Skip to main content
Just announced HashiConf Global full schedule: keynotes, sessions, labs & more. Register Now
Type '/' to Search

A new platform for documentation and tutorials is launching soon.

We are migrating Learn content into HashiCorp Developer, our new developer experience.

Production Readiness Checklist

This tutorial also appears in: Associate Tutorials.

Below is a checklist that can help you deploy your first datacenter. This checklist is not an exhaustive list and you may need to add additional tasks depending on your environment.

»Infrastructure Planning

»Ports

Refer to the API documentation for specific port numbers or alternate configuration options.

  • dns, DNS server port
  • http, HTTP API port
  • https, HTTPS API port
  • grpc, gRPC API port
  • serf_lan, Serf LAN port
  • serf_wan, Serf WAN port
  • server, server RPC address port
  • sidecar_min_port, inclusive minimum port number to use for automatically assigned sidecar service registrations
  • sidecar_max_port, inclusive maximum port number to use for automatically assigned sidecar service registrations
  • expose_min_port, inclusive minimum port number to use for automatically assigned exposed check listeners
  • expose_max_port, inclusive maximum port number to use for automatically assigned exposed check listeners

»Deployment

»Consul Servers

»Consul Clients

  • Consul binary has been distributed to all clients.
  • The configuration file has been customized.
  • TLS enabled for RPC communication
  • Gossip encryption configured
  • External Service Monitor has been deployed to nodes that cannot run a Consul client.

»Networking

»Configure DNS Caching

Refer to the DNS caching tutorial for step by step instructions and considerations around DNS performance.

  • Stale reads have been configured in the agent configuration file.
  • Negative response caching have been configured in the agent configuration file.
  • TTL values have been configured in the agent configuration file.

»Setup DNS Forwarding

Refer to the DNS forwarding tutorial for instructions on integrating Consul with system DNS.

  • BIND, dnsmasq, Unbound, systemd-resolved, or iptables has been configured.

»Security

»Encryption of Communication

  • TLS: RPC encryption for both incoming and outgoing communication.
  • Gossip Encryption. Both incoming and outgoing communication.

»Enable ACLs

Refer to the Secure Consul with Access Control Lists (ACLs) tutorial for instructions on setting up access control lists.

  • Tokens have been created for all agents and services.

»Setup a Certificate Authority

Refer to the Secure Consul Agent Communication with TLS Encryption tutorial for instructions on setting up a certificate authority.

  • Agent certificates have been created and distributed to all agents.

»Monitoring

  • Telemetry has been enabled.
  • API has been configured. New user and token have been created.

Official Grafana dashboard: If your are using Grafana to monitor your Consul datacenter health, we suggest you to use the Consul Server Monitoring Dashboard maintained by the Consul team at HashiCorp.

»Failure Recovery

stdin: is not a tty