github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10097 Commits
1702 Branches
457 Tags
697 MiB
 
 
 
 
 
 
Tree: de01a1e279
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'de01a1e279'
${ noResults }
consul/website/source/segmentation.html.erb

207 lines
11 KiB
Raw Blame History

---
description: |-
Consul is a highly available and distributed service discovery and KV
store designed with support for the modern data center to make distributed
systems and configuration easy.
---
<div class='consul-connect'>
<section class='g-hero'>
<span>New Feature</span>
<h1>Service segmentation made easy</h1>
<p>Secure service-to-service communication with automatic TLS encryption and identity-based authorization</p>
<div>
<a href="/downloads.html" class="g-btn download">
<svg xmlns="http://www.w3.org/2000/svg" width="20" height="22" viewBox="0 0 20 22">
<path d="M9.292 15.706a1 1 0 0 0 1.416 0l3.999-3.999a1 1 0 1 0-1.414-1.414L11 12.586V1a1 1 0 1 0-2 0v11.586l-2.293-2.293a1 1 0 1 0-1.414 1.414l3.999 3.999zM20 16v3c0 1.654-1.346 3-3 3H3c-1.654 0-3-1.346-3-3v-3a1 1 0 1 1 2 0v3c0 .551.448 1 1 1h14c.552 0 1-.449 1-1v-3a1 1 0 1 1 2 0z"/>
</svg>
Download
</a>
<a href="https://learn.hashicorp.com/consul/getting-started/connect" class="g-btn dark-outline">Explore Docs</a>
</div>
</section>
<section class='g-section'>
<div class='g-container'>
<div class='g-timeline no-intro'>
<div>
<span class='line'></span>
<span class='line'>
<svg xmlns="http://www.w3.org/2000/svg" width="11" height="15" viewBox="0 0 11 15">
<path fill="#CA2171" d="M0 0v15l5.499-3.751L11 7.5 5.499 3.749.002 0z"/>
</svg>
</span>
<span class='dot'></span>
<h3>The Challenge</h3>
<span class='sub-heading'>Securing service-to-service communication with firewalls doesn’t scale in dynamic settings.</span>
<div id='segmentation-challenge-animation' class='g-animation-block'>
<%= inline_svg 'consul-connect/svgs/segmentation-challenge.svg' %>
</div>
<p>East-west firewalls use IP-based rules to secure ingress and
egress traffic. But in a dynamic world where services move across
machines and machines are frequently created and destroyed, this
perimeter-based approach is difficult to scale as it results in
complex network topologies and a sprawl of short-lived
firewall rules.</p>
</div>
<div>
<span class='dot'></span>
<h3>The Solution</h3>
<span class='sub-heading'>Service segmentation for dynamic service authorization.</span>
<div id='segmentation-solution-animation' class='g-animation-block'>
<%= inline_svg 'consul-connect/svgs/segmentation-solution.svg' %>
</div>
<p>Service segmentation is a new approach to secure the service itself
rather than relying on the network. Consul uses service policies to
codify which services are allowed to communicate. These policies
scale across datacenters and large fleets without IP-based rules or
networking middleware.</p>
</div>
</div>
</div>
</section>
<section class='g-section border-top'>
<div class='g-container'>
<div class='intro'>
<h2>Features</h2>
</div>
<div class='g-text-asset large'>
<div>
<div>
<h3>Service Access Graph </h3>
<p>Define and enforce service to service communication with a simple Intentions configuration. Service based rules, instead of IP-based rules, make it easy to manage dynamic infrastructure with frequently changing machines and service locations.</p>
<p>
<a class="learn-more" href='/docs/connect/intentions.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div>
<picture>
<source type="image/webp" srcset="
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_230.webp 230w,
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_844.webp 844w,
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.webp 1290w" />
<source type="image/jpg" srcset="
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_230.jpg 230w,
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_844.jpg 844w,
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.jpg 1290w" />
<img src='/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.jpg' alt='Service Access Graph'>
</picture>
</div>
</div>
</div>
</section>
<section class='g-section border-top'>
<div class='g-container'>
<div class='g-text-asset reverse'>
<div>
<div>
<h3>Secure services across any runtime platform</h3>
<p>Secure communication between legacy and modern workloads. Sidecar proxies allow applications to be integrated without code changes and Layer 4 support provides nearly universal protocol compatibility.</p>
<p>
<a class="learn-more" href='/docs/connect/proxies.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div>
<picture>
<source type="image/webp" srcset="
/assets/images/consul-connect/grid_3/grid_3_300.webp 300w,
/assets/images/consul-connect/grid_3/grid_3_976.webp 976w,
/assets/images/consul-connect/grid_3/grid_3_1256.webp 1256w" />
<source type="image/png" srcset="
/assets/images/consul-connect/grid_3/grid_3_300.png 300w,
/assets/images/consul-connect/grid_3/grid_3_976.png 976w,
/assets/images/consul-connect/grid_3/grid_3_1256.png 1256w" />
<img src='/assets/images/consul-connect/grid_3/grid_3_1256.png' alt='Secure services across any runtime platform'>
</picture>
</div>
</div>
</div>
</section>
<section class='g-section border-top'>
<div class='g-container'>
<div class='g-text-asset'>
<div>
<div>
<h3>Certificate-Based Service Identity</h3>
<p>TLS certificates are used to identify services and secure communications. Certificates use the SPIFFE format for interoperability with other platforms. Consul can be a certificate authority to simplify deployment, or integrate with external signing authorities like Vault.</p>
<p>
<a class="learn-more" href='/docs/connect/ca.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div class='logos'>
<div>
<img src='/assets/images/consul-connect/logos/vault.png' alt='Vault'>
<img src='/assets/images/consul-connect/logos/spiffe.png' alt='Spiffe'>
</div>
</div>
</div>
</div>
</section>
<section class='g-section border-top'>
<div class='g-container'>
<div class='g-text-asset reverse'>
<div>
<div>
<h3>Encrypted communication</h3>
<p>All traffic between services is encrypted and authenticated with mutual TLS. Using TLS provides a strong guarantee of the identity of services communicating, and ensures all data in transit is encrypted.</p>
<p>
<a class="learn-more" href='/docs/connect/security.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div class='code-sample'>
<div>
<span></span>
<div class='code'><code>$ consul connect proxy -service web \
-service-addr 127.0.0.1:8000
-listen <code class="keyword">10.0.1.109:7200</code>
==> Consul Connect proxy starting...
Configuration mode: Flags
Service: web
Public listener: <code class="keyword">10.0.1.109:7200</code> => 127.0.0.1:8000
...
$ tshark -V \
-Y "ssl.handshake.certificate" \
-O "ssl" \
-f <code class="keyword">"dst port 7200"</code>
Frame 39: 899 bytes on wire (7192 bits), 899 bytes captured (7192 bits) on interface 0
Internet Protocol Version 4, Src: 10.0.1.110, Dst: <code class="keyword">10.0.1.109</code>
Transmission Control Protocol, Src Port: 61918, Dst Port: 7200, Seq: 136, Ack: 916, Len: 843
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Version: TLS 1.2 (0x0303)
Handshake Protocol: Certificate
RDNSequence item: 1 item (id-at-commonName=<code class="keyword">Consul CA 7</code>)
RelativeDistinguishedName item (id-at-commonName=<code class="keyword">Consul CA 7</code>)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: <code class="keyword">Consul CA 7</code></code>
</div>
</div>
</div>
</div>
</div>
</section>
<section class='g-section g-cta-section'>
<div>
<h2>Ready to get started?</h2>
<a href="/downloads.html" class="g-btn white download">
<svg xmlns="http://www.w3.org/2000/svg" width="20" height="22" viewBox="0 0 20 22">
<path d="M9.292 15.706a1 1 0 0 0 1.416 0l3.999-3.999a1 1 0 1 0-1.414-1.414L11 12.586V1a1 1 0 1 0-2 0v11.586l-2.293-2.293a1 1 0 1 0-1.414 1.414l3.999 3.999zM20 16v3c0 1.654-1.346 3-3 3H3c-1.654 0-3-1.346-3-3v-3a1 1 0 1 1 2 0v3c0 .551.448 1 1 1h14c.552 0 1-.449 1-1v-3a1 1 0 1 1 2 0z"/>
</svg>
Download
</a>
<a href="https://learn.hashicorp.com/consul/getting-started/connect" class="g-btn white-outline">Explore docs</a>
</div>
</section>
</div>