consul/website/pages/docs/connect/ingress-gateway.mdx

86 lines
4.7 KiB
Plaintext

---
layout: docs
page_title: Connect - Ingress Gateways
sidebar_title: Ingress Gateways <sup> Beta </sup>
description: >-
An ingress gateway enables ingress traffic from services outside the Consul
service mesh to services inside the Consul service mesh. This section details
how to use Envoy and describes how you can plug in a gateway of your choice.
---
# Ingress Gateways <sup> Beta </sup>
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer.
Ingress gateways enable ingress traffic from services outside the Consul
service mesh to services inside the Consul service mesh. An ingress gateway is
a type of proxy and must be registered as a service in Consul, with the
[kind](/api/agent/service#kind) set to "ingress-gateway". They are an
entrypoint for outside traffic and allow you to define what services should be
exposed and on what port. You configure an ingress gateway by defining a set of
[listeners](/docs/agent/config-entries/ingress-gateway#listeners) that each map
to a set of backing
[services](/docs/agent/config-entries/ingress-gateway#services).
Depending on the
[protocol](/docs/agent/config-entries/ingress-gateway#protocol) defined for a
listener, multiple services can be specified for a single listener. In this
case, the ingress gateway relies on host/authority headers to decide the
service that should receive the traffic.
To enable easier service discovery, a new Consul [DNS
subdomain](/docs/agent/dns#ingress-service-lookups) is provided, on
`<service>.ingress.<domain>`.
![Ingress Gateway Architecture](/img/ingress-gateways.png)
## Prerequisites
Ingress gateways also require that your Consul datacenters are configured correctly:
- You'll need to use Consul version 1.8.0.
- Consul [Connect](/docs/agent/options#connect) must be enabled on the datacenter's Consul servers.
- [gRPC](/docs/agent/options#grpc_port) must be enabled on all client agents.
Currently, [Envoy](https://www.envoyproxy.io/) is the only proxy with ingress gateway capabilities in Consul.
## Running and Using an Ingress Gateway
You must complete the following steps to configure an ingress gateway to proxy traffic to services in the Consul service mesh:
1. On a host with a Consul client agent, start an Envoy proxy using the [envoy
subcommand](/docs/commands/connect/envoy), specifying the `ingress` gateway
type:
```shell
$ consul connect envoy -gateway=ingress -register -service ingress-service \
-address '{{ GetInterfaceIP "eth0" }}:8888'
```
2. Create and apply an `ingress-gateway` [configuration entry](/docs/agent/config-entries/ingress-gateway) that defines
a set of listeners that expose the desired backing services. The config entry can be applied via the
[CLI](/docs/commands/config/write) or [API](/api/config#apply-configuration).
3. Ensure that [Consul intentions](/docs/commands/intention) are setup to allow connections from the ingress gateway to the backing services.
4. **Optionally** use the `<service>.ingress.<domain>` [DNS subdomain](/docs/agent/dns#ingress-service-lookups) to discover the ingress
gateways for a service.
## Ingress Gateway Configuration
Ingress gateways are configured in service definitions and registered with Consul like other services, with two exceptions.
The first is that the [kind](/api/agent/service#kind) must be "ingress-gateway". Second,
the ingress gateway service definition may contain a `Proxy.Config` entry just like a
Connect proxy service, to define opaque configuration parameters useful for the actual proxy software.
For Envoy there are some supported [gateway options](/docs/connect/proxies/envoy#gateway-options) as well as
[escape-hatch overrides](/docs/connect/proxies/envoy#escape-hatch-overrides).
-> **Note:** If ACLs are enabled, ingress gateways must be registered with a token granting `service:write` for the ingress gateway's service name,
`service:read` for all services in the ingress gateway's configuration entry, and `node:read` for all nodes of the services
in the ingress gateway's configuration entry. These privileges authorize the token to route communications to other Connect services.
If the Consul client agent on the gateway's node is not configured to use the default gRPC port, 8502, then the gateway's token
must also provide `agent:read` for its node's name in order to discover the agent's gRPC port. gRPC is used to expose Envoy's xDS API to Envoy proxies.
~> [Configuration entries](/docs/agent/config-entries) are global in scope. A configuration entry for a gateway name applies
across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different
sets of services within their datacenter then the ingress gateways **must** be registered with different names.