service-to-service-traffic-peers.mdx

File metadata and controls

52 lines (33 loc) · 3.63 KB
---
layout: docs
page_title: Mesh Gateways between Peered Clusters
description: >-
  Mesh gateways are specialized proxies that route data between services that cannot communicate directly. Learn how to enable service-to-service traffic across clusters in different datacenters or admin partitions that have an established peering connection.
---

# Mesh Gateways between Peered Clusters

Mesh gateways are required for you to route service mesh traffic between different Consul clusters. Clusters can reside in different clouds or runtime environments where general interconnectivity between all services in all clusters is not feasible.

Unlike mesh gateways between datacenters or between admin partitions, which forward mTLS sessions without decrypting them, mesh gateways between peers terminate the mTLS session for HTTP services and re-encrypt the traffic before sending it on to the destination service. The data must be decrypted so that the destination cluster can evaluate and apply its own dynamic routing rules, which reduces coupling between the peers. As a consequence, the mesh gateway in the importing cluster handles application-layer plaintext for HTTP services, so the gateway host and its ACL token sit inside the trust boundary for that traffic.

## Prerequisites

To configure mesh gateways for cluster peering, make sure your Consul environment meets the following requirements:

- Consul version 1.13.0 or newer.
- A local Consul agent is required to manage mesh gateway configuration.
- Enable Consul service mesh in all clusters.
- Enable peering on all Consul servers.
- Use Envoy proxies. Envoy is the only proxy with mesh gateway capabilities in Consul.

## Configuration

Configure the following settings to register and use the mesh gateway as a service in Consul.

### Gateway registration

- Specify `mesh-gateway` in the `kind` field to register the gateway with Consul.
- Define the `Proxy.Config` settings using opaque parameters compatible with your proxy. For Envoy, refer to the Gateway Options and Escape-hatch Overrides documentation for additional configuration information.

Alternatively, you can use the CLI to spin up and register a gateway in Consul. For additional information, refer to the `consul connect envoy` command.

### Sidecar registration

- Configure the `proxy.upstreams` parameters to route traffic to the correct service, namespace, and peer. Refer to the upstreams documentation for details.
- The `proxy.upstreams.destination_name` field is always required.
- The `proxy.upstreams.destination_peer` field must be configured to enable cross-cluster traffic.
- The `proxy.upstreams.destination_namespace` field is only necessary if the destination service is in a non-default namespace.

### Service exports

- Include the `exported-services` configuration entry to enable Consul to export services contained in a cluster to one or more additional clusters. For additional information, refer to the Exported Services documentation.

### ACL configuration

- If ACLs are enabled, you must add a token granting `service:write` for the gateway's service name and `service:read` for all services in the Enterprise admin partition or OSS datacenter to the gateway's service definition. These permissions authorize the token to route communications for other Consul service mesh services. Because this token can read every service in the partition or datacenter, issue it for the gateway only and do not reuse it for other workloads.
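The following is an added example, not configuration taken from the Consul documentation or project, that puts the four steps above into HCL: the gateway registration, the ACL policy for its token, the `exported-services` entry in the exporting cluster, and the sidecar upstream in the consuming cluster. It assumes two clusters peered under the local peer names `dc1` and `dc2`, a service `backend` exported from `dc1` and consumed by `web` in `dc2`, and placeholder addresses, ports and token; each segment is a separate file, as the comments indicate.

```hcl
# Added example, not the project's own configuration. Peer names "dc1"/"dc2",
# service names, addresses, ports and the token placeholder are assumptions.

# --- file: mesh-gateway.hcl (one per cluster, loaded by the local Consul agent)
service {
  kind = "mesh-gateway"       # registers this service as a mesh gateway
  name = "mesh-gateway"
  port = 8443

  tagged_addresses {
    lan {
      address = "10.0.0.10"    # dialed by sidecars in this cluster
      port    = 8443
    }
    wan {
      address = "203.0.113.10" # dialed by the peer cluster's proxies
      port    = 8443
    }
  }

  # Token created from the policy below (placeholder value, assumed).
  token = "<mesh-gateway-token>"

  proxy {
    config {
      # Opaque Envoy gateway option: bind both tagged addresses above.
      envoy_gateway_bind_tagged_addresses = true
    }
  }
}

# --- file: mesh-gateway-policy.hcl (consul acl policy create -rules @...)
# service:write for the gateway's own name, service:read for every service
# in the OSS datacenter or Enterprise admin partition.
service "mesh-gateway" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}

# --- file: exported-services.hcl, dc1 only (consul config write ...)
# Exports "backend" to the peer that dc1 knows as "dc2".
# In Consul OSS the Name of this entry must be "default".
Kind = "exported-services"
Name = "default"
Services = [
  {
    Name      = "backend"
    Consumers = [
      { Peer = "dc2" }
    ]
  }
]

# --- file: web.hcl, dc2 only (sidecar registration for the consuming service)
service {
  name = "web"
  port = 8080

  connect {
    sidecar_service {
      proxy {
        upstreams = [
          {
            destination_name = "backend"  # always required
            destination_peer = "dc1"      # required for cross-cluster traffic
            # destination_namespace = "team-a"  # Enterprise, non-default namespace only
            local_bind_port  = 9191       # web reaches backend at 127.0.0.1:9191
          }
        ]
      }
    }
  }
}
```

The same gateway registration can be done from the CLI instead of a service file, for example `consul connect envoy -gateway=mesh -register -service mesh-gateway -address 10.0.0.10:8443 -wan-address 203.0.113.10:8443 -token <mesh-gateway-token>`. Once both clusters are configured, `web` sends requests for `backend` to its sidecar's local bind port, and the sidecar routes them through the mesh gateways to the peer cluster; the gateway in `dc2` re-encrypts to `backend` after applying `dc2`'s routing rules.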

## Modes

Modes are not configurable for mesh gateways that connect peered clusters. By default, all proxies connecting to peered clusters use mesh gateways in remote mode, meaning the sidecar proxy dials the mesh gateway in the peer cluster directly rather than through a gateway in its own cluster.