open-consul/website/source/docs/connect/native.html.md

---
layout: "docs"
page_title: "Connect - Native Application Integration"
sidebar_current: "docs-connect-native"
description: |-
  Applications can natively integrate with the Connect API to support accepting and establishing connections to other Connect services without the overhead of a proxy sidecar.
---

# Connect-Native App Integration

Applications can natively integrate with the Connect API to support
accepting and establishing connections to other Connect services without
the overhead of a [proxy sidecar](/docs/connect/proxies.html). This option 
is especially useful for applications that may be experiencing performance issues 
with the proxy sidecar deployment. This page will cover the high-level overview 
of integration, registering the service, etc. For language-specific examples, 
see the sidebar navigation to the left.

Connect is just basic mutual TLS. This means that almost any application
can easily integrate with Connect. There is no custom protocol in use;
any language that supports TLS can accept and establish Connect-based
connections.

We currently provide an easy-to-use [Go integration](/docs/connect/native/go.html)
to assist with the getting the proper certificates, verifying connections,
etc. We plan to add helper libraries for other languages in the future.
However, without library support, it is still possible for any major language
to integrate with Connect.

## Overview

The primary work involved in natively integrating with Connect is
[acquiring the proper TLS certificate](/api/agent/connect.html#service-leaf-certificate),
[verifying TLS certificates](/api/agent/connect.html#certificate-authority-ca-roots),
and [authorizing inbound connections](/api/agent/connect.html#authorize).
All of this is done using the Consul HTTP APIs linked above.

An overview of the sequence is shown below. The diagram and the following
details may seem complex, but this is a _regular mutual TLS connection_ with
an API call to verify the incoming client certificate.

<div class="center">
![Native Integration Overview](connect-native-overview.png)
</div>

Details on the steps are below:

  * **Service discovery** - This is normal service discovery using Consul,
    a static IP, or any other mechanism. If you're using Consul DNS, the
    [`<service>.connect`](/docs/agent/dns.html#connect-capable-service-lookups)
    syntax to find Connect-capable endpoints for a service. After service
    discovery, choose one address from the list of **service addresses**.

  * **Mutual TLS** - As a client, connect to the discovered service address
    over normal TLS. As part of the TLS connection, provide the
    [service certificate](/api/agent/connect.html#service-leaf-certificate)
    as the client certificate. Verify the remote certificate against the
    [public CA roots](/api/agent/connect.html#certificate-authority-ca-roots).
    As a client, if the connection is established then you've established
    a Connect-based connection and there are no further steps!

  * **Authorization** - As a server accepting connections, verify the client
    certificate against the
    [public CA roots](/api/agent/connect.html#certificate-authority-ca-roots).
    After verifying the certificate, parse some basic fields from it and call
    the [authorizing API](/api/agent/connect.html#authorize) against the local
    agent. If this returns successfully, complete the TLS handshake and establish
    the connection. If authorization fails, close the connection.

-> **A note on performance:** The only API call in the connection path is
the [authorization API](/api/agent/connect.html#authorize). The other API
calls to acquire the leaf certificate and CA roots are expected to be done
out of band and reused. The authorize API call should be called against the
local Consul agent. The agent uses locally cached
data to authorize the connection and typically responds in microseconds.
Therefore, the impact to the TLS handshake is typically microseconds.

## Updating Certificates and Certificate Roots

The leaf certificate and CA roots can be updated at any time and the
natively integrated application must react to this relatively quickly
so that new connections are not disrupted. This can be done through
Consul blocking queries (HTTP long polling) or through periodic polling.

The API calls for
[acquiring a leaf TLS certificate](/api/agent/connect.html#service-leaf-certificate)
and [reading CA roots](/api/agent/connect.html#certificate-authority-ca-roots)
both support
[blocking queries](/api/features/blocking.html). By using blocking
queries, an application can efficiently wait for an updated value. For example,
the leaf certificate API will block until the certificate is near expiration
or the signing certificates have changed and will issue and return a new
certificate.

In some languages, using blocking queries may not be simple. In that case,
we still recommend using the blocking query parameters but with a very short
`timeout` value set. Doing this is documented with
[blocking queries](/api/features/blocking.html). The low timeout will
ensure the API responds quickly. We recommend that applications poll the
certificate endpoints frequently, such as multiple times per minute.

The overhead for the blocking queries (long or periodic polling) is minimal.
The API calls are to the local agent and the local agent uses locally
cached data multiplexed over a single TCP connection to the Consul leader.
Even if a single machine has 1,000 Connect-enabled services all blocking
on certificate updates, this translates to only one TCP connection to the
Consul server.

Some language libraries such as the
[Go library](/docs/connect/native/go.html) automatically handle updating
and locally caching the certificates.

## Service Registration

Connect-native applications must tell Consul that they support Connect
natively. This enables the service to be returned as part of service
discovery for Connect-capable services, used by other Connect-native applications
and client [proxies](/docs/connect/proxies.html).

This can be specified directly in the [service definition](/docs/agent/services.html):

```json
{
  "service": {
    "name": "redis",
    "port": 8000,
    "connect": {
      "native": true
    }
  }
}
```

Services that support Connect natively are still returned through the standard
service discovery mechanisms in addition to the Connect-only service discovery
mechanisms.
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`---`
			`layout: "docs"`
			`page_title: "Connect - Native Application Integration"`
			`sidebar_current: "docs-connect-native"`
			`description: \|-`
website: Go native integration with Connect 2018-06-06 06:40:44 +00:00			`Applications can natively integrate with the Connect API to support accepting and establishing connections to other Connect services without the overhead of a proxy sidecar.`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`---`

			`# Connect-Native App Integration`

website: connect native overview 2018-06-06 05:42:59 +00:00			`Applications can natively integrate with the Connect API to support`
			`accepting and establishing connections to other Connect services without`
website: make performance impact explicit for connect-native I was going to the public feedback on Connect-Native app integration and came across [this](https://twitter.com/relistan/status/1012263110403555329) thread. Added a few statements in the Connect-Native app integration page. 2018-06-30 00:35:58 +00:00			`the overhead of a [proxy sidecar](/docs/connect/proxies.html). This option`
			`is especially useful for applications that may be experiencing performance issues`
			`with the proxy sidecar deployment. This page will cover the high-level overview`
			`of integration, registering the service, etc. For language-specific examples,`
			`see the sidebar navigation to the left.`
website: connect native overview 2018-06-06 05:42:59 +00:00
			`Connect is just basic mutual TLS. This means that almost any application`
			`can easily integrate with Connect. There is no custom protocol in use;`
			`any language that supports TLS can accept and establish Connect-based`
			`connections.`

website: address feedback 2018-06-06 18:44:10 +00:00			`We currently provide an easy-to-use [Go integration](/docs/connect/native/go.html)`
			`to assist with the getting the proper certificates, verifying connections,`
			`etc. We plan to add helper libraries for other languages in the future.`
			`However, without library support, it is still possible for any major language`
			`to integrate with Connect.`

website: connect native overview 2018-06-06 05:42:59 +00:00			`## Overview`

			`The primary work involved in natively integrating with Connect is`
			`[acquiring the proper TLS certificate](/api/agent/connect.html#service-leaf-certificate),`
			`[verifying TLS certificates](/api/agent/connect.html#certificate-authority-ca-roots),`
			`and [authorizing inbound connections](/api/agent/connect.html#authorize).`
website: address feedback 2018-06-06 18:44:10 +00:00			`All of this is done using the Consul HTTP APIs linked above.`
website: connect native overview 2018-06-06 05:42:59 +00:00
			`An overview of the sequence is shown below. The diagram and the following`
			`details may seem complex, but this is a _regular mutual TLS connection_ with`
			`an API call to verify the incoming client certificate.`

			`<div class="center">`
			`![Native Integration Overview](connect-native-overview.png)`
			`</div>`

			`Details on the steps are below:`

			`* Service discovery - This is normal service discovery using Consul,`
			`a static IP, or any other mechanism. If you're using Consul DNS, the`
			[`<service>.connect`](/docs/agent/dns.html#connect-capable-service-lookups)
			`syntax to find Connect-capable endpoints for a service. After service`
			`discovery, choose one address from the list of service addresses.`

			`* Mutual TLS - As a client, connect to the discovered service address`
			`over normal TLS. As part of the TLS connection, provide the`
			`[service certificate](/api/agent/connect.html#service-leaf-certificate)`
			`as the client certificate. Verify the remote certificate against the`
			`[public CA roots](/api/agent/connect.html#certificate-authority-ca-roots).`
			`As a client, if the connection is established then you've established`
			`a Connect-based connection and there are no further steps!`

			`* Authorization - As a server accepting connections, verify the client`
			`certificate against the`
			`[public CA roots](/api/agent/connect.html#certificate-authority-ca-roots).`
			`After verifying the certificate, parse some basic fields from it and call`
			`the [authorizing API](/api/agent/connect.html#authorize) against the local`
			`agent. If this returns successfully, complete the TLS handshake and establish`
			`the connection. If authorization fails, close the connection.`

			`-> A note on performance: The only API call in the connection path is`
			`the [authorization API](/api/agent/connect.html#authorize). The other API`
			`calls to acquire the leaf certificate and CA roots are expected to be done`
			`out of band and reused. The authorize API call should be called against the`
			`local Consul agent. The agent uses locally cached`
			`data to authorize the connection and typically responds in microseconds.`
			`Therefore, the impact to the TLS handshake is typically microseconds.`

			`## Updating Certificates and Certificate Roots`

			`The leaf certificate and CA roots can be updated at any time and the`
			`natively integrated application must react to this relatively quickly`
			`so that new connections are not disrupted. This can be done through`
			`Consul blocking queries (HTTP long polling) or through periodic polling.`

			`The API calls for`
			`[acquiring a leaf TLS certificate](/api/agent/connect.html#service-leaf-certificate)`
			`and [reading CA roots](/api/agent/connect.html#certificate-authority-ca-roots)`
			`both support`
[docs] Fixing API broken links (#5732) * starting broken link fixes * Updating the other links for ACLs * Updating the rest of the links * fixing acl required links. * update a bunch of other links * updated a couple more broken links based on Alvins checker * removed the extra s 2019-04-30 17:20:51 +00:00			`[blocking queries](/api/features/blocking.html). By using blocking`
website: connect native overview 2018-06-06 05:42:59 +00:00			`queries, an application can efficiently wait for an updated value. For example,`
			`the leaf certificate API will block until the certificate is near expiration`
			`or the signing certificates have changed and will issue and return a new`
			`certificate.`

			`In some languages, using blocking queries may not be simple. In that case,`
			`we still recommend using the blocking query parameters but with a very short`
			`timeout` value set. Doing this is documented with
[docs] Fixing API broken links (#5732) * starting broken link fixes * Updating the other links for ACLs * Updating the rest of the links * fixing acl required links. * update a bunch of other links * updated a couple more broken links based on Alvins checker * removed the extra s 2019-04-30 17:20:51 +00:00			`[blocking queries](/api/features/blocking.html). The low timeout will`
website: connect native overview 2018-06-06 05:42:59 +00:00			`ensure the API responds quickly. We recommend that applications poll the`
			`certificate endpoints frequently, such as multiple times per minute.`

			`The overhead for the blocking queries (long or periodic polling) is minimal.`
			`The API calls are to the local agent and the local agent uses locally`
			`cached data multiplexed over a single TCP connection to the Consul leader.`
			`Even if a single machine has 1,000 Connect-enabled services all blocking`
			`on certificate updates, this translates to only one TCP connection to the`
			`Consul server.`

			`Some language libraries such as the`
			`[Go library](/docs/connect/native/go.html) automatically handle updating`
			`and locally caching the certificates.`

			`## Service Registration`

			`Connect-native applications must tell Consul that they support Connect`
			`natively. This enables the service to be returned as part of service`
			`discovery for Connect-capable services, used by other Connect-native applications`
			`and client [proxies](/docs/connect/proxies.html).`

			`This can be specified directly in the [service definition](/docs/agent/services.html):`

			```json
			`{`
			`"service": {`
			`"name": "redis",`
			`"port": 8000,`
			`"connect": {`
			`"native": true`
			`}`
			`}`
			`}`
			```

			`Services that support Connect natively are still returned through the standard`
			`service discovery mechanisms in addition to the Connect-only service discovery`
			`mechanisms.`