
HashiCorp Consul Service on Azure

Connect VM-based Applications to HashiCorp Consul Service on Azure

In the previous tutorial, Discover HashiCorp Consul Service on Azure Configuration, you retrieved information about HCS on Azure. The data you retrieved enables you to add Consul clients to your HCS on Azure.

In this tutorial, you will create an Azure VM and install a Consul client. You will configure the Consul client to connect to your managed HashiCorp Consul Service (HCS) on Azure servers. After joining the Consul client, you will have a four-node Consul datacenter: three HCS on Azure servers and one Consul client.


To successfully complete this tutorial you will need access to HashiCorp Consul Service on Azure. Additionally, you will need Consul server connection information, Consul client configuration, the ca.pem CA cert file, and an ACL token with the correct permissions.

Complete the Discover HashiCorp Consul Service on Azure Configuration tutorial to retrieve the Consul service information.

You will need the following Azure experience and tools.

»Create an Azure VM and configure networking

To add a Consul client to HCS on Azure, you will need to provision a virtual machine (VM) within a virtual network (VNet) that you manage. The quickest way to do this is to create a new Azure VM within your resource group with its own associated VNet. You will then need to set up a peering connection between your new VNet and the VNet created for HCS on Azure (the VNet for the Managed Resource Group).

The following guidelines simplify the configuration and are a valid setup for test environments. You should always follow your internal policies when planning for production.

  1. Use the Azure console to create a VM in the same resource group where you created the managed HCS on Azure.
  2. At the creation time of your VM and the associated VNet, ensure that you use a CIDR block that does not overlap with the CIDR block selected. HCS on Azure defaults to if you use Azure defaults with address range in 10.x.x.x you should have no issues when following the steps below.

To follow along with the steps in this tutorial, you will need to create a Linux VM. However, the same logical steps can also be applied to macOS or Windows.

»Configure peer VNets to communicate with HCS on Azure

In order for your new VM to communicate with the Consul servers deployed by HCS on Azure, you must establish network connectivity between your new VNet and the VNet created for HCS on Azure. To establish network connectivity, you must configure bi-directional peering.

There are two prerequisites to setting up VNet peering:

  • Your user account must have permissions to create, read, and delete VNet peering. Check Microsoft documentation to learn more about these permissions.
  • VNets attempting to peer cannot have overlapping address spaces.
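
The non-overlap prerequisite can be checked before the client VNet is created. The following Python is an added example, not part of the original tutorial; the function names are hypothetical and the prefixes are constructed samples, so substitute the address spaces shown for your two VNets.

```python
import ipaddress

def overlapping_prefixes(candidate, in_use):
    """Return the in-use prefixes that overlap the candidate prefix."""
    cand = ipaddress.ip_network(candidate)
    return [p for p in in_use if cand.overlaps(ipaddress.ip_network(p))]

def first_free_block(pool, prefixlen, in_use):
    """Return the first block of size /prefixlen inside pool that overlaps
    nothing in use, or None when the pool is exhausted."""
    used = [ipaddress.ip_network(p) for p in in_use]
    for block in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(block.overlaps(u) for u in used):
            return str(block)
    return None

# Constructed sample values: address spaces already taken by the VNets
# that will be peered (an HCS-managed VNet plus one existing VNet).
IN_USE = ["192.168.100.0/24", "192.168.0.0/24"]

if __name__ == "__main__":
    # A /16 for the client VNet contains both prefixes, so peering would fail.
    print(overlapping_prefixes("192.168.0.0/16", IN_USE))
    # Pick the first /24 in the same pool that collides with neither.
    print(first_free_block("192.168.0.0/16", 24, IN_USE))
```

Containment counts as overlap: a wide client range that merely includes the HCS range is rejected in the same way as an identical one.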

To locate the HCS on Azure VNet, navigate to the “Managed Resource Group”. On the "Overview" page, for your HCS on Azure instance, you will find the HCS on Azure listing. Note that this group was created by HashiCorp to contain managed resources for HCS on Azure instances; it is not the same resource group you created for your new VM.

To initialize peering, click the VNet resource, for example hvn-consul-ama-consul-learn-test-vnet, and then select Peerings under Settings in the navigation tree. Use the Add button to create a new peering.

Create a VNet with the name of your client VNet. Be sure to enter names for the peering connection in both directions. Finally, ensure that network access is enabled in both directions under “Configure virtual network access settings”.

Peering HCS VNet with VM VNet

»Test connectivity

Once peering is set up, you should be able to ping your Consul servers deployed with HCS on Azure from your VM. You can use either the IP of one of the server nodes or the private URI of your Consul service.

You can retrieve the IP for the Consul servers deployed with HCS on Azure using the Consul UI on Azure Dashboard.

Azure Marketplace Consul UI Azure Dashboard

Use ping to confirm you can reach the nodes.

$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=3.38 ms
64 bytes from icmp_seq=2 ttl=64 time=1.37 ms
64 bytes from icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from icmp_seq=4 ttl=64 time=2.62 ms

»Configure your Consul client

Download the Consul binary to your Azure VM. Be sure to use the same version of Consul as your Consul servers deployed with HCS on Azure.

You will also need to copy the following files to the VM:

  • consul.json containing the Consul client configuration.
  • ca.pem containing the CA certificates to be used for TLS encryption.

Review the Discover HashiCorp Consul Service on Azure Configuration guide if you have not yet retrieved these files from the Consul service.

»Provision configuration files

Copy the consul.json and ca.pem files you retrieved in the previous tutorial to the VM.

$ cat consul.json
{
  "acl": {
    "enabled": true,
    "down_policy": "async-cache",
    "default_policy": "deny",
    "tokens": {
      "agent": ""
    }
  },
  "ca_file": "./ca.pem",
  "verify_outgoing": true,
  "datacenter": "dc1",
  "encrypt": "Lb64vf/kICB4wiW+gmnHhw==",
  "server": false,
  "log_level": "INFO",
  "ui": true,
  "retry_join": [
    "<retry-join-address>"
  ],
  "auto_encrypt": {
    "tls": true
  }
}

»ACL configuration

Add a client token to your client configuration. You can use the administrative token generated in the Discover HashiCorp Consul Service on Azure Configuration guide or create a new token. In production, you should create a client-specific token with minimum privileges.

Edit consul.json and add the token for the client agent. Use your favorite editor to change the agent token in the ACL section:

$ vim consul.json
{
  "acl": {
    "enabled": true,
    "down_policy": "async-cache",
    "default_policy": "deny",
    "tokens": {
      "agent": "<your-agent-token>"
    }
  },
  ## ...
}
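
Before starting the agent, the edited file can be checked for the settings this tutorial depends on: ACLs on with a deny default, an agent token filled in, TLS verification and auto-encrypt enabled, a usable gossip key, and a CA file in place. The following Python is an added example, not part of the original tutorial or of Consul. The function names, finding messages and the file-permission check are assumptions, ca_file is resolved relative to the directory holding consul.json (where the tutorial starts the agent), and the sample config is constructed.

```python
import base64
import json
import os

# Settings the tutorial's client config relies on: dotted key -> required value
REQUIRED = {"acl.enabled": True, "acl.default_policy": "deny",
            "verify_outgoing": True, "auto_encrypt.tls": True, "server": False}

def _get(cfg, dotted):
    for part in dotted.split("."):
        cfg = cfg.get(part) if isinstance(cfg, dict) else None
    return cfg

def check_client_config(cfg, config_dir="."):
    """Return findings for a parsed consul.json; an empty list means it passed."""
    findings = [f"{k} is not {json.dumps(v)}" for k, v in REQUIRED.items()
                if json.dumps(_get(cfg, k)) != json.dumps(v)]
    token = _get(cfg, "acl.tokens.agent")
    if not token or str(token).startswith("<"):
        findings.append("acl.tokens.agent is empty or still a placeholder")
    ca = cfg.get("ca_file")
    if not ca or not os.path.isfile(os.path.join(config_dir, ca)):
        findings.append("ca_file is unset or the file does not exist")
    try:  # gossip key: base64 text that decodes to an AES key length
        key = base64.b64decode(cfg.get("encrypt") or "", validate=True)
    except (ValueError, TypeError):
        key = b""
    if len(key) not in (16, 24, 32):
        findings.append("encrypt is not a base64-encoded 16, 24 or 32 byte key")
    if not cfg.get("retry_join"):
        findings.append("retry_join is empty")
    return findings

def check_file(path):
    """Check consul.json on disk, including its permissions (it holds secrets)."""
    with open(path) as f:
        findings = check_client_config(json.load(f), os.path.dirname(path) or ".")
    if os.stat(path).st_mode & 0o077:
        findings.append("consul.json is accessible to group or other users")
    return findings

SAMPLE = {  # constructed: the tutorial's file before the token is added
    "acl": {"enabled": True, "default_policy": "deny", "tokens": {"agent": ""}},
    "ca_file": "./ca.pem", "verify_outgoing": True, "server": False,
    "encrypt": "Lb64vf/kICB4wiW+gmnHhw==", "auto_encrypt": {"tls": True},
    "retry_join": ["<retry-join-address>"],  # placeholder, not a real address
}
```

On the VM, `check_file("consul.json")` should return an empty list once the token is set and the file is restricted to its owner (for example with `chmod 600 consul.json`).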

»Join the client to HCS on Azure servers

Once configuration is completed you will have three files located in the same directory:

  • consul.json containing the Consul client configuration.
  • ca.pem containing the CA certificates to be used for TLS encryption.

These files complete the configuration for your client node. You can now start Consul on the VM.

$ consul agent --config-dir . --data-dir=/tmp/consul

»Verify new node appears on UI

Check the Consul UI to ensure the new client is listed under the nodes tab.

Consul UI from the Azure dashboard showing the new VM node

»Next steps

You now have a four-node Consul datacenter with your Azure VM Consul client and your three servers deployed with HCS on Azure. You can now provision existing test infrastructure or services. Keep testing with one of the following Consul Learn tutorials: