Service mesh solves the networking and security challenges of operating microservices and cloud infrastructure. Consul is a service mesh solution that offers a software-driven approach to routing and segmentation. It also brings additional benefits such as failure handling, retries, and network observability.
Consul "connect", HashiCorp's service mesh feature, provides service-to-service networking and security through connection authorization and encryption using mutual Transport Layer Security (mTLS). Applications deployed with the "connect" feature can use sidecar proxies in a service mesh configuration to establish TLS connections for inbound and outbound connections, without being aware of Consul at all.
This collection of five tutorials will give you a basic introduction to Consul service mesh with a focus on Kubernetes deployments. You will learn how to deploy services in Kubernetes taking advantage of the features provided by Consul.
In this tutorial, you will learn about the service mesh features of Consul, and prepare a Kubernetes cluster for your Consul deployment.
The tutorials in this collection provide you steps for Shipyard and Minikube as the default environment. Even though the example commands and output are based on these tools, the same command should be applicable to any Kubernetes cluster.
To successfully complete the exercises in these tutorials, you will need:
- A Kubernetes cluster.
- Helm to deploy Consul.
- kubectl to interact with your Kubernetes cluster and deploy services.
If you decide to use Shipyard, you will also need Docker installed in your test machine.
»Discover Consul service mesh benefits
The adoption of microservices architectures and cloud infrastructure is offering new approaches to networking. There are many different vendors and tools, each attempting to solve the problem in different ways. The Consul service mesh solution makes no assumptions about the underlying network and uses a pure software approach with a focus on simplicity and broad compatibility.
Consul addresses the new microservices architecture challenges with service discovery and allowing operators to deploy applications into a zero-trust network.
»Provide service discovery
When new versions of a service/app are constantly deployed and have to exist alongside other instances of the same application, often on different versions, the capability to reflect changes in the service landscape in your network becomes crucial. Consul helps you by offering a service catalog, health checks, automatic load balancing, and geo-failover across multiple instances of the same service.
»Introduce zero-trust security model
The increasing complexity of deployment scenarios also puts a heavy burden on network security and shows the limitation of any sort of manual configuration. Environments like Kubernetes, or cloud providers, where IP addresses change often or are unknown adds to the overall complexity of the configuration.
Under the hood, a service mesh is made up of proxies deployed locally alongside each service instance, which control network communication between their local instance and other services on the network. A per-service proxy sidecar transparently handles inbound and outbound service connections, automatically verifying and encrptying TLS connections between services.
Consul service mesh uses mutual TLS (mTLS) and will automatically generate and distribute the TLS certificates for every service in the mesh. The certificates are used for both:
- service identity verification
- service communication encryption
»Simplify application security
Once the service sidecar proxies are deployed, it is still necessary to authorize communication between services. Consul helps you secure service communication at the network level by enabling you to manage service-to-service communication permissions using intentions. Intentions define service based access control for services in the Consul service mesh and are used to control which services are allowed or not allowed to establish connections.
»Consul platform compatibility
»First-class Kubernetes support
Consul offers first-class Kubernetes support by providing an official Helm chart for installing, configuring, and upgrading Consul on Kubernetes. The chart helps you automate the installation and configuration of Consul service mesh for Kubernetes.
»Platform agnostic and multi-cluster mesh
While offering a first class integration with Kubernetes, Consul is also compatible with all architectures and cloud providers. The service catalog sync and auto-join features permit you to extend the boundaries of your Kubernetes cluster to include services running outside of Kubernetes.
»Setup a Kubernetes environment
First, you'll need to follow the directions for installing Minikube, including VirtualBox or a similar virtualization tool.
Start Minikube with the optional
--memory flag specifying the equivalent of
4-8GB of memory so that your pods will have enough resources. Starting Minikube
may take several minutes. It will download an additional 100-300MB of
dependencies and container images.
$ minikube start --memory 4096
Next, use the Minikube dashboard command to launch the local Kubernetes dashboard in a browser. Even if the previous step completed successfully, you may have to wait a minute or two for Minikube to be available. If you receive an error, try again after a few minutes.
$ minikube dashboard
Once it's available, you'll be able to navigate to the dashboard in your web browser. You can view pods, nodes, and other resources.
In this tutorial you learned the basic concepts of a service mesh network and how Consul features can help you implement one in your environment.
In the next tutorial Deploy Consul Service Mesh on Kubernetes we will learn how to deploy Consul service mesh in a Kubernetes cluster using the Helm chart.