From f3f9e54b0df173d64583486a3a2757788e465b66 Mon Sep 17 00:00:00 2001 From: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> Date: Mon, 19 Dec 2022 15:35:05 -0800 Subject: [PATCH] Docs/network segments tutorial docs conversion (#15829) * added a NS folder and refactored main page into the overview page * added NS usage page to NS folder * updated links to NS docs * updated nav * addressed feedback from review --- .../content/docs/agent/config/cli-flags.mdx | 10 +- .../docs/agent/config/config-files.mdx | 2 +- website/content/docs/enterprise/index.mdx | 10 +- .../docs/enterprise/network-segments.mdx | 235 ------------------ .../create-network-segment.mdx | 193 ++++++++++++++ .../network-segments-overview.mdx | 63 +++++ website/data/docs-nav-data.json | 11 +- 7 files changed, 275 insertions(+), 249 deletions(-) delete mode 100644 website/content/docs/enterprise/network-segments.mdx create mode 100644 website/content/docs/enterprise/network-segments/create-network-segment.mdx create mode 100644 website/content/docs/enterprise/network-segments/network-segments-overview.mdx diff --git a/website/content/docs/agent/config/cli-flags.mdx b/website/content/docs/agent/config/cli-flags.mdx index 6cf4f213aa..c965a8921f 100644 --- a/website/content/docs/agent/config/cli-flags.mdx +++ b/website/content/docs/agent/config/cli-flags.mdx @@ -158,7 +158,7 @@ information. the name of the network segment the agent belongs to. An agent can only join and communicate with other agents within its network segment. Ensure the [join operation uses the correct port for this segment](/docs/enterprise/network-segments#join_a_client_to_a_segment). - Review the [Network Segments documentation](/docs/enterprise/network-segments) + Review the [Network Segments documentation](/consul/docs/enterprise/network-segments/create-network-segment) for more details. By default, this is an empty string, which is the `` network segment. @@ -321,13 +321,9 @@ information. This can be dynamically defined with a [go-sockaddr] template that is resolved at runtime. - If Consul is running on the non-default Serf LAN port, the port must - be specified in the join address, or configured as the agent's default Serf port - using the [`ports.serf_lan`](/docs/agent/config/config-files#serf_lan_port) configuration option or - [`-serf-lan-port`](#_serf_lan_port) command line flag. + If Consul is running on a non-default Serf LAN port, you must specify the port number in the address when using the `-retry-join` flag. Alternatively, you can specify the custom port number as the default in the agent's [`ports.serf_lan`](/docs/agent/config/config-files#serf_lan_port) configuration or with the [`-serf-lan-port`](#_serf_lan_port) command line flag when starting the agent. - If using network segments (Enterprise), see [additional documentation on - joining a client to a segment](/docs/enterprise/network-segments#join_a_client_to_a_segment). + If your network contains network segments, refer to the [network segements documentation](/docs/enterprise/network-segments/create-network-segment) for additional information. Here are some examples of using `-retry-join`: diff --git a/website/content/docs/agent/config/config-files.mdx b/website/content/docs/agent/config/config-files.mdx index f11c7c3e9d..7f3a1e6395 100644 --- a/website/content/docs/agent/config/config-files.mdx +++ b/website/content/docs/agent/config/config-files.mdx @@ -708,7 +708,7 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'." - `segments` - (Server agents only) This is a list of nested objects that specifies user-defined network segments, not including the `` segment, which is - created automatically. Review the [Network Segments documentation](/docs/enterprise/network-segments) + created automatically. Refer to the [network segments documentation](/docs/enterprise/network-segments/create-network-segment)for additional information. for more details. - `name` ((#segment_name)) - The name of the segment. Must be a string diff --git a/website/content/docs/enterprise/index.mdx b/website/content/docs/enterprise/index.mdx index 58aa5aca97..a0f9b4c355 100644 --- a/website/content/docs/enterprise/index.mdx +++ b/website/content/docs/enterprise/index.mdx @@ -33,7 +33,7 @@ The following features are [available in several forms of Consul Enterprise](#co ### Complex Network Topology Support - [Network Areas](/docs/enterprise/federation): Support complex network topologies between federated Consul datacenters with pairwise federation rather than full mesh federation -- [Network Segments](/docs/enterprise/network-segments): Support complex network topologies within a Consul datacenter by enforcing boundaries in Consul client gossip traffic +- [Network Segments](/docs/enterprise/network-segments/network-segments-overview): Support complex network topologies within a Consul datacenter by enforcing boundaries in Consul client gossip traffic ### Governance - [OIDC Auth Method](/docs/security/acl/auth-methods/oidc): Manage user access to Consul through an OIDC identity provider instead of Consul ACL tokens directly @@ -80,7 +80,7 @@ Available Enterprise features per Consul form and license include: | [Enhanced Read Scalability](/docs/enterprise/read-scale) | No | Yes | With Global Visibility, Routing, and Scale module | | [Namespaces](/docs/enterprise/namespaces) | All tiers | Yes | With Governance and Policy module | | [Network Areas](/docs/enterprise/federation) | No | Yes | With Global Visibility, Routing, and Scale module | -| [Network Segments](/docs/enterprise/network-segments) | No | Yes | With Global Visibility, Routing, and Scale module | +| [Network Segments](/docs/enterprise/network-segments/network-segments-overview) | No | Yes | With Global Visibility, Routing, and Scale module | | [OIDC Auth Method](/docs/security/acl/auth-methods/oidc) | No | Yes | Yes | | [Redundancy Zones](/docs/enterprise/redundancy) | Not applicable | Yes | With Global Visibility, Routing, and Scale module | | [Sentinel for KV](/docs/enterprise/sentinel) | All tiers | Yes | With Governance and Policy module | @@ -105,7 +105,7 @@ Consul Enterprise feature availability can change depending on your server and c | [Enhanced Read Scalability](/consul/docs/enterprise/read-scale) | ✅ | ✅ | ✅ | | [Namespaces](/consul/docs/enterprise/namespaces) | ✅ | ✅ | ✅ | | [Network Areas](/consul/docs/enterprise/federation) | ✅ | ✅ | ✅ | -| [Network Segments](/consul/docs/enterprise/network-segments) | ✅ | ❌ | ❌ | +| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ✅ | ❌ | ❌ | | [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ✅ | ✅ | ✅ | | [Redundancy Zones](/consul/docs/enterprise/redundancy) | ✅ | ✅ | ✅ | | [Sentinel ](/consul/docs/enterprise/sentinel) | ✅ | ✅ | ✅ | @@ -123,7 +123,7 @@ Consul Enterprise feature availability can change depending on your server and c | [Enhanced Read Scalability](/consul/docs/enterprise/read-scale) | ❌ | ❌ | ❌ | | [Namespaces](/consul/docs/enterprise/namespaces) | ✅ | ✅ | ❌ | | [Network Areas](/consul/docs/enterprise/federation) | ✅ | ✅ | ❌ | -| [Network Segments](/consul/docs/enterprise/network-segments) | ❌ | ❌ | ❌ | +| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ❌ | ❌ | ❌ | | [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ✅ | ✅ | ❌ | | [Redundancy Zones](/consul/docs/enterprise/redundancy) | ❌ | ❌ | ❌ | | [Sentinel ](/consul/docs/enterprise/sentinel) | ✅ | ✅ | ❌ | @@ -141,7 +141,7 @@ Consul Enterprise feature availability can change depending on your server and c | [Enhanced Read Scalability](/consul/docs/enterprise/read-scale) | ❌ | ❌ | ❌ | | [Namespaces](/consul/docs/enterprise/namespaces) | ✅ | ✅ | ✅ | | [Network Areas](/consul/docs/enterprise/federation) | ❌ | ❌ | ❌ | -| [Network Segments](/consul/docs/enterprise/network-segments) | ❌ | ❌ | ❌ | +| [Network Segments](/consul/docs/enterprise/network-segments/network-segments-overview) | ❌ | ❌ | ❌ | | [OIDC Auth Method](/consul/docs/security/acl/auth-methods/oidc) | ❌ | ❌ | ❌ | | [Redundancy Zones](/consul/docs/enterprise/redundancy) | n/a | n/a | n/a | | [Sentinel ](/consul/docs/enterprise/sentinel) | ✅ | ✅ | ✅ | diff --git a/website/content/docs/enterprise/network-segments.mdx b/website/content/docs/enterprise/network-segments.mdx deleted file mode 100644 index ce419a09b0..0000000000 --- a/website/content/docs/enterprise/network-segments.mdx +++ /dev/null @@ -1,235 +0,0 @@ ---- -layout: docs -page_title: Network Segments (Enterprise) -description: >- - Network segments enable LAN gossip in a datacenter when network rules or firewalls prevent specific sets of clients from communicating directly. Learn about configuring server and client agents to operate in segmented networks. ---- - -# Network Segments - - - -This feature requires version 0.9.3+ of -self-managed Consul Enterprise. -Refer to the [enterprise feature matrix](/docs/enterprise#consul-enterprise-feature-availability) for additional information. - - - -Consul requires full connectivity between all agents (servers and clients) in a -[datacenter](/docs/agent/config/cli-flags#_datacenter) within a given -LAN gossip pool. By default, all Consul agents will be a part of one shared Serf LAN -gossip pool known as the `` network segment, thus requiring full mesh -connectivity within the datacenter. - -![Consul datacenter default agent connectivity: one network segment](/img/network-segments/consul-network-segments-single.png) - -In some environments, full connectivity between all agents is not possible—known as a -"segmented network". This is usually the result of business policies enforced through -network rules or firewalls. To use Consul in a segmented network, you must break up -the LAN gossip pool along network communication boundaries into separate "network -segments". Network segments are isolated LAN gossip pools that only require full -connectivity between agent members on the same segment. - -![Consul datacenter agent connectivity with network segments](/img/network-segments/consul-network-segments-multiple.png) - -Complete the [Network Segments](https://learn.hashicorp.com/tutorials/consul/network-partition-datacenters) tutorial to learn more about network segments. - --> **Info:** Network segments enable you to operate a Consul datacenter without full -mesh (LAN) connectivity between agents. To federate multiple Consul datacenters -without full mesh (WAN) connectivity between all server agents in all datacenters, -use [Network Areas (Enterprise)](/docs/enterprise/federation). - -# Consul Networking Models - -To help set context for this feature, it is useful to understand the various -Consul networking models and their capabilities. - -**Cluster:** A set of Consul servers forming a Raft quorum along with a -collection of Consul clients, all set to the same -[datacenter](/docs/agent/config/cli-flags#_datacenter), and joined together to form -what we will call a "local cluster". Consul clients discover the Consul servers -in their local cluster through the gossip mechanism and make RPC requests to -them. LAN Gossip (OSS) is an open intra-cluster networking model, and Network -Segments (Enterprise) creates multiple segments within one cluster. - -**Federated Cluster:** A set of connected clusters, each representing a unique Consul “datacenter”. These Consul servers are federated together -over the WAN. Consul clients make use of resources in federated clusters by -forwarding RPCs through the Consul servers in their local cluster, but they -never interact with remote Consul servers directly. There are two tutorials that -will guide you through inter-cluster network models: - -1. [WAN gossip (OSS)](https://learn.hashicorp.com/consul/security-networking/datacenters) -1. [Network Areas (Enterprise)](https://learn.hashicorp.com/tutorials/consul/federation-network-areas). - -**LAN Gossip Pool**: A set of Consul agents that have full mesh connectivity -among themselves, and use Serf to maintain a shared view of the members of the -pool for different purposes, like finding a Consul server in a local cluster, -or finding servers in a remote cluster. A **segmented** LAN Gossip Pool limits a -group of agents to only connect with the agents in its segment. - -# Network Segments Configuration - -## Server Configuration - -Server agents are members of all segments. The datacenter includes a `` -segment, as well as additional segments defined in the -[`segments`](/docs/agent/config/config-files#segments) server agent configuration option. -Each additional segment is defined by: - -- a non-empty name -- a unique port -- optionally, a custom bind and advertise address for the additional segment's - Serf LAN listener on the server - -~> **Note:** Prior to Consul 1.7.3, a Consul server agent configured with too -many network segments may not be able to start due to [limitations](https://learn.hashicorp.com/tutorials/consul/network-partition-datacenters#network-segments-limitations) -in Serf. - -### Example Server Configuration - -The following server agent configuration will create two user-defined network -segments: `alpha` and `beta`. - - - -```hcl -segments = [ - { - name = "alpha" - bind = "{{GetPrivateIP}}" - advertise = "{{GetPrivateIP}}" - port = 8303 - }, - { - name = "beta" - bind = "{{GetPrivateIP}}" - advertise = "{{GetPrivateIP}}" - port = 8304 - } -] -``` - -```json -{ - "segments": [ - { - "name": "alpha", - "bind": "{{GetPrivateIP}}", - "advertise": "{{GetPrivateIP}}", - "port": 8303 - }, - { - "name": "beta", - "bind": "{{GetPrivateIP}}", - "advertise": "{{GetPrivateIP}}", - "port": 8304 - } - ] -} -``` - - - -The server [agent configuration](/docs/agent/config/config-files) options relevant to network -segments are: - -- [`ports.serf_lan`](/docs/agent/config/config-files#serf_lan_port): The Serf LAN port on this server - for the `` network segment's gossip pool. -- [`segments`](/docs/agent/config/config-files#segments): A list of user-defined network segments - on this server, including their names and Serf LAN ports. - -## Client Configuration - -Each client agent can only be a member of one segment at a time. This will be the -`` segment unless otherwise specified in the agent's -[`segment`](/docs/agent/config/cli-flags#_segment) agent configuration option. - -### Join a Client to a Segment ((#join_a_client_to_a_segment)) - -For a client agent to [join](/commands/join) the Consul -datacenter, it must connect to another agent (client or server) within its -configured segment. - - - - -Clients A and B specify the same segment S. Client B is already joined to the segment S -LAN gossip pool. Client A wants to join via Client B. In order to do so, Client A -must connect to Client B's configured [Serf LAN port](/docs/agent/config/config-files#serf_lan_port). - - - - -Client A specifies segment S and wants to join the segment S gossip pool via Server 1. -In order to do so, Client A must connect to Server 1's configured [Serf LAN port -for segment S](/docs/agent/config/config-files#segment_port). - - - - -There are several methods to specify the port used by the join operation, listed in order -of precedence: - -1. **Specify an explicit port in the join address**. This can be done at the CLI when starting - the agent (e.g., `consul agent -retry-join "client-b-address:8303"`), or in the agent's - configuration using the [retry-join option](/docs/agent/config/config-files#retry_join). This method - is not compatible with [cloud auto-join](/docs/install/cloud-auto-join#auto-join-with-network-segments). - -2. **Specify an alternate Serf LAN port for the agent**. This can be done at the CLI when starting - the agent (e.g., `consul agent -retry-join "client-b-address" -serf-lan-port 8303`), or in - the agent's configuration using the [serf_lan](/docs/agent/config/config-files#serf_lan_port) option. - When a Serf LAN port is not explicitly specified in the join address, the agent will attempt to - join the target host at the Serf LAN port specified in CLI or agent configuration. - -3. **Use the default Serf LAN port (8301)**. The agent will attempt to join the target host - on port 8301. - --> Agents within a segment can use different port numbers for their Serf LAN port. -For example, on the `` segment, Server S can use port 8301, Client A -can use 8303, and Client B can use 8304. However, if an agent wishes to join a -segment via an agent that uses a different port number, the target agent's Serf LAN -port must be specified in the join address (method 1 above). - -### Example Client Configuration - -The following client agent configuration will cause the agent to: - -- Open a Serf LAN listener port on 8303. -- Attempt to join the cluster via servers on port 8303 (since an alternate port is not - specified in the `retry_join` addresses). - - - -```hcl -node_name = "consul-client1" -retry_join = ["consul-server1", "consul-server2", "consul-server3"] -segment = "alpha" -ports = { - serf_lan = 8303 -} -``` - -```json -{ - "node_name": "consul-client1", - "retry_join": ["consul-server1", "consul-server2", "consul-server3"], - "segment": "alpha", - "ports": { - "serf_lan": 8303 - } -} -``` - - - -The client [agent configuration](/docs/agent/config/config-files) options relevant to network -segments are: - -- [`segment`](/docs/agent/config/config-files#segment-2): The name of the network segment this - client agent belongs to. -- [`ports.serf_lan`](/docs/agent/config/config-files#serf_lan_port): - Serf LAN port for the above segment on this client. This is not required - to match the configured Serf LAN port for other agents on this segment. -- [`retry_join`](/docs/agent/config/config-files#retry_join): A list of agent addresses to join - when starting. Ensure the correct Serf LAN port for this segment is used when joining - the LAN gossip pool using one of the [available configuration methods](#join_a_client_to_a_segment). diff --git a/website/content/docs/enterprise/network-segments/create-network-segment.mdx b/website/content/docs/enterprise/network-segments/create-network-segment.mdx new file mode 100644 index 0000000000..7517e9aefe --- /dev/null +++ b/website/content/docs/enterprise/network-segments/create-network-segment.mdx @@ -0,0 +1,193 @@ +--- +layout: docs +page_title: Create Network Segments +description: >- + Learn how to create Consul network segments to enable services in the LAN gossip pool to communicate across communication boundaries. +--- + +# Create Network Segments + +This topic describes how to create Consul network segments so that services can connect to other services in the LAN gossip pool that have been placed into separate communication boundaries. Refer to [Network Segments Overview](/consul/docs/enterprise/network-segments/network-segments-overview) for additional information. + + +## Requirements + +- Consul Enterprise 0.9.3+ + +## Define segments in the server configuration + +1. Add the `segments` block to your server configuration. Refer to the [`segments`](/consul/docs/agent/config/config-files#segments) documentation for details about how to define the configuration. + + In the following example, an `alpha` segment is configured to listen for traffic on port `8303` and a `beta` segment is configured to listen to traffic on port `8304`: + + + + ```hcl + segments = [ + { + name = "alpha" + bind = "10.0.0.1" + advertise = "10.0.0.1" + port = 8303 + }, + { + name = "beta" + bind = "10.0.0.1" + advertise = "10.0.0.1" + port = 8304 + } + ] + ``` + + ```json + { + "segments": [ + { + "name": "alpha", + "bind": "10.0.0.1", + "advertise": "10.0.0.1", + "port": 8303 + }, + { + "name": "beta", + "bind": "10.0.0.1", + "advertise": "10.0.0.1", + "port": 8304 + } + ] + } + ``` + + + +1. Start the server using the `consul agent` command. Copy the address for each segment listener so that you can [direct clients to join the segment](#configure-clients-to-join-segments) when you start them: + + ```shell-session + $ consul agent -config-file server.hcl + [INFO] serf: EventMemberJoin: server1.dc1 10.20.10.11 + [INFO] serf: EventMemberJoin: server1 10.20.10.11 + [INFO] consul: Started listener for LAN segment "alpha" on 10.20.10.11:8303 + [INFO] serf: EventMemberJoin: server1 10.20.10.11 + [INFO] consul: Started listener for LAN segment "beta" on 10.20.10.11:8304 + [INFO] serf: EventMemberJoin: server1 10.20.10.11 + ``` +1. Verfiy that the server is a member of all segments: + + ```shell-session + $ consul members + Node Address Status Type Build Protocol DC Segment + server1 10.20.10.11:8301 alive server 1.14+ent 2 dc1 + ``` + +## Configure clients to join segments + +Client agents can only be members of one segment at a time. You can direct clients to join a segment by specifying the address and name of the segment with the [`-join`](/consul/docs/agent/config/cli-flags#_join) and [`-segment`](/consul/docs/agent/config/cli-flags#_segment) command line flags when starting the agent. + +```shell-session +$ consul agent -config-file client.hcl -join 10.20.10.11:8303 -segment alpha +``` + +Alternatively, you can add the [`retry_join`](/consul/docs/agent/config/config-files#retry_join) and [`segment`](/consul/docs/agent/config/config-files#segment-1) parameters to your client agent configuration file: + +```hcl +node_name = "consul-client" +server = false +datacenter = "dc1" +data_dir = "consul/client-data" +log_level = "INFO" +retry_join = ["10.20.10.11:8303"] +segment = "alpha" +``` + +## Verify segments + +You can use the CLI, API, or GUI to verify which segments your agents have joined. + + + + + +Run the `consul members` command to verify that the client agents are joined to the correct segments: + + + +```shell-session +$ consul members +Node Address Status Type Build Protocol DC Partition Segment +server 192.168.4.159:8301 alive server 1.14+ent 2 dc1 default +client1 192.168.4.159:8447 alive client 1.14+ent 2 dc1 default alpha +``` + + + +You can also pass the name of a segment in the `-segment` flag to view agents in a specific segment. Note that server agents display their LAN listener port for the specified segment the segment filter applied. In the following example, the command returns port `8303` for alpha, rather than for the `` segment port: + + + +```shell-session +$ consul members -segment alpha +Node Address Status Type Build Protocol DC Segment +server1 10.20.10.11:8301 alive server 1.14+ent 2 dc1 alpha +client1 10.20.10.21:8303 alive client 1.14+ent 2 dc1 alpha +``` + + + +Refer to the [`members`](/consul/commands/members) documentation for additional information. + + + + + +Call the `/agent/members` API endpoint to view members that the agent sees in the cluster gossip pool. + + + +```shell-session +$ curl http://127.0.0.1:8500/v1/agent/members?segment=alpha + +{ + "Addr" : "192.168.4.163", + "DelegateCur" : 4, + "DelegateMax" : 5, + "DelegateMin" : 2, + "Name" : "consul-client", + "Port" : 8447, + "ProtocolCur" : 2, + "ProtocolMax" : 5, + "ProtocolMin" : 1, + "Status" : 1, + "Tags" : { + "build" : "1.13.1+ent:5bd604e6", + "dc" : "dc1", + "ft_admpart" : "1", + "ft_ns" : "1", + "id" : "aeaf70d7-57f7-7eaf-e246-6edfe8386e9c", + "role" : "node", + "segment" : "alpha", + "vsn" : "2", + "vsn_max" : "3", + "vsn_min" : "2" + } +} +``` +Refer to the [`/agent/members` API endpoint documentation](/consul/api-docs/agent#list-members) for additional information. + + + + + + +If the UI is enabled in your agent configuration, the segment name appears in the node’s Metadata tab. + +1. Open the URL for the UI. By default, the UI is `localhost:8500`. +1. Click **Node** in the sidebar and click on the name of the client agent you want to check. +1. Click the **Metadata** tab. The network segment appears as a key-value pair. + + + + + +## Related resources + +You can also create and run a prepared query to query for additional information about the services registered to client nodes. Prepared queries are HTTP API endpoint features that enable you to run complex queries of Consul nodes. Refer [Prepared Query HTTP Endpoint](/consul/api-docs/query) for usage. \ No newline at end of file diff --git a/website/content/docs/enterprise/network-segments/network-segments-overview.mdx b/website/content/docs/enterprise/network-segments/network-segments-overview.mdx new file mode 100644 index 0000000000..b6d50338ec --- /dev/null +++ b/website/content/docs/enterprise/network-segments/network-segments-overview.mdx @@ -0,0 +1,63 @@ +--- +layout: docs +page_title: Network Segments Overview +description: >- + Network segments enable LAN gossip traffic within a datacenter when network rules or firewalls prevent specific sets of clients from communicating directly. Learn about segmented network concepts. +--- + +# Network Segments Overview + +Network segmentation is the practice of dividing a network into multiple segments or subnets that act as independent networks. This topic provides an overview of concepts related to operating Consul in a segmented network. + + + +This feature requires Consul Enterprise version 0.9.3 or later. +Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information. + + + +## Segmented networks + +Consul requires full connectivity between all agents in a datacenter within a LAN gossip pool. In some environments, however, business policies enforced through network rules or firewalls prevent full connectivity between all agents. These environments are called _segmented networks_. Network segments are isolated LAN gossip pools that only require full connectivity between agent members on the same segment. + +To use Consul in a segmented network, you must define the segments in your server agent configuration and direct client agents to join one of the segments. The Consul network segment configuration should match the LAN gossip pool boundaries. The following diagram shows how a network may be segmented: + +![Consul datacenter agent connectivity with network segments](/img/network-segments/consul-network-segments-multiple.png) + +## Default network segment + +By default, all Consul agents are part of a shared Serf LAN gossip pool, referred to as the `` network segment. Because all agents are within the same segment, full mesh connectivity within the datacenter is required. The following diagram shows the `` network segment: + +![Consul datacenter default agent connectivity: one network segment](/img/network-segments/consul-network-segments-single.png) + +## Segment membership + +Server agents are members of all segments. The datacenter includes the `` segment, as well as additional segments defined in the `segments` server agent configuration option. Refer to the [`segments`](/consul/docs/agent/config/config-files#segments) documentation for additional information. + +Each client agent can only be a member of one segment at a time. Client agents are members of the `` segment unless they are configured to join a different segment. +For a client agent to join the Consul datacenter, it must connect to another agent (client or server) within its configured segment. + + + +Complete the [Network Segments](https://learn.hashicorp.com/tutorials/consul/network-partition-datacenters) tutorial to learn more about network segments. + +-> **Info:** Network segments enable you to operate a Consul datacenter without full +mesh (LAN) connectivity between agents. To federate multiple Consul datacenters +without full mesh (WAN) connectivity between all server agents in all datacenters, +use [Network Areas (Enterprise)](/docs/enterprise/federation). + +## Consul networking models + +Network segments are a subset of other Consul networking models. Understanding the broader models will help you segment your network. Refer to [Architecture Overview](/consul/docs/architecture) for additional information about the following concepts. + +### Clusters + +You can segment networks within a Consul _cluster_. A cluster is one or more Consul servers that form a Raft quorum and one or more Consul clients that are members of the same [datacenter](/consul/docs/agent/config/cli-flags#_datacenter). The cluster is sometimes called the _local cluster_. Consul clients discover and make RPC requests to Consul servers in their local cluster through the gossip mechanism. Consul OSS uses LAN gossip for intra-cluster communication between agents. + +### LAN gossip pool + +A set of fully-connected Consul agents is a _LAN gossip pool_. LAN gossip pools use the Serf protocol to maintain a shared view of the members of the pool for different purposes, such as finding a Consul server in a local cluster or finding servers in a remote cluster. A segmented LAN gossip pool limits a group of agents to only connect with the agents in its segment. + +## Network segments versus network areas + +Network segments enable you to operate a Consul datacenter without full mesh connectivity between agents using a LAN gossip pool. To federate multiple Consul datacenters without full mesh connectivity between all server agents in all datacenters, use [network areas](/consul/docs/enterprise/federation). Network areas are a Consul Enterprise capability. \ No newline at end of file diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 996413c504..f63bee29c6 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -1251,7 +1251,16 @@ }, { "title": "Network Segments", - "path": "enterprise/network-segments" + "routes":[ + { + "title": "Network Segments Overview", + "path": "enterprise/network-segments/network-segments-overview" + }, + { + "title": "Create a Network Segment", + "path": "enterprise/network-segments/create-network-segment" + } + ] }, { "title": "Namespaces",