mirror of https://github.com/hashicorp/consul
194 lines
6.3 KiB
Markdown
194 lines
6.3 KiB
Markdown
---
|
||
layout: docs
|
||
page_title: Create Network Segments
|
||
description: >-
|
||
Learn how to create Consul network segments to enable services in the LAN gossip pool to communicate across communication boundaries.
|
||
---
|
||
|
||
# Create Network Segments
|
||
|
||
This topic describes how to create Consul network segments so that services can connect to other services in the LAN gossip pool that have been placed into separate communication boundaries. Refer to [Network Segments Overview](/consul/docs/enterprise/network-segments/network-segments-overview) for additional information.
|
||
|
||
|
||
## Requirements
|
||
|
||
- Consul Enterprise 0.9.3+
|
||
|
||
## Define segments in the server configuration
|
||
|
||
1. Add the `segments` block to your server configuration. Refer to the [`segments`](/consul/docs/agent/config/config-files#segments) documentation for details about how to define the configuration.
|
||
|
||
In the following example, an `alpha` segment is configured to listen for traffic on port `8303` and a `beta` segment is configured to listen to traffic on port `8304`:
|
||
|
||
<CodeTabs heading="Example network segments configuration for server agents">
|
||
|
||
```hcl
|
||
segments = [
|
||
{
|
||
name = "alpha"
|
||
bind = "10.0.0.1"
|
||
advertise = "10.0.0.1"
|
||
port = 8303
|
||
},
|
||
{
|
||
name = "beta"
|
||
bind = "10.0.0.1"
|
||
advertise = "10.0.0.1"
|
||
port = 8304
|
||
}
|
||
]
|
||
```
|
||
|
||
```json
|
||
{
|
||
"segments": [
|
||
{
|
||
"name": "alpha",
|
||
"bind": "10.0.0.1",
|
||
"advertise": "10.0.0.1",
|
||
"port": 8303
|
||
},
|
||
{
|
||
"name": "beta",
|
||
"bind": "10.0.0.1",
|
||
"advertise": "10.0.0.1",
|
||
"port": 8304
|
||
}
|
||
]
|
||
}
|
||
```
|
||
|
||
</CodeTabs>
|
||
|
||
1. Start the server using the `consul agent` command. Copy the address for each segment listener so that you can [direct clients to join the segment](#configure-clients-to-join-segments) when you start them:
|
||
|
||
```shell-session
|
||
$ consul agent -config-file server.hcl
|
||
[INFO] serf: EventMemberJoin: server1.dc1 10.20.10.11
|
||
[INFO] serf: EventMemberJoin: server1 10.20.10.11
|
||
[INFO] consul: Started listener for LAN segment "alpha" on 10.20.10.11:8303
|
||
[INFO] serf: EventMemberJoin: server1 10.20.10.11
|
||
[INFO] consul: Started listener for LAN segment "beta" on 10.20.10.11:8304
|
||
[INFO] serf: EventMemberJoin: server1 10.20.10.11
|
||
```
|
||
1. Verfiy that the server is a member of all segments:
|
||
|
||
```shell-session
|
||
$ consul members
|
||
Node Address Status Type Build Protocol DC Segment
|
||
server1 10.20.10.11:8301 alive server 1.14+ent 2 dc1 <all>
|
||
```
|
||
|
||
## Configure clients to join segments
|
||
|
||
Client agents can only be members of one segment at a time. You can direct clients to join a segment by specifying the address and name of the segment with the [`-join`](/consul/docs/agent/config/cli-flags#_join) and [`-segment`](/consul/docs/agent/config/cli-flags#_segment) command line flags when starting the agent.
|
||
|
||
```shell-session
|
||
$ consul agent -config-file client.hcl -join 10.20.10.11:8303 -segment alpha
|
||
```
|
||
|
||
Alternatively, you can add the [`retry_join`](/consul/docs/agent/config/config-files#retry_join) and [`segment`](/consul/docs/agent/config/config-files#segment-1) parameters to your client agent configuration file:
|
||
|
||
```hcl
|
||
node_name = "consul-client"
|
||
server = false
|
||
datacenter = "dc1"
|
||
data_dir = "consul/client-data"
|
||
log_level = "INFO"
|
||
retry_join = ["10.20.10.11:8303"]
|
||
segment = "alpha"
|
||
```
|
||
|
||
## Verify segments
|
||
|
||
You can use the CLI, API, or GUI to verify which segments your agents have joined.
|
||
|
||
<Tabs>
|
||
|
||
<Tab heading="CLI">
|
||
|
||
Run the `consul members` command to verify that the client agents are joined to the correct segments:
|
||
|
||
<CodeBlockConfig>
|
||
|
||
```shell-session
|
||
$ consul members
|
||
Node Address Status Type Build Protocol DC Partition Segment
|
||
server 192.168.4.159:8301 alive server 1.14+ent 2 dc1 default <all>
|
||
client1 192.168.4.159:8447 alive client 1.14+ent 2 dc1 default alpha
|
||
```
|
||
|
||
</CodeBlockConfig>
|
||
|
||
You can also pass the name of a segment in the `-segment` flag to view agents in a specific segment. Note that server agents display their LAN listener port for the specified segment the segment filter applied. In the following example, the command returns port `8303` for alpha, rather than for the `<default>` segment port:
|
||
|
||
<CodeBlockConfig>
|
||
|
||
```shell-session
|
||
$ consul members -segment alpha
|
||
Node Address Status Type Build Protocol DC Segment
|
||
server1 10.20.10.11:8301 alive server 1.14+ent 2 dc1 alpha
|
||
client1 10.20.10.21:8303 alive client 1.14+ent 2 dc1 alpha
|
||
```
|
||
|
||
</CodeBlockConfig>
|
||
|
||
Refer to the [`members`](/consul/commands/members) documentation for additional information.
|
||
|
||
</Tab>
|
||
|
||
<Tab heading="API">
|
||
|
||
Call the `/agent/members` API endpoint to view members that the agent sees in the cluster gossip pool.
|
||
|
||
<CodeBlockConfig highlight="21">
|
||
|
||
```shell-session
|
||
$ curl http://127.0.0.1:8500/v1/agent/members?segment=alpha
|
||
|
||
{
|
||
"Addr" : "192.168.4.163",
|
||
"DelegateCur" : 4,
|
||
"DelegateMax" : 5,
|
||
"DelegateMin" : 2,
|
||
"Name" : "consul-client",
|
||
"Port" : 8447,
|
||
"ProtocolCur" : 2,
|
||
"ProtocolMax" : 5,
|
||
"ProtocolMin" : 1,
|
||
"Status" : 1,
|
||
"Tags" : {
|
||
"build" : "1.13.1+ent:5bd604e6",
|
||
"dc" : "dc1",
|
||
"ft_admpart" : "1",
|
||
"ft_ns" : "1",
|
||
"id" : "aeaf70d7-57f7-7eaf-e246-6edfe8386e9c",
|
||
"role" : "node",
|
||
"segment" : "alpha",
|
||
"vsn" : "2",
|
||
"vsn_max" : "3",
|
||
"vsn_min" : "2"
|
||
}
|
||
}
|
||
```
|
||
|
||
</CodeBlockConfig>
|
||
|
||
Refer to the [`/agent/members` API endpoint documentation](/consul/api-docs/agent#list-members) for additional information.
|
||
|
||
</Tab>
|
||
<Tab heading="UI">
|
||
|
||
If the UI is enabled in your agent configuration, the segment name appears in the node’s Metadata tab.
|
||
|
||
1. Open the URL for the UI. By default, the UI is `localhost:8500`.
|
||
1. Click **Node** in the sidebar and click on the name of the client agent you want to check.
|
||
1. Click the **Metadata** tab. The network segment appears as a key-value pair.
|
||
|
||
</Tab>
|
||
</Tabs>
|
||
|
||
|
||
## Related resources
|
||
|
||
You can also create and run a prepared query to query for additional information about the services registered to client nodes. Prepared queries are HTTP API endpoint features that enable you to run complex queries of Consul nodes. Refer [Prepared Query HTTP Endpoint](/consul/api-docs/query) for usage. |