open-consul/website/content/docs/connect/gateways/index.mdx

72 lines
4.8 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: docs
page_title: Gateways
description: >-
Gateways provide connectivity into, out of, and between Consul service meshes.
---
# Gateways
This topic provides an overview of the gateway features shipped with Consul. Gateways provide connectivity into, out of, and between Consul service meshes. You can configure the following types of gateways:
- [Mesh gateways](#mesh-gateways) enable service-to-service traffic between Consul datacenters or between Consul admin partitions. They also enable datacenters to be federated across wide area networks.
- [Ingress gateways](#ingress-gateways) enable services to accept traffic from outside the Consul service mesh.
- [Terminating gateways](#terminating-gateways) enable you to route traffic from services in the Consul service mesh to external services.
## Mesh Gateways
-> **1.6.0+:** This feature is available in Consul versions 1.6.0 and newer.
Mesh gateways enable service mesh traffic to be routed between different Consul datacenters and admin partitions. The datacenters or partitions can reside
in different clouds or runtime environments where general interconnectivity between all services in all datacenters
isn't feasible.
They operate by sniffing and extracting the server name indication (SNI) header from the service mesh session and routing the connection to the appropriate destination based on the server name requested. The gateway does not decrypt the data within the mTLS session.
Mesh gateways enable the following scenarios:
* **Federate multiple datacenters across a WAN**. Since Consul 1.8.0, mesh gateways can forward gossip and RPC traffic between Consul servers. See [WAN federation via mesh gateways](/docs/connect/gateways/wan-federation-via-mesh-gateways) for additional information.
* **Service-to-service communication across datacenters**. Refer to [Enabling Service-to-service Traffic Accross Datacenters](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-datacenters) for additional information.
* **Service-to-service communication across admin partitions**. Since Consul 1.11.0, you can create administrative boundaries for single Consul deployements called "admin partitions". You can use mesh gateways to facilitate cross-partition communication. Refer to [Enabling Service-to-service Traffic Accross Admin Partitions](/docs/connect/gateways/mesh-gateway/service-to-service-traffic-partitions) for additional information.
-> **Mesh gateway tutorial**: Follow the [mesh gateway tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-gateways) to learn concepts associated with mesh gateways.
## Ingress Gateways
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer.
Ingress gateways are an entrypoint for outside traffic. They enable potentially unauthenticated ingress traffic from
services outside the Consul service mesh to services inside the service mesh.
These gateways allow you to define what services should be exposed, on what port, and by what hostname. You configure
an ingress gateway by defining a set of listeners that can map to different sets of backing services.
Ingress gateways are tightly integrated with Consuls L7 configuration and enable dynamic routing of HTTP requests by
attributes like the request path.
For more information about ingress gateways, review the [complete documentation](/docs/connect/gateways/ingress-gateway)
and the [ingress gateway tutorial](https://learn.hashicorp.com/tutorials/consul/service-mesh-ingress-gateways).
![Ingress Gateway Architecture](/img/ingress-gateways.png)
## Terminating Gateways
-> **1.8.0+:** This feature is available in Consul versions 1.8.0 and newer.
Terminating gateways enable connectivity from services in the Consul service mesh to services outside the mesh.
Services outside the mesh do not have sidecar proxies or are not [integrated natively](/docs/connect/native).
These may be services running on legacy infrastructure or managed cloud services running on
infrastructure you do not control.
Terminating gateways effectively act as egress proxies that can represent one or more services. They terminate Connect
mTLS connections, enforce Consul intentions, and forward requests to the appropriate destination.
These gateways also simplify authorization from dynamic service addresses. Consuls intentions determine whether
connections through the gateway are authorized. Then traditional tools like firewalls or IAM roles can authorize the
connections from the known gateway nodes to the destination services.
For more information about terminating gateways, review the [complete documentation](/docs/connect/gateways/terminating-gateway)
and the [terminating gateway tutorial](https://learn.hashicorp.com/tutorials/consul/teminating-gateways-connect-external-services).
![Terminating Gateway Architecture](/img/terminating-gateways.png)