---
layout: docs
page_title: Connect - Built-in Proxy
description: Consul Connect comes with a built-in proxy for testing and development.
---

# Built-In Proxy Options

~> **Note:** The built-in proxy is not supported for production deployments. It does not
support many of the Connect service mesh features, and is not under active development.
The [Envoy proxy](/docs/connect/proxies/envoy) should be used for production deployments.

Consul comes with a built-in L4 proxy for testing and development with Consul
Connect service mesh.

## Proxy Config Key Reference

Below is a complete example of all the configuration options available
for the built-in proxy.

```json
{
  "service": {
    ...
    "connect": {
      "proxy": {
        "config": {
          "bind_address": "0.0.0.0",
          "bind_port": 20000,
          "local_service_address": "127.0.0.1:1234",
          "local_connect_timeout_ms": 1000,
          "handshake_timeout_ms": 10000,
          "upstreams": [...]
        },
        "upstreams": [
          {
            ...
            "config": {
              "connect_timeout_ms": 1000
            }
          }
        ]
      }
    }
  }
}
```

All fields are optional with a reasonable default.

- `bind_address` - The address the proxy will bind its
  _public_ mTLS listener to. It defaults to the same address the agent binds to.

- `bind_port` - The port the proxy will bind its _public_
  mTLS listener to. If not provided, the agent will assign a random port from its
  configured proxy port range specified by [`sidecar_min_port`](/docs/agent/config/config-files#sidecar_min_port)
  and [`sidecar_max_port`](/docs/agent/config/config-files#sidecar_max_port).

- `local_service_address`- The `[address]:port`
  that the proxy should use to connect to the local application instance. By default
  it assumes `127.0.0.1` as the address and takes the port from the service definition's
  `port` field. Note that allowing the application to listen on any non-loopback
  address may expose it externally and bypass Connect's access enforcement. It may
  be useful though to allow non-standard loopback addresses or where an alternative
  known-private IP is available for example when using internal networking between
  containers.

- `local_connect_timeout_ms` - The number
  of milliseconds the proxy will wait to establish a connection to the _local application_
  before giving up. Defaults to `1000` or 1 second.

- `handshake_timeout_ms` - The number of milliseconds
  the proxy will wait for _incoming_ mTLS connections to complete the TLS handshake.
  Defaults to `10000` or 10 seconds.

- `upstreams`- **Deprecated** Upstreams are now specified
  in the `connect.proxy` definition. Upstreams specified in the opaque config map
  here will continue to work for compatibility but it's strongly recommended that
  you move to using the higher level [upstream configuration](/docs/connect/registration/service-registration#upstream-configuration-reference).

## Proxy Upstream Config Key Reference

All fields are optional with a reasonable default.

- `connect_timeout_ms` - The number of milliseconds
  the proxy will wait to establish a TLS connection to the discovered upstream instance
  before giving up. Defaults to `10000` or 10 seconds.