Day 1: Deploying Your First Datacenter

Appendix: Production Checklist

Below is a checklist that can help you deploy your first datacenter. The checklist is not exhaustive, and you may need to add tasks depending on your environment.

Infrastructure Planning

Ports

Refer to the API documentation for specific port numbers or alternate configuration options.

  • DNS server
  • HTTP API
  • HTTPS API
  • gRPC API
  • Serf LAN port
  • Serf WAN port
  • Server RPC address
  • sidecar_min_port: inclusive minimum port number to use for automatically assigned sidecar service registrations
  • sidecar_max_port

Deployment

Consul Servers

Consul Clients

  • Consul binary has been distributed to all clients.
  • The configuration file has been customized.
  • TLS enabled for RPC communication
  • Gossip encryption configured
  • External Service Monitor has been deployed to nodes that cannot run a Consul client.

Networking

Configure DNS Caching

Refer to the DNS caching guide for step by step instructions and considerations around DNS performance.

  • Stale reads have been configured in the agent configuration file.
  • Negative response caching has been configured in the agent configuration file.
  • TTL values have been configured in the agent configuration file.

Set Up DNS Forwarding

Refer to the DNS forwarding guide for instructions on integrating Consul with system DNS.

  • BIND, dnsmasq, Unbound, systemd-resolved, or iptables has been configured.

Security

Encryption of Communication

  • TLS: RPC encryption for both incoming and outgoing communication.
  • Gossip encryption: both incoming and outgoing communication.

Enable ACLs

Refer to the Securing Consul with ACLs guide for instructions on setting up access control lists.

  • Tokens have been created for all agents and services.

Set Up a Certificate Authority

Refer to the Certificate guide for instructions on setting up a certificate authority.

  • Agent certificates have been created and distributed to all agents.
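
The Security items above can be checked mechanically against a parsed agent configuration. The following is an added example, not part of the original checklist or of Consul itself. It assumes the legacy top-level keys `encrypt`, `verify_incoming`, `verify_outgoing`, `ca_file`, `cert_file` and `key_file` (newer Consul versions group the TLS settings under a `tls` block), manually distributed certificates, and an agent token set in the configuration file rather than through the API; the `audit` function and the sample values are hypothetical.

```python
import base64

# Constructed sample agent configuration (a JSON config file after parsing);
# paths and values are placeholders, not taken from the page.
SAMPLE_CONFIG = {
    "encrypt": base64.b64encode(bytes(range(32))).decode(),  # constructed key
    "verify_incoming": True,
    "verify_outgoing": False,  # deliberately left off
    "ca_file": "/etc/consul.d/ca.pem",
    "cert_file": "/etc/consul.d/agent.pem",
    "key_file": "/etc/consul.d/agent-key.pem",
    "acl": {"enabled": True, "tokens": {}},  # no agent token
}


def audit(cfg):
    """Return the Security checklist items this agent configuration fails."""
    findings = []

    # Gossip encryption: the key is base64 and must decode to 16, 24 or 32 bytes.
    try:
        key = base64.b64decode(cfg.get("encrypt", ""), validate=True)
    except (ValueError, TypeError):
        key = b""
    if len(key) not in (16, 24, 32):
        findings.append("gossip: encrypt key missing or malformed")

    # TLS for RPC: both directions must be verified, and the agent needs its
    # CA, certificate and private key distributed to it.
    for name in ("verify_incoming", "verify_outgoing"):
        if cfg.get(name) is not True:
            findings.append(f"tls: {name} is not enabled")
    for name in ("ca_file", "cert_file", "key_file"):
        if not cfg.get(name):
            findings.append(f"tls: {name} is not set")

    # ACLs: enabled, with a token for the agent itself.
    acl = cfg.get("acl") or {}
    if acl.get("enabled") is not True:
        findings.append("acl: not enabled")
    if not (acl.get("tokens") or {}).get("agent"):
        findings.append("acl: no agent token configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL", finding)
```
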

Monitoring

  • Telemetry has been enabled.
  • API has been configured. New user and token have been created.

Failure Recovery