---
layout: docs
page_title: Service Mesh Configuration - Overview
description: >-
  Learn how to enable and configure Consul's service mesh capabilities in agent configurations, and how to integrate with schedulers like Kubernetes and Nomad. Consul's service mesh capabilities are provided by the "connect" subsystem.
---

# Service Mesh Configuration Overview

There are many configuration options exposed for Consul service mesh. The only option
that must be set is the `connect.enabled` option on Consul servers to enable Consul service mesh.
All other configurations are optional and have defaults suitable for many environments.

The noun _connect_ is used throughout this documentation to refer to the connect
subsystem that provides Consul's service mesh capabilities.
Where you encounter the _noun_ connect, it usually refers to functionality specific to
service mesh.

## Agent configuration

Begin by enabling service mesh for your Consul
cluster. By default, service mesh is disabled. Enabling service mesh requires changing
the configuration of only your Consul _servers_ (not client agents). To enable
service mesh, add the following to a new or existing
[server configuration file](/consul/docs/agent/config/config-files). In an existing cluster, this configuration change requires a Consul server restart, which you can perform one server at a time to maintain availability.

<CodeTabs heading="Enable Consul service mesh" tabs={[ "HCL", "JSON" ]}>

```hcl
connect {
  enabled = true
}
```

```json
{
  "connect": {
    "enabled": true
  }
}
```

</CodeTabs>

This enables service mesh and configures your Consul cluster to use the
built-in certificate authority for creating and managing certificates.
You may also configure Consul to use an external
[certificate management system](/consul/docs/connect/ca), such as
[Vault](https://www.vaultproject.io/).

Services and proxies may always register with service mesh settings, but unless
service mesh is enabled on the server agents, their attempts to communicate will fail
because they have no means to obtain or verify service mesh TLS certificates.

Other optional service mesh configurations that you can set in the server
configuration file include:

- [certificate authority settings](/consul/docs/agent/config/config-files#connect)
- [token replication](/consul/docs/agent/config/config-files#acl_tokens_replication)
- [dev mode](/consul/docs/agent/config/cli-flags#_dev)
- [server host name verification](/consul/docs/agent/config/config-files#tls_internal_rpc_verify_server_hostname)

If you would like to use Envoy as your service mesh proxy, you will need to [enable
gRPC](/consul/docs/agent/config/config-files#grpc_port).

Additionally, if you plan on using the observability features of Consul service mesh, it can
be convenient to configure your proxies and services using [configuration
entries](/consul/docs/agent/config-entries), which you can interact with using the
CLI or API, or by creating configuration entry files. You will want to enable
[centralized service
configuration](/consul/docs/agent/config/config-files#enable_central_service_config) on
clients, which allows each service's proxy configuration to be managed centrally
via API.

!> **Security note:** Enabling service mesh is enough to try the feature but doesn't
automatically ensure complete security. Please read the [service mesh production
tutorial](/consul/tutorials/developer-mesh/service-mesh-production-checklist) to understand the additional steps
needed for a secure deployment.

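
The settings named in this section can be checked mechanically before a rollout. The audit below is an added example, not part of the Consul documentation or code base. It assumes agent configuration in JSON form; the function names, the sample configs, and the choice to report the optional host name verification setting when it is unset are assumptions of the example.

```python
import json

# Constructed sample agent configs in JSON form (not taken from the page).
SERVER_CFG = json.loads("""
{
  "server": true,
  "connect": {"enabled": true},
  "ports": {"grpc": 8502},
  "tls": {"internal_rpc": {"verify_server_hostname": true}}
}
""")
BARE_SERVER_CFG = json.loads('{"server": true}')
CLIENT_CFG = json.loads(
    '{"ports": {"grpc": 8502}, "enable_central_service_config": false}'
)


def lookup(cfg, dotted):
    """Return the value at a dotted key path, or None if any part is missing."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_mesh_config(cfg, uses_envoy=True):
    """Return the mesh-related keys that are unset or set against the page's advice."""
    findings = []
    is_server = lookup(cfg, "server") is True
    # Required: without connect.enabled on servers, no mesh certificates are issued.
    if is_server and lookup(cfg, "connect.enabled") is not True:
        findings.append("connect.enabled")
    # Envoy needs the agent's gRPC port; absent or non-positive is treated as off.
    grpc = lookup(cfg, "ports.grpc")
    if uses_envoy and not (type(grpc) is int and grpc > 0):
        findings.append("ports.grpc")
    # Optional setting listed on the page: server host name verification.
    if lookup(cfg, "tls.internal_rpc.verify_server_hostname") is not True:
        findings.append("tls.internal_rpc.verify_server_hostname")
    # Clients: flag only an explicit opt-out of centralized service configuration.
    if not is_server and lookup(cfg, "enable_central_service_config") is False:
        findings.append("enable_central_service_config")
    return findings


if __name__ == "__main__":
    for name, cfg in [("server", SERVER_CFG), ("bare", BARE_SERVER_CFG), ("client", CLIENT_CFG)]:
        print(name, audit_mesh_config(cfg) or "ok")
```
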
## Centralized proxy and service configuration

If your network contains many instances of the same service and many colocated sidecar proxies, you can specify global settings for proxies or services in [Configuration Entries](/consul/docs/agent/config-entries). You can override the centralized configurations for individual proxy instances in their
[sidecar service definitions](/consul/docs/connect/proxies/deploy-sidecar-services),
and the default protocols for service instances in their [service
definitions](/consul/docs/services/usage/define-services).

## Schedulers

Consul service mesh is especially useful if you are using an orchestrator like Nomad
or Kubernetes, because these orchestrators can deploy thousands of service instances
that frequently move between hosts. Sidecars for each service can be configured through
these schedulers, and in some cases they can automate Consul configuration,
sidecar deployment, and service registration.

### Nomad

Consul service mesh can be used with Nomad to provide secure service-to-service
communication between Nomad jobs and task groups. The ability to use the dynamic
port feature of Nomad makes Consul service mesh particularly easy to use. Learn how to
configure Consul service mesh on Nomad by reading the
[integration documentation](/consul/docs/connect/nomad).

### Kubernetes

The Consul Helm chart can automate much of Consul's service mesh configuration, and
makes it easy to automatically inject Envoy sidecars into new pods when they are
deployed. Learn about the [Helm chart](/consul/docs/k8s/helm) in general,
or if you are already familiar with it, check out its
[service mesh specific configurations](/consul/docs/k8s/connect).