---
layout: docs
page_title: How does Consul Service Mesh Work on Kubernetes?
description: >-
  An injection annotation allows Consul to automatically deploy sidecar proxies on Kubernetes pods, enabling Consul's service mesh for containers running on k8s. Learn how to configure sidecars, enable services with multiple ports, change default injection settings.
---

# How does Consul Service Mesh Work on Kubernetes?

Consul service mesh automates service-to-service authorization and encryption across your Consul services. You can use service mesh in Kubernetes-orchestrated networks to secure communication between pods as well as communication between pods and external Kubernetes services.

## Workflow

Consul service mesh is enabled by default when you install Consul on Kubernetes using the Consul Helm chart. Consul also automatically injects sidecars into the pods in your clusters that run Envoy. These sidecar proxies, called Consul dataplanes, are enabled when `connectInject.default` is set to `false` in the Helm chart. Refer to the following documentation for additional information about these concepts:

- [Installation and Configuration](#installation-and-configuration) in this topic
- [Consul Helm chart reference](/consul/docs/k8s/helm)
- [Simplified Service Mesh with Consul Dataplane](/consul/docs/connect/dataplane)

If `connectInject.default` is set to `false` or you want to explicitly enable service mesh sidecar proxy injection for a specific deployment, add the `consul.hashicorp.com/connect-inject` annotation to the pod specification template and set it to `true` when connecting services to the mesh.

### Example

The following example shows a Kubernetes configuration that specifically enables service mesh connections for the `static-server` service. Consul starts and registers a sidecar proxy that listens on port 20000 by default and proxies valid inbound connections to port 8080.
```yaml
apiVersion: v1
kind: Service
metadata:
  # This name will be the service name in Consul.
  name: static-server
spec:
  selector:
    app: static-server
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: static-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: static-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: static-server
  template:
    metadata:
      name: static-server
      labels:
        app: static-server
      annotations:
        'consul.hashicorp.com/connect-inject': 'true'
    spec:
      containers:
        - name: static-server
          image: hashicorp/http-echo:latest
          args:
            - -text="hello world"
            - -listen=:8080
          ports:
            - containerPort: 8080
              name: http
      # If ACLs are enabled, the serviceAccountName must match the Consul service name.
      serviceAccountName: static-server
```
To establish a connection to the Pod using service mesh, a client must use another mesh proxy. The client mesh proxy will use Consul service discovery to find all available upstream proxies and their public ports.

### Service names

When the service is onboarded, the name registered in Consul is set to the name of the Kubernetes Service associated with the Pod. You can specify a custom name for the service in the [`consul.hashicorp.com/connect-service` annotation](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service), but if ACLs are enabled, then the name of the service registered in Consul must match the Pod's `ServiceAccount` name.

### Transparent proxy mode

By default, the Consul service mesh runs in transparent proxy mode. This mode forces inbound and outbound traffic through the sidecar proxy even though the service binds to all interfaces. Transparent proxy infers the location of upstream services using Consul service intentions, and also allows you to use Kubernetes DNS as you normally would for your workloads.

When transparent proxy mode is enabled, all service-to-service traffic is required to use mTLS. While onboarding new services to service mesh, your network may have mixed mTLS and non-mTLS traffic, which can result in broken service-to-service communication. You can temporarily enable permissive mTLS mode during the onboarding process so that existing mesh services can accept traffic from services that are not yet fully onboarded. Permissive mTLS enables sidecar proxies to access both mTLS and non-mTLS traffic. Refer to [Onboard mesh services in transparent proxy mode](/consul/docs/k8s/connect/onboarding-tproxy-mode) for additional information.

### Connecting to Mesh-Enabled Services

The example Deployment specification below configures a Deployment that is capable
of establishing connections to our previous example "static-server" service. The
connection to this static text service happens over an authorized and encrypted
connection via service mesh.

-> **Note:** As of consul-k8s `v0.26.0` and Consul Helm `v0.32.0`, having a Kubernetes
Service is **required** to run services on the Consul Service Mesh.
```yaml
apiVersion: v1
kind: Service
metadata:
  # This name will be the service name in Consul.
  name: static-client
spec:
  selector:
    app: static-client
  ports:
    - port: 80
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: static-client
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: static-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: static-client
  template:
    metadata:
      name: static-client
      labels:
        app: static-client
      annotations:
        'consul.hashicorp.com/connect-inject': 'true'
    spec:
      containers:
        - name: static-client
          image: curlimages/curl:latest
          # Just spin & wait forever, we'll use `kubectl exec` to demo
          command: ['/bin/sh', '-c', '--']
          args: ['while true; do sleep 30; done;']
      # If ACLs are enabled, the serviceAccountName must match the Consul service name.
      serviceAccountName: static-client
```
By default when ACLs are enabled or when ACLs default policy is `allow`,
Consul will automatically configure proxies with all upstreams from the same datacenter.
When ACLs are enabled with default `deny` policy,
you must supply an [intention](/consul/docs/connect/intentions) to tell Consul which upstream you need to talk to.

When upstreams are specified explicitly with the
[`consul.hashicorp.com/connect-service-upstreams` annotation](/consul/docs/k8s/annotations-and-labels#consul-hashicorp-com-connect-service-upstreams),
the injector will also set environment variables `<NAME>_CONNECT_SERVICE_HOST`
and `<NAME>_CONNECT_SERVICE_PORT` in every container in the Pod for every defined
upstream. These are analogous to the standard Kubernetes service environment variables, but
point instead to the correct local proxy port to establish connections via
service mesh.

You can verify access to the static text server using `kubectl exec`.
Because transparent proxy is enabled by default,
use Kubernetes DNS to connect to your desired upstream.

```shell-session
$ kubectl exec deploy/static-client -- curl --silent http://static-server/
"hello world"
```
You can control access to the server using [intentions](/consul/docs/connect/intentions).
If you use the Consul UI or [CLI](/consul/commands/intention/create) to
deny communication between
"static-client" and "static-server", connections are immediately rejected
without updating either of the running pods. You can then remove this
intention to allow connections again.

```shell-session
$ kubectl exec deploy/static-client -- curl --silent http://static-server/
command terminated with exit code 52
```
### Kubernetes Pods with Multiple ports

To configure a pod with multiple ports to be a part of the service mesh and receive and send service mesh traffic, you
will need to add configuration so that a Consul service can be registered per port. This is because services in Consul
currently support a single port per service instance.

In the following example, suppose we have a pod which exposes 2 ports, `8080` and `9090`, both of which will need to
receive service mesh traffic.

First, decide on the names for the two Consul services that will correspond to those ports. In this example, the user
chooses the names `web` for `8080` and `web-admin` for `9090`.

Create two service accounts for `web` and `web-admin`:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web-admin
```
Create two Service objects for `web` and `web-admin`:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  selector:
    app: web
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: web-admin
spec:
  selector:
    app: web
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9090
```
`web` will target `containerPort` `8080` and select pods labeled `app: web`. `web-admin` will target `containerPort`
`9090` and will also select the same pods.
~> Kubernetes 1.24+ only
In Kubernetes 1.24+ you need to [create a Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets) for each multi-port service that references the ServiceAccount, and the Kubernetes secret must have the same name as the ServiceAccount:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: web
  annotations:
    kubernetes.io/service-account.name: web
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: Secret
metadata:
  name: web-admin
  annotations:
    kubernetes.io/service-account.name: web-admin
type: kubernetes.io/service-account-token
```
Create a Deployment with any chosen name, and use the following annotations:
```yaml
consul.hashicorp.com/connect-inject: 'true'
consul.hashicorp.com/transparent-proxy: 'false'
consul.hashicorp.com/connect-service: 'web,web-admin'
consul.hashicorp.com/connect-service-port: '8080,9090'
```
Note that the ports are listed in the same order as the service names, i.e. the first service name `web`
corresponds to the first port, `8080`, and the second service name `web-admin` corresponds to the second port, `9090`.
The service account on the pod spec for the deployment should be set to the first service name `web`:
```yaml
serviceAccountName: web
```
For reference, the full deployment example could look something like the following:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      name: web
      labels:
        app: web
      annotations:
        'consul.hashicorp.com/connect-inject': 'true'
        'consul.hashicorp.com/transparent-proxy': 'false'
        'consul.hashicorp.com/connect-service': 'web,web-admin'
        'consul.hashicorp.com/connect-service-port': '8080,9090'
    spec:
      containers:
        - name: web
          image: hashicorp/http-echo:latest
          args:
            - -text="hello world"
            - -listen=:8080
          ports:
            - containerPort: 8080
              name: http
        - name: web-admin
          image: hashicorp/http-echo:latest
          args:
            - -text="hello world from 9090"
            - -listen=:9090
          ports:
            - containerPort: 9090
              name: http
      serviceAccountName: web
```
After deploying the `web` application, you can test service mesh connections by deploying the `static-client`
application with the configuration in the [previous section](#connecting-to-mesh-enabled-services) and add the
following annotation to the pod template on `static-client`:
```yaml
consul.hashicorp.com/connect-service-upstreams: "web:1234,web-admin:2234"
```
If you exec on to a static-client pod, using a command like:
```shell-session
$ kubectl exec -it static-client-5bd667fbd6-kk6xs -- /bin/sh
```
you can then run:
```shell-session
$ curl localhost:1234
```
to see the output `hello world` and run:
```shell-session
$ curl localhost:2234
```
to see the output `hello world from 9090`.
The way this works is that a Consul service instance is being registered per port on the Pod, so there are 2 Consul
services in this case. An additional Envoy sidecar proxy and `connect-init` init container are also deployed per port in
the Pod. So the upstream configuration can use the individual service names to reach each port as seen in the example.
#### Caveats for Multi-port Pods
* Transparent proxy is not supported for multi-port Pods.
* Metrics and metrics merging are not supported for multi-port Pods.
* Upstreams will only be set on the first service's Envoy sidecar proxy for the pod.
  * This means that ServiceIntentions from a multi-port pod to elsewhere will need to use the first service's name,
    `web` in the example above, to accept connections from either `web` or `web-admin`. ServiceIntentions from elsewhere
    to a multi-port pod can use the individual service names within the multi-port Pod.
* Health checking is done on a per-Pod basis, so if any Kubernetes health checks (like readiness, liveness, etc) are
  failing for any container on the Pod, the entire Pod is marked unhealthy, and any Consul service referencing that Pod
  will also be marked as unhealthy. So, if `web` has a failing health check, `web-admin` would also be marked as
  unhealthy for service mesh traffic.
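
The multi-port rules above can be checked before a manifest is applied. The following is an added example, not code from consul-k8s: it lints a pod template against the positional name/port pairing, the `transparent-proxy` requirement, the `serviceAccountName` rule and the Kubernetes 1.24+ Secret rule. `lint_multiport`, its arguments and the sample objects are hypothetical, and manifests are assumed to be already loaded into plain dicts.

```python
# Added example (not consul-k8s code): lint a multi-port pod template against
# the rules in this section. Manifests are plain dicts, as a YAML loader would
# return them; lint_multiport and the sample objects below are hypothetical.
import copy

PREFIX = "consul.hashicorp.com/"
TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"


def csv_items(value):
    return [item.strip() for item in str(value).split(",") if item.strip()]


def lint_multiport(template, services, secrets=None):
    """Return findings for one pod template; secrets=None skips the 1.24+ check."""
    ann = template.get("metadata", {}).get("annotations", {})
    names = csv_items(ann.get(PREFIX + "connect-service", ""))
    ports = csv_items(ann.get(PREFIX + "connect-service-port", ""))
    findings = []
    if len(names) != len(ports):
        findings.append("connect-service has %d names, connect-service-port has %d ports"
                        % (len(names), len(ports)))
    if len(names) < 2:
        return findings  # the remaining rules apply to multi-port pods only
    if str(ann.get(PREFIX + "transparent-proxy")).lower() != "false":
        findings.append("transparent-proxy is not 'false' on a multi-port pod")
    account = template.get("spec", {}).get("serviceAccountName")
    if account != names[0]:
        findings.append("serviceAccountName %r is not the first service name %r"
                        % (account, names[0]))
    # Names and ports pair by position, so check each pair against the
    # targetPort of the Service object that carries the same name.
    targets = {s["metadata"]["name"]:
               {str(p.get("targetPort", p.get("port"))) for p in s["spec"]["ports"]}
               for s in services}
    for name, port in zip(names, ports):
        if name not in targets:
            findings.append("no Service object named %r" % name)
        elif port not in targets[name]:
            findings.append("%r is paired with port %s but its Service targets %s"
                            % (name, port, ",".join(sorted(targets[name]))))
    if secrets is not None:
        bound = {s["metadata"]["name"] for s in secrets
                 if s.get("type") == TOKEN_TYPE
                 and s["metadata"].get("annotations", {}).get(SA_ANNOTATION)
                 == s["metadata"]["name"]}
        findings += ["no service-account-token Secret named %r" % n
                     for n in names if n not in bound]
    return findings


# Constructed sample input mirroring the manifests in this section.
SERVICES = [{"metadata": {"name": n}, "spec": {"ports": [{"port": 80, "targetPort": p}]}}
            for n, p in (("web", 8080), ("web-admin", 9090))]
SECRETS = [{"metadata": {"name": n, "annotations": {SA_ANNOTATION: n}}, "type": TOKEN_TYPE}
           for n in ("web", "web-admin")]
TEMPLATE = {"metadata": {"annotations": {PREFIX + "connect-inject": "true",
                                         PREFIX + "transparent-proxy": "false",
                                         PREFIX + "connect-service": "web,web-admin",
                                         PREFIX + "connect-service-port": "8080,9090"}},
            "spec": {"serviceAccountName": "web"}}

if __name__ == "__main__":
    swapped = copy.deepcopy(TEMPLATE)  # port list reversed relative to the names
    swapped["metadata"]["annotations"][PREFIX + "connect-service-port"] = "9090,8080"
    print("\n".join(lint_multiport(swapped, SERVICES, SECRETS)))
```

Because the pairing is positional, a reversed port list registers `web` against `9090` and `web-admin` against `8080`, so intentions written for one service name would govern traffic to the other port.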
## Installation and Configuration

The service mesh sidecar proxy is injected via a
[mutating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks)
called the connect injector provided by the
[consul-k8s project](https://github.com/hashicorp/consul-k8s).
This enables the automatic pod mutation shown in the usage section above.
Installation of the mutating admission webhook is automated using the
[Helm chart](/consul/docs/k8s/installation/install).

To install the connect injector, enable the connect injection feature using
[Helm values](/consul/docs/k8s/helm#configuration-values) and
upgrade the installation using `helm upgrade` for existing installs or
`helm install` for a fresh install.
```yaml
connectInject:
  enabled: true
```
This will configure the injector to inject when the
[injection annotation](#consul-hashicorp-com-connect-inject)
is set to `true`. Other values in the Helm chart can be used to limit the namespaces
the injector runs in, enable injection by default, and more.

### Verifying the Installation

To verify the installation, run the
["Accepting Inbound Connections"](/consul/docs/k8s/connect#accepting-inbound-connections)
example from the "Usage" section above. After running this example, run
`kubectl get pod static-server --output yaml`. In the raw YAML output, you should
see connect injected containers and an annotation
`consul.hashicorp.com/connect-inject-status` set to `injected`. This
confirms that injection is working properly.

If you do not see this, then use `kubectl logs` against the injector pod
and note any errors.
### Controlling Injection Via Annotation
By default, the injector will inject only when the
[injection annotation](#consul-hashicorp-com-connect-inject)
on the pod (not the deployment) is set to `true`:
```yaml
annotations:
  'consul.hashicorp.com/connect-inject': 'true'
```
### Injection Defaults
If you wish for the injector to always inject, you can set the default to `true`
in the Helm chart:
```yaml
connectInject:
  enabled: true
  default: true
```
You can then exclude specific pods via annotation:
```yaml
annotations:
  'consul.hashicorp.com/connect-inject': 'false'
```
### Controlling Injection Via Namespace
You can control which Kubernetes namespaces are allowed to be injected via
the `k8sAllowNamespaces` and `k8sDenyNamespaces` keys:
```yaml
connectInject:
  enabled: true
  k8sAllowNamespaces: ['*']
  k8sDenyNamespaces: []
```
In the default configuration (shown above), services from all namespaces are allowed
to be injected. Whether or not they're injected depends on the value of `connectInject.default`
and the `consul.hashicorp.com/connect-inject` annotation.

If you wish to only enable injection in specific namespaces, you can list only those
namespaces in the `k8sAllowNamespaces` key. In the configuration below
only the `my-ns-1` and `my-ns-2` namespaces will be enabled for injection.
All other namespaces will be ignored, even if the connect inject [annotation](#consul-hashicorp-com-connect-inject)
is set.
```yaml
connectInject:
  enabled: true
  k8sAllowNamespaces: ['my-ns-1', 'my-ns-2']
  k8sDenyNamespaces: []
```
If you wish to enable injection in every namespace _except_ specific namespaces, you can
use `*` in the allow list to allow all namespaces and then specify the namespaces to exclude in the deny list:
```yaml
connectInject:
  enabled: true
  k8sAllowNamespaces: ['*']
  k8sDenyNamespaces: ['no-inject-ns-1', 'no-inject-ns-2']
```
-> **NOTE:** The deny list takes precedence over the allow list. If a namespace
is listed in both lists, it will **not** be synced.

~> **NOTE:** The `kube-system` and `kube-public` namespaces will never be injected.
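
The namespace lists, the `connectInject.default` value and the pod annotation combine in a fixed order of precedence. The following added example, which is not the connect injector's own code, models that order as described on this page and reports which pods would run without a sidecar. The function names and sample pods are hypothetical, and it assumes you pass the Helm values your release actually resolves to.

```python
# Added example (not the connect injector's code): a model of the injection
# rules stated on this page. Function names and the sample pods are hypothetical.
ANNOTATION = "consul.hashicorp.com/connect-inject"
NEVER_INJECTED = {"kube-system", "kube-public"}


def injection_decision(values, namespace, annotations):
    """Return (injected, reason) for a pod, given the effective Helm values.

    Assumption: keys missing from `values` are read as off; pass the values
    your release actually resolves to, defaults included.
    """
    inject = values.get("connectInject", {})
    if not inject.get("enabled", False):
        return False, "connectInject.enabled is not true"
    if namespace in NEVER_INJECTED:
        return False, "namespace is never injected"
    # The deny list takes precedence over the allow list.
    if namespace in inject.get("k8sDenyNamespaces", []):
        return False, "namespace is in k8sDenyNamespaces"
    allow = inject.get("k8sAllowNamespaces", ["*"])
    if "*" not in allow and namespace not in allow:
        return False, "namespace is not in k8sAllowNamespaces"
    # In an eligible namespace the pod annotation overrides the default.
    value = annotations.get(ANNOTATION)
    if value is not None:
        # Simplification: any value other than 'true' is treated as opting out.
        if str(value).lower() == "true":
            return True, "annotation is 'true'"
        return False, "annotation is %r" % value
    if inject.get("default", False):
        return True, "connectInject.default is true"
    return False, "no annotation and connectInject.default is not true"


def pods_outside_mesh(values, pods):
    """List (namespace, name, reason) for every pod that gets no sidecar."""
    report = []
    for pod in pods:
        meta = pod["metadata"]
        namespace = meta.get("namespace", "default")
        injected, reason = injection_decision(
            values, namespace, meta.get("annotations", {}))
        if not injected:
            report.append((namespace, meta["name"], reason))
    return report


# Constructed sample input: Helm values from this section plus four pods.
VALUES = {"connectInject": {"enabled": True, "default": True,
                            "k8sAllowNamespaces": ["*"],
                            "k8sDenyNamespaces": ["no-inject-ns-1", "no-inject-ns-2"]}}
PODS = [
    {"metadata": {"name": "static-server", "namespace": "default"}},
    {"metadata": {"name": "batch", "namespace": "default",
                  "annotations": {ANNOTATION: "false"}}},
    {"metadata": {"name": "legacy", "namespace": "no-inject-ns-1",
                  "annotations": {ANNOTATION: "true"}}},
    {"metadata": {"name": "coredns", "namespace": "kube-system"}},
]

if __name__ == "__main__":
    for namespace, name, reason in pods_outside_mesh(VALUES, PODS):
        print("%s/%s: %s" % (namespace, name, reason))
```

Pods this reports are not covered by the mesh's mTLS and intentions, so the list is a starting point for reviewing which workloads are intentionally excluded.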
### Consul Enterprise Namespaces
Consul Enterprise 1.7+ supports Consul namespaces. When Kubernetes pods are registered
into Consul, you can control which Consul namespace they are registered into.
There are three options available:
1. **Single Destination Namespace** – Register all Kubernetes pods, regardless of namespace,
   into the same Consul namespace.

   This can be configured with:

   ```yaml
   global:
     enableConsulNamespaces: true

   connectInject:
     enabled: true
     consulNamespaces:
       consulDestinationNamespace: 'my-consul-ns'
   ```

   -> **NOTE:** If the destination namespace does not exist we will create it.

1. **Mirror Namespaces** - Register each Kubernetes pod into a Consul namespace with the same name as its Kubernetes namespace.
   For example, pod `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `ns-1`.
   If a mirrored namespace does not exist in Consul, it will be created.

   This can be configured with:

   ```yaml
   global:
     enableConsulNamespaces: true

   connectInject:
     enabled: true
     consulNamespaces:
       mirroringK8S: true
   ```

1. **Mirror Namespaces With Prefix** - Register each Kubernetes pod into a Consul namespace with the same name as its Kubernetes
   namespace **with a prefix**.
   For example, given a prefix `k8s-`, pod `foo` in Kubernetes namespace `ns-1` will be synced to the Consul namespace `k8s-ns-1`.

   This can be configured with:

   ```yaml
   global:
     enableConsulNamespaces: true

   connectInject:
     enabled: true
     consulNamespaces:
       mirroringK8S: true
       mirroringK8SPrefix: 'k8s-'
   ```

### Consul Enterprise Namespace Upstreams

When [transparent proxy](/consul/docs/connect/transparent-proxy) is enabled and ACLs are disabled,
the upstreams will be configured automatically across Consul namespaces.
When ACLs are enabled, you must configure it by specifying an [intention](/consul/docs/connect/intentions),
allowing services across Consul namespaces to talk to each other.

If you wish to specify an upstream explicitly via the `consul.hashicorp.com/connect-service-upstreams` annotation,
use the format `[service-name].[namespace]:[port]:[optional datacenter]`:
```yaml
annotations:
  'consul.hashicorp.com/connect-inject': 'true'
  'consul.hashicorp.com/connect-service-upstreams': '[service-name].[namespace]:[port]:[optional datacenter]'
```
See [consul.hashicorp.com/connect-service-upstreams](#consul-hashicorp-com-connect-service-upstreams) for more details.
-> **Note:** When you specify upstreams via an upstreams annotation, you will need to use
`localhost:<port>` with the port from the upstreams annotation instead of KubeDNS to connect to your upstream
application.