diff --git a/website/source/docs/connect/intentions.html.md b/website/source/docs/connect/intentions.html.md index b39a62b10b..589b3329fe 100644 --- a/website/source/docs/connect/intentions.html.md +++ b/website/source/docs/connect/intentions.html.md @@ -44,6 +44,11 @@ The intention above is a deny intention with a source of "web" and destination of "db". This says that connections from web to db are not allowed and the connection will be rejected. +When an intention is modified, existing connections will not be affected. +This means that changing a connection from "allow" to "deny" today +_will not_ kill the connection. Addressing this shortcoming is on +the near term roadmap for Consul. + ### Wildcard Intentions An intention source or destination may also be the special wildcard @@ -156,5 +161,5 @@ for registered services. Because all the intention data is cached locally, the agents can fail static. Even if the agents are severed completely from the Consul servers, inbound connection authorization continues to work for a configured amount of time. -Changes to intentions will not be picked up until the partition heals, but +Changes to intentions will not be picked up until the partition heals, but will then automatically take effect when connectivity is restored. diff --git a/website/source/intro/getting-started/connect.html.md b/website/source/intro/getting-started/connect.html.md index b963b3d296..a2477b3cfd 100644 --- a/website/source/intro/getting-started/connect.html.md +++ b/website/source/intro/getting-started/connect.html.md 
@@ -185,6 +185,11 @@ connection again. Intentions allow services to be segmented via a centralized control plane (Consul). To learn more, read the reference documentation on [intentions](/docs/connect/intentions.html). +Note that in the current release of Consul, changing intentions will not +affect existing connections. Therefore, you must establish a new connection +to see the effects of a changed intention. This will be addressed in the near +term in a future version of Consul. + ## Next Steps We've now configured a service on a single agent and used Connect for
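Review bot: In the paragraph added after the deny-intention example in website/source/docs/connect/intentions.html.md (hunk @@ -44,6 +44,11), "changing a connection from "allow" to "deny"" should read "changing an intention from "allow" to "deny"", since allow/deny is a property of the intention and the connection is what stays untouched. "today" does not tell the reader which release this applies to; the getting-started hunk says "in the current release of Consul", so use one wording in both places. Because this means a new deny intention does not cut off access that is already in use, the reference page should also carry the practical consequence the getting-started page states, that a new connection must be established before the changed intention applies. Minor: "near term roadmap" should be hyphenated as "near-term roadmap".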
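Review bot: In hunk @@ -156,5 +161,5 of intentions.html.md, the removed and added lines "Changes to intentions will not be picked up until the partition heals, but" differ only in whitespace as far as the visible text shows, which is unrelated to the documentation change; drop it from this patch or mention it in the commit message. If the sentence is being touched anyway, "will then automatically take effect when connectivity is restored" should be qualified as applying to new connections, otherwise it reads as contradicting the paragraph added in the first hunk, which says existing connections are not affected by a modified intention.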
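Review bot: In the note added before "## Next Steps" in website/source/intro/getting-started/connect.html.md (hunk @@ -185,6 +185,11), "in the current release of Consul" will go stale once the page outlives the release it was written for; name the version, or link to the paragraph added in intentions.html.md so the limitation is described in one place. "This will be addressed in the near term in a future version of Consul" is redundant; "This will be addressed in a future version of Consul" says the same, and it should match the "near term roadmap" wording chosen for the reference page. Since a reader following the guide has just created a deny intention, it is worth stating directly that a connection opened before the change keeps working until it is closed, which is what "you must establish a new connection to see the effects" implies.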