Production Readiness Checklist

Below is a checklist that can help you deploy your first datacenter. This checklist is not an exhaustive list and you may need to add additional tasks depending on your environment.

»Infrastructure Planning

• Review the reference diagram and requirements.

»Ports

Refer to the API documentation for specific port numbers or alternate configuration options.

• DNS server
• HTTP API
• HTTPS API
• gRPC API
• Serf LAN port
• Serf WAN port
• Server RPC address
• Inclusive minimum port number to use for automatically assigned sidecar service registrations.
• Sidecar_max_port

»Deployment

»Consul Servers

• Read the release notes for the Consul version.
• Consul binary has been distributed to all servers.
• Customize the server configuration file or files.
• Autopilot is configured or disabled.
• TLS encryption is enabled for RPC and consensus communication.
• Gossip encryption configured.
• ACLs bootstrapped.
• Telemetry configured.

»Consul Clients

• Consul binary has been distributed to all clients.
• The configuration file has been customized.
• TLS enabled for RPC communication
• Gossip encryption configured
• External Service Monitor has been deployed to nodes that cannot run a Consul client.

»Networking

»Configure DNS Caching

Refer to the DNS caching tutorial for step by step instructions and considerations around DNS performance.

• Stale reads have been configured in the agent configuration file.
• Negative response caching have been configured in the agent configuration file.
• TTL values have been configured in the agent configuration file.

»Setup DNS Forwarding

Refer to the DNS forwarding tutorial for instructions on integrating Consul with system DNS.

• BIND, dnsmasq, Unbound, systemd-resolved, or iptables has been configured.

»Security

»Encryption of Communication

• TLS: RPC encryption for both incoming and outgoing communication.
• Gossip Encryption. Both incoming and outgoing communication.

»Enable ACLs

Refer to the "Secure Consul with Access Control Lists (ACLs)" tutorial for instructions on setting up access control lists.

• Tokens have been created for all agents and services.

»Setup a Certificate Authority

Refer to the "Secure Consul Agent Communication with TLS Encryption for instructions on setting up a certificate authority.

• Agent certificates have been created and distributed to all agents.

»Monitoring

• Telemetry has been enabled.
• API has been configured. New user and token have been created.

»Failure Recovery

• Backups are being periodically captured.
• Outage recovery plan has been outlined.