Below is a checklist that can help you deploy your first datacenter. This checklist is not an exhaustive list and you may need to add additional tasks depending on your environment.
»Infrastructure Planning
- Review the reference diagram and requirements.
»Ports
Refer to the API documentation for specific port numbers or alternate configuration options.
dns, DNS server porthttp, HTTP API porthttps, HTTPS API portgrpc, gRPC API portserf_lan, Serf LAN portserf_wan, Serf WAN portserver, server RPC address portsidecar_min_port, inclusive minimum port number to use for automatically assigned sidecar service registrationssidecar_max_port, inclusive maximum port number to use for automatically assigned sidecar service registrationsexpose_min_port, inclusive minimum port number to use for automatically assigned exposed check listenersexpose_max_port, inclusive maximum port number to use for automatically assigned exposed check listeners
»Deployment
»Consul Servers
- Read the release notes for the Consul version.
- Consul binary has been distributed to all servers.
- Customize the server configuration file or files.
- Autopilot is configured or disabled.
- TLS encryption is enabled for RPC and consensus communication.
- Gossip encryption configured.
- ACLs bootstrapped.
- Telemetry configured.
»Consul Clients
- Consul binary has been distributed to all clients.
- The configuration file has been customized.
- TLS enabled for RPC communication
- Gossip encryption configured
- External Service Monitor has been deployed to nodes that cannot run a Consul client.
»Networking
»Configure DNS Caching
Refer to the DNS caching tutorial for step by step instructions and considerations around DNS performance.
- Stale reads have been configured in the agent configuration file.
- Negative response caching have been configured in the agent configuration file.
- TTL values have been configured in the agent configuration file.
»Setup DNS Forwarding
Refer to the DNS forwarding tutorial for instructions on integrating Consul with system DNS.
- BIND, dnsmasq, Unbound, systemd-resolved, or iptables has been configured.
»Security
»Encryption of Communication
- TLS: RPC encryption for both incoming and outgoing communication.
- Gossip Encryption. Both incoming and outgoing communication.
»Enable ACLs
Refer to the Secure Consul with Access Control Lists (ACLs) tutorial for instructions on setting up access control lists.
- Tokens have been created for all agents and services.
»Setup a Certificate Authority
Refer to the Secure Consul Agent Communication with TLS Encryption tutorial for instructions on setting up a certificate authority.
- Agent certificates have been created and distributed to all agents.
»Monitoring
- Telemetry has been enabled.
- API has been configured. New user and token have been created.
Official Grafana dashboard: If your are using Grafana to monitor your Consul datacenter health, we suggest you to use the Consul Server Monitoring Dashboard maintained by the Consul team at HashiCorp.
»Failure Recovery
- Backups are being periodically captured.
- Outage recovery plan has been outlined.
