---
layout: "docs"
page_title: "Connect (Service Segmentation)"
sidebar_current: "docs-connect-index"
description: |-
  Consul Connect provides service-to-service connection authorization and encryption using mutual TLS.
---
# Connect
Consul Connect provides service-to-service connection authorization and encryption using mutual TLS. Applications can use sidecar proxies to automatically establish TLS connections for inbound and outbound connections without being aware of Connect at all. Applications may also natively integrate with Connect for optimal performance and security.
Connect enables deployment best-practices with service-to-service encryption everywhere and identity-based authorization. Rather than authorizing host-based access with IP address access rules, Connect uses the registered service identity to enforce access control with intentions. This makes it much easier to reason about access control and also enables services to freely move, such as in a scheduled environment with software such as Kubernetes or Nomad. Additionally, intention enforcement can be done regardless of the underlying network, so Connect works with physical networks, cloud networks, software-defined networks, cross-cloud, and more.
## How it Works
The core of Connect is based on mutual TLS.
Connect provides each service with an identity encoded as a TLS certificate. This certificate is used to establish and accept connections to and from other services. The identity is encoded in the TLS certificate in compliance with the SPIFFE X.509 Identity Document. This enables Connect services to establish and accept connections with other SPIFFE-compliant systems.
The client service verifies the destination service certificate against the public CA bundle. This is very similar to a typical HTTPS web browser connection. In addition to this, the client provides its own client certificate to show its identity to the destination service. If the connection handshake succeeds, the connection is encrypted and authorized.
The destination service verifies the client certificate against the public CA bundle. After verifying the certificate, it must also call the authorization API to authorize the connection against the configured set of Consul intentions. If the authorization API responds successfully, the connection is established. Otherwise, the connection is rejected.
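The destination-side decision described above, as an added example written in Go (not Consul's own code): once the TLS layer has verified the client certificate against the CA bundle, the service name is read from the certificate's SPIFFE URI SAN and checked against a list of intentions. The `Intention` shape, the first-match rule semantics, the `/svc/<service>` path layout, the trust domain `example.consul` and the `CertWithID` helper are assumptions made for this example, not Consul's API.

```go
package main

import (
	"crypto/x509"
	"errors"
	"net/url"
	"strings"
)

// Intention is a simplified source->destination rule; the shape is assumed, not Consul's real schema.
type Intention struct {
	Source, Destination string // service names, or "*"
	Allow               bool
}

// ServiceFromCert reads the caller's service name from the certificate's SPIFFE URI SAN. The path layout
// spiffe://<trust-domain>/.../svc/<service> is assumed; an ID from any other trust domain is refused.
func ServiceFromCert(cert *x509.Certificate, trustDomain string) (string, error) {
	for _, u := range cert.URIs {
		if u.Scheme != "spiffe" {
			continue
		}
		if u.Host != trustDomain {
			return "", errors.New("SPIFFE ID from foreign trust domain " + u.Host)
		}
		if i := strings.LastIndex(u.Path, "/svc/"); i >= 0 && i+5 < len(u.Path) {
			return u.Path[i+5:], nil
		}
	}
	return "", errors.New("no usable SPIFFE URI SAN in client certificate")
}
// Authorize is the intention step that follows chain verification: first matching rule wins (Consul's own
// precedence rules are not modelled), and a peer with no usable identity or no matching rule is denied.
func Authorize(client *x509.Certificate, trustDomain, dest string, rules []Intention) (bool, error) {
	src, err := ServiceFromCert(client, trustDomain)
	if err != nil {
		return false, err // an unidentified peer must never reach a wildcard-source rule
	}
	for _, r := range rules {
		if (r.Source == src || r.Source == "*") && (r.Destination == dest || r.Destination == "*") {
			return r.Allow, nil
		}
	}
	return false, nil
}
// CertWithID builds a bare certificate carrying one URI SAN (constructed input standing in for the verified TLS peer cert).
func CertWithID(id string) *x509.Certificate {
	u, _ := url.Parse(id)
	return &x509.Certificate{URIs: []*url.URL{u}}
}
```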
To generate and distribute certificates, Consul has a built-in CA that requires no other dependencies, and also ships with built-in support for Vault. The PKI system is pluggable and can be extended to support any system.
All APIs required for Connect typically respond in microseconds and impose minimal overhead on existing services. Connect-related API calls are all made to the local Consul agent over a loopback interface, and every agent Connect endpoint implements local caching, background updating, and blocking queries, so most calls operate on purely local in-memory data.
## Eliminating East-West Firewalls
East-west firewalls are the typical tool for network security in a static world. East-west traffic is the transfer of data from server to server within a datacenter, versus north-south traffic, which describes end-user-to-server communications.
These firewalls wrap services with ingress/egress policies. This perimeter-based approach is difficult to scale in a dynamic world with dozens or hundreds of services, or where machines may be frequently created or destroyed. Firewalls create a sprawl of rules for each service instance that quickly becomes difficult to maintain.
Service security in a dynamic world is best solved through service-to-service authentication and authorization. Instead of IP-based network security, services can be deployed to low-trust networks and rely on service-identity-based security layered on in-transit data encryption.
Connect enables service segmentation by securing service-to-service communications through mutual TLS and transparent proxying on zero-trust networks. This allows direct service communication without relying on firewalls for east-west traffic security.