open-nomad/website/content/docs/job-specification/upstreams.mdx

---
layout: docs
page_title: upstreams Stanza - Job Specification
description: |-
  The "upstreams" stanza allows specifying options for configuring
  upstream services
---

# `upstreams` Stanza

<Placement
  groups={[
    'job',
    'group',
    'service',
    'connect',
    'sidecar_service',
    'proxy',
    'upstreams',
  ]}
/>

The `upstreams` stanza allows configuring various options for managing upstream
services that a [Consul
Connect](/docs/integrations/consul-connect) proxy routes to. It
is valid only within the context of a `proxy` stanza.

For Consul-specific details see the [Consul Connect
Guide](https://learn.hashicorp.com/consul/getting-started/connect#register-a-dependent-service-and-proxy).

```hcl
job "countdash" {
  datacenters = ["dc1"]

  group "dashboard" {
    network {
      mode = "bridge"

      port "http" {
        static = 9002
        to     = 9002
      }
    }

    service {
      name = "count-dashboard"
      port = "9002"

      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "count-api"
              local_bind_port  = 8080
              datacenter = "dc2"
              local_bind_address = "127.0.0.1"
              mesh_gateway {
                mode = "local"
              }
            }
          }
        }
      }
    }

    task "dashboard" {
      driver = "docker"

      env {
        COUNTING_SERVICE_URL = "http://${NOMAD_UPSTREAM_ADDR_count_api}"
      }

      config {
        image = "hashicorpnomad/counter-dashboard:v3"
      }
    }
  }
}

```

## `upstreams` Parameters

- `destination_name` `(string: <required>)` - Name of the upstream service.
- `local_bind_port` - `(int: <required>)` - The port the proxy will receive
  connections for the upstream on.
- `datacenter` `(string: "")` - The Consul datacenter in which to issue the
  discovery query. Defaults to the empty string, which Consul interprets as the
  local Consul datacenter.
- `local_bind_address` - `(string: "")` - The address the proxy will receive
  connections for the upstream on.
- `mesh_gateway` <code>([mesh_gateway][mesh_gateway_param]: nil)</code> - Configures the mesh gateway
  behavior for connecting to this upstream.

### `mesh_gateway` Parameters

- `mode` `(string: "")` - The mode of operation in which to use [Connect Mesh Gateways][mesh_gateways].
  If left unset, the mode will default to the mode as determined by the Consul [service-defaults][service_defaults_mode]
  configuration for the service. Can be configured with the following modes:
  - `local` - In this mode the Connect proxy makes its outbound connection to a
  gateway running in the same datacenter. That gateway is then responsible for
  ensuring the data gets forwarded along to gateways in the destination datacenter.
  - `remote` - In this mode the Connect proxy makes its outbound connection to a
  gateway running in the destination datacenter. That gateway will then forward
  the data to the final destination service.
  - `none` - In this mode, no gateway is used and a Connect proxy makes its
  outbound connections directly to the destination services.

The `NOMAD_UPSTREAM_ADDR_<destination_name>` environment variables may be used
to interpolate the upstream's `host:port` address.

Applications are encouraged to connect to `127.0.0.1` and a well defined port
(eg 6379 for Redis) by default. Then when using Consul Connect the application
can be deployed with the Redis upstream's `local_bind_port = 6379` and require
no explicit configuration.

## `upstreams` Examples

The following example is an upstream config with the name of the destination service
and a local bind port.

```hcl
    upstreams {
      destination_name = "count-api"
      local_bind_port = 8080
    }
```

[job]: /docs/job-specification/job 'Nomad job Job Specification'
[group]: /docs/job-specification/group 'Nomad group Job Specification'
[task]: /docs/job-specification/task 'Nomad task Job Specification'
[interpolation]: /docs/runtime/interpolation 'Nomad interpolation'
[sidecar_service]: /docs/job-specification/sidecar_service 'Nomad sidecar service Specification'
[upstreams]: /docs/job-specification/upstreams 'Nomad upstream config Specification'
[service_defaults_mode]: https://www.consul.io/docs/connect/config-entries/service-defaults#meshgateway
[mesh_gateway_param]: /docs/job-specification/upstreams#mesh_gateway-parameters
[mesh_gateways]: https://www.consul.io/docs/connect/gateways/mesh-gateway#mesh-gateways
Initial placeholder connect docs 2019-09-05 18:08:31 +00:00			`---`
new website :sparkles: 2020-02-06 23:45:31 +00:00			`layout: docs`
			`page_title: upstreams Stanza - Job Specification`
Initial placeholder connect docs 2019-09-05 18:08:31 +00:00			`description: \|-`
			`The "upstreams" stanza allows specifying options for configuring`
			`upstream services`
			`---`

			# `upstreams` Stanza

new website :sparkles: 2020-02-06 23:45:31 +00:00			`<Placement`
			`groups={[`
			`'job',`
			`'group',`
			`'service',`
			`'connect',`
			`'sidecar_service',`
			`'proxy',`
Format docs website code and mdx 2020-09-30 13:48:40 +00:00			`'upstreams',`
new website :sparkles: 2020-02-06 23:45:31 +00:00			`]}`
			`/>`
Initial placeholder connect docs 2019-09-05 18:08:31 +00:00
docs: add more detail to connect stanzas 2019-09-06 05:52:11 +00:00			The `upstreams` stanza allows configuring various options for managing upstream
			`services that a [Consul`
link-fixup; move navigation 2020-03-20 21:00:59 +00:00			`Connect](/docs/integrations/consul-connect) proxy routes to. It`
docs: add more detail to connect stanzas 2019-09-06 05:52:11 +00:00			is valid only within the context of a `proxy` stanza.

			`For Consul-specific details see the [Consul Connect`
			`Guide](https://learn.hashicorp.com/consul/getting-started/connect#register-a-dependent-service-and-proxy).`
Initial placeholder connect docs 2019-09-05 18:08:31 +00:00
			```hcl
			`job "countdash" {`
			`datacenters = ["dc1"]`

			`group "dashboard" {`
			`network {`
			`mode = "bridge"`

			`port "http" {`
			`static = 9002`
			`to = 9002`
			`}`
			`}`

			`service {`
			`name = "count-dashboard"`
			`port = "9002"`

			`connect {`
			`sidecar_service {`
			`proxy {`
			`upstreams {`
			`destination_name = "count-api"`
			`local_bind_port = 8080`
consul/connect: add support for connect mesh gateways This PR implements first-class support for Nomad running Consul Connect Mesh Gateways. Mesh gateways enable services in the Connect mesh to make cross-DC connections via gateways, where each datacenter may not have full node interconnectivity. Consul docs with more information: https://www.consul.io/docs/connect/gateways/mesh-gateway The following group level service block can be used to establish a Connect mesh gateway. service { connect { gateway { mesh { // no configuration } } } } Services can make use of a mesh gateway by configuring so in their upstream blocks, e.g. service { connect { sidecar_service { proxy { upstreams { destination_name = "<service>" local_bind_port = <port> datacenter = "<datacenter>" mesh_gateway { mode = "<mode>" } } } } } } Typical use of a mesh gateway is to create a bridge between datacenters. A mesh gateway should then be configured with a service port that is mapped from a host_network configured on a WAN interface in Nomad agent config, e.g. client { host_network "public" { interface = "eth1" } } Create a port mapping in the group.network block for use by the mesh gateway service from the public host_network, e.g. network { mode = "bridge" port "mesh_wan" { host_network = "public" } } Use this port label for the service.port of the mesh gateway, e.g. service { name = "mesh-gateway" port = "mesh_wan" connect { gateway { mesh {} } } } Currently Envoy is the only supported gateway implementation in Consul. By default Nomad client will run the latest official Envoy docker image supported by the local Consul agent. The Envoy task can be customized by setting `meta.connect.gateway_image` in agent config or by setting the `connect.sidecar_task` block. Gateways require Consul 1.8.0+, enforced by the Nomad scheduler. Closes #9446 2021-04-12 19:10:10 +00:00			`datacenter = "dc2"`
consul/connect: enable setting local_bind_address in upstream 2021-02-23 15:49:18 +00:00			`local_bind_address = "127.0.0.1"`
consul/connect: add support for connect mesh gateways This PR implements first-class support for Nomad running Consul Connect Mesh Gateways. Mesh gateways enable services in the Connect mesh to make cross-DC connections via gateways, where each datacenter may not have full node interconnectivity. Consul docs with more information: https://www.consul.io/docs/connect/gateways/mesh-gateway The following group level service block can be used to establish a Connect mesh gateway. service { connect { gateway { mesh { // no configuration } } } } Services can make use of a mesh gateway by configuring so in their upstream blocks, e.g. service { connect { sidecar_service { proxy { upstreams { destination_name = "<service>" local_bind_port = <port> datacenter = "<datacenter>" mesh_gateway { mode = "<mode>" } } } } } } Typical use of a mesh gateway is to create a bridge between datacenters. A mesh gateway should then be configured with a service port that is mapped from a host_network configured on a WAN interface in Nomad agent config, e.g. client { host_network "public" { interface = "eth1" } } Create a port mapping in the group.network block for use by the mesh gateway service from the public host_network, e.g. network { mode = "bridge" port "mesh_wan" { host_network = "public" } } Use this port label for the service.port of the mesh gateway, e.g. service { name = "mesh-gateway" port = "mesh_wan" connect { gateway { mesh {} } } } Currently Envoy is the only supported gateway implementation in Consul. By default Nomad client will run the latest official Envoy docker image supported by the local Consul agent. The Envoy task can be customized by setting `meta.connect.gateway_image` in agent config or by setting the `connect.sidecar_task` block. Gateways require Consul 1.8.0+, enforced by the Nomad scheduler. Closes #9446 2021-04-12 19:10:10 +00:00			`mesh_gateway {`
			`mode = "local"`
			`}`
Initial placeholder connect docs 2019-09-05 18:08:31 +00:00			`}`
			`}`
			`}`
			`}`
			`}`

			`task "dashboard" {`
			`driver = "docker"`

			`env {`
			`COUNTING_SERVICE_URL = "http://${NOMAD_UPSTREAM_ADDR_count_api}"`
			`}`

			`config {`
docs: update countdash examples to v3 2021-01-10 23:19:39 +00:00			`image = "hashicorpnomad/counter-dashboard:v3"`
Initial placeholder connect docs 2019-09-05 18:08:31 +00:00			`}`
			`}`
			`}`
			`}`

			```

			## `upstreams` Parameters

docs: add more detail to connect stanzas 2019-09-06 05:52:11 +00:00			- `destination_name` `(string: <required>)` - Name of the upstream service.
			- `local_bind_port` - `(int: <required>)` - The port the proxy will receive
Initial placeholder connect docs 2019-09-05 18:08:31 +00:00			`connections for the upstream on.`
docs: better clarify connect upstream datacenter 2020-11-30 18:28:08 +00:00			- `datacenter` `(string: "")` - The Consul datacenter in which to issue the
			`discovery query. Defaults to the empty string, which Consul interprets as the`
			`local Consul datacenter.`
consul/connect: enable setting local_bind_address in upstream 2021-02-23 15:49:18 +00:00			- `local_bind_address` - `(string: "")` - The address the proxy will receive
			`connections for the upstream on.`
consul/connect: add support for connect mesh gateways This PR implements first-class support for Nomad running Consul Connect Mesh Gateways. Mesh gateways enable services in the Connect mesh to make cross-DC connections via gateways, where each datacenter may not have full node interconnectivity. Consul docs with more information: https://www.consul.io/docs/connect/gateways/mesh-gateway The following group level service block can be used to establish a Connect mesh gateway. service { connect { gateway { mesh { // no configuration } } } } Services can make use of a mesh gateway by configuring so in their upstream blocks, e.g. service { connect { sidecar_service { proxy { upstreams { destination_name = "<service>" local_bind_port = <port> datacenter = "<datacenter>" mesh_gateway { mode = "<mode>" } } } } } } Typical use of a mesh gateway is to create a bridge between datacenters. A mesh gateway should then be configured with a service port that is mapped from a host_network configured on a WAN interface in Nomad agent config, e.g. client { host_network "public" { interface = "eth1" } } Create a port mapping in the group.network block for use by the mesh gateway service from the public host_network, e.g. network { mode = "bridge" port "mesh_wan" { host_network = "public" } } Use this port label for the service.port of the mesh gateway, e.g. service { name = "mesh-gateway" port = "mesh_wan" connect { gateway { mesh {} } } } Currently Envoy is the only supported gateway implementation in Consul. By default Nomad client will run the latest official Envoy docker image supported by the local Consul agent. The Envoy task can be customized by setting `meta.connect.gateway_image` in agent config or by setting the `connect.sidecar_task` block. Gateways require Consul 1.8.0+, enforced by the Nomad scheduler. Closes #9446 2021-04-12 19:10:10 +00:00			- `mesh_gateway` <code>([mesh_gateway][mesh_gateway_param]: nil)</code> - Configures the mesh gateway
			`behavior for connecting to this upstream.`

			### `mesh_gateway` Parameters

consul/connect: fix upstream mesh gateway default mode setting This PR fixes the API to _not_ set the default mesh gateway mode. Before, the mode would be set to "none" in Canonicalize, which is incorrect. We should pass through the empty string so that folks can make use of Consul service-defaults Config entries to configure the default mode. 2021-06-04 13:50:14 +00:00			- `mode` `(string: "")` - The mode of operation in which to use [Connect Mesh Gateways][mesh_gateways].
			`If left unset, the mode will default to the mode as determined by the Consul [service-defaults][service_defaults_mode]`
consul/connect: add support for connect mesh gateways This PR implements first-class support for Nomad running Consul Connect Mesh Gateways. Mesh gateways enable services in the Connect mesh to make cross-DC connections via gateways, where each datacenter may not have full node interconnectivity. Consul docs with more information: https://www.consul.io/docs/connect/gateways/mesh-gateway The following group level service block can be used to establish a Connect mesh gateway. service { connect { gateway { mesh { // no configuration } } } } Services can make use of a mesh gateway by configuring so in their upstream blocks, e.g. service { connect { sidecar_service { proxy { upstreams { destination_name = "<service>" local_bind_port = <port> datacenter = "<datacenter>" mesh_gateway { mode = "<mode>" } } } } } } Typical use of a mesh gateway is to create a bridge between datacenters. A mesh gateway should then be configured with a service port that is mapped from a host_network configured on a WAN interface in Nomad agent config, e.g. client { host_network "public" { interface = "eth1" } } Create a port mapping in the group.network block for use by the mesh gateway service from the public host_network, e.g. network { mode = "bridge" port "mesh_wan" { host_network = "public" } } Use this port label for the service.port of the mesh gateway, e.g. service { name = "mesh-gateway" port = "mesh_wan" connect { gateway { mesh {} } } } Currently Envoy is the only supported gateway implementation in Consul. By default Nomad client will run the latest official Envoy docker image supported by the local Consul agent. The Envoy task can be customized by setting `meta.connect.gateway_image` in agent config or by setting the `connect.sidecar_task` block. Gateways require Consul 1.8.0+, enforced by the Nomad scheduler. Closes #9446 2021-04-12 19:10:10 +00:00			`configuration for the service. Can be configured with the following modes:`
			- `local` - In this mode the Connect proxy makes its outbound connection to a
			`gateway running in the same datacenter. That gateway is then responsible for`
			`ensuring the data gets forwarded along to gateways in the destination datacenter.`
			- `remote` - In this mode the Connect proxy makes its outbound connection to a
			`gateway running in the destination datacenter. That gateway will then forward`
			`the data to the final destination service.`
			- `none` - In this mode, no gateway is used and a Connect proxy makes its
			`outbound connections directly to the destination services.`
Initial placeholder connect docs 2019-09-05 18:08:31 +00:00
docs: add more detail to connect stanzas 2019-09-06 05:52:11 +00:00			The `NOMAD_UPSTREAM_ADDR_<destination_name>` environment variables may be used
			to interpolate the upstream's `host:port` address.

			Applications are encouraged to connect to `127.0.0.1` and a well defined port
			`(eg 6379 for Redis) by default. Then when using Consul Connect the application`
			can be deployed with the Redis upstream's `local_bind_port = 6379` and require
			`no explicit configuration.`
Initial placeholder connect docs 2019-09-05 18:08:31 +00:00
			## `upstreams` Examples

			`The following example is an upstream config with the name of the destination service`
			`and a local bind port.`

			```hcl
			`upstreams {`
			`destination_name = "count-api"`
			`local_bind_port = 8080`
			`}`
new website :sparkles: 2020-02-06 23:45:31 +00:00			```

			`[job]: /docs/job-specification/job 'Nomad job Job Specification'`
			`[group]: /docs/job-specification/group 'Nomad group Job Specification'`
			`[task]: /docs/job-specification/task 'Nomad task Job Specification'`
			`[interpolation]: /docs/runtime/interpolation 'Nomad interpolation'`
			`[sidecar_service]: /docs/job-specification/sidecar_service 'Nomad sidecar service Specification'`
			`[upstreams]: /docs/job-specification/upstreams 'Nomad upstream config Specification'`
consul/connect: add support for connect mesh gateways This PR implements first-class support for Nomad running Consul Connect Mesh Gateways. Mesh gateways enable services in the Connect mesh to make cross-DC connections via gateways, where each datacenter may not have full node interconnectivity. Consul docs with more information: https://www.consul.io/docs/connect/gateways/mesh-gateway The following group level service block can be used to establish a Connect mesh gateway. service { connect { gateway { mesh { // no configuration } } } } Services can make use of a mesh gateway by configuring so in their upstream blocks, e.g. service { connect { sidecar_service { proxy { upstreams { destination_name = "<service>" local_bind_port = <port> datacenter = "<datacenter>" mesh_gateway { mode = "<mode>" } } } } } } Typical use of a mesh gateway is to create a bridge between datacenters. A mesh gateway should then be configured with a service port that is mapped from a host_network configured on a WAN interface in Nomad agent config, e.g. client { host_network "public" { interface = "eth1" } } Create a port mapping in the group.network block for use by the mesh gateway service from the public host_network, e.g. network { mode = "bridge" port "mesh_wan" { host_network = "public" } } Use this port label for the service.port of the mesh gateway, e.g. service { name = "mesh-gateway" port = "mesh_wan" connect { gateway { mesh {} } } } Currently Envoy is the only supported gateway implementation in Consul. By default Nomad client will run the latest official Envoy docker image supported by the local Consul agent. The Envoy task can be customized by setting `meta.connect.gateway_image` in agent config or by setting the `connect.sidecar_task` block. Gateways require Consul 1.8.0+, enforced by the Nomad scheduler. Closes #9446 2021-04-12 19:10:10 +00:00			`[service_defaults_mode]: https://www.consul.io/docs/connect/config-entries/service-defaults#meshgateway`
			`[mesh_gateway_param]: /docs/job-specification/upstreams#mesh_gateway-parameters`
			`[mesh_gateways]: https://www.consul.io/docs/connect/gateways/mesh-gateway#mesh-gateways`