
Production Readiness Checklist

  • Products used: Consul
  • This tutorial also appears in: Datacenter Deploy.

Below is a checklist that can help you deploy your first datacenter. This checklist is not an exhaustive list and you may need to add additional tasks depending on your environment.

»Infrastructure Planning

  • Review the reference diagram and requirements.

»Ports

Refer to the API documentation for specific port numbers or alternate configuration options.

  • DNS server
  • HTTP API
  • HTTPS API
  • gRPC API
  • Serf LAN port
  • Serf WAN port
  • Server RPC address
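  • `sidecar_min_port`: inclusive minimum port number to use for automatically assigned sidecar service registrations.
  • `sidecar_max_port`: inclusive maximum port number to use for automatically assigned sidecar service registrations.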

»Deployment

»Consul Servers

  • Read the release notes for the Consul version.
  • Consul binary has been distributed to all servers.
  • Customize the server configuration file or files.
  • Autopilot is configured or disabled.
  • TLS encryption is enabled for RPC and consensus communication.
  • Gossip encryption configured.
  • ACLs bootstrapped.
  • Telemetry configured.

»Consul Clients

  • Consul binary has been distributed to all clients.
  • The configuration file has been customized.
  • TLS encryption is enabled for RPC communication.
  • Gossip encryption configured.
  • External Service Monitor has been deployed to nodes that cannot run a Consul client.

»Networking

»Configure DNS Caching

Refer to the DNS caching tutorial for step by step instructions and considerations around DNS performance.

  • Stale reads have been configured in the agent configuration file.
  • Negative response caching has been configured in the agent configuration file.
  • TTL values have been configured in the agent configuration file.

»Setup DNS Forwarding

Refer to the DNS forwarding tutorial for instructions on integrating Consul with system DNS.

  • BIND, dnsmasq, Unbound, systemd-resolved, or iptables has been configured.

»Security

»Encryption of Communication

  • TLS: RPC encryption for both incoming and outgoing communication.
  • Gossip encryption: encryption for both incoming and outgoing communication.

»Enable ACLs

Refer to the "Secure Consul with Access Control Lists (ACLs)" tutorial for instructions on setting up access control lists.

  • Tokens have been created for all agents and services.

»Setup a Certificate Authority

Refer to the "Secure Consul Agent Communication with TLS Encryption" tutorial for instructions on setting up a certificate authority.

  • Agent certificates have been created and distributed to all agents.
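
The Security items above can be checked mechanically against an agent configuration file. The following is an added example, not code from the tutorial or from Consul; it assumes a JSON agent configuration, TLS options set either at the top level or under `tls.defaults`, a CA given as `ca_file`, and manually distributed certificates, and the sample configuration is constructed.

```python
import json

# Constructed sample agent configuration (JSON form); values are placeholders.
SAMPLE_CONFIG = """{
  "encrypt": "GOSSIP-KEY-PLACEHOLDER",
  "verify_incoming": true,
  "verify_outgoing": false,
  "ca_file": "/etc/consul.d/ca.pem",
  "cert_file": "/etc/consul.d/agent.pem",
  "key_file": "/etc/consul.d/agent-key.pem",
  "acl": {"enabled": true, "tokens": {}}
}"""

def tls_opt(cfg, key):
    """Read a TLS option from the top-level key or, failing that, tls.defaults."""
    if key in cfg:
        return cfg[key]
    return cfg.get("tls", {}).get("defaults", {}).get(key)

def audit(cfg):
    """Return the Security checklist items that this agent configuration fails."""
    findings = []
    for direction in ("incoming", "outgoing"):
        if tls_opt(cfg, f"verify_{direction}") is not True:
            findings.append(f"TLS: verify_{direction} is not enabled")
        # Gossip verification defaults to true, so only an explicit false fails.
        if cfg.get(f"encrypt_verify_{direction}", True) is not True:
            findings.append(f"Gossip: encrypt_verify_{direction} is disabled")
    if not cfg.get("encrypt"):
        findings.append("Gossip: no encrypt key configured")
    if not all(tls_opt(cfg, k) for k in ("ca_file", "cert_file", "key_file")):
        findings.append("CA: agent certificate, key or CA file is missing")
    acl = cfg.get("acl", {})
    if acl.get("enabled") is not True:
        findings.append("ACL: ACLs are not enabled")
    elif not acl.get("tokens", {}).get("agent"):
        findings.append("ACL: no agent token in the configuration file")
    return findings

if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE_CONFIG)):
        print("FAIL", finding)
```

An agent token supplied at runtime rather than in the configuration file will be reported as missing, so treat that finding as a prompt to confirm how the token is delivered.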

»Monitoring

  • Telemetry has been enabled.
  • API has been configured. New user and token have been created.

»Failure Recovery

  • Backups are being periodically captured.
  • Outage recovery plan has been outlined.

