open-consul/website/source/docs/connect/index.html.md
Mitchell Hashimoto 8dbe0017bb Starting Docs (#46)
* website: first stab at Connect docs

* website: lots more various stuff (bad commit messages)

* website: getting started page for Connect

* website: intentions

* website: intention APIs

* website: agent API docs

* website: document agent/catalog proxy kind service values

* website: /v1/catalog/connect/:service

* website: intention CLI docs

* website: custom proxy docs

* website: remove dedicated getting started guide

* website: add docs for CA API endpoints

* website: add docs for connect ca commands

* website: add proxy CLI docs

* website: clean up proxy command, add dev docs

* website: todo pages

* website: connect security
2018-06-25 12:24:05 -07:00

1.8 KiB

layout page_title sidebar_current description
docs Connect (Service Segmentation) docs-connect-index Consul Connect provides service-to-service connection authorization and encryption using mutual TLS.

Connect

Consul Connect provides service-to-service connection authorization and encryption using mutual TLS. Applications can use sidecar proxies to automatically establish TLS connections for inbound and outbound connections without being aware of Connect at all. Applications may also natively integrate with Connect for optimal performance and security.

How it Works

TODO

Eliminating East-West Firewalls

East-west firewalls are the typical tool for network security in a static world. East-west is the transfer of data from server to server within a datacenter, versus North-south traffic which describes end user to server communications.

These firewalls wrap services with ingress/egress policies. This perimeter-based approach is difficult to scale in a dynamic world with dozens or hundreds of services or where machines may be frequently created or destroyed. Firewalls create a sprawl of rules for each service instance that quickly becomes overly difficult to maintain.

Service security in a dynamic world is best solved through service-to-service authentication and authorization. Instead of IP-based network security, services can be deployed to low-trust networks and rely on service-identity based security over in-transit data encryption.

Connect enables service segmentation by securing service-to-service communications through mutual TLS and transparent proxying on zero-trust networks. This allows direct service communication without relying on firewalls for east-west traffic security.