consul/website/source/docs/connect/index.html.md

---
layout: "docs"
page_title: "Connect (Service Segmentation)"
sidebar_current: "docs-connect-index"
description: |-
  Consul Connect provides service-to-service connection authorization and encryption using mutual TLS.
---

# Connect

Consul Connect provides service-to-service connection authorization
and encryption using mutual TLS. Applications can use
[sidecar proxies](/docs/connect/proxies.html)
to automatically establish TLS connections for inbound and outbound connections
without being aware of Connect at all. Applications may also
[natively integrate with Connect](/docs/connect/native.html)
for optimal performance and security.

## How it Works

TODO

## Eliminating East-West Firewalls

East-west firewalls are the typical tool for network security in a static world.
East-west is the transfer of data from server to server within a datacenter,
versus North-south traffic which describes end user to server communications.

These firewalls wrap services with ingress/egress policies. This perimeter-based
approach is difficult to scale in a dynamic world with dozens or hundreds of
services or where machines may be frequently created or destroyed. Firewalls
create a sprawl of rules for each service instance that quickly becomes
overly difficult to maintain.

Service security in a dynamic world is best solved through service-to-service
authentication and authorization. Instead of IP-based network security,
services can be deployed to low-trust networks and rely on service-identity
based security over in-transit data encryption.

Connect enables service segmentation by securing service-to-service
communications through mutual TLS and transparent proxying on zero-trust
networks. This allows direct service communication without relying on firewalls
for east-west traffic security.
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`---`
			`layout: "docs"`
			`page_title: "Connect (Service Segmentation)"`
			`sidebar_current: "docs-connect-index"`
			`description: \|-`
			`Consul Connect provides service-to-service connection authorization and encryption using mutual TLS.`
			`---`

			`# Connect`

			`Consul Connect provides service-to-service connection authorization`
			`and encryption using mutual TLS. Applications can use`
			`[sidecar proxies](/docs/connect/proxies.html)`
			`to automatically establish TLS connections for inbound and outbound connections`
			`without being aware of Connect at all. Applications may also`
			`[natively integrate with Connect](/docs/connect/native.html)`
			`for optimal performance and security.`

			`## How it Works`

			`TODO`

			`## Eliminating East-West Firewalls`

			`East-west firewalls are the typical tool for network security in a static world.`
			`East-west is the transfer of data from server to server within a datacenter,`
			`versus North-south traffic which describes end user to server communications.`

			`These firewalls wrap services with ingress/egress policies. This perimeter-based`
			`approach is difficult to scale in a dynamic world with dozens or hundreds of`
			`services or where machines may be frequently created or destroyed. Firewalls`
			`create a sprawl of rules for each service instance that quickly becomes`
			`overly difficult to maintain.`

			`Service security in a dynamic world is best solved through service-to-service`
			`authentication and authorization. Instead of IP-based network security,`
			`services can be deployed to low-trust networks and rely on service-identity`
			`based security over in-transit data encryption.`

			`Connect enables service segmentation by securing service-to-service`
			`communications through mutual TLS and transparent proxying on zero-trust`
			`networks. This allows direct service communication without relying on firewalls`
			`for east-west traffic security.`