208 lines
11 KiB
Plaintext
208 lines
11 KiB
Plaintext
---
|
||
description: |-
|
||
Consul is a highly available and distributed service discovery and KV
|
||
store designed with support for the modern data center to make distributed
|
||
systems and configuration easy.
|
||
---
|
||
|
||
<div class='consul-connect'>
|
||
|
||
<section class='g-hero'>
|
||
<span>New Feature</span>
|
||
<h1>Service segmentation made easy</h1>
|
||
<p>Secure service-to-service communication with automatic TLS encryption and identity-based authorization</p>
|
||
<div>
|
||
<a href="/downloads.html" class="g-btn download">
|
||
<svg xmlns="http://www.w3.org/2000/svg" width="20" height="22" viewBox="0 0 20 22">
|
||
<path d="M9.292 15.706a1 1 0 0 0 1.416 0l3.999-3.999a1 1 0 1 0-1.414-1.414L11 12.586V1a1 1 0 1 0-2 0v11.586l-2.293-2.293a1 1 0 1 0-1.414 1.414l3.999 3.999zM20 16v3c0 1.654-1.346 3-3 3H3c-1.654 0-3-1.346-3-3v-3a1 1 0 1 1 2 0v3c0 .551.448 1 1 1h14c.552 0 1-.449 1-1v-3a1 1 0 1 1 2 0z"/>
|
||
</svg>
|
||
Download
|
||
</a>
|
||
<a href="/docs/connect/index.html" class="g-btn dark-outline">Explore Docs</a>
|
||
</div>
|
||
</section>
|
||
|
||
<section class='g-section'>
|
||
<div class='g-container'>
|
||
<div class='g-timeline no-intro'>
|
||
<div>
|
||
<span class='line'></span>
|
||
<span class='line'>
|
||
<svg xmlns="http://www.w3.org/2000/svg" width="11" height="15" viewBox="0 0 11 15">
|
||
<path fill="#CA2171" d="M0 0v15l5.499-3.751L11 7.5 5.499 3.749.002 0z"/>
|
||
</svg>
|
||
</span>
|
||
<span class='dot'></span>
|
||
<h3>The Challenge</h3>
|
||
<span class='sub-heading'>Securing service-to-service communication with firewalls doesn’t scale in dynamic settings.</span>
|
||
<div id='segmentation-challenge-animation' class='g-animation-block'>
|
||
<%= inline_svg 'consul-connect/svgs/segmentation-challenge.svg' %>
|
||
</div>
|
||
<p>East-west firewalls use IP-based rules to secure ingress and
|
||
egress traffic. But in a dynamic world where services move across
|
||
machines and machines are frequently created and destroyed, this
|
||
perimeter-based approach is difficult to scale as it results in
|
||
complex network topologies and a sprawl of short-lived
|
||
firewall rules.</p>
|
||
</div>
|
||
<div>
|
||
<span class='dot'></span>
|
||
<h3>The Solution</h3>
|
||
<span class='sub-heading'>Service segmentation for dynamic service authorization.</span>
|
||
<div id='segmentation-solution-animation' class='g-animation-block'>
|
||
<%= inline_svg 'consul-connect/svgs/segmentation-solution.svg' %>
|
||
</div>
|
||
<p>Service segmentation is a new approach to secure the service itself
|
||
rather than relying on the network. Consul uses service policies to
|
||
codify which services are allowed to communicate. These policies
|
||
scale across datacenters and large fleets without IP-based rules or
|
||
networking middleware.</p>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
</section>
|
||
|
||
<section class='g-section border-top'>
|
||
<div class='g-container'>
|
||
<div class='intro'>
|
||
<h2>Features</h2>
|
||
</div>
|
||
<div class='g-text-asset large'>
|
||
<div>
|
||
<div>
|
||
<h3>Service Access Graph </h3>
|
||
<p>Define and enforce service to service communication with a simple Intentions configuration. Service based rules, instead of IP-based rules, make it easy to manage dynamic infrastructure with frequently changing machines and service locations.</p>
|
||
<p>
|
||
<a class="learn-more" href='/docs/connect/intentions.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
|
||
</p>
|
||
</div>
|
||
</div>
|
||
<div>
|
||
<picture>
|
||
<source type="image/webp" srcset="
|
||
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_230.webp 230w,
|
||
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_844.webp 844w,
|
||
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.webp 1290w" />
|
||
<source type="image/jpg" srcset="
|
||
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_230.jpg 230w,
|
||
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_844.jpg 844w,
|
||
/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.jpg 1290w" />
|
||
<img src='/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.jpg' alt='Service Access Graph'>
|
||
</picture>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
</section>
|
||
|
||
<section class='g-section border-top'>
|
||
<div class='g-container'>
|
||
<div class='g-text-asset reverse'>
|
||
<div>
|
||
<div>
|
||
<h3>Secure services across any runtime platform</h3>
|
||
<p>Secure communication between legacy and modern workloads. Sidecar proxies allow applications to be integrated without code changes and Layer 4 support provides nearly universal protocol compatibility.</p>
|
||
<p>
|
||
<a class="learn-more" href='/docs/connect/proxies.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
|
||
</p>
|
||
</div>
|
||
</div>
|
||
<div>
|
||
<picture>
|
||
<source type="image/webp" srcset="
|
||
/assets/images/consul-connect/grid_3/grid_3_300.webp 300w,
|
||
/assets/images/consul-connect/grid_3/grid_3_976.webp 976w,
|
||
/assets/images/consul-connect/grid_3/grid_3_1256.webp 1256w" />
|
||
<source type="image/png" srcset="
|
||
/assets/images/consul-connect/grid_3/grid_3_300.png 300w,
|
||
/assets/images/consul-connect/grid_3/grid_3_976.png 976w,
|
||
/assets/images/consul-connect/grid_3/grid_3_1256.png 1256w" />
|
||
<img src='/assets/images/consul-connect/grid_3/grid_3_1256.png' alt='Secure services across any runtime platform'>
|
||
</picture>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
</section>
|
||
|
||
<section class='g-section border-top'>
|
||
<div class='g-container'>
|
||
<div class='g-text-asset'>
|
||
<div>
|
||
<div>
|
||
<h3>Certificate-Based Service Identity</h3>
|
||
<p>TLS certificates are used to identify services and secure communications. Certificates use the SPIFFE format for interoperability with other platforms. Consul can be a certificate authority to simplify deployment, or integrate with external signing authorities like Vault.</p>
|
||
<p>
|
||
<a class="learn-more" href='/docs/connect/ca.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
|
||
</p>
|
||
</div>
|
||
</div>
|
||
<div class='logos'>
|
||
<div>
|
||
<img src='/assets/images/consul-connect/logos/vault.png' alt='Vault'>
|
||
<img src='/assets/images/consul-connect/logos/spiffe.png' alt='Spiffe'>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
</section>
|
||
|
||
<section class='g-section border-top'>
|
||
<div class='g-container'>
|
||
<div class='g-text-asset reverse'>
|
||
<div>
|
||
<div>
|
||
<h3>Encrypted communication</h3>
|
||
<p>All traffic between services is encrypted and authenticated with mutual TLS. Using TLS provides a strong guarantee of the identity of services communicating, and ensure all data in transit is encrypted.</p>
|
||
<p>
|
||
<a class="learn-more" href='/docs/connect/security.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
|
||
</p>
|
||
</div>
|
||
</div>
|
||
<div class='code-sample'>
|
||
<div>
|
||
<span></span>
|
||
<div class='code'><code>$ consul connect proxy -service web \
|
||
-service-addr 127.0.0.1:8000
|
||
-listen <code class="keyword">10.0.1.109:7200</code>
|
||
==> Consul Connect proxy starting...
|
||
Configuration mode: Flags
|
||
Service: web
|
||
Public listener: <code class="keyword">10.0.1.109:7200</code> => 127.0.0.1:8000
|
||
...
|
||
$ tshark -V \
|
||
-Y "ssl.handshake.certificate" \
|
||
-O "ssl" \
|
||
-f <code class="keyword">"dst port 7200"</code>
|
||
Frame 39: 899 bytes on wire (7192 bits), 899 bytes captured (7192 bits) on interface 0
|
||
Internet Protocol Version 4, Src: 10.0.1.110, Dst: <code class="keyword">10.0.1.109</code>
|
||
Transmission Control Protocol, Src Port: 61918, Dst Port: 7200, Seq: 136, Ack: 916, Len: 843
|
||
Secure Sockets Layer
|
||
TLSv1.2 Record Layer: Handshake Protocol: Certificate
|
||
Version: TLS 1.2 (0x0303)
|
||
Handshake Protocol: Certificate
|
||
RDNSequence item: 1 item (id-at-commonName=<code class="keyword">Consul CA 7</code>)
|
||
RelativeDistinguishedName item (id-at-commonName=<code class="keyword">Consul CA 7</code>)
|
||
Id: 2.5.4.3 (id-at-commonName)
|
||
DirectoryString: printableString (1)
|
||
printableString: <code class="keyword">Consul CA 7</code></code>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
</section>
|
||
|
||
<section class='g-section g-cta-section'>
|
||
<div>
|
||
<h2>Ready to get started?</h2>
|
||
<a href="/intro/getting-started/connect.html" class="g-btn white download">
|
||
<svg xmlns="http://www.w3.org/2000/svg" width="20" height="22" viewBox="0 0 20 22">
|
||
<path d="M9.292 15.706a1 1 0 0 0 1.416 0l3.999-3.999a1 1 0 1 0-1.414-1.414L11 12.586V1a1 1 0 1 0-2 0v11.586l-2.293-2.293a1 1 0 1 0-1.414 1.414l3.999 3.999zM20 16v3c0 1.654-1.346 3-3 3H3c-1.654 0-3-1.346-3-3v-3a1 1 0 1 1 2 0v3c0 .551.448 1 1 1h14c.552 0 1-.449 1-1v-3a1 1 0 1 1 2 0z"/>
|
||
</svg>
|
||
Download
|
||
</a>
|
||
<a href="/docs/connect/index.html" class="g-btn white-outline">Explore docs</a>
|
||
</div>
|
||
</section>
|
||
|
||
</div>
|