consul/website/pages/docs/connect/gateways/terminating-gateway.mdx

128 lines
8.4 KiB
Markdown

---
layout: docs
page_title: Internal <> External Services - Terminating Gateways
sidebar_title: Internal <> External Services - Terminating Gateways
description: >-
A terminating gateway enables traffic from services in the Consul
service mesh to services outside the mesh. This section details
how to configure and run a terminating gateway.
---
# Terminating Gateways
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer.
Terminating gateways enable connectivity from services in the Consul service mesh to
services outside the mesh. These gateways effectively act as Connect proxies that can
represent more than one service. They terminate Connect mTLS connections, enforce intentions,
and forward requests to the appropriate destination.
![Terminating Gateway Architecture](/img/terminating-gateways.png)
For additional use cases and usage patterns, review the tutorial for
[understanding terminating gateways](https://learn.hashicorp.com/tutorials/consul/service-mesh-terminating-gateways).
~> **Known limitations:** Terminating gateways currently do not support targeting service subsets with
[L7 configuration](/docs/connect/l7-traffic-management). They route to all instances of a service with no capabilities
for filtering by instance.
## Security Considerations
~> We recommend that terminating gateways are not exposed to the WAN or open internet. This is because terminating gateways
hold certificates to decrypt Consul Connect traffic directed at them and may be configured with credentials to connect
to linked services. Connections over the WAN or open internet should flow through [mesh gateways](/docs/connect/mesh-gateway)
whenever possible since they are not capable of decrypting traffic or connecting directly to services.
By specifying a path to a [CA file](/docs/agent/config-entries/terminating-gateway#cafile) connections
from the terminating gateway will be encrypted using one-way TLS authentication. If a path to a
[client certificate](/docs/agent/config-entries/terminating-gateway#certfile)
and [private key](/docs/agent/config-entries/terminating-gateway#keyfile) are also specified connections
from the terminating gateway will be encrypted using mutual TLS authentication.
If none of these are provided, Consul will **only** encrypt connections to the gateway and not
from the gateway to the destination service.
When certificates for linked services are rotated, the gateway must be restarted to pick up the new certificates from disk.
To avoid downtime, perform a rolling restart to reload the certificates. Registering multiple terminating gateway instances
with the same [name](https://www.consul.io/docs/commands/connect/envoy#service) provides additional fault tolerance
as well as the ability to perform rolling restarts.
-> **Note:** If certificates and keys are configured the terminating gateway will upgrade HTTP connections to TLS.
Client applications can issue plain HTTP requests even when connecting to servers that require HTTPS.
## Prerequisites
Each terminating gateway needs:
1. A local Consul client agent to manage its configuration.
2. General network connectivity to services within its local Consul datacenter.
Terminating gateways also require that your Consul datacenters are configured correctly:
- You'll need to use Consul version 1.8.0 or newer.
- Consul [Connect](/docs/agent/options#connect) must be enabled on the datacenter's Consul servers.
- [gRPC](/docs/agent/options#grpc_port) must be enabled on all client agents.
Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with terminating gateway capabilities in Consul.
- Terminating gateway proxies receive their configuration through Consul, which
automatically generates it based on the gateway's registration. Currently Consul
can only translate terminating gateway registration information into Envoy
configuration, therefore the proxies acting as terminating gateways must be Envoy.
Connect proxies that send upstream traffic through a gateway aren't
affected when you deploy terminating gateways. If you are using non-Envoy proxies as
Connect proxies they will continue to work for traffic directed at services linked to
a terminating gateway as long as they discover upstreams with the
[/health/connect](/api/health#list-nodes-for-connect-capable-service) endpoint.
## Running and Using a Terminating Gateway
For a complete example of how to enable connections from services in the Consul service mesh to
services outside the mesh, review the [terminating gateway tutorial](https://learn.hashicorp.com/tutorials/consul/teminating-gateways-connect-external-services).
## Terminating Gateway Configuration
Terminating gateways are configured in service definitions and registered with Consul like other services, with two exceptions.
The first is that the [kind](/api/agent/service#kind) must be "terminating-gateway". Second,
the terminating gateway service definition may contain a `Proxy.Config` entry just like a
Connect proxy service, to define opaque configuration parameters useful for the actual proxy software.
For Envoy there are some supported [gateway options](/docs/connect/proxies/envoy#gateway-options) as well as
[escape-hatch overrides](/docs/connect/proxies/envoy#escape-hatch-overrides).
-> **Note:** If ACLs are enabled, terminating gateways must be registered with a token granting `node:read` on the nodes
of all services in its configuration entry. The token must also grant `service:write` for the terminating gateway's service name **and**
the names of all services in the terminating gateway's configuration entry. These privileges will authorize the gateway
to terminate mTLS connections on behalf of the linked services and then route the traffic to its final destination.
If the Consul client agent on the gateway's node is not configured to use the default gRPC port, 8502, then the gateway's token
must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies.
Linking services to a terminating gateway is done with a `terminating-gateway`
[configuration entry](/docs/agent/config-entries/terminating-gateway). This config entry can be applied via the
[CLI](/docs/commands/config/write) or [API](/api/config#apply-configuration).
Gateways with the same name in Consul's service catalog are configured with a single configuration entry.
This means that additional gateway instances registered with the same name will determine their routing based on the existing configuration entry.
Adding replicas of a gateway that routes to a particular set of services requires running the
[envoy subcommand](/docs/commands/connect/envoy#terminating-gateways) on additional hosts and specifying
the same gateway name with the `service` flag.
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
across all federated Consul datacenters. If terminating gateways in different Consul datacenters need to route to different
sets of services within their datacenter then the terminating gateways **must** be registered with different names.
The services that the terminating gateway will proxy for must be registered with Consul, even the services outside the mesh. They must also be registered
in the same Consul datacenter as the terminating gateway. Otherwise the terminating gateway will not be able to
discover the services' addresses. These services can be registered with a local Consul agent.
If there is no agent present, the services can be registered [directly in the catalog](/api/catalog#register-entity)
by sending the registration request to a client or server agent on a different host.
All services registered in the Consul catalog must be associated with a node, even when their node is
not managed by a Consul client agent. All agent-less services with the same address can be registered under the same node name and address.
However, ensure that the [node name](/api/catalog#node) for external services registered directly in the catalog
does not match the node name of any Consul client agent node. If the node name overlaps with the node name of a Consul client agent,
Consul's [anti-entropy sync](/docs/internals/anti-entropy) will delete the services registered via the `/catalog/register` HTTP API endpoint.
For a complete example of how to register external services review the
[external services tutorial](https://learn.hashicorp.com/tutorials/consul/service-registration-external-services).