A service mesh is a dedicated layer that provides secure service-to-service communication for on-prem, cloud, or multi-cloud infrastructure. Service meshes are often used in conjunction with the microservice architectural pattern, but can provide value in any scenario where complex networking is involved.
Service meshes typically consist of a control plane and a data plane. The control plane is responsible for securing the mesh, facilitating service discovery, health checking, policy enforcement, and other similar operational concerns. The data plane handles communication between services. Many service mesh solutions employ a sidecar proxy to handle data plane communications, and thus limit the level of awareness the services need to have about the network environment.
Consul is a service mesh solution that offers a software-driven approach to:
- Security (mTLS & ACLs)
- Network segmentation
- Failure handling
- Network observability
Consul's service mesh feature provides service-to-service networking and security through connection authorization and encryption using mutual Transport Layer Security (mTLS). Applications deployed with the service mesh feature enabled can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections, without being aware of Consul at all.
This collection of five tutorials will give you a basic introduction to Consul service mesh with a focus on Kubernetes deployments. You will deploy services in Kubernetes taking advantage of the features provided by Consul.
In this tutorial, you will review the service mesh features of Consul, and prepare a Kubernetes cluster for your Consul deployment.
The tutorials in this collection provide you steps for Minikube or
kind as the default
environment. Even though the example commands and output are based on these tools,
the same command should be applicable to any Kubernetes cluster.
To successfully complete the exercises in these tutorials, you will need:
- A Kubernetes cluster
- Helm to deploy Consul
- kubectl to interact with your Kubernetes cluster and deploy services
If you decide to use
kind, you will also need
Docker installed in your test machine.
»Consul service mesh benefits
The adoption of microservices architectures and cloud infrastructure is requiring new approaches to networking. There are many different vendors and tools, each attempting to solve the problem in different ways. The Consul service mesh solution makes no assumptions about the underlying network and uses a pure software approach with a focus on simplicity and broad compatibility.
Consul service mesh simplifies service discovery in complex networking environments, and streamlines deploying applications into a zero-trust network.
When new versions of a service are deployed and have to exist alongside other instances of the same application, often on different versions, the ability to manage changes in the service landscape of your network becomes crucial. Consul helps you by offering a service catalog, configurable service routing, health checks, automatic load balancing, and geo-failover across multiple instances of the same service.
»Zero-trust security model
The increasing complexity of deployment scenarios places a heavy burden on network security operators and amplifies the limitations inherent with any sort of manual configuration approach. Environments like Kubernetes, or public cloud networks, where IP addresses change often or are unknown, add to the overall complexity of the challenge.
Under the hood, the Consul service mesh is made up of proxies deployed locally alongside each service instance. These proxies, called sidecar proxies, control network communication between their local service instance and other services on the network. The sidecar proxy handles inbound and outbound service connections, and ensures TLS connections between services are both verified and encrypted.
Consul service mesh uses mutual TLS (mTLS) and will automatically generate and distribute the TLS certificates for every service in the mesh. The certificates are used for both:
- service identity verification
- service communication encryption
»Simplify application security with intentions
Once the service sidecar proxies are deployed, communication between services is secure within the mesh. However, you may wish to define a more fine-grained set of policies that specify which services are authorized to communicate with each other. Consul provides this functionality in the form of a feature called intentions. Intentions allow you to define service based access control for services in the Consul service mesh at the network level. You can control which services are allowed or not allowed to establish connections, at a conceptual, service definition level, rather than having to manually manage complex firewall rules and port mappings.
»Consul platform compatibility
»First-class Kubernetes support
Consul offers first-class Kubernetes support by providing an official Helm chart for installing, configuring, and upgrading Consul on Kubernetes. The chart automates the installation and configuration of Consul service mesh for Kubernetes.
»Platform agnostic and multi-cluster mesh
Consul is compatible with all architectures and cloud providers. The service catalog sync and auto-join features permit you to extend the boundaries of your Kubernetes cluster to include services running outside of Kubernetes.
Consul also integrates with HashiCorp Nomad to provide secure service-to-service communication between Nomad jobs and task groups. With a few changes to the job specification, job authors can opt into Connect integration. When Connect is enabled, Nomad will launch a proxy alongside the application in the job file. The Envoy proxy provides secure communication with other applications in the cluster.
»Setup a Kubernetes environment
First, you'll need to follow the directions for installing Minikube, including VirtualBox or a similar virtualization tool.
»Start a Minikube cluster
Start Minikube with the optional
--memory flag specifying the equivalent of
4-8GB of memory so that your pods will have enough resources. Starting Minikube
may take several minutes. It will download an additional 100-300MB of
dependencies and container images.
$ minikube start --memory 4096
When you start a Minikube cluster, Minikube will insert all the required entries into
your KUBECONFIG file, and set the Minikube cluster as the current context. You will
be able interact with your Minikube cluster using
kubectl right away.
Next, use the Minikube dashboard command to launch the local Kubernetes dashboard in a browser. Even if the previous step completed successfully, you may have to wait a minute or two for Minikube to be available. If you receive an error, try again after a few minutes.
$ minikube dashboard
Once it's available, you'll be able to navigate to the dashboard in your web browser. You can view pods, nodes, and other resources.
»Delete the Minikube cluster
When you are done experimenting with your minikube cluster, you can delete it with the delete command as shown below.
The tutorials in this collection assume you have this cluster available. Do not delete your cluster now if you intend to continue working through the rest of the tutorials.
$ minikube delete
In this tutorial you learned the basic concepts of a service mesh network and how Consul features can help you implement one in your environment.
In the next tutorial, Deploy Consul Service Mesh on Kubernetes you will deploy Consul service mesh in a Kubernetes cluster using the Helm chart.