open-consul/website/source/docs/connect/index.html.md

---
layout: "docs"
page_title: "Connect (Service Segmentation)"
sidebar_current: "docs-connect-index"
description: |-
  Consul Connect provides service-to-service connection authorization and encryption using mutual TLS.
---

# Connect

Consul Connect provides service-to-service connection authorization
and encryption using mutual TLS. Applications can use
[sidecar proxies](/docs/connect/proxies.html)
to automatically establish TLS connections for inbound and outbound connections
without being aware of Connect at all. Applications may also
[natively integrate with Connect](/docs/connect/native.html)
for optimal performance and security.

Connect enables deployment best-practices with service-to-service encryption
everywhere and identity-based authorization. Rather than authorizing host-based
access with IP address access rules, Connect uses the registered service
identity to enforce access control with [intentions](/docs/connect/intentions.html).
This makes it much easier to reason about access control and also enables
services to freely move, such as in a scheduled environment with software
such as Kubernetes or Nomad. Additionally, intention enforcement can be done
regardless of the underlying network, so Connect works with physical networks,
cloud networks, software-defined networks, cross-cloud, and more.

## How it Works

The core of Connect is based on [mutual TLS](https://en.wikipedia.org/wiki/Mutual_authentication).

Connect provides each service with an identity encoded as a TLS certificate.
This certificate is used to establish and accept connections to and from other
services. The identity is encoded in the TLS certificate in compliance with
the [SPIFFE X.509 Identity Document](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md).
This enables Connect services to establish and accept connections with
other SPIFFE-compliant systems.

The client service verifies the destination service certificate
against the [public CA bundle](/api/connect/ca.html#list-ca-root-certificates).
This is very similar to a typical HTTPS web browser connection. In addition
to this, the client provides its own client certificate to show its
identity to the destination service. If the connection handshake succeeds,
the connection is encrypted and authorized.

The destination service verifies the client certificate
against the [public CA bundle](/api/connect/ca.html#list-ca-root-certificates).
After verifying the certificate, it must also call the
[authorization API](/api/agent/connect.html#authorize) to authorize
the connection against the configured set of Consul intentions.
If the authorization API responds successfully, the connection is established.
Otherwise, the connection is rejected.

To generate and distribute certificates, Consul has a built-in CA that
requires no other dependencies, and
also ships with built-in support for [Vault](/docs/connect/ca/vault.html). The PKI system is designed to be pluggable
and can be extended to support any system by adding additional CA providers.

All APIs required for Connect typically respond in microseconds and impose
minimal overhead to existing services. This is because the Connect-related
APIs are all made to the local Consul agent over a loopback interface, and all
[agent Connect endpoints](/api/agent/connect.html) implement
local caching, background updating, and support blocking queries. As a result,
most API calls operate on purely local in-memory data and can respond
in microseconds.

## Getting Started With Connect

There are several ways to try Connect in different environments.

 * The [Connect introduction](https://learn.hashicorp.com/consul/getting-started/connect) in the
   Getting Started guide provides a simple walk through of getting two services
   to communicate via Connect using only Consul directly on your local machine.

 * The [Envoy guide](/docs/guides/connect-envoy.html) walks through getting
   started with Envoy as a proxy, and uses Docker to run components locally
   without installing anything else.

 * The [Kubernetes documentation](/docs/platform/k8s/run.html) shows how to get
   from an empty Kubernetes cluster to having Consul installed and Envoy
   configured to proxy application traffic automatically using the official helm
   chart.

## Agent Caching and Performance

To enable microsecond-speed responses on
[agent Connect API endpoints](/api/agent/connect.html), the Consul agent
locally caches most Connect-related data and sets up background
[blocking queries](/api/index.html#blocking-queries) against the server
to update the cache in the background. This allows most API calls such
as retrieving certificates or authorizing connections to use in-memory
data and respond very quickly.

All data cached locally by the agent is populated on demand. Therefore,
if Connect is not used at all, the cache does not store any data. On first
request, the data is loaded from the server and cached. The set of data cached
is: public CA root certificates, leaf certificates, and intentions. For
leaf certificates and intentions, only data related to the service requested
is cached, not the full set of data.

Further, the cache is partitioned by ACL token and datacenters. This is done
to minimize the complexity of the cache and prevent bugs where an ACL token
may see data it shouldn't from the cache. This results in higher memory usage
for cached data since it is duplicated per ACL token, but with the benefit
of simplicity and security.

With Connect enabled, you'll likely see increased memory usage by the
local Consul agent. The total memory is dependent on the number of intentions
related to the services registered with the agent accepting Connect-based
connections. The other data (leaf certificates and public CA certificates)
is a relatively fixed size per service. In most cases, the overhead per
service should be relatively small: single digit kilobytes at most.

The cache does not evict entries due to memory pressure. If memory capacity
is reached, the process will attempt to swap. If swap is disabled, the Consul
agent may begin failing and eventually crash. Cache entries do have TTLs
associated with them and will evict their entries if they're not used. Given
a long period of inactivity (3 days by default), the cache will empty itself.

## Multi-Datacenter

Using Connect for service-to-service communications across multiple datacenters 
requires Consul Enterprise. 

With Open Source Consul, Connect may be enabled on multiple Consul datacenters, 
but only services within the same datacenter can establish Connect-based, 
Authenticated and Authorized connections. In this version, Certificate Authority
configurations and intentions are both local to their respective datacenters; 
they are not replicated across datacenters.

Full multi-datacenter support for Connect is available in
[Consul Enterprise](/docs/enterprise/connect-multi-datacenter/index.html).
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`---`
			`layout: "docs"`
			`page_title: "Connect (Service Segmentation)"`
			`sidebar_current: "docs-connect-index"`
			`description: \|-`
			`Consul Connect provides service-to-service connection authorization and encryption using mutual TLS.`
			`---`

			`# Connect`

			`Consul Connect provides service-to-service connection authorization`
			`and encryption using mutual TLS. Applications can use`
			`[sidecar proxies](/docs/connect/proxies.html)`
			`to automatically establish TLS connections for inbound and outbound connections`
			`without being aware of Connect at all. Applications may also`
			`[natively integrate with Connect](/docs/connect/native.html)`
			`for optimal performance and security.`

website: how it works 2018-05-31 03:57:42 +00:00			`Connect enables deployment best-practices with service-to-service encryption`
			`everywhere and identity-based authorization. Rather than authorizing host-based`
			`access with IP address access rules, Connect uses the registered service`
			`identity to enforce access control with [intentions](/docs/connect/intentions.html).`
			`This makes it much easier to reason about access control and also enables`
			`services to freely move, such as in a scheduled environment with software`
			`such as Kubernetes or Nomad. Additionally, intention enforcement can be done`
			`regardless of the underlying network, so Connect works with physical networks,`
			`cloud networks, software-defined networks, cross-cloud, and more.`

Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`## How it Works`

website: how it works 2018-05-31 03:57:42 +00:00			`The core of Connect is based on [mutual TLS](https://en.wikipedia.org/wiki/Mutual_authentication).`

			`Connect provides each service with an identity encoded as a TLS certificate.`
			`This certificate is used to establish and accept connections to and from other`
			`services. The identity is encoded in the TLS certificate in compliance with`
			`the [SPIFFE X.509 Identity Document](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md).`
			`This enables Connect services to establish and accept connections with`
			`other SPIFFE-compliant systems.`

			`The client service verifies the destination service certificate`
			`against the [public CA bundle](/api/connect/ca.html#list-ca-root-certificates).`
			`This is very similar to a typical HTTPS web browser connection. In addition`
			`to this, the client provides its own client certificate to show its`
			`identity to the destination service. If the connection handshake succeeds,`
			`the connection is encrypted and authorized.`

			`The destination service verifies the client certificate`
			`against the [public CA bundle](/api/connect/ca.html#list-ca-root-certificates).`
			`After verifying the certificate, it must also call the`
			`[authorization API](/api/agent/connect.html#authorize) to authorize`
			`the connection against the configured set of Consul intentions.`
			`If the authorization API responds successfully, the connection is established.`
			`Otherwise, the connection is rejected.`

			`To generate and distribute certificates, Consul has a built-in CA that`
			`requires no other dependencies, and`
website: fixed ca provider references (#5185) Fixes https://github.com/hashicorp/consul/issues/5182. 2019-01-08 02:47:02 +00:00			`also ships with built-in support for [Vault](/docs/connect/ca/vault.html). The PKI system is designed to be pluggable`
			`and can be extended to support any system by adding additional CA providers.`
website: how it works 2018-05-31 03:57:42 +00:00
			`All APIs required for Connect typically respond in microseconds and impose`
			`minimal overhead to existing services. This is because the Connect-related`
			`APIs are all made to the local Consul agent over a loopback interface, and all`
			`[agent Connect endpoints](/api/agent/connect.html) implement`
			`local caching, background updating, and support blocking queries. As a result,`
			`most API calls operate on purely local in-memory data and can respond`
			`in microseconds.`
website: document multi-DC, caching, clarify prepared queries and multi-DC 2018-06-06 22:10:52 +00:00
[WIP] Initial draft of Sidecar Service and Managed Proxy deprecation docs (#4752) * Initial draft of Sidecar Service and Managed Proxy deprecation docs * Service definition deprecation notices and sidecar service * gRPC and sidecar service config options; Deprecate managed proxy options * Envoy Docs: Basic envoy command; envoy getting started/intro * Remove change that snuck in * Envoy custom config example * Add agent/service API docs; deprecate proxy config endpoint * Misc grep cleanup for managed proxies; capitalize Envoy * Updates to getting started guide * Add missing link * Refactor Envoy guide into a separate guide and add bootstrap reference notes. * Add limitations to Envoy docs; Highlight no fixes for known managed proxy issues on deprecation page; clarify snake cae stuff; Sidecar Service lifecycle 2018-10-11 09:44:42 +00:00			`## Getting Started With Connect`

			`There are several ways to try Connect in different environments.`

Fixes URL paths to learn.hashicorp.com Removes `.html` when not needed in order to clean up analytics. 2018-11-28 23:39:28 +00:00			`* The [Connect introduction](https://learn.hashicorp.com/consul/getting-started/connect) in the`
[WIP] Initial draft of Sidecar Service and Managed Proxy deprecation docs (#4752) * Initial draft of Sidecar Service and Managed Proxy deprecation docs * Service definition deprecation notices and sidecar service * gRPC and sidecar service config options; Deprecate managed proxy options * Envoy Docs: Basic envoy command; envoy getting started/intro * Remove change that snuck in * Envoy custom config example * Add agent/service API docs; deprecate proxy config endpoint * Misc grep cleanup for managed proxies; capitalize Envoy * Updates to getting started guide * Add missing link * Refactor Envoy guide into a separate guide and add bootstrap reference notes. * Add limitations to Envoy docs; Highlight no fixes for known managed proxy issues on deprecation page; clarify snake cae stuff; Sidecar Service lifecycle 2018-10-11 09:44:42 +00:00			`Getting Started guide provides a simple walk through of getting two services`
			`to communicate via Connect using only Consul directly on your local machine.`

			`* The [Envoy guide](/docs/guides/connect-envoy.html) walks through getting`
			`started with Envoy as a proxy, and uses Docker to run components locally`
			`without installing anything else.`

			`* The [Kubernetes documentation](/docs/platform/k8s/run.html) shows how to get`
			`from an empty Kubernetes cluster to having Consul installed and Envoy`
			`configured to proxy application traffic automatically using the official helm`
			`chart.`

website: document multi-DC, caching, clarify prepared queries and multi-DC 2018-06-06 22:10:52 +00:00			`## Agent Caching and Performance`

			`To enable microsecond-speed responses on`
			`[agent Connect API endpoints](/api/agent/connect.html), the Consul agent`
			`locally caches most Connect-related data and sets up background`
			`[blocking queries](/api/index.html#blocking-queries) against the server`
			`to update the cache in the background. This allows most API calls such`
			`as retrieving certificates or authorizing connections to use in-memory`
			`data and respond very quickly.`

			`All data cached locally by the agent is populated on demand. Therefore,`
			`if Connect is not used at all, the cache does not store any data. On first`
			`request, the data is loaded from the server and cached. The set of data cached`
			`is: public CA root certificates, leaf certificates, and intentions. For`
			`leaf certificates and intentions, only data related to the service requested`
			`is cached, not the full set of data.`

			`Further, the cache is partitioned by ACL token and datacenters. This is done`
			`to minimize the complexity of the cache and prevent bugs where an ACL token`
			`may see data it shouldn't from the cache. This results in higher memory usage`
			`for cached data since it is duplicated per ACL token, but with the benefit`
			`of simplicity and security.`

			`With Connect enabled, you'll likely see increased memory usage by the`
			`local Consul agent. The total memory is dependent on the number of intentions`
			`related to the services registered with the agent accepting Connect-based`
			`connections. The other data (leaf certificates and public CA certificates)`
			`is a relatively fixed size per service. In most cases, the overhead per`
			`service should be relatively small: single digit kilobytes at most.`

			`The cache does not evict entries due to memory pressure. If memory capacity`
			`is reached, the process will attempt to swap. If swap is disabled, the Consul`
			`agent may begin failing and eventually crash. Cache entries do have TTLs`
			`associated with them and will evict their entries if they're not used. Given`
			`a long period of inactivity (3 days by default), the cache will empty itself.`

			`## Multi-Datacenter`

Doc changes for 1.4 Final (#4870) * website: add multi-dc enterprise landing page * website: switch all 1.4.0 alerts/RC warnings * website: connect product wording Co-Authored-By: pearkes <jackpearkes@gmail.com> * website: remove RC notification * commmand/acl: fix usage docs for ACL tokens * agent: remove comment, OperatorRead * website: improve multi-dc docs Still not happy with this but tried to make it slightly more informative. * website: put back acl guide warning for 1.4.0 * website: simplify multi-dc page and respond to feedback * Fix Multi-DC typos on connect index page. * Improve Multi-DC overview. A full guide is a WIP and will be added post-release. * Fixes typo avaiable > available 2018-11-13 13:43:53 +00:00			`Using Connect for service-to-service communications across multiple datacenters`
			`requires Consul Enterprise.`

			`With Open Source Consul, Connect may be enabled on multiple Consul datacenters,`
			`but only services within the same datacenter can establish Connect-based,`
			`Authenticated and Authorized connections. In this version, Certificate Authority`
			`configurations and intentions are both local to their respective datacenters;`
website: document multi-DC, caching, clarify prepared queries and multi-DC 2018-06-06 22:10:52 +00:00			`they are not replicated across datacenters.`

Doc changes for 1.4 Final (#4870) * website: add multi-dc enterprise landing page * website: switch all 1.4.0 alerts/RC warnings * website: connect product wording Co-Authored-By: pearkes <jackpearkes@gmail.com> * website: remove RC notification * commmand/acl: fix usage docs for ACL tokens * agent: remove comment, OperatorRead * website: improve multi-dc docs Still not happy with this but tried to make it slightly more informative. * website: put back acl guide warning for 1.4.0 * website: simplify multi-dc page and respond to feedback * Fix Multi-DC typos on connect index page. * Improve Multi-DC overview. A full guide is a WIP and will be added post-release. * Fixes typo avaiable > available 2018-11-13 13:43:53 +00:00			`Full multi-datacenter support for Connect is available in`
			`[Consul Enterprise](/docs/enterprise/connect-multi-datacenter/index.html).`