consul/website/source/docs/guides/connect-gateways.md

431 lines
14 KiB
Markdown
Raw Normal View History

---
layout: "docs"
page_title: "Connecting Services Across Datacenters"
sidebar_current: "docs-guides-connect-gateways"
description: |-
Connect services and secure inter-service communication across datacenters
using Consul Connect and mesh gateways.
---
## Introduction
Consul Connect is Consuls service mesh offering, which allows users to observe
and secure service-to-service communication. Because Connect implements mutual
TLS between services, it also enabled us to build mesh gateways, which provide
users with a way to help services in different datacenters communicate with each
other. Mesh gateways take advantage of Server Name Indication (SNI), which is an
extension to TLS that allows them to see the destination of inter-datacenter
traffic without decrypting the message payload.
Using mesh gateways for inter-datacenter communication can prevent each Connect
proxy from needing an accessible IP address, and frees operators from worrying
about IP address overlap between datacenters.
In this guide, you will configure Consul Connect across multiple Consul
datacenters and use mesh gateways to enable inter-service traffic between them.
Specifically, you will:
1. Enable Connect in both datacenters
1. Deploy the two mesh gateways
1. Register services and Connect sidecar proxies
1. Configure intentions
1. Test that your services can communicate with each other
For the remainder of this guide we will refer to mesh gateways as "gateways".
Anywhere in this guide where you see the word gateway, assume it is specifically
a mesh gateway (as opposed to an API or other type of gateway).
## Prerequisites
To complete this guide you will need two wide area network (WAN) joined Consul
datacenters with access control list (ACL) replication enabled. If you are
starting from scratch, follow these guides to set up your datacenters, or use
them to check that you have the proper configuration:
- [Deployment Guide](/consul/datacenter-deploy/deployment-guide)
- [Securing Consul with ACLs](/consul/security-networking/production-acls)
- [Basic Federation with WAN Gossip](/consul/security-networking/datacenters)
You will also need to enable ACL replication, which you can do by following the
[ACL Replication for Multiple
Datacenters](/consul/day-2-operations/acl-replication) guide with the following
modification.
When creating the [replication token for ACL
management](/consul/day-2-operations/acl-replication#create-the-replication-token-for-acl-management),
it will need the following policy:
```json
{
"acl": "write",
"operator": "write",
"service_prefix": {
"" : {
"policy": "read"
}
}
}
```
The replication token needs different permissions depending on what you want to
accomplish. The above policy allows for ACL policy, role, and token replication
with `acl:write`, CA replication with `operator:write` and intention and
configuration entry replication with `service:*:read`.
You will also need to install [Envoy](https://www.envoyproxy.io/) alongside your
Consul clients. Both the gateway and sidecar proxies will need to get
configuration and updates from a local Consul client.
Lastly you should set [`enable_central_service_config =
true`](https://www.consul.io/docs/agent/options.html#enable_central_service_config)
on your Consul clients, which will allow them to centrally configrure the
sidecar and mesh gateway proxies.
## Enable Connect in Both Datacenters
Once you have your datacenters set up and ACL replication configured, its time
to enable Connect in each of them sequentially. Connects certificate authority
(which is distinct from the Consul certificate authority that you manage using
the CLI) will automatically bootstrap as soon as a server with Connect enabled
becomes the server clusters leader. You can also use [Vault as a Connect
CA](https://www.consul.io/docs/connect/ca/vault.html).
!> **Warning:** If you are using this guide as a production playbook, we
strongly recommend that you enable Connect in each of your datacenters by
following the [Connect in Production
guide](/consul/developer-segmentation/connect-production),
which includes production security recommendations.
### Enable Connect in the primary datacenter
Enable Connect in the primary data center and bootstrap the Connect CA by adding
the following snippet to the server configuration for each of your servers.
```json
connect {
"enabled": true
}
```
Load the new configuration by restarting each server one at a time, making sure
to maintain quorum. This will be a similar process to performing a [rolling
restart during
upgrades](https://www.consul.io/docs/upgrading.html#standard-upgrades).
Stop the first server by running the following [leave
command](https://www.consul.io/docs/commands/leave.html).
```text
$ consul leave
```
Once the server shuts down restart it and make sure that it is healthy and
rejoins the other servers. Repeat this process until you've restarted all the
servers with Connect enabled.
### Enable Connect in the secondary datacenter
Once Connect is enabled in the primary datacenter, follow the same process to
enable Connect in the secondary datacenter. Add the following configuration to
the configuration for your servers, and restart them one at a time, making sure
to maintain quorum.
```json
connect {
"enabled": true
}
```
The `primary_datacenter` setting that was required in order to enable ACL
replication between datacenters also specifies which datacenter will write
intentions and act as the [root CA for Connect](https://www.consul.io/docs/connect/connect-internals.html#connections-across-datacenters).
Intentions, which allow or deny inter-service communication, are automatically
replicated to the secondary datacenter.
## Deploy Gateways
Connect mesh gateways proxy requests from services in one datacenter to services
in another, so you will need to deploy your gateways on nodes that can reach
each other over the network. As we mentioned in the prerequisites,
you will need to make sure that both Envoy and Consul are installed on the
gateway nodes. You wont want to run any services on these nodes other than
Consul and Envoy because they necessarily will have access to the WAN.
### Generate Tokens for the Gateways
Youll need to [generate a
token](/consul/security-networking/production-acls#apply-individual-tokens-to-the-services)
for each gateway that gives it read access to the entire catalog.
Create a file named `mesh-gateway-policy.json` containing the following content.
```json
{
"service_prefix": {
"": {
"policy": "read"
}
}
}
{
"service": {
"mesh-gateway": {
"policy": "write"
}
}
}
```
Next, create and name a new ACL policy using the file you just made.
```text
$ consul acl policy create \
-name mesh-gateway \
-rules @mesh-gateway-policy.json
```
Generate a token for each gateway from the new policy.
```text
$ consul acl token create -description "mesh-gateway primary datacenter token" \
-policy-name mesh-gateway
```
```text
$ consul acl token create \
-description "mesh-gateway secondary datacenter token" \
-policy-name mesh-gateway
```
Youll apply those tokens when you deploy the gateways.
### Deploy the Gateway for your primary datacenter
Register and start the gateway in your primary datacenter with the following
command.
```text
$ consul connect envoy -mesh-gateway -register \
-service-name "gateway-primary"
-address "<your private address>" \
-wan-address "<your externally accessible address>"\
-token=<token for the primary dc gateway>
```
### Deploy the Gateway for your Secondary Datacenter
Register and start the gateway in your secondary datacenter with the following
command.
```text
$ consul connect envoy -mesh-gateway -register \
-service-name "gateway-secondary"
-address "<your private address>" \
-wan-address "<your externally accessible address>"\
-token=<token for the secondary dc gateway>
```
### Configure Sidecar Proxies to use Gateways
Next, create a [centralized
configuration](https://www.consul.io/docs/agent/config_entries/proxy-defaults.html)
file for all the sidecar proxies in both datacenters called
`proxy-defaults.json`. This file will instruct the sidecar proxies to send all
their inter-datacenter traffic through the gateways. It should contain the
following:
```json
{
"Kind": "proxy-defaults",
"Name": "global",
"MeshGateway": "local"
}
```
Write the centralized configuration you just created with the following command.
```text
$ consul config write proxy-defaults.json
```
Once this step is complete, you will have set up Consul Connect with gateways
across multiple datacenters. Now you are ready to register the services that
will use Connect.
## Register a Service in Each Datacenter to Use Connect
You can register a service to use a sidecar proxy by including a sidecar proxy
stanza in its registration file. For this guide, you can use socat to act as a
backend service and register a dummy service called web to represent the client
service. Those names are used in our examples. If you have services that you
would like to connect, feel free to use those instead.
~> **Caution:** Connect takes its default intention policy from Consuls default
ACL policy. If you have set your default ACL policy to deny (as is recommended
for secure operation) and are adding Connect to already registered services,
those services may lose connection to each other until you set an intention
between them to allow communication.
### Register a back end service in one datacenter
In one datacenter register a backend service and add an Envoy sidecar proxy
registration. To do this you will either create a new registration file or edit
an existing one to include a sidecar proxy stanza. If you are using socat as
your backend service, you will create a new file called `socat.json` that will
contain the below snippet. Since you have ACLs enabled, you will have to [create
a token for the
service](/consul/security-networking/production-acls#apply-individual-tokens-to-the-services).
```json
{
"service": {
"name": "socat",
"port": 8181,
"token": "<token here>",
"connect": {"sidecar_service": {} }
}
}
```
Note the Connect stanza of the registration with the `sidecar_service` and
`token` options. This is what you would add to an existing service registration
if you are not using socat as an example.
Reload the client with the new or modified registration.
```text
$ consul reload
```
Then start Envoy specifying which service it will proxy.
```text
$ consul connect envoy -sidecar-for socat
```
If you are using socat as your example, start it now on the port you specified
in your registration by running the following command.
```text
$ socat -v tcp-l:8181,fork exec:"/bin/cat"
```
Check that the socat service is running by accessing it using netcat on the same
node. It will echo back anything you type.
```text
$ nc 127.0.0.1 8181
hello
hello
echo
echo
```
Stop the running netcat service by typing `ctrl + c`.
### Register a front end service in the other datacenter
Now in your other datacenter, you will register a service (with a sidecar proxy)
that calls your backend service. Your registration will need to list the backend
service as your upstream. Like the backend service, you can use an example
service, which will be called web, or append the connect stanza to an existing
registration with some customization.
To use web as your front end service, create a registration file called
`web.json` that contains the following snippet.
```json
{
"service": {
"name": "web",
"port": 8080,
"token": "<token here>",
"connect": {
"sidecar_service": {
"proxy": {
"upstreams": [{
"destination_name": "socat",
"datacenter": "primary",
"local_bind_port": 8181
}]
}
}
}
}
}
```
Note the Connect part of the registration, which specifies socat as an
upstream. If you are using another service as a back end, replace `socat` with
its name and the `8181` with its port.
Reload the client with the new or modified registration.
```text
$ consul reload
```
Then start Envoy and specify which service it will proxy.
```text
$ consul connect envoy -sidecar-for web
```
## Configure Intentions to Allow Communication Between Services
Now that your services both use Connect, you will need to configure intentions
in order for them to communicate with each other. Add an intention to allow the
front end service to access the back end service. For web and socat the command
would look like this.
```text
$ consul intention create web socat
```
Consul will automatically forward intentions initiated in the in the secondary
datacenter to the primary datacenter, where the servers will write them. The
servers in the primary datacenter will then automatically replicate the written
intentions back to the secondary datacenter.
## Test the connection
Now that you have services using Connect, verify that they can contact each
other. If you have been using the example web and socat services, from the node
and datacenter where you registered the web service, start netcat and type
something for it to echo.
```text
$ nc 127.0.0.1 8181
hello
hello
echo
echo
```
## Summary
In this guide you configured two WAN-joined datacenters to use Consul Connect,
deployed gateways in each datacenter, and connected two services to each other
across datacenters.
Gateways know where to route traffic because of Server Name Indication (SNI)
where the client service sends the destination as part of the TLS handshake.
Because gateways rely on TLS to discover the traffics destination, they require
Consul Connect to route traffic.
### Next Steps
Now that youve seen how to deploy gateways to proxy inter-datacenter traffic,
you can deploy multiple gateways for redundancy or availability. The gateways
and proxies will automatically round-robin load balance traffic between the
gateways.
If you are using Kubernetes you can configure Connect and deploy gateways for
your Kubernetes cluster using the Helm chart. Learn more in the [Consuls
Kubernetes documentation](https://www.consul.io/docs/platform/k8s/helm.html)
Visit the Consul documentation for a full list of configurations for [Consul
Connect](https://www.consul.io/docs/connect/index.html), including [mesh gateway
configuration options](https://www.consul.io/docs/connect/mesh_gateway.html).