sure to include the service name and service port fields so that Consul advertizes the service with your desired values.

service {
  name = "uuid-api"
  port = "${NOMAD_PORT_api}"
  task = "generate"

  connect {
    native = true
  }
}

Using sidecar service

The following example is a minimal connect block with defaults and is sufficient to start an Envoy proxy sidecar for allowing incoming connections via Consul service mesh. Make sure to include the service name and service port fields so that Consul advertizes the service with your desired values.

service {
  name = "count-api"
  port = "9001"

  connect {
    sidecar_service {}
  }
}

The following example includes specifying upstreams.

service {
  name = "count-api"
  port = "9001"

  connect {
     sidecar_service {
       proxy {
         upstreams {
           destination_name = "count-api"
           local_bind_port = 8080
         }
       }
     }
  }
}

The following is the complete countdash example. It includes an API service and a frontend Dashboard service which connects to the API service as a Connect upstream. Once running, the dashboard is accessible at localhost:9002.

job "countdash" {
  datacenters = ["dc1"]

  group "api" {
    network {
      mode = "bridge"
    }

    service {
      name = "count-api"
      port = "9001"

      connect {
        sidecar_service {}
      }

      check {
        expose   = true
        type     = "http"
        name     = "api-health"
        path     = "/health"
        interval = "10s"
        timeout  = "3s"
      }
    }

    task "web" {
      driver = "docker"

      config {
        image = "hashicorpdev/counter-api:v3"
      }
    }
  }

  group "dashboard" {
    network {
      mode = "bridge"

      port "http" {
        static = 9002
        to     = 9002
      }
    }

    service {
      name = "count-dashboard"
      port = "9002"

      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "count-api"
              local_bind_port  = 8080
            }
          }
        }
      }
    }

    task "dashboard" {
      driver = "docker"

      env {
        COUNTING_SERVICE_URL = "http://${NOMAD_UPSTREAM_ADDR_count_api}"
      }

      config {
        image = "hashicorpdev/counter-dashboard:v3"
      }
    }
  }
}

Using a gateway

The following is an example service block for creating and using a Consul service mesh ingress gateway. It includes a gateway service definition and an API service fronted by the gateway. Once running, the gateway can be used to reach the API service by first looking up the gateway Consul DNS address with curl.

curl $(dig +short @127.0.0.1 -p 8600 uuid-api.ingress.dc1.consul. ANY):8080

job "ingress-demo" {

  datacenters = ["dc1"]

  group "ingress-group" {

    network {
      mode = "bridge"
      port "inbound" {
        static = 8080
        to     = 8080
      }
    }

    service {
      name = "my-ingress-service"
      port = "8080"

      connect {
        gateway {
          ingress {
            listener {
              port     = 8080
              protocol = "tcp"
              service {
                name = "uuid-api"
              }
            }
          }
        }
      }
    }
  }
}