<span class='sub-heading'>Securing service-to-service communication with firewalls doesn’t scale in dynamic settings.</span>
<img src='//placehold.it/516x314'>
<p>East-west firewalls are the main tool for networking security in a static world. They depend on constraining traffic flow and use IP based rules to control ingress and egress traffic. But in a dynamic world where services move across machines and machines are frequently created and destroyed, this perimeter-based approach is difficult to scale as it requires complex network topologies and a large number of short lived firewall rules.</p>
<span class='sub-heading'>Service segmentation for dynamic service authorization.</span>
<img src='//placehold.it/516x314'>
<p>Service segmentation is a new approach to secure the service itself rather than relying on the network. Consul Connect enables high level rules to codify which services are allowed to communicate directly, without IP based rules or networking middleware.</p>
<p>Define and enforce service to service communication with a simple Intentions configuration. Service based rules, instead of IP based rules, make it easy to manage dynamic infrastructure with frequently changing IPs.</p>
<h3>Secure services across any runtime platform</h3>
<p>Secure communication between legacy and modern workloads. Sidecar proxies allow applications to be integrated without code changes and Layer 4 support provides nearly universal protocol compatibility.</p>
<p>TLS certificates are used to identify services and secure communications. Certificates use the SPIFFE format for interoperability with other platforms. Consul can be a certificate authority to simplify deployment, or integrate with external signing authorities like Vault.</p>
<p>All traffic between services is encrypted and authenticated with mutual TLS. Using TLS provides a strong guarantee of the identity of services communicating, and ensure all data in transit is encrypted.</p>