mirror of https://github.com/hashicorp/consul
---
layout: docs
page_title: Service Mesh on Consul
description: >-
  Consul’s service mesh makes application and microservice networking secure and observable with identity-based authentication, mutual TLS (mTLS) encryption, and explicit service-to-service authorization enforced by sidecar proxies. Learn how Consul’s service mesh works and get started on VMs or Kubernetes.
---

# Consul Service Mesh

Consul Service Mesh provides service-to-service connection authorization and
encryption using mutual Transport Layer Security (TLS). The name Consul Connect is
used interchangeably with Consul Service Mesh, and this document uses Connect to
refer to service mesh functionality within Consul.
Applications can use [sidecar proxies](/consul/docs/connect/proxies) in a service mesh configuration to
establish TLS connections for inbound and outbound connections without being aware of Connect at all.
Applications may also [natively integrate with Connect](/consul/docs/connect/native) for optimal performance and security.
Connect can help you secure your services and provide data about service-to-service communications.

Review the video below to learn more about Consul Connect from HashiCorp's co-founder Armon.

<iframe
  src="https://www.youtube.com/embed/8T8t4-hQY74"
  frameborder="0"
  allowfullscreen="true"
  width="560"
  height="315"
></iframe>

## Application Security

Connect enables secure deployment best practices with automatic
service-to-service encryption and identity-based authorization.
Connect uses the registered service identity (rather than IP addresses) to
enforce access control with [intentions](/consul/docs/connect/intentions). This
makes it easier to reason about access control and enables services to be
rescheduled by orchestrators including Kubernetes and Nomad. Intention
enforcement is network agnostic, so Connect works with physical networks, cloud
networks, software-defined networks, cross-cloud, and more.

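The identity-based access control described above can be expressed as a `service-intentions` configuration entry. This is an added example, not part of the original page; the service names `web` and `db` are hypothetical.

```hcl
# Added example: intentions for a hypothetical destination service "db".
# Access is decided by the source's registered service identity,
# not by its IP address, so the rule survives rescheduling.
# Written to Consul with: consul config write <file>
Kind = "service-intentions"
Name = "db"

Sources = [
  {
    # Only the "web" service identity may open connections to "db".
    Name   = "web"
    Action = "allow"
  },
  {
    # Every other source identity is denied. The exact-name rule
    # above takes precedence over this wildcard.
    Name   = "*"
    Action = "deny"
  }
]
```
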
## Observability

One of the key benefits of Consul Connect is the uniform and consistent view it can
provide of all the services on your network, irrespective of their different
programming languages and frameworks. When you configure Consul Connect to use
sidecar proxies, those proxies "see" all service-to-service traffic and can
collect data about it. Consul Connect can configure Envoy proxies to collect
layer 7 metrics and export them to tools like Prometheus. Correctly instrumented
applications can also send open tracing data through Envoy.

## Getting Started With Consul Service Mesh

There are several ways to try Connect in different environments.

- The [Getting Started with Consul Service Mesh collection](/consul/tutorials/kubernetes-deploy/service-mesh?utm_source=docs)
  walks you through installing Consul as a service mesh for Kubernetes using the Helm
  chart, deploying services in the service mesh, and using intentions to secure service
  communications.

- The [Getting Started With Consul for Kubernetes](/consul/tutorials/get-started-kubernetes?utm_source=docs) tutorials guide you through installing Consul on Kubernetes to set up a service mesh for establishing communication between Kubernetes services.

- The [Secure Service-to-Service Communication tutorial](/consul/tutorials/developer-mesh/service-mesh-with-envoy-proxy?utm_source=docs)
  is a simple walkthrough of connecting two services on your local machine
  using Consul Connect's built-in proxy and configuring your first intention. The guide also includes an introduction to
  using Envoy as the Connect sidecar proxy.

- The [Kubernetes tutorial](/consul/tutorials/kubernetes/kubernetes-minikube?utm_source=docs)
  walks you through configuring Consul Connect in Kubernetes using the Helm
  chart, and using intentions. You can run the guide on Minikube or an existing
  Kubernetes cluster.

- The [observability tutorial](/consul/tutorials/kubernetes/kubernetes-layer7-observability)
  shows how to deploy a basic metrics collection and visualization pipeline on
  a Minikube or Kubernetes cluster using the official Helm charts for Consul,
  Prometheus, and Grafana.