applied additional feedback from review

This commit is contained in:
trujillo-adam 2022-09-29 11:13:19 -07:00
parent fc5fdc27d0
commit 4d1fb3b11b
4 changed files with 28 additions and 63 deletions

@ -30,18 +30,6 @@ You can also add the `consul-lambda-extension` plugin as a layer in your Lambda
Refer to [Invoke Services from Lambda Functions](/docs/lambda/invoke-from-lambda) for additional information about registering Lambda functions into Consul.
## Cross-datacenter communication
You can use the following Consul features to send cross-datacenter requests between Lambda functions and mesh services.
### Mesh gateway WAN federation
Mesh gateways enable you to route traffic to services within and across Consul datacenters. WAN federation refers to designating a _primary datacenter_ that contains authoritative information about all datacenters, including service mesh configurations and access control list (ACL) resources. Refer to [Mesh Gateways for WAN Federation](/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways) for additional information.
Consul mesh gateways are required to send requests from Lambda functions to mesh services. Refer to [Mesh Gateways between Datacenters](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters) for additional information.
Note that mesh gateways do not implement L7 traffic management by default. As a result, requests from Lambda functions ignore service routes and splitters.
#### Admin partitions
If admin partitions are enabled and the datacenters are federated across the WAN using mesh gateways, then you can only route requests from Lambda functions by applying an [`exported-services`](/docs/connect/config-entries/exported-services) configuration entry to export their service instances. This is required even if the upstream for the Lambda function is in the same admin partition. Otherwise, Consul does not populate the mesh gateways with the routing information.
You can also use the [admin partitions](/docs/enterprise/partitions) feature included with Consul Enterprise to define separate administrative areas within a datacenter. If admin partitions are not enabled and the datacenters are federated across the WAN using mesh gateways, then you can route all services through the mesh gateways by default. You do not need to use the [`exported-services`](/docs/connect/config-entries/exported-services) configuration entry to export service instances.
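Review bot: The sentence under "Mesh gateway WAN federation" stating that mesh gateways do not implement L7 traffic management, so "requests from Lambda functions ignore service routes and splitters", is a behavioral caveat rather than background, and the hunk header (18 lines down to 6) shows this section leaving the page. Operators who depend on routers or splitters to steer or restrict traffic need that warning somewhere; suggest keeping it as a single note here or on the invoke-from-lambda page. The same goes for the admin partitions requirement that `exported-services` is needed "even if the upstream for the Lambda function is in the same admin partition", which the requirements page in this change only covers for Lambda services.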

@ -14,7 +14,6 @@ This topic describes how to invoke services in the mesh from Lambda functions re
The following steps describe the process:
1. Deploy the services you want to allow the Lambda function to invoke.
1. (Optional) Enable L7 traffic management in the local datacenter.
1. Deploy the mesh gateway.
1. Deploy the Lambda registrator.
1. Invoke the the Lambda function.
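Review bot: The last step in this list reads "Invoke the the Lambda function." with a doubled "the"; since the list is being edited here anyway, change it to "Invoke the Lambda function." The remaining steps also do not mention creating an intention, which the "Invoke the Lambda function" section of this page now describes as required when intentions are enabled; consider adding it as a step before the invocation.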
@ -25,7 +24,7 @@ The layer runs an external Lambda extension that starts a sidecar proxy. The pro
## Prerequisites
You must deploy the destination services and mesh gateway prior to deploying your Lambda service with the `consul-lambda-extension` layer. Its not required, but you can also enable L7 traffic management in the local datacenter prior to implementing the `consul-lambda-extension` layer.
You must deploy the destination services and mesh gateway prior to deploying your Lambda service with the `consul-lambda-extension` layer.
### Deploy the destination service
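Review bot: The prerequisite sentence says "destination services" (plural), the heading directly below it is "Deploy the destination service" (singular), and step 1 of the process list says "Deploy the services"; pick one form so the sentence, heading and list agree.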
@ -79,36 +78,7 @@ spec:
serviceAccountName: static-server
```
### Enable L7 traffic management (optional)
Mesh gateways do not implement L7 traffic management features, but you can enable L7 in the local data center so that your service can use service resolvers, splitters, and routers.
1. Define an `exported-services` configuration entry. Refer to [Exported Services](/docs/connect/config-entries/exported-services) for additional information. The following example exports `static-server` service instances to a peered cluster specified in the `PeerName` field.
<CodeBlock filename="static-server-configuration-entry.hcl">
```hcl
Kind = "exported-services"
Name = "default"
Services = [
{
Name = "static-server"
Consumers = [
{
PeerName = "<name of the peered cluster that dials the exported service>"
}
]
}
]
```
</CodeBlock>
1. Apply the configuration using the Consul CLI or by using a custom resource definition (CRD) if Consul is running on Kubernetes. The following example shows the command line usage:
```shell-session
$ consul config write static-server-configuration-entry.hcl
```
### Deploy the mesh gateway
The mesh gateway must be running and registered to the Lambda functions Consul datacenter. Refer to the following documentation and tutorials for instructions:
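Review bot: In the context line under "Deploy the mesh gateway", "registered to the Lambda functions Consul datacenter" is missing the possessive; suggest "the Lambda function's Consul datacenter". Separately, with the `exported-services` example gone from this page, the only remaining guidance on that configuration entry in this change is the link on the requirements page, so confirm that the prerequisites here point readers to it.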
@ -292,7 +262,7 @@ Define the following environment variables in your Lambda functions to configure
## Invoke the Lambda function
You can create an _intention_ in Consul prior to invoking the Lambda function. Intentions define access control for services in the mesh. Refer to [Service Mesh Intentions](/docs/connect/intentions) for additional information.
If _intentions_ are enabled in the Consul service mesh, you must create an intention that allows the Lambda function's Consul service to invoke all upstream services prior to invoking the Lambda function. Refer to [Service Mesh Intentions](/docs/connect/intentions) for additional information.
There are several ways to invoke Lambda functions. In the following example, the `aws lambda invoke` CLI command invokes the function.:
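Review bot: In the new intentions sentence, "allows the Lambda function's Consul service to invoke all upstream services" can be read as an instruction to create a wildcard allow intention; suggest "each upstream service the function calls" so the guidance keeps intentions scoped per destination. The trailing context line also ends with ".:" after "invokes the function"; drop the period.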

@ -7,7 +7,7 @@ description: >-
# Automate Lambda Function Registeration
This topic describes how to automate Lambda function registration using the Consul Lambda registrator module for Terraform.
This topic describes how to automate Lambda function registration using Consul's Lambda registrator module for Terraform.
## Introduction
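Review bot: The page title in the context line above the changed sentence, "Automate Lambda Function Registeration", is misspelled; it should read "Registration", matching the sentence that follows it. Worth fixing in the same pass since this commit already touches the first paragraph.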
@ -43,7 +43,7 @@ Verify that your environment meets the requirements specified in [Lambda Functio
## Configuration
The Lambda registrator module stores data in the AWS parameter store. You can configure the type of data stored and how to store it.
The Lambda registrator stores data in the AWS parameter store. You can configure the type of data stored and how to store it.
### Optional: Store the CA certificate in Parameter Store
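Review bot: The changed sentence says "the AWS parameter store" while the heading directly below uses "Parameter Store"; use the capitalized service name in both places. Since the next section covers storing the CA certificate there, it would also help for this sentence to name which values the registrator writes, so readers can scope IAM access to those parameters.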

@ -6,7 +6,7 @@ description: >-
---
# Lambda Function Registration Requirements
Verify that your network meets the requirements and that you have completed the prerequisites before registering Lambda functions.
Verify that your environment meets the requirements and that you have completed the prerequisites before registering Lambda functions.
## Introduction
@ -53,23 +53,16 @@ enables an IAM user or role to invoke the `example` Lambda function:
Define AWS IAM credentials in environment variables, EC2 metadata or
ECS metadata. On [AWS EKS](https://aws.amazon.com/eks/), associate an IAM role with the proxy's `ServiceAccount`. Refer to the [AWS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) documentation for instructions.
### Optional: Set up a Terminating Gateway
### Mesh gateway
If you intend to invoke Lambda services through a terminating gateway, the gateway must be registered and running in the Consul datacenter. Refer to the following documentation and tutorials for instructions on how to set up a terminating gateway:
A mesh gateway is required in the following scenarios:
- [Terminating gateways documentation](/docs/connect/gateways#terminating-gateways)
- [Terminating gateways on Kubernetes documentation](/docs/k8s/connect/terminating-gateways)
- [Connect External Services to Consul With Terminating Gateways tutorial](https://learn.hashicorp.com/tutorials/consul/teminating-gateways-connect-external-services)
* Invoking mesh services from Lambda functions
* Invoking Lambda functions from a service deployed to a separate Consul data center
To register a Lambda service with a terminating gateway, add the service to the
`Services` field of the terminating gateway's `terminating-gateway`
configuration entry.
Mesh gateways are optional for enabling services to invoke Lambda functions if they are in the same datacenter.
### Run a Mesh Gateway
A mesh gateway is required to enable Lambda functions to invoke mesh services, but optional to enable services to invoke Lambda functions.
You can set up a mesh gateway so that you can invoke Lambda services across datacenters and admin partitions. The mesh gateway must be running and registered in the relevant Consul datacenters and partitions. Refer to the following documentation and tutorials for instructions on how to set up mesh gateways:
The mesh gateway must be running and registered in the relevant Consul datacenters and admin partitions. Refer to the following documentation and tutorials for instructions on how to set up mesh gateways:
- [Mesh gateway documentation](/docs/connect/gateways#mesh-gateways)
- [Connect Services Across Datacenters with Mesh Gateways tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateways)
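Review bot: The new bullet "Invoking Lambda functions from a service deployed to a separate Consul data center" spells it "data center" while the sentence two lines later and the rest of the section use "datacenter"; use one spelling. In "Mesh gateways are optional for enabling services to invoke Lambda functions if they are in the same datacenter", "they" could refer to the gateways, the services or the functions; suggest "if the services and the Lambda functions are in the same datacenter".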
@ -78,3 +71,17 @@ You can set up a mesh gateway so that you can invoke Lambda services across data
When using admin partitions, you must add Lambda services to the `Services`
field of [the `exported-services` configuration
entry](/docs/connect/config-entries/exported-services).
### Optional: Terminating gateway
A terminating gateway is an access point in a Consul datacenter to an external service or node. Terminating gateways are optional when invoking Lambda functions from a mesh service, but they do not play a role when invoking services from Lambda functions.
Refer to the following documentation and tutorials for instructions on how to set up a terminating gateway:
- [Terminating gateways documentation](/docs/connect/gateways#terminating-gateways)
- [Terminating gateways on Kubernetes documentation](/docs/k8s/connect/terminating-gateways)
- [Connect External Services to Consul With Terminating Gateways tutorial](https://learn.hashicorp.com/tutorials/consul/teminating-gateways-connect-external-services)
To register a Lambda service with a terminating gateway, add the service to the
`Services` field of the terminating gateway's `terminating-gateway`
configuration entry.
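Review bot: In the new "Optional: Terminating gateway" section, the sentence "Terminating gateways are optional when invoking Lambda functions from a mesh service, but they do not play a role when invoking services from Lambda functions" joins two compatible statements with "but"; suggest "and" or splitting it into two sentences. The tutorial link slug is spelled "teminating-gateways-connect-external-services"; please confirm that it resolves before this lands, since the link is carried over unchanged from the old location.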