Beta Feature: Currently, HashiCorp Consul Service (HCS) on Azure is BETA and not suitable for deployment in production.
HashiCorp Consul Service (HCS) on Azure enables Microsoft Azure users to natively provision HashiCorp-managed Consul servers in any supported Azure region directly through the Azure Marketplace. As a fully managed service, HCS on Azure lowers the barrier to entry for an organization to leverage Consul for service discovery or service mesh across a mix of VM, hybrid/on-premises, and Kubernetes environments while offloading the operational burden to the Site Reliability Engineering (SRE) experts at HashiCorp.
In this guide you will deploy an instance of HashiCorp Consul Service on your Azure subscription and learn the available configuration options for the servers. Finally you will interact with your Consul service using the Consul UI.
To successfully complete this guide, you need previous experience with Azure. We also recommend experience deploying applications from the Azure Marketplace and familiarity with Azure networking regions and VNets.
Note: for production deployments you will need at least 6 vCPUs available in the region, which requires an upgrade to a paid Azure subscription.
»Managed HashiCorp Consul Service on Azure
HCS on Azure is a fully managed service. The HashiCorp SRE team will manage all of the operational tasks including provisioning, monitoring, troubleshooting, and server upgrades. This allows you to adopt Consul for secure service-to-service communication across any Azure-connected environment and to focus on application and workload-specific concerns.
»Setup HCS on Azure
»Create a resource group
First, you will need to define a resource group where you will deploy the Consul service. Create a new one and ensure that it is located in one of the four supported regions.
- (US) East US
- (US) West US 2
- (Europe) West Europe
- (Europe) North Europe
It can take up to 30 seconds for the resource group to converge.
»Create an HCS on Azure datacenter
HCS will be deployed as a managed application, you will be able to locate it in the marketplace under the name "HashiCorp Consul Service on Azure."
You can also access the service directly using the following URL.
Click the Create button to start the configuration process.
»Configure your HCS on Azure datacenter
On the create screen, you'll define parameters for your Consul service.
- On the Basics tab, you will define details such as the resource group, region, and cluster mode.
- The Consul settings tab is optional. You can adapt Consul cluster settings to your use case, such as the visibility of the Consul UI.
We have configured HCS on Azure with several security defaults that cannot be disabled. You will need to take additional steps to configure your Consul clients in order to communicate with your HCS on Azure servers.
- Access Control Lists (ACL) are enabled by default and cannot be disabled. See the next guide for steps to Bootstrap the ACL system.
- Transport Layer Security (TLS) and gossip encryption are on by default and cannot be disabled. You will need to retrieve the TLS certificates and encrypt key in order to participate in agent to agent communication. See the next guide to retrieve the Consul client configuration and certificates.
Subscription: the subscription you are using.
Resource Group: the resource group you created earlier. If you did not create one yet you can do it using the Create new link. In this guide we will use the resource group named
Region: the region where you want the application to be deployed. The supported regions are:
- (US) East US
- (US) West US 2
- (Europe) West Europe
- (Europe) North Europe
Cluster Mode and Number of Servers: two options are available for the mode.
Production creates a highly available Consul datacenter. During the public beta, the only value available for Number of Servers in production mode is
3. To support 3 servers, you will need at least 6 vCPU available in the deployment region.
Non-production creates a single server Consul service. This mode should only be used for testing purposes as the single node configuration makes the enforcement of uptime SLA policies impossible.
Application Name: defines the name of the application deployed inside the resource group. In this guide we will use
NOTE: HashiCorp will deploy resources into the “Managed Resource Group” that is created by this process. This resource group is used only for resources created as part of this managed application and is separate from the resource group used for your VMs and other resources that you list at the top of the page.
In the Azure dashboard, click Next to move to the Consul Settings.
Cluster Name: defines the name for the Consul datacenter you are creating. In this guide we will use
Data Center: defines the datacenter name for your configuration, this is the datacenter you are going to use to configure your clients. This defaults to
Consul Version: helps you select a Consul version to run in your datacenter. Currently, the only available version is
1.7.2. The deployment will run using Consul Enterprise.
External Endpoint: defines whether you want your External Endpoint enabled or disabled. “Enabled” means that your datacenter will have a public IP address. “Disabled” means that you will have no public IPs visible to the internet. Note that if you select “Disabled” you will not be able to connect to the datacenter unless you can route to the VLAN and IP address configured for Consul.
VNET starting IP address: configures the initial IP address for the VNET CIDR range of your Consul datacenter. A prefix of
/24will be applied to the created VNet. The default value should be fine for test environments. In case you are planning to connect the HCS datacenter to an existing VNet that already uses addresses in the default range, or if you have internal policies on the address ranges to use internally, you can adapt your instance to your needs by changing the default value here.
Click Review + Create and then Create to create the cluster. The cluster will be provisioned, which shouldn't take more than 15 minutes.
You can monitor the status of the provisioning process by navigating to your resource group (such as learn-hcs-lab), finding your application (such as learnlab), and examining the Overview section. If you see a message that "The application is still being provisioned", wait a few minutes and refresh the page. Provisioning should take less than 15 minutes.
»Access the Consul UI
There are two options for accessing the Consul UI. The first and quickest is through the Azure dashboard. Alternatively, you can access the UI in a new browser tab.
WARNING: If you selected
disabled for the “External Endpoint” setting
above, none of the options below will permit you to access Consul UI from a
local machine or the Azure UI. If you have a VPN setup with access to the HCS
private network, you can reach the Consul UI via its private URL, exposed under
properties.consulPrivateEndpointUrl property that is in the form
To display the embedded Consul UI open the Azure portal using this link:
This link contains a feature flag that enables IFrame behavior. Once you have done so, navigate to your application and click “Consul UI” in the left hand navigation pane.
You will see the Consul UI. No services will be displayed, but the presence of the Consul logo and the Services page show that it was successful.
»Delete your HCS on Azure datacenter
Continue to the next steps below to read additional guides on how to use your Consul service. Review them if you want to start experimenting with your Consul service and conduct integration tests for your applications.
Remember to delete the test environment at the end of your tests. Follow these steps to remove the application from your resource group.
Navigate to the resource group you deployed (
learn-hcs-labin our case).
Locate the application (
learnlabin our case) and click on it to open the overview.
In the overview screen click on the Delete button as shown on the screen below.
Once you confirm deletion, the Consul service will be removed from your resource group.
In this guide you deployed the managed HashiCorp Consul Service (HCS) on Azure. You learned how to access the Consul UI and how to delete your HCS on Azure.
In the the next guide, retrieve HCS on Azure data including server connection information, Consul client configuration, and Consul certificates. The data retrieved enables you to add Consul clients VMs or AKS clients to HCS on Azure.
If you have any feedback the HashiCorp Consul Service on Azure, including leaving comments and filing bugs, contact HCSfirstname.lastname@example.org.
You can monitor the state of the HashiCorp Consul Service on Azure and subscribe to updates at https://hashicorpcloud.statuspage.io/.