mirror of https://github.com/hashicorp/consul
Format traffic behaviors table
parent
65dce3476f
commit
a2a7b56292
|
@ -104,16 +104,16 @@ you may register the service as a node in the Consul catalog.
|
|||
The [`destination`](/docs/connect/config-entries/service-defaults#terminating-gateway-destination) field of the `ServiceDefaults` Custom Resource Definition (CRD) allows clients to dial an external service directly. For this method to work, [`TransparentProxy`](/docs/connect/transparent-proxy) must be enabled.
|
||||
The following table describes traffic behaviors when using the `destination` field to route traffic through a terminating gateway:
|
||||
|
||||
| External Services Layer | Client dials | Client uses TLS | Allowed | Notes |
|
||||
|---|---|---|---|---|
|
||||
| L4 | Hostname | Yes | Allowed | `CAFiles` are not allowed because traffic is already end-to-end encrypted by the client. |
|
||||
| L4 | IP | Yes | Allowed | `CAFiles` are not allowed because traffic is already end-to-end encrypted by the client. |
|
||||
| L4 | Hostname | No | Not allowed | The sidecar is not protocol aware and can not identify traffic going to the external service. |
|
||||
| L4 | IP | No | Allowed | There are no limitations on dialing IPs without TLS. |
|
||||
| L7 | Hostname | Yes | Not allowed | Because traffic is already encrypted before the sidecar, it cannot route as L7 traffic. |
|
||||
| L7 | IP | Yes | Not allowed | Because traffic is already encrypted before the sidecar, it cannot route as L7 traffic. |
|
||||
| L7 | Hostname | No | Allowed | A `Host` or `:authority` header is required. |
|
||||
| L7 | IP | No | Allowed | There are no limitations on dialing IPs without TLS. |
|
||||
| External Services Layer | Client dials | Client uses TLS | Allowed | Notes |
|
||||
| ----------------------- | ------------ | --------------- | ----------- | --------------------------------------------------------------------------------------------- |
|
||||
| L4 | Hostname | Yes | Allowed | `CAFiles` are not allowed because traffic is already end-to-end encrypted by the client. |
|
||||
| L4 | IP | Yes | Allowed | `CAFiles` are not allowed because traffic is already end-to-end encrypted by the client. |
|
||||
| L4 | Hostname | No | Not allowed | The sidecar is not protocol aware and can not identify traffic going to the external service. |
|
||||
| L4 | IP | No | Allowed | There are no limitations on dialing IPs without TLS. |
|
||||
| L7 | Hostname | Yes | Not allowed | Because traffic is already encrypted before the sidecar, it cannot route as L7 traffic. |
|
||||
| L7 | IP | Yes | Not allowed | Because traffic is already encrypted before the sidecar, it cannot route as L7 traffic. |
|
||||
| L7 | Hostname | No | Allowed | A `Host` or `:authority` header is required. |
|
||||
| L7 | IP | No | Allowed | There are no limitations on dialing IPs without TLS. |
|
||||
|
||||
You can provide a `caFile` to secure traffic between unencrypted clients that connect to external services through the terminating gateway.
|
||||
Refer to [Create the configuration entry for the terminating gateway](#create-the-configuration-entry-for-the-terminating-gateway) for details.
|
||||
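Review bot: since this hunk only re-pads the table columns and leaves every cell's text unchanged, it is a good moment to fix two inconsistencies that the new rows carry over verbatim. The `L4 | Hostname | No` row says "can not identify" while the two `L7 | … | Yes` rows say "cannot route"; "cannot" should be used in both. The Notes column refers to `CAFiles` (capitalised, plural) while the paragraph directly below the table refers to `caFile`; the table and the prose should use the same spelling, matching the actual terminating-gateway config entry field name, so readers can search for it.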
|
|