Securely connect your services with Consul service mesh
In this tutorial, you will deploy HashiCups, a demo application, into Consul service mesh. After deploying HashiCups, you will explore service-to-service traffic permissions with intentions.
The resources created in this tutorial are used by the following tutorials to enable external traffic ingress with Consul API Gateway and to explore service mesh observability.
In this tutorial, you will:
- Deploy the demo application HashiCups
- View Consul services
- Test the demo application
- Configure service-to-service traffic permissions with intentions
Prerequisites
This tutorial assumes that you have successfully completed the first tutorial in this getting started collection, which installed Consul on Kubernetes in secure mode.
For this tutorial, you will need:
Deploy the demo application
In this section, you will deploy the demo application HashiCups, which lets you explore Consul's service mesh features.
Consul uses Envoy proxy sidecars to provide service mesh capabilities to your applications. In this case, the pod template of each HashiCups Kubernetes Deployment carries the `consul.hashicorp.com/connect-inject: "true"` annotation. Consul's connect injector, a mutating admission webhook, acts on this annotation and adds an Envoy proxy sidecar container (plus a `consul-connect-inject-init` init container that registers the service) to every pod the Deployment creates. Note that the annotation value must be the quoted string `"true"`; Kubernetes annotation values are strings, and an unquoted boolean is rejected.
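The following manifest is an added illustration of that annotation and is not one of the tutorial's own HashiCups manifests. The service name `frontend`, the port `3000` and the image reference are placeholders chosen for the example; the ServiceAccount, Service and Deployment shown are the minimum a Consul-on-Kubernetes workload needs when ACLs are enabled.

```yaml
# Added example: a minimal mesh-enabled workload for a hypothetical "frontend"
# service. Names, ports and the image reference are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  # With ACLs enabled, Consul on Kubernetes requires the pod's ServiceAccount
  # name to match the Consul service name; a mismatch leaves the pod stuck in
  # Init with an error from the connect-inject init container.
  name: frontend
---
apiVersion: v1
kind: Service
metadata:
  # The Consul service name is taken from the Kubernetes Service that selects
  # the pod, so this name is what intentions refer to later.
  name: frontend
spec:
  selector:
    app: frontend
  ports:
    - name: http
      port: 3000
      targetPort: 3000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: frontend
  template:
    metadata:
      labels:
        app: frontend
      annotations:
        # The only line that puts the pod into the mesh. The injector webhook
        # adds the Envoy sidecar and the consul-connect-inject-init container.
        # The value must be the quoted string "true", not a YAML boolean.
        consul.hashicorp.com/connect-inject: "true"
    spec:
      serviceAccountName: frontend
      containers:
        - name: frontend
          image: registry.example.com/hashicups/frontend:1.0.0   # placeholder image
          ports:
            - containerPort: 3000
```

Once applied, `kubectl get pods` shows the pod with two ready containers, the application and its proxy sidecar, and `kubectl describe pod` lists the init container the injector added. If a pod stays in `Init`, the init container's logs usually name the cause, most often the ServiceAccount/service name mismatch noted above.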
Deploy the HashiCups application.
Check the pods to confirm they are all running. Each HashiCups pod should report two ready containers: the application and the injected proxy sidecar.
Tip
The initial HashiCups deployment will take about 1-2 minutes to complete.
The diagram below shows the services running in your Kubernetes cluster. This includes the service mesh layer and HashiCups microservice application pods.
View Consul services
In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh.
In your terminal, run the CLI command `consul catalog services` to return the list of services registered in Consul. Notice that each service has a corresponding `<service>-sidecar-proxy` entry, which is the Envoy sidecar the injector added to its pods.
The Consul installation from the previous tutorial runs in secure mode: ACLs are enabled with a default deny policy, and the ACL tokens for Kubernetes workloads are created and managed automatically by Consul on Kubernetes. Because intentions inherit the ACL default policy, the only service-to-service communication allowed is what you explicitly permit with intentions.
Run the CLI command `consul intention list` to return the list of intentions defined in Consul.
Since you have not defined any intentions yet, the list is empty, and Consul denies all service-to-service traffic in the mesh.
Test the demo application
Open a separate terminal window and expose the HashiCups UI with `kubectl port-forward`, using the `nginx` service as the target.
Open http://localhost:8080 in your browser. Notice that while you can reach the `nginx` instance because of the port forwarding, the `nginx` service cannot reach its upstreams: its requests to them are rejected by the mesh and the UI reports an error. This is expected behavior, since you have not defined any intentions yet. The port-forward bypasses the mesh for the single hop from your machine to `nginx`; every hop between services inside the cluster is still subject to intentions.
Create intentions
To see how intentions affect communication between the services in your service mesh, you will create intentions that follow the principle of least privilege: each service is allowed to talk only to the upstreams it needs, and everything else stays denied.
Open `hashicups/intentions/allow.yaml` to review the intentions configuration file. This file defines multiple intentions, one per destination service, that allow the HashiCups services to interact with each other.
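The manifest below is an added example of what least-privilege `ServiceIntentions` look like; it is not the tutorial's own `hashicups/intentions/allow.yaml`. It assumes a HashiCups topology of `nginx -> frontend`, `nginx -> public-api`, `public-api -> product-api`, `public-api -> payments` and `product-api -> product-db`, and it goes one step beyond the page by restricting the `nginx -> public-api` edge at the HTTP layer, which additionally requires a `ServiceDefaults` that declares the destination's protocol.

```yaml
# Added example: least-privilege intentions for an assumed HashiCups topology.
# Consul evaluates intentions at the destination, so there is one
# ServiceIntentions object per destination service. Any source/destination
# pair that is not listed stays denied because the ACL default policy is deny.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: frontend
spec:
  destination:
    name: frontend
  sources:
    - name: nginx
      action: allow
---
# L7 permissions need the destination to speak HTTP as far as Consul is
# concerned; without this ServiceDefaults the intention below is rejected.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: public-api
spec:
  protocol: http
---
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: public-api
spec:
  destination:
    name: public-api
  sources:
    - name: nginx
      # A source uses either "action" (L4) or "permissions" (L7), never both.
      permissions:
        - action: allow
          http:
            pathPrefix: /api        # assumed API path prefix
            methods: ["GET", "POST"]
        # Requests that match no permission fall through to the default (deny).
---
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: product-api
spec:
  destination:
    name: product-api
  sources:
    - name: public-api
      action: allow
---
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: payments
spec:
  destination:
    name: payments
  sources:
    - name: public-api
      action: allow
---
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: product-db
spec:
  destination:
    name: product-db
  sources:
    - name: product-api
      action: allow
```

Two checks are worth running after applying a file like this. `consul intention list` should show exactly the edges you wrote and nothing broader (a `*` source is the usual sign that someone took a shortcut). And `consul intention check nginx frontend` should print `Allowed`, while a pair you did not list, such as `consul intention check frontend payments`, should still print `Denied`; the `frontend` service never needs to reach `payments` directly, so an intention granting it would be more privilege than the application requires.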
Deploy the service intentions to allow the HashiCups services to interact with each other.
Confirm applied intentions
Open a separate terminal window and expose the HashiCups UI with `kubectl port-forward`, using the `nginx` service as the target (or reuse the port-forward from the previous section if it is still running).
Check out the HashiCups UI at http://localhost:8080. Notice that the application is now fully functional: `nginx` can reach its upstreams because the intentions you just applied allow that traffic, and only that traffic.
Next steps
In this tutorial, you deployed the demo application HashiCups into your Consul service mesh. After deploying HashiCups, you used intentions to control communication between services in your service mesh, starting from a default-deny posture and allowing only the connections the application needs.
In the next tutorial, you will deploy a Consul API Gateway to control ingress into your service mesh applications.
For more information about the topics covered in this tutorial, refer to the following resources: