mirror of https://github.com/hashicorp/consul
71 lines
4.0 KiB
Markdown
---
layout: docs
page_title: Using Ingress Gateways to Connect External Traffic to Internal Services
description: >-
  This topic describes how ingress gateways enable traffic from external services to reach services inside the Consul service mesh.
  It provides guidance on how to use Envoy and how to plug into your preferred gateway.
---

# Ingress Gateways

-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer.

Ingress gateways enable ingress traffic from services outside the Consul
service mesh to services inside the Consul service mesh. An ingress gateway is
a type of proxy and must be registered as a service in Consul, with the
[kind](/api/agent/service#kind) set to "ingress-gateway". Ingress gateways are an
entry point for outside traffic and allow you to define which services should be
exposed and on what port. You configure an ingress gateway by defining a set of
[listeners](/docs/connect/config-entries/ingress-gateway#listeners) that each map
to a set of backing
[services](/docs/connect/config-entries/ingress-gateway#services).

To make discovery of exposed services easier, Consul provides a dedicated [DNS
subdomain](/docs/discovery/dns#ingress-service-lookups) for ingress services:
`<service>.ingress.<domain>`.

For listeners with a
[protocol](/docs/connect/config-entries/ingress-gateway#protocol) other than
`tcp`, multiple services can be specified for a single listener. In this
case, the ingress gateway relies on the host/authority header to decide which
service should receive the traffic. The host used to match traffic
defaults to the [Consul DNS ingress
subdomain](/docs/discovery/dns#ingress-service-lookups), but can be changed using
the [hosts](/docs/connect/config-entries/ingress-gateway#hosts) field.

![Ingress Gateway Architecture](/img/ingress-gateways.png)

## Prerequisites

Ingress gateways require that your Consul datacenters are configured correctly:

- You'll need to use Consul version 1.8.0 or newer.
- Consul [Connect](/docs/agent/options#connect) must be enabled on the datacenter's Consul servers.
- [gRPC](/docs/agent/options#grpc_port) must be enabled on all client agents.

Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with ingress gateway capabilities in Consul.

## Running and Using an Ingress Gateway

For a complete example of how to allow external traffic inside your Consul service mesh,
review the [ingress gateway tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-ingress-gateways).

## Ingress Gateway Configuration

Ingress gateways are configured in service definitions and registered with Consul like other services, with two exceptions.
The first is that the [kind](/api/agent/service#kind) must be "ingress-gateway". Second,
the ingress gateway service definition may contain a `Proxy.Config` entry just like a
Connect proxy service, to define opaque configuration parameters useful for the actual proxy software.
For Envoy there are some supported [gateway options](/docs/connect/proxies/envoy#gateway-options) as well as
[escape-hatch overrides](/docs/connect/proxies/envoy#escape-hatch-overrides).

-> **Note:** If ACLs are enabled, ingress gateways must be registered with a token granting `service:write` for the ingress gateway's service name,
`service:read` for all services in the ingress gateway's configuration entry, and `node:read` for all nodes of the services
in the ingress gateway's configuration entry. These privileges authorize the token to route communications to other Connect services.
If the Consul client agent on the gateway's node is not configured to use the default gRPC port, 8502, then the gateway's token
must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies.

~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
sets of services within their datacenter then the ingress gateways **must** be registered with different names.
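As an added example (not from this docs page or the Consul repository), the two artifacts the sections above describe side by side: a config entry whose listeners map to backing services, with an explicit `Hosts` override on the HTTP listener, and an ACL policy granting exactly the privileges the note lists. The gateway name `ingress-service`, the services `api`, `web` and `db`, the host `api.example.com` and the node name `gateway-node` are assumed.

```hcl
# --- ingress-gateway.hcl: config entry, applied with `consul config write` ---
# Gateway name is assumed. Because config entries are global, a gateway that
# should expose a different set of services in another datacenter needs its own name.
Kind = "ingress-gateway"
Name = "ingress-service"

Listeners = [
  {
    # Non-tcp listener: several services share the port and are selected by the
    # Host/:authority header. "api" answers for api.example.com; "web" keeps
    # the default <service>.ingress.<domain> host.
    Port     = 8080
    Protocol = "http"
    Services = [
      {
        Name  = "api"
        Hosts = ["api.example.com"]
      },
      {
        Name = "web"
      }
    ]
  },
  {
    # tcp listener: no host header to route on, so exactly one service.
    Port     = 3306
    Protocol = "tcp"
    Services = [
      { Name = "db" }
    ]
  }
]

# --- ingress-gateway-policy.hcl: ACL policy for the gateway's registration token ---
# service:write on the gateway's own name, service:read on each service the
# config entry exposes, node:read on the nodes those services run on. Naming the
# exposed services individually (rather than service_prefix "") keeps the gateway
# token from reading the rest of the catalog.
service "ingress-service" { policy = "write" }
service "api"             { policy = "read" }
service "web"             { policy = "read" }
service "db"              { policy = "read" }
node_prefix ""            { policy = "read" }
# Only needed when the local client agent's gRPC port is not the default 8502;
# "gateway-node" is the assumed name of the node the gateway registers on.
agent "gateway-node"      { policy = "read" }
```

Each file is a separate artifact: the config entry is written with `consul config write`, the policy is created with `consul acl policy create` and attached to the token used for the gateway's service registration.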