---
description: |-
  Consul is a highly available and distributed service discovery and KV store designed with support for the modern data center to make distributed systems and configuration easy.
---
New Feature

Service segmentation made easy

Secure service-to-service communication with automatic TLS encryption and identity-based authorization


The Challenge

Securing service-to-service communication with firewalls doesn’t scale in dynamic settings.
<%= inline_svg 'consul-connect/svgs/segmentation-challenge.svg' %>

East-west firewalls use IP-based rules to secure ingress and egress traffic. But in a dynamic world where services move across machines and machines are frequently created and destroyed, this perimeter-based approach is difficult to scale as it results in complex network topologies and a sprawl of short-lived firewall rules.

The Solution

Service segmentation for dynamic service authorization.
<%= inline_svg 'consul-connect/svgs/segmentation-solution.svg' %>

Service segmentation is a new approach that secures the service itself rather than relying on the network. Consul uses service policies to codify which services are allowed to communicate. These policies scale across datacenters and large fleets without IP-based rules or networking middleware.

Features

Service Access Graph

Define and enforce service-to-service communication with a simple Intentions configuration. Service-based rules, instead of IP-based rules, make it easy to manage dynamic infrastructure with frequently changing machines and service locations.


Secure services across any runtime platform

Secure communication between legacy and modern workloads. Sidecar proxies allow applications to be integrated without code changes and Layer 4 support provides nearly universal protocol compatibility.


Certificate-Based Service Identity

TLS certificates are used to identify services and secure communications. Certificates use the SPIFFE format for interoperability with other platforms. Consul can be a certificate authority to simplify deployment, or integrate with external signing authorities like Vault.


Encrypted communication

All traffic between services is encrypted and authenticated with mutual TLS. Using TLS provides a strong guarantee of the identity of services communicating, and ensures all data in transit is encrypted.


```text
$ consul connect proxy -service web \
    -service-addr 127.0.0.1:8000 -listen 10.0.1.109:7200
==> Consul Connect proxy starting...
    Configuration mode: Flags
               Service: web
       Public listener: 10.0.1.109:7200 => 127.0.0.1:8000
...

$ tshark -V \
    -Y "ssl.handshake.certificate" \
    -O "ssl" \
    -f "dst port 7200"
Frame 39: 899 bytes on wire (7192 bits), 899 bytes captured (7192 bits) on interface 0
Internet Protocol Version 4, Src: 10.0.1.110, Dst: 10.0.1.109
Transmission Control Protocol, Src Port: 61918, Dst Port: 7200, Seq: 136, Ack: 916, Len: 843
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Version: TLS 1.2 (0x0303)
        Handshake Protocol: Certificate
            RDNSequence item: 1 item (id-at-commonName=Consul CA 7)
                RelativeDistinguishedName item (id-at-commonName=Consul CA 7)
                    Id: 2.5.4.3 (id-at-commonName)
                    DirectoryString: printableString (1)
                        printableString: Consul CA 7
```
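The capture above shows the certificate the proxy presents during its TLS handshake. The Go program below is an added illustration, not code from Consul or from this page, of how the three ideas on this page fit together: a CA issuing leaf certificates whose identity is a SPIFFE URI SAN, a peer-certificate check that validates the chain and extracts the service name from that URI, and an intention list evaluated against the extracted name. The trust domain `demo.consul`, the service names, the first-match rule semantics and the leaf-only chain are assumptions of the example; `VerifyPeer` is shaped to sit inside Go's `tls.Config.VerifyPeerCertificate` on either side of a mutual-TLS connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"path"
	"time"
)

// Intention is one service-based rule of the access graph: traffic from Source is allowed or denied.
type Intention struct{ Source string; Allow bool }

// Authorize evaluates the rules for a source: first match wins, "*" is a wildcard, no match means deny (simplified from Consul's precedence rules).
func Authorize(rules []Intention, source string) bool {
	for _, r := range rules {
		if r.Source == source || r.Source == "*" {
			return r.Allow
		}
	}
	return false
}

// ServiceFromSPIFFE reads the service name from a Consul-style URI SAN spiffe://<trust-domain>/ns/<ns>/dc/<dc>/svc/<service>.
func ServiceFromSPIFFE(cert *x509.Certificate) (string, error) {
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" && path.Base(path.Dir(u.Path)) == "svc" {
			return path.Base(u.Path), nil
		}
	}
	return "", fmt.Errorf("certificate %q carries no SPIFFE service identity", cert.Subject.CommonName)
}

// VerifyPeer is shaped like a tls.Config.VerifyPeerCertificate check: the leaf must chain to the trusted CA (leaf-only chains
// assumed, as when the CA signs leaves directly) and its SPIFFE identity must pass rules: intentions on a server, one allow for the destination on a client.
func VerifyPeer(rawCerts [][]byte, roots *x509.CertPool, rules []Intention) (string, error) {
	if len(rawCerts) == 0 {
		return "", fmt.Errorf("peer presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return "", err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", err
	}
	name, err := ServiceFromSPIFFE(leaf)
	if err == nil && !Authorize(rules, name) {
		err = fmt.Errorf("peer identity %q denied", name)
	}
	return name, err
}

// sign generates a P-256 key for tmpl, gives it an hour of validity and has parent sign it (tmpl itself when parent is nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed signing authority, the role Consul plays when acting as CA.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// NewLeaf issues a service certificate whose only identity is a SPIFFE URI SAN under the constructed trust domain demo.consul (no DNS name).
func NewLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, service string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	id, _ := url.Parse("spiffe://demo.consul/ns/default/dc/dc1/svc/" + service)
	return sign(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), URIs: []*url.URL{id},
		Subject: pkix.Name{CommonName: service}, KeyUsage: x509.KeyUsageDigitalSignature}, ca, caKey)
}

func main() {
	ca, caKey, _ := NewCA()
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	web, _, _ := NewLeaf(ca, caKey, "web")
	api, _, _ := NewLeaf(ca, caKey, "api")
	rules := []Intention{{"web", true}, {"*", false}}
	fmt.Println(VerifyPeer([][]byte{web.Raw}, roots, rules)) // web <nil>
	fmt.Println(VerifyPeer([][]byte{api.Raw}, roots, rules)) // api peer identity "api" denied
}
```

On a server this check goes into `tls.Config.VerifyPeerCertificate` alongside `ClientAuth: tls.RequireAnyClientCert`, with the intention list as `rules`. On a client it replaces hostname verification (`InsecureSkipVerify: true` together with this callback, since the leaf carries a URI SAN and no DNS name) and `rules` is a single allow for the destination service, so a valid certificate for the wrong service is rejected even though it chains to the same CA. Note that the chain check comes before the identity check: an attacker-issued certificate with a convincing SPIFFE URI never reaches the intention evaluation.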
