open-consul/website/source/mesh.html.erb
2019-08-21 16:35:11 -05:00

262 lines
13 KiB
Plaintext

---
description: |-
Consul is a service networking solution to connect and secure services across
any runtime platform and public or private cloud
---
<div class='consul-connect'>
<section class='g-hero'>
<h1>Service Mesh made easy</h1>
<p>Service discovery, identity-based authorization, and L7 traffic management abstracted from application code with proxies in the service mesh pattern</p>
<div>
<a href="/downloads.html" class="g-btn download">
<svg xmlns="http://www.w3.org/2000/svg" width="20" height="22" viewBox="0 0 20 22">
<path d="M9.292 15.706a1 1 0 0 0 1.416 0l3.999-3.999a1 1 0 1 0-1.414-1.414L11 12.586V1a1 1 0 1 0-2 0v11.586l-2.293-2.293a1 1 0 1 0-1.414 1.414l3.999 3.999zM20 16v3c0 1.654-1.346 3-3 3H3c-1.654 0-3-1.346-3-3v-3a1 1 0 1 1 2 0v3c0 .551.448 1 1 1h14c.552 0 1-.449 1-1v-3a1 1 0 1 1 2 0z"/>
</svg>
Download
</a>
<a href="/docs/connect/index.html" class="g-btn dark-outline">Explore Docs</a>
</div>
</section>
<section class='g-section'>
<div class='g-container'>
<div class='g-timeline no-intro'>
<div>
<span class='line'></span>
<span class='line'>
<svg xmlns="http://www.w3.org/2000/svg" width="11" height="15" viewBox="0 0 11 15">
<path fill="#CA2171" d="M0 0v15l5.499-3.751L11 7.5 5.499 3.749.002 0z"/>
</svg>
</span>
<span class='dot'></span>
<h3>The Challenge</h3>
<span class='sub-heading'>Network appliances, like load balancers or firewalls with manual processes, don't scale in dynamic settings to support modern applications.</span>
<div id='segmentation-challenge-animation' class='g-animation-block'>
<%= inline_svg 'consul-connect/svgs/segmentation-challenge.svg' %>
</div>
<p>East-west firewalls use IP-based rules to secure ingress and
egress traffic. But in a dynamic world where services move across
machines and machines are frequently created and destroyed, this
perimeter-based approach is difficult to scale as it results in
complex network topologies and a sprawl of short-lived
firewall rules and proxy configuration.</p>
</div>
<div>
<span class='dot'></span>
<h3>The Solution</h3>
<span class='sub-heading'>Service mesh as an automated and distributed approach to networking and security that can operate across platforms and private and public cloud</span>
<div id='segmentation-solution-animation' class='g-animation-block'>
<%= inline_svg 'consul-connect/svgs/segmentation-solution.svg' %>
</div>
<p>Service mesh is a new approach to secure the service itself
rather than relying on the network. Consul uses centrally
managed service policies and configuration to enable
dynamic routing and security based on service identity.
These policies scale across datacenters and large fleets
without IP-based rules or networking middleware.</p>
</div>
</div>
</div>
</section>
<section class='g-section border-top'>
<div class='g-container'>
<div class='intro'>
<h2>Features</h2>
</div>
<div class='g-text-asset reverse'>
<div>
<div>
<h3>Layer 7 Traffic Management</h3>
<p>Service-to-service communication policy at Layer 7 can be managed centrally, enabling advanced traffic management patterns such as service failover, path-based routing, and traffic shifting that can be applied across public and private clouds, platforms, and networks.</p>
<p>
<a class="learn-more" href='/docs/connect/l7-traffic-management.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div class='code-sample'>
<div>
<span></span>
<div class='code'><code>
Kind = <code class="keyword">"service-splitter"</code>
Name = <code class="keyword">"billing-api"</code>
Splits = [
{
Weight = 10
ServiceSubset = <code class="keyword">"v2"</code>
},
{
Weight = 90
ServiceSubset = <code class="keyword">"v1"</code>
},
]</code>
</div>
</div>
</div>
</div>
</div>
</section>
<section class='g-section border-top'>
<div class='g-container'>
<div class='g-text-asset large'>
<div>
<div>
<h3>Layer 7 Observability</h3>
<p>Centrally managed service observability at Layer 7 including detailed metrics on all service-to-service communication such as connections, bytes transferred, retries, timeouts, open circuits, and request rates, response codes.</p>
<p>
<a class="learn-more" href='/docs/connect/observability.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div>
<picture>
<source type="image/png" srcset="
/assets/images/consul-connect/mesh-observability/metrics_300.png 300w,
/assets/images/consul-connect/mesh-observability/metrics_976.png 976w,
/assets/images/consul-connect/mesh-observability/metrics_1200.png 1200w" />
<img src='/assets/images/consul-connect/mesh-observability/metrics_1200.png' alt='Metrics dashboard'>
</source>
</picture>
</div>
</div>
</div>
</section>
<section class='g-section border-top'>
<div class='g-container'>
<div class='g-text-asset reverse'>
<div>
<div>
<h3>Secure services across any runtime platform</h3>
<p>Secure communication between legacy and modern workloads. Sidecar proxies allow applications to be integrated without code changes and Layer 4 support provides nearly universal protocol compatibility.</p>
<p>
<a class="learn-more" href='/docs/connect/proxies.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div>
<picture>
<source type="image/webp" srcset="
/assets/images/consul-connect/grid_3/grid_3_300.webp 300w,
/assets/images/consul-connect/grid_3/grid_3_976.webp 976w,
/assets/images/consul-connect/grid_3/grid_3_1256.webp 1256w" />
<source type="image/png" srcset="
/assets/images/consul-connect/grid_3/grid_3_300.png 300w,
/assets/images/consul-connect/grid_3/grid_3_976.png 976w,
/assets/images/consul-connect/grid_3/grid_3_1256.png 1256w" />
<img src='/assets/images/consul-connect/grid_3/grid_3_1256.png' alt='Secure services across any runtime platform'>
</picture>
</div>
</div>
</div>
</section>
<section class='g-section border-top'>
<div class='g-container'>
<div class='g-text-asset'>
<div>
<div>
<h3>Certificate-Based Service Identity</h3>
<p>TLS certificates are used to identify services and secure communications. Certificates use the SPIFFE format for interoperability with other platforms. Consul can be a certificate authority to simplify deployment, or integrate with external signing authorities like Vault.</p>
<p>
<a class="learn-more" href='/docs/connect/ca.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div class='logos'>
<div>
<img src='/assets/images/consul-connect/logos/vault.png' alt='Vault'>
<img src='/assets/images/consul-connect/logos/spiffe.png' alt='Spiffe'>
</div>
</div>
</div>
</div>
</section>
<section class='g-section border-top'>
<div class='g-container'>
<div class='g-text-asset reverse'>
<div>
<div>
<h3>Encrypted communication</h3>
<p>All traffic between services is encrypted and authenticated with mutual TLS. Using TLS provides a strong guarantee of the identity of services communicating, and ensures all data in transit is encrypted.</p>
<p>
<a class="learn-more" href='/docs/connect/security.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div class='code-sample'>
<div>
<span></span>
<div class='code'><code>$ consul connect proxy -service web \
-service-addr 127.0.0.1:8000
-listen <code class="keyword">10.0.1.109:7200</code>
==> Consul Connect proxy starting...
Configuration mode: Flags
Service: web
Public listener: <code class="keyword">10.0.1.109:7200</code> => 127.0.0.1:8000
...
$ tshark -V \
-Y "ssl.handshake.certificate" \
-O "ssl" \
-f <code class="keyword">"dst port 7200"</code>
Frame 39: 899 bytes on wire (7192 bits), 899 bytes captured (7192 bits) on interface 0
Internet Protocol Version 4, Src: 10.0.1.110, Dst: <code class="keyword">10.0.1.109</code>
Transmission Control Protocol, Src Port: 61918, Dst Port: 7200, Seq: 136, Ack: 916, Len: 843
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Version: TLS 1.2 (0x0303)
Handshake Protocol: Certificate
RDNSequence item: 1 item (id-at-commonName=<code class="keyword">Consul CA 7</code>)
RelativeDistinguishedName item (id-at-commonName=<code class="keyword">Consul CA 7</code>)
Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: <code class="keyword">Consul CA 7</code></code>
</div>
</div>
</div>
</div>
</div>
</section>
<section class='g-section border-top'>
<div class='g-container'>
<div class='g-text-asset'>
<div>
<div>
<h3>Mesh Gateway</h3>
<p>Connect between different cloud regions, VPCs and between overlay and underlay networks without complex network tunnels and NAT. Mesh Gateways solve routing at TLS layer while preserving end-to-end encryption and limiting attack surface area at the edge of each network.</p>
<p>
<a class="learn-more" href='/docs/connect/mesh_gateway.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
</p>
</div>
</div>
<div>
<picture>
<img src='/assets/images/consul-connect/mesh-gateway/gateway_1200.png' style='width:600px' alt='Mesh gateway diagram'>
</picture>
</div>
</div>
</div>
</section>
<section class='g-section g-cta-section'>
<div>
<h2>Ready to get started?</h2>
<a href="/downloads.html" class="g-btn white download">
<svg xmlns="http://www.w3.org/2000/svg" width="20" height="22" viewBox="0 0 20 22">
<path d="M9.292 15.706a1 1 0 0 0 1.416 0l3.999-3.999a1 1 0 1 0-1.414-1.414L11 12.586V1a1 1 0 1 0-2 0v11.586l-2.293-2.293a1 1 0 1 0-1.414 1.414l3.999 3.999zM20 16v3c0 1.654-1.346 3-3 3H3c-1.654 0-3-1.346-3-3v-3a1 1 0 1 1 2 0v3c0 .551.448 1 1 1h14c.552 0 1-.449 1-1v-3a1 1 0 1 1 2 0z"/>
</svg>
Download
</a>
<a href="https://learn.hashicorp.com/consul/getting-started/connect" class="g-btn white-outline">Try it out</a>
</div>
</section>
</div>