Book a 90-minute product workshop led by HashiCorp engineers and product experts during HashiConf Digital Reserve your spot

HashiCorp Consul Service on Azure

Discover HashiCorp Consul Service on Azure Configuration

In the Deploy HashiCorp Consul Service on Azure guide you deployed three HashiCorp Consul Service (HCS) on Azure servers. The next step, before deploying clients and services, is to discover information about your servers. In this guide, you will retrieve the HCS on Azure data including server connection information, Consul agent configuration, and Consul certificates.


To successfully complete this guide, you need previous experience with Azure. You will also need the following:

»Retrieve HashiCorp Consul Service properties

Use the Azure CLI tool to retrieve information about your managed HCS on Azure.

»Login into Azure

First, login into Azure using the CLI tool.

$ az login
To sign in, use a web browser to open the page and enter the code A2J3NELBP to authenticate.

The command redirects you to a web page where you can authorize your login. Use the same credentials for this login as you used to access the Azure console and create your HCS on Azure servers.

»Setup environment variables

Once you have logged in with the Azure CLI tool, you need to set several environment variables. The variables will allow you to retrieve the HCS on Azure properties.

  • Subscription ID: The ID for the subscription you are using for this test.
  • Resource group: The resource group you used to deploy the Consul service .
  • Managed app name: This is the name you picked for your Consul service. In this guide, it is learnlab.
  • Cluster name: the name you defined earlier for the Consul service. In this guide, it is consul-learn-test.

Use the export command to save the configuration information as environment variables.

$ export subscription_id=<Your Azure subscription ID>
$ export resource_group=<The resource group>
$ export managed_app_name=<Your HCS on Azure instance name>
$ export cluster_name=<The name you gave to the Consul service>

»Retrieve Consul client configuration and certificates

Now that you have set the HCS on Azure properties as environment variables, you can retrieve Consul client configuration and certificates.

First, use the Azure CLI tool.

$ az resource show \
  --ids "/subscriptions/${subscription_id}/resourceGroups/${resource_group}/providers/Microsoft.Solutions/applications/${managed_app_name}/customconsulClusters/${cluster_name}" \
  --api-version 2018-09-01-preview
  "name": "consul-learn-test",
  "properties": {
    "consulCaFile": "<<base64 encoded CA certificate>>",
    "consulClusterId": "11ea8540-30fd-c98d-9e92-0242ac110005",
    "consulConfigFile": "<<base64 encoded Consul client configuration file>>",
    "consulConnect": "enabled",
    "consulDatacenter": "dc1",
    "consulExternalEndpoint": "enabled",
    "consulExternalEndpointUrl": "",
    "consulInitialVersion": "v1.7.2",
    "consulNumServers": "3",
    "consulPrivateEndpointUrl": "",
    "consulVnetCidr": "",
    "location": "eastus"
  "resourceGroup": "mrg-hcs-production-preview-20200423102144",
  "sku": null,
  "tags": null,
  "type": "Microsoft.CustomProviders/resourceProviders/consulClusters"

From the output above, the two files you will need are:

  • consulCaFile: a base64 encoded certificate for the Consul CA. Save the parameter value in a file called ca.pem.encoded
  • consulConfigFile: a base64 encoded Consul client configuration file.

Save the value of consulCaFile in a file called ca.pem.encoded and the value for consulConfigFilein a file called consul.json.encoded.

Next, decode the information so that you can get the basic configuration file for your client and generate the CA certificates used by Consul to enforce TLS.

»Consul client configuration

Decode the configuration from the consul.json.encoded file.

$ cat consul.json.encoded | base64 --decode | jq . > consul.json
$ cat consul.json
  "acl": {
    "enabled": true,
    "down_policy": "async-cache",
    "default_policy": "deny"
  "ca_file": "./ca.pem",
  "verify_outgoing": true,
  "datacenter": "dc1",
  "encrypt": "gKIfPXW6NThYUAfiPOwdyw==",
  "server": false,
  "log_level": "INFO",
  "ui": true,
  "retry_join": [
  "auto_encrypt": {
    "tls": true

The configuration includes the gossip encryption key which is also used on servers to secure gossip communication.

»TLS certificates

Decode the certificates from the ca.pem.encoded file.

$ cat ca.pem.encoded | base64 --decode > ca.pem

You can verify the certificates using openssl.

$ openssl x509 -noout -text -in ca.pem
        ## ...
        Issuer: CN =
            ## ...
        Subject: CN = 11ea8540-30fd-c98d-9e92-0242ac110005.consul
        Subject Public Key Info:
            ## ...

        X509v3 extensions:
            ## ...

            X509v3 Subject Alternative Name:
    ## ...

The ca.pem certificate is used to enforce mTLS.

»Bootstrap the ACL system

With the HCS on Azure URI, it is possible to use the /v1/acl/bootstrap API to set up ACLs. You will need to configure Consul clients with ACLs to fully secure your Consul datacenter.

export server_url=<External endpoint URI for your HCS on Azure datacenter>

The external endpoint URI can be found by navigating to the Resource Group containing the Managed Application. Navigate to Consul Clusters in the side menu, click on the cluster name, and click on Properties in the side menu. The properties.consulExternalEndpointUrl, which will be in the format <CLUSTER ID>, is the external endpoint URI.

$ curl -sX PUT https://${server_url}/v1/acl/bootstrap

The output from the ACL endpoint will return a bootstrap token in the SecretID parameter.

  "ID": "06f0a6e4-ce89-b7a4-8429-4d5f987ff3c1",
  "AccessorID": "06a5246d-81ce-352f-67ef-34b4aab8ed99",
  "SecretID": "06f0a6e4-ce89-b7a4-8429-4d5f987ff3c1",
  "Description": "Bootstrap Token (Global Management)",
  "Policies": [
      "ID": "00000000-0000-0000-0000-000000000001",
      "Name": "global-management"

Using the bootstrap token, identified by the value of SecretID, you can create policies and tokens to define ACLs for your client nodes.

»Next Steps

In this guide you used the Azure CLI tool to discover information about HCS on Azure and to bootstrap the ACL system in your Consul datacenter. With the Consul server agent configuration, the TLS certificate, and the ACL token you created, you can now add Consul clients to your Consul service. Continue to the Connect VM-based Applications to HashiCorp Consul Service on Azure guide to connect an Azure VM and install a Consul client or Connect an Azure Kubernetes Service (AKS) cluster to HashiCorp Consul Service on Azure guide to connect Consul clients deployed into a Kubernetes cluster.

To learn more about the Consul ACL system and how to create ACL tokens, complete the Secure Consul with ACLs guide.

To learn more about TLS encryption and configuration settings, read the Secure Agent Communication with TLS Encryption guide.

If you have any feedback for the HashiCorp Engineering or SRE team, including leaving comments and filing bugs, please contact