Nomad
Use Consul service mesh
This page provides information on using Consul service mesh with Nomad to securely connect and isolate your workloads. Review example job configurations that use service mesh. Learn about the Envoy proxy as well as mesh, ingress, and terminating gateways.
Introduction
Service mesh is a networking pattern that deploys and configures infrastructure to directly connect workloads. One of the most common pieces of infrastructure deployed are sidecar proxies. These proxies usually run alongside the main workload in an isolated network namespace such that all network traffic flows through the proxy.
The proxies are often referred to as the data plane since they are responsible for moving data while the components that configure them are part of the control plane because they are responsible for controlling the flow of data.
By funneling traffic through a common layer of infrastructure the control plane is able to centralize and automatically apply configuration to all proxies to enable features such as automated traffic encryption, fine-grained routing, and service-based access control permissions throughout the entire mesh.
Consul Service Mesh
Nomad has native integration with Consul to provide service mesh capabilities.
The connect block is the entrypoint for all service mesh configuration.
Nomad automatically deploys a sidecar proxy task to all allocations that have a
sidecar_service block. All incoming external traffic is handled by the
sidecar.
This proxy task is responsible for exposing the service to the mesh and can
also be used to access other services from within the allocation. These
external services are called upstreams and are declared using the
upstreams block.
Consul service mesh requires network isolation to function, so you must set
job group's network mode
to bridge, or an appropriately configured cni/*
network.
Warning: To fully isolate your workloads make sure to bind them only to
the loopback interface.
The job below exposes a service called api to the mesh:
job "..." {
# ...
group "..." {
network {
mode = "bridge"
port "http" {}
}
service {
name = "api"
port = "http"
connect {
sidecar_service {}
}
}
# ...
}
}
To access this service, a job can be configured as follows:
job "..." {
# ...
group "..." {
network {
mode = "bridge"
# ...
}
service {
# ...
connect {
sidecar_service {
proxy {
upstreams {
destination_name = "api"
local_bind_port = 8080
}
}
}
}
}
}
}
A request starting from a task within an allocation of this job follows the path:
The task makes a request to
localhost:8080which is the port where the proxy binds theapiservice as an upstream.The proxy, configured by Consul, forwards the request to a proxy running within an allocation that is part of the
apiservice.The proxy for the
apiservice forwards the request to the local port in the allocation.The response is sent back to the first task following the same path in reverse.
The IP and port to use to connect to an upstream can also be read from the
NOMAD_UPSTREAM_ADDR_<upstream> environment variable.
Envoy proxy
Consul Service Mesh uses Envoy as proxy. Nomad calls Consul's consul
connect envoy -bootstrap CLI command to generate the
initial proxy configuration.
Nomad injects a prestart sidecar Docker task to run the Envoy proxy. This task
can be customized using the sidecar_task block.
Gateways
Since the mesh defines a closed boundary that only selected services can
participate in, there are specialized proxies called gateways that can be used
for mesh-wide connectivity. Nomad can deploy these gateways using the
gateway block. Nomad injects an Envoy proxy task to any group with a
gateway service.
The types of gateways provided by Consul Service Mesh are:
Mesh gateways allow communication between different service meshes and are deployed using the
meshparameter.Ingress gateways allow services outside the mesh to connect to services inside the mesh and are deployed using the
ingressparameter.Egress gateways allow services inside the mesh to communication with services outside the mesh and are deployed using the
terminatingparameter.