open-consul/website/content/docs/connect/configuration.mdx

---
layout: docs
page_title: Connect - Configuration
description: >-
  A Connect-aware proxy enables unmodified applications to use Connect. A
  per-service proxy sidecar transparently handles inbound and outbound service
  connections, automatically wrapping and verifying TLS connections.
---

# Service Mesh Configuration

There are many configuration options exposed for Consul service mesh. The only option
that must be set is the `connect.enabled` option on Consul servers to enable Consul service mesh.
All other configurations are optional and have reasonable defaults.

Consul Connect is the component shipped with Consul that enables service mesh functionality. The terms _Consul Connect_ and _Consul service mesh_ are used interchangeably throughout this documentation. 

-> **Tip:** Service mesh is enabled by default when running Consul in
dev mode with `consul agent -dev`.

## Agent Configuration

Begin by enabling Connect for your Consul
cluster. By default, Connect is disabled. Enabling Connect requires changing
the configuration of only your Consul _servers_ (not client agents). To enable
Connect, add the following to a new or existing
[server configuration file](/docs/agent/config/config-files). In an existing cluster, this configuration change requires a Consul server restart, which you can perform one server at a time to maintain availability. In HCL:


<CodeTabs heading="Enable Consul service mesh" tabs={[ "HCL", "JSON" ]}>

```hcl
connect {
  enabled = true
}
```

```json
"connect": {
 "enabled": true
}
```
</CodeTabs>

This will enable Connect and configure your Consul cluster to use the
built-in certificate authority for creating and managing certificates.
You may also configure Consul to use an external
[certificate management system](/docs/connect/ca), such as
[Vault](https://vaultproject.io).

Services and proxies may always register with Connect settings, but they will
fail to retrieve or verify any TLS certificates. This causes all Connect-based
connection attempts to fail until Connect is enabled on the server agents.

Other optional Connect configurations that you can set in the server
configuration file include:

- [certificate authority settings](/docs/agent/config/config-files#connect)
- [token replication](/docs/agent/config/config-files#acl_tokens_replication)
- [dev mode](/docs/agent/config/cli-flags#_dev)
- [server host name verification](/docs/agent/config/config-files#tls_internal_rpc_verify_server_hostname)

If you would like to use Envoy as your Connect proxy you will need to [enable
gRPC](/docs/agent/config/config-files#grpc_port).

Additionally if you plan on using the observability features of Connect, it can
be convenient to configure your proxies and services using [configuration
entries](/docs/agent/config-entries) which you can interact with using the
CLI or API, or by creating configuration entry files. You will want to enable
[centralized service
configuration](/docs/agent/config/config-files#enable_central_service_config) on
clients, which allows each service's proxy configuration to be managed centrally
via API.

!> **Security note:** Enabling Connect is enough to try the feature but doesn't
automatically ensure complete security. Please read the [Connect production
tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-production-checklist) to understand the additional steps
needed for a secure deployment.

## Centralized Proxy and Service Configuration

To account for common Connect use cases where you have many instances of the
same service, and many colocated sidecar proxies, Consul allows you to customize
the settings for all of your proxies or all the instances of a given service at
once using [Configuration Entries](/docs/agent/config-entries).

You can override centralized configurations for individual proxy instances in
their
[sidecar service definitions](/docs/connect/registration/sidecar-service),
and the default protocols for service instances in their [service
registrations](/docs/discovery/services).

## Schedulers

Consul Connect is especially useful if you are using an orchestrator like Nomad
or Kubernetes, because these orchestrators can deploy thousands of service instances
which frequently move hosts. Sidecars for each service can be configured through
these schedulers, and in some cases they can automate Consul configuration,
sidecar deployment, and service registration.

### Nomad

Connect can be used with Nomad to provide secure service-to-service
communication between Nomad jobs and task groups. The ability to use the dynamic
port feature of Nomad makes Connect particularly easy to use. Learn about how to
configure Connect on Nomad by reading the
[integration documentation](/docs/connect/nomad)

### Kubernetes

The Consul Helm chart can automate much of Consul Connect's configuration, and
makes it easy to automatically inject Envoy sidecars into new pods when they are
deployed. Learn about the [Helm chart](/docs/platform/k8s/helm) in general,
or if you are already familiar with it, check out its
[connect specific configurations](/docs/platform/k8s/connect).