mirror of
https://github.com/status-im/consul.git
synced 2025-01-11 22:34:55 +00:00
26a0ea1c39
Removing automatic connection wording for applications for the time being. From @blake > They can automatically establish TLS connections without being aware that TLS is happening. They are aware that they’re routed through the Connect proxy, the app has to configure itself to use the local upstream port.
67 lines
3.2 KiB
Markdown
67 lines
3.2 KiB
Markdown
---
|
|
layout: "docs"
|
|
page_title: "Connect (Service Segmentation)"
|
|
sidebar_current: "docs-connect-index"
|
|
description: |-
|
|
Consul Connect provides service-to-service connection authorization and
|
|
encryption using mutual TLS.
|
|
---
|
|
|
|
# Connect
|
|
|
|
Consul Connect provides service-to-service connection authorization and
|
|
encryption using mutual Transport Layer Security (TLS). Applications can use
|
|
[sidecar proxies](/docs/connect/proxies.html) in a service mesh configuration to
|
|
establish TLS connections for inbound and outbound connections without being aware
|
|
of Connect at all. Applications may also [natively integrate with Connect](/docs/connect/native.html)
|
|
for optimal performance and security. Connect can help you secure your services and provide data
|
|
about service-to-service
|
|
communications.
|
|
|
|
Review the video below to learn more about Consul Connect from HashiCorp's co-founder Armon.
|
|
|
|
<iframe src="https://www.youtube.com/embed/8T8t4-hQY74" frameborder="0" allowfullscreen="true" width="560" height="315" ></iframe>
|
|
|
|
## Application Security
|
|
|
|
Connect enables secure deployment best-practices with automatic
|
|
service-to-service encryption, and identity-based authorization.
|
|
Connect uses the registered service identity (rather than IP addresses) to
|
|
enforce access control with [intentions](/docs/connect/intentions.html). This
|
|
makes it easier to reason about access control and enables services to be
|
|
rescheduled by orchestrators including Kubernetes and Nomad. Intention
|
|
enforcement is network agnostic, so Connect works with physical networks, cloud
|
|
networks, software-defined networks, cross-cloud, and more.
|
|
|
|
## Observability
|
|
|
|
One of the key benefits of Consul Connect is the uniform and consistent view it can
|
|
provide of all the services on your network, irrespective of their different
|
|
programming languages and frameworks. When you configure Consul Connect to use
|
|
sidecar proxies, those proxies "see" all service-to-service traffic and can
|
|
collect data about it. Consul Connect can configure Envoy proxies to collect
|
|
layer 7 metrics and export them to tools like Prometheus. Correctly instrumented
|
|
applications can also send open tracing data through Envoy.
|
|
|
|
## Getting Started With Connect
|
|
|
|
There are several ways to try Connect in different environments.
|
|
|
|
- The [Connect introduction guide](https://learn.hashicorp.com/consul/getting-started/connect)
|
|
is a simple walk through of connecting two services on your local machine
|
|
using only Consul Connect, and configuring your first intention.
|
|
|
|
- The [Envoy guide](https://learn.hashicorp.com/consul/developer-segmentation/connect-envoy)
|
|
walks through using Envoy as a proxy. It uses Docker to run components
|
|
locally without installing anything else.
|
|
|
|
- The [Kubernetes guide](https://learn.hashicorp.com/consul/getting-started-k8s/minikube)
|
|
walks you through configuring Consul Connect in Kubernetes using the Helm
|
|
chart, and using intentions. You can run the guide on Minikube or an existing
|
|
Kubernetes cluster.
|
|
|
|
- The [observability guide](https://learn.hashicorp.com/consul/kubernetes/l7-observability-k8s)
|
|
shows how to deploy a basic metrics collection and visualization pipeline on
|
|
a Minikube or Kubernetes cluster using the official Helm charts for Consul,
|
|
Prometheus, and Grafana.
|