consul/website/content/docs/connect/cluster-peering/index.mdx

59 lines
4.4 KiB
Markdown

---
layout: docs
page_title: What is Cluster Peering?
description: >-
This page details the cluster peering process for connecting Consul clusters across datacenters, including differences between cluster peering and the similar concept of WAN federation.
---
# What is Cluster Peering?
~> **Cluster peering is currently in beta**: Functionality associated with cluster peering is subject to change. You should never use the beta release in secure environments or production scenarios. Features in beta may have performance issues, scaling issues, and limited support.
You can create peering connections between two or more independent clusters so that services deployed to different partitions or datacenters can communicate.
## Overview
Cluster peering allows Consul clusters in different datacenters to communicate with each other. The cluster peering process consists of the following steps:
1. Create a peering token in one cluster.
1. Use the peering token to establish peering with a second cluster.
1. Export services between clusters.
1. Create intentions to authorize services for peers.
For detailed instructions on setting up cluster peering, refer to [Create and Manage Peering Connections](/docs/connect/cluster-peering/create-manage-peering).
### Differences between WAN federation and cluster peering
WAN federation and cluster peering are different ways to connect clusters. The most important distinction is that WAN federation assumes clusters are owned by the same operators, so it maintains and replicates global states such as ACLs and configuration entries. As a result, WAN federation requires a _primary datacenter_ to serve as an authority for replicated data.
Regardless of whether you connect your clusters through WAN federation or cluster peering, human and machine users can use either method to discover services in other clusters or dial them through the service mesh.
| | WAN Federation | Cluster Peering |
| :------------------------------------------------- | :------------: | :-------------: |
| Connects clusters across datacenters | ✅ | ✅ |
| Shares support queries and service endpoints | ✅ | ✅ |
| Connects clusters owned by different operators | ❌ | ✅ |
| Functions without declaring primary datacenter | ❌ | ✅ |
| Replicates exported services for service discovery | ❌ | ✅ |
| Shares key/value stores | ✅ | ❌ |
| Uses gossip protocol | ✅ | ❌ |
| Forwards service requests for service discovery | ✅ | ❌ |
## Beta release features and constraints
The cluster peering beta includes the following features and functionality:
- Mesh Gateways for _service to service traffic_ between clusters are available. For more information on configuring mesh gateways across peers, refer to [Service-to-service Traffic Across Peered Clusters](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-peers).
- You can generate peering tokens, establish, list, read, and delete peerings, and manage intentions for peering connections with both the API and the UI.
- You can configure [transparent proxies](/docs/connect/transparent-proxy) for peered services.
- You can use the [`peering` rule for ACL enforcement](/docs/security/acl/acl-rules#peering) of peering APIs.
Not all features and functionality are available in the beta release. In particular, consider the following technical constraints:
- Mesh gateways for _server to server traffic_ are not available.
- Dynamic routing features such as splits, custom routes, and redirects cannot target services in a peered cluster.
- Configuring service failover across peers is not supported for service mesh.
- Consul datacenters that are already federated stay federated. You do not need to migrate WAN federated clusters to cluster peering.
- The `consul intention` CLI command is not supported. To manage intentions that specify services in peered clusters, use [configuration entries](/docs/connect/config-entries/service-intentions).
- Accessing key/value stores across peers is not supported.
- Non-enterprise Consul instances cannot sync services with namespaces outside of the `default` namespace.