consul/website/content/docs/enterprise/network-segments/network-segments-overview.mdx

62 lines
4.6 KiB
Plaintext

---
layout: docs
page_title: Network Segments Overview
description: >-
Network segments enable LAN gossip traffic within a datacenter when network rules or firewalls prevent specific sets of clients from communicating directly. Learn about segmented network concepts.
---
# Network Segments Overview
Network segmentation is the practice of dividing a network into multiple segments or subnets that act as independent networks. This topic provides an overview of concepts related to operating Consul in a segmented network.
<EnterpriseAlert>
This feature requires Consul Enterprise version 0.9.3 or later.
Refer to the [enterprise feature matrix](/consul/docs/enterprise#consul-enterprise-feature-availability) for additional information.
</EnterpriseAlert>
## Segmented networks
Consul requires full connectivity between all agents in a datacenter within a LAN gossip pool. In some environments, however, business policies enforced through network rules or firewalls prevent full connectivity between all agents. These environments are called _segmented networks_. Network segments are isolated LAN gossip pools that only require full connectivity between agent members on the same segment.
To use Consul in a segmented network, you must define the segments in your server agent configuration and direct client agents to join one of the segments. The Consul network segment configuration should match the LAN gossip pool boundaries. The following diagram shows how a network may be segmented:
![Consul datacenter agent connectivity with network segments](/img/network-segments/consul-network-segments-multiple.png)
## Default network segment
By default, all Consul agents are part of a shared Serf LAN gossip pool, referred to as the `<default>` network segment. Because all agents are within the same segment, full mesh connectivity within the datacenter is required. The following diagram shows the `<default>` network segment:
![Consul datacenter default agent connectivity: one network segment](/img/network-segments/consul-network-segments-single.png)
## Segment membership
Server agents are members of all segments. The datacenter includes the `<default>` segment, as well as additional segments defined in the `segments` server agent configuration option. Refer to the [`segments`](/consul/docs/agent/config/config-files#segments) documentation for additional information.
Each client agent can only be a member of one segment at a time. Client agents are members of the `<default>` segment unless they are configured to join a different segment.
For a client agent to join the Consul datacenter, it must connect to another agent (client or server) within its configured segment.
Read the [Network Segments documentation](/consul/docs/enterprise/network-segments/network-segments-overview) to learn more about network segments.
-> **Info:** Network segments enable you to operate a Consul datacenter without full
mesh (LAN) connectivity between agents. To federate multiple Consul datacenters
without full mesh (WAN) connectivity between all server agents in all datacenters,
use [Network Areas (Enterprise)](/consul/docs/enterprise/federation).
## Consul networking models
Network segments are a subset of other Consul networking models. Understanding the broader models will help you segment your network. Refer to [Architecture Overview](/consul/docs/architecture) for additional information about the following concepts.
### Clusters
You can segment networks within a Consul _cluster_. A cluster is one or more Consul servers that form a Raft quorum and one or more Consul clients that are members of the same [datacenter](/consul/docs/agent/config/cli-flags#_datacenter). The cluster is sometimes called the _local cluster_. Consul clients discover and make RPC requests to Consul servers in their local cluster through the gossip mechanism. Consul CE uses LAN gossip for intra-cluster communication between agents.
### LAN gossip pool
A set of fully-connected Consul agents is a _LAN gossip pool_. LAN gossip pools use the Serf protocol to maintain a shared view of the members of the pool for different purposes, such as finding a Consul server in a local cluster or finding servers in a remote cluster. A segmented LAN gossip pool limits a group of agents to only connect with the agents in its segment.
## Network segments versus network areas
Network segments enable you to operate a Consul datacenter without full mesh connectivity between agents using a LAN gossip pool. To federate multiple Consul datacenters without full mesh connectivity between all server agents in all datacenters, use [network areas](/consul/docs/enterprise/federation). Network areas are a Consul Enterprise capability.