Securely connect your services with Consul service mesh
In this tutorial, you will deploy HashiCups, a demo application, and integrate it with Consul service mesh. After deploying HashiCups, you will explore service-to-service traffic permissions with intentions.
You will use the resources created in this tutorial in the following tutorials to enable external traffic ingress with Consul API Gateway and explore service mesh observability.
In this tutorial, you will:
- Deploy the demo application HashiCups
- View Consul services
- Test the demo application
- Configure service-to-service traffic permissions with intentions
Prerequisites
The tutorial assumes that you have successfully completed the first tutorial in this getting started collection.
For this tutorial, you will need:
Deploy the demo application
In this section, you will deploy the demo application HashiCups that will let you explore Consul's service mesh features.
Consul uses Envoy proxy sidecars to provide service mesh capabilities to your applications. In this case, each HashiCups Kubernetes deployment spec contains the consul.hashicorp.com/connect-inject: "true" Kubernetes annotation. This annotation tells Consul to inject an Envoy proxy sidecar into the pod alongside the application container; a workload deployed without it is not part of the mesh and is not governed by intentions.
hashicups/v1/frontend.yaml
## ...
apiVersion: apps/v1
kind: Deployment
## ...
spec:
  replicas: 1
  ## ...
  template:
    metadata:
      labels:
        service: frontend
        app: frontend
      annotations:
        consul.hashicorp.com/connect-inject: "true"
    spec:
      serviceAccountName: frontend
      containers:
        - name: frontend
          ## ...
Deploy the HashiCups application.
$ kubectl apply --filename hashicups/v1/
Check the pods to confirm they are all running.
$ kubectl get pods --namespace default
NAMESPACE   NAME                               READY   STATUS    RESTARTS   AGE
default     frontend-5d7f97456b-4h7mj          2/2     Running   0          67s
default     nginx-7445d8d8c4-nmht9             2/2     Running   0          67s
default     payments-6888957c45-r5lks          2/2     Running   0          68s
default     product-api-7fcf6cd96f-brdvf       2/2     Running   0          67s
default     product-api-db-855dbcc787-4pv9k    2/2     Running   0          67s
default     public-api-7b985f985c-8hwwf        2/2     Running   0          67s
Tip
The initial HashiCups deployment will take about 1-2 minutes to complete.
The diagram below shows the services running in your Kubernetes cluster. This includes the service mesh layer and HashiCups microservice application pods.
View Consul services
In this section, you will view your Consul services with the CLI, UI, and/or API to explore the details of your service mesh.
In your terminal, run the CLI command consul catalog services to return the list of services registered in Consul. Notice each service has a corresponding sidecar proxy.
$ consul catalog services
consul
frontend
frontend-sidecar-proxy
nginx
nginx-sidecar-proxy
payments
payments-sidecar-proxy
product-api
product-api-db
product-api-db-sidecar-proxy
product-api-sidecar-proxy
public-api
public-api-sidecar-proxy
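The READY column above (2/2) and the paired -sidecar-proxy entries are the two places where a workload that was deployed without the connect-inject annotation would show up. The following script is an added example, not part of the tutorial or of Consul: it parses a constructed copy of the consul catalog services output and reports application services that have no sidecar registered, plus sidecars whose parent service is gone. The service name legacy-batch is a hypothetical workload added to the sample to exercise the check; the consul entry is Consul's own server service and is excluded because it never carries a sidecar.

```python
"""Find services that are registered in Consul but not enrolled in the mesh.

Added example (not Consul's or HashiCorp's code). Input is a constructed copy
of the `consul catalog services` output from the tutorial, with one extra
hypothetical service, "legacy-batch", that lacks a sidecar proxy.
"""

# Constructed sample output; "legacy-batch" is hypothetical and not on the page.
CATALOG_OUTPUT = """\
consul
frontend
frontend-sidecar-proxy
legacy-batch
nginx
nginx-sidecar-proxy
payments
payments-sidecar-proxy
product-api
product-api-db
product-api-db-sidecar-proxy
product-api-sidecar-proxy
public-api
public-api-sidecar-proxy
"""

SIDECAR_SUFFIX = "-sidecar-proxy"
# Consul's own server service is infrastructure, not a mesh workload.
INFRA_SERVICES = {"consul"}


def parse_catalog(text):
    """Turn the one-name-per-line CLI output into a set of service names."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def unmeshed_services(names):
    """Application services with no matching <name>-sidecar-proxy registration.

    Traffic to or from such a service bypasses Envoy and therefore bypasses
    intentions, so each one is a gap in the mesh policy.
    """
    return sorted(
        name
        for name in names
        if not name.endswith(SIDECAR_SUFFIX)
        and name not in INFRA_SERVICES
        and name + SIDECAR_SUFFIX not in names
    )


def orphan_sidecars(names):
    """Sidecar registrations whose parent service is no longer in the catalog."""
    return sorted(
        name
        for name in names
        if name.endswith(SIDECAR_SUFFIX)
        and name[: -len(SIDECAR_SUFFIX)] not in names
    )


if __name__ == "__main__":
    catalog = parse_catalog(CATALOG_OUTPUT)
    print("services without a sidecar:", unmeshed_services(catalog))
    print("sidecars without a service:", orphan_sidecars(catalog))
```

In a real cluster you would feed the script the live output (for example, consul catalog services piped into it) and treat any entry in the first list as a workload that still needs the annotation.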
This configuration deployed Consul in secure mode with ACLs set to a default deny policy; the ACL tokens and service identities are managed automatically by Consul and Kubernetes. With default deny in place, the only allowed service-to-service communications are the ones explicitly specified by intentions.
Run the CLI command consul intention list to return the list of intentions defined in Consul.
$ consul intention list
There are no intentions.
Since you have not defined any intentions yet, at this time Consul will deny all service-to-service traffic.
Test the demo application
Open a separate terminal window and expose the HashiCups UI with kubectl port-forward using the nginx service name as the target.
$ kubectl port-forward svc/nginx --namespace default 8080:80
Open http://localhost:8080 in your browser. Notice that while you can reach the nginx instance because of the port forwarding, the nginx service is unable to access its upstreams and the connection is refused. This is expected behavior since you have not defined any intentions yet.
Create intentions
To see how intentions affect communication between the services in your service mesh, you will create intentions following the "least-privilege" principle that allow communication between your services.
Open hashicups/intentions/allow.yaml to review the intentions configuration file. This file defines multiple intentions that will allow the HashiCups services to interact with each other.
hashicups/intentions/allow.yaml
---
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: frontend
  namespace: default
# Allow traffic from nginx to frontend
spec:
  destination:
    name: frontend
  sources:
    - name: nginx
      action: allow
---
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: public-api
  namespace: default
# Allow traffic from nginx to public-api
spec:
  destination:
    name: public-api
  sources:
    - name: nginx
      action: allow
## ...
Deploy the service intentions to allow the HashiCups services to interact with each other.
$ kubectl apply --filename hashicups/intentions/allow.yaml
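The behaviour you saw before and after applying the file (connection refused first, then a working UI) is the result of a simple evaluation: for a given destination, Consul looks for an intention whose source matches the caller, an exact source name takes precedence over a wildcard source ("*"), and with no match the mesh default of deny applies. The script below is an added example, not Consul's code, that models that evaluation over intentions written as plain dicts mirroring the ServiceIntentions spec above, and adds a least-privilege audit that flags wildcard allows. Only the two nginx intentions come from the page; the payments intention with a "*" source is a hypothetical, deliberately over-broad entry included so the audit has something to report.

```python
"""Offline model of Consul intention evaluation plus a least-privilege audit.

Added example, not Consul's implementation. Assumptions: the mesh runs with the
default-deny policy described in the tutorial, and an exact source match takes
precedence over a wildcard ("*") source, as in Consul's precedence rules.
"""

# Intentions as dicts mirroring the ServiceIntentions spec fields.
# The first two mirror hashicups/intentions/allow.yaml; the third is a
# hypothetical over-broad intention used to exercise the audit.
INTENTIONS = [
    {"destination": "frontend",
     "sources": [{"name": "nginx", "action": "allow"}]},
    {"destination": "public-api",
     "sources": [{"name": "nginx", "action": "allow"}]},
    {"destination": "payments",  # hypothetical, not from the tutorial
     "sources": [{"name": "*", "action": "allow"},
                 {"name": "nginx", "action": "deny"}]},
]

DEFAULT_ACTION = "deny"  # mesh default under the tutorial's default-deny setup


def is_allowed(intentions, source, destination):
    """Return True if traffic from `source` to `destination` is permitted.

    Scans intentions for the destination; an exact source match beats a
    wildcard match; if nothing matches, the mesh default (deny) applies.
    """
    exact = wildcard = None
    for intention in intentions:
        if intention["destination"] != destination:
            continue
        for src in intention["sources"]:
            if src["name"] == source:
                exact = src["action"]
            elif src["name"] == "*":
                wildcard = src["action"]
    action = exact or wildcard or DEFAULT_ACTION
    return action == "allow"


def denied_edges(intentions, edges):
    """Return the (source, destination) pairs that would be refused."""
    return [edge for edge in edges if not is_allowed(intentions, *edge)]


def audit_wildcards(intentions):
    """Flag destinations that accept traffic from any source.

    A wildcard allow contradicts the least-privilege model the tutorial
    follows, so each one is reported for review.
    """
    return sorted(
        f"{intention['destination']}: allows traffic from any source"
        for intention in intentions
        for src in intention["sources"]
        if src["name"] == "*" and src["action"] == "allow"
    )


if __name__ == "__main__":
    # Edges the page demonstrates: nginx reaching its two upstreams.
    required = [("nginx", "frontend"), ("nginx", "public-api")]
    print("refused with no intentions:", denied_edges([], required))
    print("refused with allow.yaml applied:", denied_edges(INTENTIONS, required))
    print("audit findings:", audit_wildcards(INTENTIONS))
```

The empty intention list reproduces the "connection refused" state from the earlier section; the populated list reproduces the working UI; and the audit is the check to run against your own intention files before applying them.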
Confirm applied intentions
Open a separate terminal window and expose the HashiCups UI with kubectl port-forward using the nginx service name as the target.
$ kubectl port-forward svc/nginx --namespace default 8080:80
Check out the HashiCups UI at http://localhost:8080. Notice that the application is now fully functional.
Next steps
In this tutorial, you deployed the demo application HashiCups into your Consul service mesh. After deploying HashiCups, you used intentions to control communication between services in your service mesh.
In the next tutorial, you will deploy a Consul API Gateway to control ingress into your service mesh applications.
For more information about the topics covered in this tutorial, refer to the following resources: