
HashiCorp Consul Service on Azure

Connect VM-based Applications to HashiCorp Consul Service on Azure

In the Discover HashiCorp Consul Service on Azure Configuration guide you retrieved information about HCS on Azure. The data you retrieved enables you to add Consul clients to your HCS on Azure.

In this guide, you will create an Azure VM and install a Consul client. You will configure the Consul client to connect to your managed HashiCorp Consul Service (HCS) on Azure servers. After joining the Consul client you will have a four-node Consul datacenter: three HCS on Azure servers and one Consul client.

»Prerequisites

To successfully complete this guide you will need access to HashiCorp Consul Service on Azure. Additionally, you will need Consul server connection information, Consul client configuration, the ca.pem, and an ACL token.

Complete the Discover HashiCorp Consul Service on Azure Configuration guide to retrieve the Consul service information.

You will need the following Azure experience and tools.

»Create an Azure VM and configure networking

To add a Consul client to HCS on Azure, you will need to provision a virtual machine (VM) within a virtual network (VNet) that you manage. The quickest way to do this is to create a new Azure VM within your resource group with its own associated VNet. You will then need to set up a peering connection between your new VNet and the VNet created for HCS on Azure (the VNet for the Managed Resource Group).

The following requirements are guidelines that simplify the configuration and are a valid setup for test environments. You should always follow your internal policies when planning for production.

  1. Use the Azure console to create a VM in the same resource group where you created the managed HCS on Azure.
  2. When you create your VM and its associated VNet, ensure that you use a CIDR that does not overlap with the CIDR range selected for HCS on Azure. HCS on Azure defaults to 172.25.16.0/20; if you use the Azure defaults, with an address range in 10.x.x.x, you should have no issues when following the steps below.

To follow along with the steps in this guide, you will need to create a Linux VM. However, the same logical steps can also be applied to Mac OSX or Windows.

»Configure peer VNets to communicate with HCS on Azure

In order for your new VM to communicate with the Consul servers deployed by HCS on Azure, you must establish network connectivity between your new VNet and the VNet created for HCS on Azure. To establish network connectivity, you must configure bi-directional peering.

There are two prerequisites to setting up VNet peering:

  • Your user account must have permissions to create, read, and delete VNet peering. Check Microsoft documentation to learn more about these permissions.
  • VNets attempting to peer cannot have overlapping address spaces.

To locate the HCS on Azure VNet, navigate to the “Managed Resource Group”. On the "Overview" page, for your HCS on Azure instance, you will find the HCS on Azure listing. Note that this group was created by HashiCorp to contain managed resources for HCS on Azure instances; it is not the same resource group you created for your new VM.

To initialize peering, click the VNet resource, for example hvn-consul-ama-consul-learn-test-vnet, and then select Peerings under Settings in the navigation tree. Use the Add button to create a new peering.

Create a VNet with the name of your client VNet. Be sure to enter names for the peering connection in both directions. Finally, ensure that network access is enabled in both directions under “Configure virtual network access settings”.

Peering HCS VNet with VM VNet

»Test connectivity

Once peering is set up, you should be able to ping your Consul servers deployed with HCS on Azure from your VM. You can use either the IP of one of the server nodes or the private URI of your Consul service.

You can retrieve the IP for the Consul servers deployed with HCS on Azure using the Consul UI on Azure Dashboard.

Azure Marketplace Consul UI Azure Dashboard

Use ping to confirm you can reach the nodes.

$ ping 172.25.16.4
PING 172.25.16.4 (172.25.16.4) 56(84) bytes of data.
64 bytes from 172.25.16.4: icmp_seq=1 ttl=64 time=3.38 ms
64 bytes from 172.25.16.4: icmp_seq=2 ttl=64 time=1.37 ms
64 bytes from 172.25.16.4: icmp_seq=3 ttl=64 time=2.65 ms
64 bytes from 172.25.16.4: icmp_seq=4 ttl=64 time=2.62 ms
##...

»Configure your Consul client

Download the Consul binary to your Azure VM. Be sure to use the same version of Consul as your Consul servers deployed with HCS on Azure.

You will also need to copy the following files to the VM:

  • consul-config.json containing the Consul client configuration.
  • ca.pem containing the CA certificates to be used for TLS encryption.

Review the Discover HashiCorp Consul Service on Azure Configuration guide if you have not yet retrieved these files from the Consul service.

»Client configuration file

Create the client configuration, consul-config.json, from the consulCaFile. Ensure that the ca.pem containing the CA certificate for TLS encryption has been copied to the VM.

{
  "ca_file": "./ca.pem",
  "verify_outgoing": true,
  "datacenter": "dc1",
  "encrypt": "MAwu95CjdTSu76IFTAH82g==",
  "server": false,
  "log_level": "INFO",
  "ui": true,
  "retry_join": [
    "11ea8486-2c78-014a-9f84-0242ac110005.private.consul.az.hashicorp.cloud"
  ],
  "auto_encrypt": {
    "tls": true
  }
}

»ACL configuration

Enable ACLs on the client. You can use the bootstrap token generated in the Discover HashiCorp Consul Service on Azure Configuration guide or create a new token. In production, you should create a client-specific token with minimum privileges.

$ cat acl-config.json
{
  "acl": {
    "tokens": {
      "agent": "06f0a6e4-ce89-b7a4-8429-4d5f987ff3c1"
    }
  }
}
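
Both configuration files hold secrets (the gossip key in consul-config.json, the agent token in acl-config.json) and carry the TLS settings the client depends on. The following pre-flight check is an added example, not part of the original guide or of Consul itself: it lints the two files before the agent is started. The function names, finding messages and sample values are constructed for illustration, and it assumes the agent is started from the configuration directory so that ./ca.pem resolves there.

```python
import base64, json, tempfile
from pathlib import Path

def lint_client_dir(config_dir):
    """Return findings for consul-config.json and acl-config.json in config_dir."""
    d = Path(config_dir)
    cfg_path, acl_path = d / "consul-config.json", d / "acl-config.json"
    cfg = json.loads(cfg_path.read_text())
    findings = []
    if cfg.get("verify_outgoing") is not True:
        findings.append("verify_outgoing is not true")
    if (cfg.get("auto_encrypt") or {}).get("tls") is not True:
        findings.append("auto_encrypt.tls is not true")
    # Assumption: the agent is started from config_dir, so ./ca.pem resolves there.
    ca_path = d / str(cfg.get("ca_file") or "")
    if not (ca_path.is_file() and "-----BEGIN CERTIFICATE-----" in ca_path.read_text()):
        findings.append("ca_file is missing or holds no PEM certificate")
    try:  # gossip key: base64 of 16, 24 or 32 bytes
        key = base64.b64decode(str(cfg.get("encrypt") or ""), validate=True)
    except ValueError:
        key = b""
    if len(key) not in (16, 24, 32):
        findings.append("encrypt is not a valid gossip key")
    tokens = (json.loads(acl_path.read_text()).get("acl") or {}).get("tokens") or {}
    if not tokens.get("agent"):
        findings.append("acl.tokens.agent is not set")
    for path in (cfg_path, acl_path):  # both files hold secrets
        if path.stat().st_mode & 0o077:
            findings.append(f"{path.name} is readable by group or other")
    return findings

def write_sample(config_dir, verify_outgoing, mode):
    """Write constructed sample files; key, token and CA body are placeholders."""
    cfg = {"ca_file": "./ca.pem", "verify_outgoing": verify_outgoing, "server": False,
           "encrypt": base64.b64encode(bytes(16)).decode(), "auto_encrypt": {"tls": True}}
    acl = {"acl": {"tokens": {"agent": "00000000-0000-0000-0000-000000000000"}}}
    pem = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
    files = {"consul-config.json": json.dumps(cfg), "acl-config.json": json.dumps(acl), "ca.pem": pem}
    for name, body in files.items():
        path = Path(config_dir) / name
        path.write_text(body)
        path.chmod(mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp, verify_outgoing=False, mode=0o644)
        print("\n".join(lint_client_dir(tmp)))
```

An empty result means the files match the settings shown in this guide and are readable only by their owner.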

»Join the client to HCS on Azure servers

Once configuration is completed you will have three files located in the same directory:

These files complete the configuration for your client node. You can now start Consul on the VM.

$ consul agent --config-dir . --data-dir=/tmp/consul

»Verify new node appears on UI

Check the Consul UI to ensure the new client is listed under the nodes tab.

Consul UI from the Azure dashboard showing the new VM node

»Next Steps

You now have a four-node Consul datacenter with your Azure VM Consul client and your three servers deployed with HCS on Azure. You can now provision existing test infrastructure or services. Keep testing with one of the following Consul Learn guides: