consul/website/content/docs/enterprise/network-segments.mdx

237 lines
9.6 KiB
Markdown

---
layout: docs
page_title: Network Segments (Enterprise)
description: >-
Network segments enable LAN gossip in a datacenter when network rules or firewalls prevent specific sets of clients from communicating directly. Learn about configuring server and client agents to operate in segmented networks.
---
# Network Segments
<EnterpriseAlert>
This feature requires version 0.9.3+ of
self-managed Consul Enterprise.
Refer to the{' '}
<a href="/consul/docs/enterprise#consul-enterprise-feature-availability">enterprise feature matrix</a>
{' '}for additional information.
</EnterpriseAlert>
Consul requires full connectivity between all agents (servers and clients) in a
[datacenter](/docs/agent/config/cli-flags#_datacenter) within a given
LAN gossip pool. By default, all Consul agents will be a part of one shared Serf LAN
gossip pool known as the `<default>` network segment, thus requiring full mesh
connectivity within the datacenter.
![Consul datacenter default agent connectivity: one network segment](/img/network-segments/consul-network-segments-single.png)
In some environments, full connectivity between all agents is not possible—known as a
"segmented network". This is usually the result of business policies enforced through
network rules or firewalls. To use Consul in a segmented network, you must break up
the LAN gossip pool along network communication boundaries into separate "network
segments". Network segments are isolated LAN gossip pools that only require full
connectivity between agent members on the same segment.
![Consul datacenter agent connectivity with network segments](/img/network-segments/consul-network-segments-multiple.png)
Complete the [Network Segments](https://learn.hashicorp.com/tutorials/consul/network-partition-datacenters) tutorial to learn more about network segments.
-> **Info:** Network segments enable you to operate a Consul datacenter without full
mesh (LAN) connectivity between agents. To federate multiple Consul datacenters
without full mesh (WAN) connectivity between all server agents in all datacenters,
use [Network Areas (Enterprise)](/docs/enterprise/federation).
# Consul Networking Models
To help set context for this feature, it is useful to understand the various
Consul networking models and their capabilities.
**Cluster:** A set of Consul servers forming a Raft quorum along with a
collection of Consul clients, all set to the same
[datacenter](/docs/agent/config/cli-flags#_datacenter), and joined together to form
what we will call a "local cluster". Consul clients discover the Consul servers
in their local cluster through the gossip mechanism and make RPC requests to
them. LAN Gossip (OSS) is an open intra-cluster networking model, and Network
Segments (Enterprise) creates multiple segments within one cluster.
**Federated Cluster:** A set of connected clusters, each representing a unique Consul “datacenter”. These Consul servers are federated together
over the WAN. Consul clients make use of resources in federated clusters by
forwarding RPCs through the Consul servers in their local cluster, but they
never interact with remote Consul servers directly. There are two tutorials that
will guide you through inter-cluster network models:
1. [WAN gossip (OSS)](https://learn.hashicorp.com/consul/security-networking/datacenters)
1. [Network Areas (Enterprise)](https://learn.hashicorp.com/tutorials/consul/federation-network-areas).
**LAN Gossip Pool**: A set of Consul agents that have full mesh connectivity
among themselves, and use Serf to maintain a shared view of the members of the
pool for different purposes, like finding a Consul server in a local cluster,
or finding servers in a remote cluster. A **segmented** LAN Gossip Pool limits a
group of agents to only connect with the agents in its segment.
# Network Segments Configuration
## Server Configuration
Server agents are members of all segments. The datacenter includes a `<default>`
segment, as well as additional segments defined in the
[`segments`](/docs/agent/config/config-files#segments) server agent configuration option.
Each additional segment is defined by:
- a non-empty name
- a unique port
- optionally, a custom bind and advertise address for the additional segment's
Serf LAN listener on the server
~> **Note:** Prior to Consul 1.7.3, a Consul server agent configured with too
many network segments may not be able to start due to [limitations](https://learn.hashicorp.com/tutorials/consul/network-partition-datacenters#network-segments-limitations)
in Serf.
### Example Server Configuration
The following server agent configuration will create two user-defined network
segments: `alpha` and `beta`.
<CodeTabs heading="Example network segments configuration for server agents">
```hcl
segments = [
{
name = "alpha"
bind = "{{GetPrivateIP}}"
advertise = "{{GetPrivateIP}}"
port = 8303
},
{
name = "beta"
bind = "{{GetPrivateIP}}"
advertise = "{{GetPrivateIP}}"
port = 8304
}
]
```
```json
{
"segments": [
{
"name": "alpha",
"bind": "{{GetPrivateIP}}",
"advertise": "{{GetPrivateIP}}",
"port": 8303
},
{
"name": "beta",
"bind": "{{GetPrivateIP}}",
"advertise": "{{GetPrivateIP}}",
"port": 8304
}
]
}
```
</CodeTabs>
The server [agent configuration](/docs/agent/config/config-files) options relevant to network
segments are:
- [`ports.serf_lan`](/docs/agent/config/config-files#serf_lan_port): The Serf LAN port on this server
for the `<default>` network segment's gossip pool.
- [`segments`](/docs/agent/config/config-files#segments): A list of user-defined network segments
on this server, including their names and Serf LAN ports.
## Client Configuration
Each client agent can only be a member of one segment at a time. This will be the
`<default>` segment unless otherwise specified in the agent's
[`segment`](/docs/agent/config/cli-flags#_segment) agent configuration option.
### Join a Client to a Segment ((#join_a_client_to_a_segment))
For a client agent to [join](/commands/join) the Consul
datacenter, it must connect to another agent (client or server) within its
configured segment.
<Tabs>
<Tab heading="Join via another client">
Clients A and B specify the same segment S. Client B is already joined to the segment S
LAN gossip pool. Client A wants to join via Client B. In order to do so, Client A
must connect to Client B's configured [Serf LAN port](/docs/agent/config/config-files#serf_lan_port).
</Tab>
<Tab heading="Join via a server">
Client A specifies segment S and wants to join the segment S gossip pool via Server 1.
In order to do so, Client A must connect to Server 1's configured [Serf LAN port
for segment S](/docs/agent/config/config-files#segment_port).
</Tab>
</Tabs>
There are several methods to specify the port used by the join operation, listed in order
of precedence:
1. **Specify an explicit port in the join address**. This can be done at the CLI when starting
the agent (e.g., `consul agent -retry-join "client-b-address:8303"`), or in the agent's
configuration using the [retry-join option](/docs/agent/config/config-files#retry_join). This method
is not compatible with [cloud auto-join](/docs/install/cloud-auto-join#auto-join-with-network-segments).
2. **Specify an alternate Serf LAN port for the agent**. This can be done at the CLI when starting
the agent (e.g., `consul agent -retry-join "client-b-address" -serf-lan-port 8303`), or in
the agent's configuration using the [serf_lan](/docs/agent/config/config-files#serf_lan_port) option.
When a Serf LAN port is not explicitly specified in the join address, the agent will attempt to
join the target host at the Serf LAN port specified in CLI or agent configuration.
3. **Use the default Serf LAN port (8301)**. The agent will attempt to join the target host
on port 8301.
-> Agents within a segment can use different port numbers for their Serf LAN port.
For example, on the `<default>` segment, Server S can use port 8301, Client A
can use 8303, and Client B can use 8304. However, if an agent wishes to join a
segment via an agent that uses a different port number, the target agent's Serf LAN
port must be specified in the join address (method 1 above).
### Example Client Configuration
The following client agent configuration will cause the agent to:
- Open a Serf LAN listener port on 8303.
- Attempt to join the cluster via servers on port 8303 (since an alternate port is not
specified in the `retry_join` addresses).
<CodeTabs heading="Example network segment configuration for client agents">
```hcl
node_name = "consul-client1"
retry_join = ["consul-server1", "consul-server2", "consul-server3"]
segment = "alpha"
ports = {
serf_lan = 8303
}
```
```json
{
"node_name": "consul-client1",
"retry_join": ["consul-server1", "consul-server2", "consul-server3"],
"segment": "alpha",
"ports": {
"serf_lan": 8303
}
}
```
</CodeTabs>
The client [agent configuration](/docs/agent/config/config-files) options relevant to network
segments are:
- [`segment`](/docs/agent/config/config-files#segment-2): The name of the network segment this
client agent belongs to.
- [`ports.serf_lan`](/docs/agent/config/config-files#serf_lan_port):
Serf LAN port for the above segment on this client. This is not required
to match the configured Serf LAN port for other agents on this segment.
- [`retry_join`](/docs/agent/config/config-files#retry_join) or
[`start_join`](/docs/agent/config/config-files#start_join): A list of agent addresses to join
when starting. Ensure the correct Serf LAN port for this segment is used when joining
the LAN gossip pool using one of the [available configuration methods](#join_a_client_to_a_segment).