Day 1: Deploying Your First Datacenter

Appendix: Production Checklist

Below is a checklist that can help you deploy your first datacenter. This checklist is not an exhaustive list and you may need to add additional tasks depending on your environment.

» Infrastructure Planning

» Ports

Refer to the API documentation for specific port numbers or alternate configuration options.

  • DNS server
  • HTTP API
  • HTTPS API
  • gRPC API
  • Serf LAN port
  • Serf WAN port
  • Server RPC address
  • Inclusive minimum port number to use for automatically assigned sidecar service registrations.
  • Sidecar_max_port

» Deployment

» Consul Servers

» Consul Clients

  • Consul binary has been distributed to all clients.
  • The configuration file has been customized.
  • TLS enabled for RPC communication
  • Gossip encryption configured
  • External Service Monitor has been deployed to nodes that cannot run a Consul client.

» Networking

» Configure DNS Caching

Refer to the DNS caching guide for step by step instructions and considerations around DNS performance.

  • Stale reads have been configured in the agent configuration file.
  • Negative response caching have been configured in the agent configuration file.
  • TTL values have been configured in the agent configuration file.

» Setup DNS Forwarding

Refer to the DNS forwarding guide for instructions on integrating Consul with system DNS.

  • BIND, dnsmasq, Unbound, systemd-resolved, or iptables has been configured.

» Security

» Encryption of Communication

  • TLS: RPC encryption for both incoming and outgoing communication.
  • Gossip Encryption. Both incoming and outgoing communication.

» Enable ACLs

Refer to the Securing Consul with ACLs guide for instructions on setting up access control lists.

  • Tokens have been created for all agents and services.

» Setup a Certificate Authority

Refer to the Certificate guide for instructions on setting up a certificate authority.

  • Agent certificates have been created and distributed to all agents.

» Monitoring

  • Telemetry has been enabled.
  • API has been configured. New user and token have been created.

» Failure Recovery