Day 1: Security and Network Operations

Introduction

Security and Networking

This learning track is part of the Day 1 learning path, and will cover how to secure and set up networking for your first Consul cluster. It assumes that you have already completed the Day 1: Deploying Your First Datacenter track.

By following this track you will learn about:

Gossip Encryption

By the end of this guide, you will be able to configure gossip encryption on a your cluster. Gossip communication between all agents in the cluster can be secured with a symmetric key.

Gossip Encryption

Securing Agent Communication with TLS Encryption

By the end of the this guide, you will know how to generate certificates for your cluster. This guide will cover how to create a Certificate Authority(CA), and how to generate server certificates and client certificates. Encrypting both incoming and outgoing communication is crucial for securing the cluster.

Securing Agent Communication with TLS Encryption

Securing Consul with ACLs

By the end of this guide, you will have ACLs configured on the Consul agents, servers and clients. For each step, you will be able to recognize if the process is not properly executed. Optionally, you can also configure the anonyomous token and token for the UI.

Securing Consul with ACLs

Managing ACL Policies

By the end of this guide, you will be able to discover the minimum privileges required for any datacenter operation.

Managing ACL Policies

DNS Caching

By the end of this guide, you will be able to update the parameters for tuning stale reads, negative response caching, and TTL in the agent's configuration file.

DNS Caching

Forwarding DNS

By the end of this guide, you will be able to setup DNS forwarding from BIND, dnsmasq, Unbound, systemd-resolved, iptables, or macOS. You will also be able to test and troubleshoot the DNS service after the initial setup.

Forwarding DNS

Datacenter Federation with WAN Gossip

By the end of this guide, you will connect two datacenters using WAN gossip. This guide includes two methods for connecting the Consul servers, on the command line or in the agent's configuration file.

Datacenter Federation