mirror of https://github.com/hashicorp/consul
54 lines
2.9 KiB
Markdown
54 lines
2.9 KiB
Markdown
---
|
|
layout: "docs"
|
|
page_title: "Consul Enterprise Multi-Datacenter Connect"
|
|
sidebar_current: "docs-enterprise-connect-multi-datacenter"
|
|
description: |-
|
|
Consul Enterprise supports cross datacenter connections using Consul Connect.
|
|
---
|
|
|
|
# Consul Connect Multi-Datacenter
|
|
|
|
[Consul Enterprise](https://www.hashicorp.com/consul.html) enables service-to-service
|
|
connections across multiple Consul datacenters. This includes replication of intentions
|
|
and federation of Certificate Authority trust.
|
|
|
|
Sidecar proxy's [upstream configuration](/docs/connect/registration/service-registration.html#upstream-configuration-reference)
|
|
may specify an alternative datacenter or a prepared query that can address services
|
|
in multiple datacenters (such as the [geo failover](https://learn.hashicorp.com/consul/developer-discovery/geo-failover) pattern).
|
|
|
|
[Intentions](/docs/connect/intentions.html) verify connections between services by
|
|
source and destination name seamlessly across datacenters. Support for constraining Intentions
|
|
by source or destination datacenter is planned for the near future.
|
|
|
|
It is assumed that workloads can communicate between datacenters via existing network
|
|
routes and VPN tunnels, potentially using Consul's
|
|
[`translate_wan_addrs`](/docs/agent/options.html#translate_wan_addrs) to ensure remote
|
|
workloads discover an externally routable IP.
|
|
|
|
# Replication
|
|
|
|
Intention replication happens automatically but requires the [`primary_datacenter`](/docs/agent/options.html#primary_datacenter)
|
|
configuration to be set to specify a datacenter that is authoritative
|
|
for intentions. In production setups with ACLs enabled, the [replication token](/docs/agent/options.html#acl_tokens_replication)
|
|
must also be set in secondary datacenter server's configuration.
|
|
|
|
# Certificate Authority Federation
|
|
|
|
The primary datacenter also acts as the root Certificate Authority (CA) for Connect.
|
|
The primary datacenter generates a trust-domain UUID and obtains a root certificate
|
|
from the configured CA provider which defaults to the built-in one.
|
|
|
|
Secondary datacenters fetch the root CA public key and trust-domain ID from the primary and
|
|
generate their own key and Certificate Signing Request (CSR) for an intermediate CA certificate.
|
|
This CSR is signed by the root in the primary datacenter and the certificate is returned.
|
|
The secondary datacenter can now use this intermediate to sign new Connect certificates
|
|
in the secondary datacenter without WAN communication. CA keys are never replicated between
|
|
datacenters.
|
|
|
|
The secondary maintains watches on the root CA certificate in the primary. If the CA root
|
|
changes for any reason such as rotation or migration to a new CA, the secondary automatically
|
|
generates new keys and has them signed by the primary datacenter's new root before initiating
|
|
an automatic rotation of all issued certificates in use throughout the secondary datacenter.
|
|
This makes CA root key rotation fully automatic and with zero downtime across multiple data
|
|
centers.
|