7. PROVISION, SECURE AND RUN ANY INFRASTRUCTURE
Nomad Consul
Vault
Vagrant Packer Terraform
Consul Enterprise
Terraform Enterprise
Vault Enterprise
PRODUCT SUITEOSS TOOL SUITE
RUN
Applications
SECURE
Application Infrastructure
PROVISION
Infrastructure
FOR INDIVIDUALS FOR TEAMS
Nomad Enterprise
8. @anubhavmBlog Post Link: https://www.hashicorp.com/blog/smart-networking-with-consul-and-service-meshes
10. @anubhavm
Agenda
1. Introduction to “Smart Networking” and “Service Mesh”
2. Introduction to HashiCorp Consul
3. Architecture and overview of Consul
4. Exercises (Hands-On Lab)
• Exploring Service Discovery, K/V Store, and Consul Template
• NGINX and Consul (Smart Proxy)
• Fabio and Consul (Smart Networking in containers)
• Consul Connect (Service Mesh)
• Consul Connect for Service to Service Communication
• Consul Connect for Service to Database Communication
• Consul Connect for Serverless Applications
5. Conclusion
6. Discussion / Q&A
25. @anubhavm
Smart Networking - First Principles
Dumb Pipe or Smart Network
Protocol Awareness
Service
A
Service
B
Ribbon
26. @anubhavm
Dumb Pipe
Pros:
Simplicity for Networks
Smart Applications (“What you see is what you get”)
Easily Customizable
Cons:
Redundant Code
Every Application has to Implement the Code (Polyglot?)
28. @anubhavm
Smart Networking - First Principles
Dumb Pipe or Smart Network
Protocol Awareness
Service
A
Service
B
Proxy Proxy
29. @anubhavm
Smart Network
Pros:
Little to no Application Code changes are required
Features like Traffic Shaping, Service Discovery and Network Policy Control come
out of the Box
Cons:
Smart Network becomes an Implicit Dependency of the Application
Harder to Reason about the Whole System
35. @anubhavm
Separation of Control and Data Plane
Control Plane
Data Plane
• Traffic Routing / Shaping
• Configuring the Data Plane
• Policy Enforcement
• Provide Service Discovery Data to Data Plane
37. @anubhavm
Separation of Control and Data Plane
Control Plane
Data Plane
• Forward Request from the Applications
• Health Checking
• Load Balancing
• Circuit Breaking
• Timeouts
• Retries
• Authentication
• Authorization
38. @anubhavm
Separation of Control and Data Plane
Control Plane
Data Plane
…..
• Forward Request from the Applications
• Health Checking
• Load Balancing
• Circuit Breaking
• Timeouts
• Retries
• Authentication
• Authorization
42. @anubhavm
Protocol Awareness
Layer 4 vs Layer 7
TCP, UDP vs HTTP “Universally” Compatible
High Performance
Difficult to provide Sophisticated
request aware features
Layer 4
43. @anubhavm
Protocol Awareness
Layer 4 vs Layer 7
TCP, UDP vs HTTP Perform complex routing decisions
Header and Path based routing
Can yield lower performance
Layer 7
46. @anubhavm
Service Mesh for Microservices
Service Discovery. Connect services with a dynamic registry
Service Configuration. Configure services with runtime configs
Service Segmentation. Secure services based on identity
51. @anubhavm
Multi Data Center
CLIENT CLIENT CLIENT CLIENT CLIENT CLIENT
SERVER SERVER SERVER
REPLICATION REPLICATION
RPC
RPC
LAN GOSSIP
SERVERSERVER SERVER
REPLICATION REPLICATION
WAN GOSSIP
52. @anubhavm
Service Mesh for Microservices
Service Discovery. Connect services with a dynamic registry
Service Configuration. Configure services with runtime configs
Service Segmentation. Secure services based on identity
54. T E R M I N A L
$ dig llama.node.consul
; <<>> DiG 9.10.3-P4-Ubuntu <<>> testing-llama.node.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64443
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;testing-llama.node.consul.IN A
;; ANSWER SECTION:
testing-llama.node.consul. 0 IN A 10.1.1.148
59. @anubhavm
Excercise: SSH into your workstations
SSH into your workstation using the provided credentials.
ssh servicemesh@<your.ip.address>
password: veloc1ty2018
Run consul members command to see what happens!
Your tutorial working directory will be /workstation/consul
60. T E R M I N A L
$ consul members
Node Address Status Type Build Protocol DC Segment
velocity-server-0 10.1.1.73:8301 alive server 1.2.3 2 dc1 <all>
velocity-server-1 10.1.2.16:8301 alive server 1.2.3 2 dc1 <all>
velocity-server-2 10.1.1.164:8301 alive server 1.2.3 2 dc1 <all>
velocity-ant 10.1.1.82:8301 alive client 1.2.3 2 dc1 <default>
velocity-badger 10.1.2.22:8301 alive client 1.2.3 2 dc1 <default>
61. WA R N I N G You are sharing a cluster
Let’s be nice to each other.
63. @anubhavm
Service Discovery - DNS Interface
Consul's DNS interface is zero touch
Randomized Round-Robin DNS
Filters on Health Checks
64. T E R M I N A L
$ dig llama.node.consul
; <<>> DiG 9.10.3-P4-Ubuntu <<>> testing-llama.node.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64443
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;testing-llama.node.consul.IN A
;; ANSWER SECTION:
testing-llama.node.consul. 0 IN A 10.1.1.148
65. @anubhavm
Exercise: Query Service
Query for consul service information using dig and the DNS
interface.
HINT: Remember the DNS naming format is
{service_name}.service.consul
66. T E R M I N A L
$ dig consul.service.consul
; <<>> DiG 9.10.3-P4-Ubuntu <<>> consul.service.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9334
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;consul.service.consul. IN A
;; ANSWER SECTION:
consul.service.consul. 0 IN A 10.1.1.164
consul.service.consul. 0 IN A 10.1.1.73
consul.service.consul. 0 IN A 10.1.2.16
;; ADDITIONAL SECTION:
consul.service.consul. 0 IN TXT "consul-network-segment="
consul.service.consul. 0 IN TXT "consul-network-segment="
consul.service.consul. 0 IN TXT "consul-network-segment="
67. T E R M I N A L
$ dig +short consul.service.consul
10.1.1.164
10.1.2.16
10.1.1.73
70. {
"service": {
"name": "my-service",
"tags": ["tag-1", "tag-2"],
"port": 1234
}
}
C O D E E D I T O R
Exposed via DNS and HTTP APIs
Referred to as the "logical service" name
dig my-service.service.consul
74. @anubhavm
Service Discovery - Consul CLI
Consul CLI provides basic interactions with service discovery
Do not use the CLI to build tooling (use API instead)
Allows easily querying services
Currently only supports the catalog
76. T E R M I N A L
$ consul catalog -h
Usage: consul catalog <subcommand> [options] [args]
This command has subcommands for interacting with Consul's catalog. The
catalog should not be confused with the agent, although the APIs and
responses may be similar.
Here are some simple examples, and more detailed examples are available
in the subcommands or the documentation.
List all datacenters:
$ consul catalog datacenters
List all nodes:
$ consul catalog nodes
List all services:
$ consul catalog services
.....
78. T E R M I N A L
$ consul catalog services -tags
consul
counting velocity
counting-proxy
dashboard velocity
dashboard-proxy
fabio
http
nomad http,rpc,serf
nomad-client http
80. @anubhavm
K/V Store
Highly-available, globally accessible key-value store
Folder-like architecture allows for easy organization
Optional ACLs can enforce policy and access
Accessible via HTTP API (no DNS interface)
Can be used via the CLI or via a tool like curl
K/V Store: Use Cases
81. @anubhavm
K/V Store: Use Cases
Runtime configuration data
Secrets or sensitive application data (eg. Vault’s encrypted data)
82. @anubhavm
K/V Store: Use Cases
Runtime configuration data
Secrets or sensitive application data (eg. Vault’s encrypted data)
83. T E R M I N A L
$ consul kv put <KEY> <DATA>
Success! Data written to: <KEY>
$ curl -X PUT -d <DATA> http://localhost:8500/v1/kv/<KEY>
true
84. T E R M I N A L
$ consul kv get <KEY>
<DATA>
$ curl http://localhost:8500/v1/kv/<KEY>
85. @anubhavm
Exercise: Create KV Data
Create two new key-value pairs in the store.
Keep in mind that everyone is using the same Consul servers, so
choose a unique name that won't conflict with another user.
Read those values back out.
86. T E R M I N A L
$ consul kv put anubhavmishra/velocity hello
Success! Data written to: anubhavmishra/velocity
$ consul kv get anubhavmishra/velocity
hello
88. @anubhavm
Consul Template: A Helper tool for Consul
Consul Template handles the HTTP API flow with Consul
Retrieves keys and services from Consul and renders them into a
template
Optionally integration with HashiCorp Vault as well
91. T E R M I N A L
$ consul-template -h
Usage: consul-template [options]
Watches a series of templates on the file system, writing new changes when
Consul is updated. It runs until an interrupt is received unless the -once
flag is specified.
Options:
-config=<path>
Sets the path to a configuration file or folder on disk. This can be
specified multiple times to load multiple files or folders. If multiple
values are given, they are merged left-to-right, and CLI arguments take
the top-most precedence.
-consul-addr=<address>
Sets the address of the Consul instance
92. @anubhavm
Exercise: Create Template
Create and execute a Consul Template template that iterates over
all the healthy services named "consul" and prints out the IP
address.
HINT: Consul Template's documentation is very verbose and
probably has examples that you can follow.
93. {{ range service “consul" }}
{{ .Address }}
{{ end }}
C O D E E D I T O R
94. T E R M I N A L
$ consul-template -dry —template=in.tpl
>
10.1.1.13
10.1.2.250
10.1.1.36
95. @anubhavm
“Smart Proxy” with NGINX and Consul
Similar to AirBnB’s “Smart Stack”
Configure NGINX dynamically using Consul’s service catalog
Make the simplest form of a “Smart Proxy”
Use Consul Template as the helper tool to achieve this
97. @anubhavm
“Smart NGINX”
server {
listen 5051;
server {
listen 5050;
.....
NGINX
SERVICE A
server {
listen 5051;
server {
listen 5050;
.....
NGINX
SERVICE B
:8080
10.0.0.1 10.0.0.2
98. @anubhavm
“Smart NGINX”
server {
listen 5051;
server {
listen 5050;
.....
NGINX
SERVICE A
server {
listen 5051;
server {
listen 5050;
.....
NGINX
SERVICE B
:8080
https://10.0.0.2:5051/service/service-b/hello
10.0.0.1 10.0.0.2
99. @anubhavm
“Smart NGINX”
server {
listen 5051;
server {
listen 5050;
.....
NGINX
SERVICE A
server {
listen 5051;
server {
listen 5050;
.....
NGINX
SERVICE B
:8080
https://10.0.0.2:5051/service/service-b/hello
10.0.0.1 10.0.0.2
103. @anubhavm
Counting Application
For the purpose of this tutorial we will be using a simple Golang
application called “counting-service”.
The application is already installed on your workstations can be
started by typing the following command in your shell:
sudo service counting start
104. T E R M I N A L
$ sudo service counting start
$ curl http://localhost:9001
{“count":8,"hostname":"velocity-ant.node.consul"}
$ curl http://localhost:9001/health
Hello, you've hit /health
105. @anubhavm
Exercise: Register Counting Service in Consul
Register a new service named “counting” with tags “velocity”,
running on port 9001.
Query that service using the DNS interface.
Note: Use consul reload command to reload Consul.
106. T E R M I N A L
$ vim /workstation/consul/counting.json
# INSERT PORT AND HEALTH CHECK ENDPOINT
$ sudo mv /workstation/consul/counting.json /etc/consul.d/counting.json
$ ls /etc/consul.d/
107. {
"service": {
"name": “counting",
"tags": [“velocity-ant"],
"port": 9001,
"check": {
"id": "counting-check",
"http": "http://localhost:9001/health",
"method": "GET",
"interval": "1s",
"timeout": "1s"
}
}
}
C O D E E D I T O R
108. T E R M I N A L
$ consul reload
Configuration reload triggered
$ dig $(identity).counting.service.consul
109. @anubhavm
Exercise: Create a NGINX Template
Create and execute a Consul Template template that iterates over
all services that are tagged as “velocity” and create NGINX
backends for them.
110. T E R M I N A L
$ cd /workstation/consul/nginx
$ vim nginx.conf.tpl
111. T E R M I N A L
$ consul-template -template=nginx.conf.tpl -dry
112. {
"service": {
"name": "counting",
"tags": ["velocity-ant", "velocity"],
"port": 9001,
"check": {
"id": "counting-check",
"http": "http://localhost:9001/health",
"method": "GET",
"interval": "1s",
"timeout": "1s"
}
}
}
C O D E E D I T O R
113. T E R M I N A L
$ consul-template -template=nginx.conf.tpl -dry
114. @anubhavm
Exercise: Create Consul Template Config file
Create a config file for Consul Template that can be used to supply
NGINX with the dynamic configuration and then reload it.
115. T E R M I N A L
$ sudo vim /etc/consul.d/templates/nginx-smart-router.json
116. log_level = "info"
wait {
min = "5s"
max = "600s"
}
max_stale = "1m"
template {
source = "/etc/consul.d/templates/template/nginx.conf.tpl"
destination ="/etc/nginx/sites-available/nginx-smart-router.conf"
command = "nginx -s reload"
}
C O D E E D I T O R
117. T E R M I N A L
# Move nginx.conf.tpl to /etc/consul.d/templates/template/nginx.conf.tpl
$ sudo mv nginx.conf.tpl /etc/consul.d/templates/template/nginx.conf.tpl
# Open consul-template systemd configuration and supply it the configuration
$ sudo vim /etc/systemd/system/consul-template.service
118. [Unit]
Description=Template rendering, notifier, and supervisor for HashiCorp Consul and
Vault data
Requires=network-online.target
After=network-online.target
[Service]
ExecStart=/usr/local/bin/consul-template -config /etc/consul.d/templates/nginx-
smart-router.json
ExecReload=/bin/kill -HUP
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
C O D E E D I T O R
119. [Unit]
Description=Template rendering, notifier, and supervisor for HashiCorp Consul and
Vault data
Requires=network-online.target
After=network-online.target
[Service]
ExecStart=/usr/local/bin/consul-template -config /etc/consul.d/templates/nginx-
smart-router.json
ExecReload=/bin/kill -HUP
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
C O D E E D I T O R
120. T E R M I N A L
$ sudo systemctl daemon-reload
$ sudo service consul-template start
121. T E R M I N A L
$ cd /etc/nginx/sites-enabled
$ sudo ln -s /etc/nginx/sites-available/nginx-smart-router.conf nginx-smart-router
$ sudo service nginx restart
122. @anubhavm
Exercise: Request Counting Service via “Smart NGINX”
Make a request to the counting service using the newly configured
NGINX router.
HINT: Use the local port 5050
123. T E R M I N A L
$ curl http://localhost:5050/service/counting/
{“count":1,"hostname":"velocity-badger.node.consul"}
124. T E R M I N A L
# Try the -i flag in curl to include the protocol headers
$ curl -i http://localhost:5050/service/counting/
125. @anubhavm
Exercise: Use the Dashboard Service to Connect to Counting Service
Explore the Dashboard service on your workstations. Start the
service and register it in Consul.
126. T E R M I N A L
$ vim /etc/systemd/system/dashboard.service
127. [Unit]
Description=An simple dashboard service
Requires=network-online.target
After=network-online.target
[Service]
Environment=PORT=9002
Environment=COUNTING_SERVICE_URL=http://localhost:5050/service/counting/
ExecStart=/usr/local/bin/dashboard-service
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
C O D E E D I T O R
128. [Unit]
Description=An simple dashboard service
Requires=network-online.target
After=network-online.target
[Service]
Environment=PORT=9002
Environment=COUNTING_SERVICE_URL=http://localhost:5050/service/counting/
ExecStart=/usr/local/bin/dashboard-service
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
C O D E E D I T O R
129. T E R M I N A L
$ cp /workstation/consul/dashboard.json /etc/consul.d/dashboard.json
$ vim /etc/consul.d/dashboard.json
130. {
"service": {
"name": "dashboard",
"tags": ["velocity-ant"],
"port": 9002,
"check": {
"id": "dashboard-check",
"http": "http://localhost:9002/health",
"method": "GET",
"interval": "1s",
"timeout": "1s"
}
}
}
C O D E E D I T O R
131. T E R M I N A L
$ sudo service dashboard start
$ consul reload
132. @anubhavm
Exercise: Verify Dashboard Application
Open the dashboard application and make sure it is able to
connect to the counting service via “Smart NGINX”.
Your dashboard application will be available at the following URL:
http://{workstation_ip}:9002
133. @anubhavm
Use Consul K/V as a Control Plane for NGINX
Consul K/V store can be used to store runtime configuration for
the proxy.
Consul Template will watch for these values to change, if they do
then it will immediately make them available for the proxy.
134. T E R M I N A L
$ while true;do curl -i http://localhost:5050/service/counting/;sleep 0.5;done
135. T E R M I N A L
$ consul kv put config/global/router/prefer-local-routing 1
136. @anubhavm
Runtime Configuration
Consul K/V store can be used to store runtime configuration for
the proxy.
These can extend to things like storing values for request retries,
rate limits, etc.
137. @anubhavm
“Smart Proxy” with X and Consul
This approach can be extended to other proxies like HAProxy,
Apache2, etc.
This approach will also work with containers.
139. @anubhavm
Fabio: A Consul Load Balancer
Fabio integrates with Consul and acts as a load balancer for all
healthy services in a given name.
HTTP(S) and TCP router
Developed at Ebay and used by Ebay, kijiji
Github Repository: https://github.com/fabiolb/fabio
Website: https://fabiolb.net/
140. @anubhavm
Exercise: Use Fabio as an Ingress into Nomad
Run the counting service using a cluster scheduler (in this case we
will use Nomad).
Use Fabio to get to the counting service using host headers.
141. T E R M I N A L
$ cd /workstation/nomad
$ vim counting-service.nomad
142. job "counting-service-velocity-badger" {
datacenters = ["dc1"]
group "counting-service" {
count = 1
task "web" {
driver = "docker"
config {
image = "anubhavmishra/counting-service"
port_map = {
http = 9001
}
}
.....
service {
name = "counting-service"
port = "http"
tags = [
"velocity-badger",
"velocity",
"urlprefix-counting-service.hashicorp.live/",
C O D E E D I T O R
143. job "counting-service-velocity-badger" {
.....
service {
name = "counting-service"
port = "http"
tags = [
"velocity-badger",
"velocity",
"urlprefix-counting-service.hashicorp.live/",
]
check {
type = "http"
path = "/health"
interval = "2s"
timeout = "2s"
}
}
}
}
}
C O D E E D I T O R
144. T E R M I N A L
$ nomad run counting-service.nomad
$ nomad status counting-service
145. T E R M I N A L
$ curl -i -H 'Host: counting-service.hashicorp.live' http://localhost:9999
HTTP/1.1 200 OK
Content-Length: 37
Content-Type: text/plain; charset=utf-8
Date: Fri, 28 Sep 2018 19:09:01 GMT
{“count":2,"hostname":"09cb1e97a2bf"}
# Access your application using the internet
$ curl -i -H 'Host: counting-service.hashicorp.live' http://fabio.hashicorp.live
146. @anubhavm
Fabio: A Consul Load Balancer
Fabio feels like a “global” load balancer since it spans both, VMs
and Containers!
147. @anubhavm
Service Mesh for Microservices
Service Discovery. Connect services with a dynamic registry
Service Configuration. Configure services with runtime configs
Service Segmentation. Secure services based on identity
148. @anubhavm
Service Mesh for Microservices
Service Discovery. Connect services with a dynamic registry
Service Configuration. Configure services with runtime configs
Service Segmentation. Secure services based on identity
149. @anubhavm
Service Mesh for Microservices
Service Discovery. Connect services with a dynamic registry
Service Configuration. Configure services with runtime configs
Service Segmentation. Secure services based on identity
Zero Trust Networks!
153. T E R M I N A L
$ consul intention create -deny web '*'
Created: web => * (deny)
$ consul intention create -allow web db
Created: web => db (allow)
164. T E R M I N A L
$ consul connect proxy
-service web
-upstream postgresql:8181
$ psql -h 127.0.0.1 -p 8181 -U mitchellh mydb
>
165. @anubhavm
Exercise: Connect Two Service via Consul Connect
Take two services, dashboard and counting service and connect
them over TLS using Consul’s Connect feature.
dashboard counting
mTLS
166. @anubhavm
Exercise: Connect Two Service via Consul Connect
Edit the dashboard and counting Consul service files to enable
connect.
167. T E R M I N A L
$ sudo vim /etc/consul.d/counting.json
168. {
"service": {
"name": "counting",
"tags": ["velocity"],
"port": 9001,
"connect": {
"proxy": {}
},
"check": {
"id": "counting-check",
"http": "http://localhost:9001/health",
"method": "GET",
"interval": "1s",
"timeout": "1s"
}
}
}
C O D E E D I T O R
169. T E R M I N A L
$ sudo vim /etc/consul.d/dashboard.json
170. {
"service": {
"name": "dashboard",
"port": 9002,
"tags": [“velocity-ant"],
"connect": {
"proxy": {
"config": {
"upstreams": [
{
"destination_name": "counting",
"local_bind_port": 9003
}
]
}
}
},
"check": {
"id": "dashboard-check",
"http": "http://localhost:9002/health",
"method": "GET",
"interval": "1s",
"timeout": "1s"
C O D E E D I T O R
171. @anubhavm
Exercise: Connect Two Service via Consul Connect
Edit the dashboard systemd config file to point to the
local_bind_port 9003.
172. T E R M I N A L
$ vim /etc/systemd/system/dashboard.service
173. [Unit]
Description=An simple dashboard service
Requires=network-online.target
After=network-online.target
[Service]
Environment=PORT=9002
Environment=COUNTING_SERVICE_URL=http://localhost:5050/service/counting/
ExecStart=/usr/local/bin/dashboard-service
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
C O D E E D I T O R
174. [Unit]
Description=An simple dashboard service
Requires=network-online.target
After=network-online.target
[Service]
Environment=PORT=9002
Environment=COUNTING_SERVICE_URL=http://localhost:9003
ExecStart=/usr/local/bin/dashboard-service
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
C O D E E D I T O R
176. T E R M I N A L
$ consul reload
Configuration reload triggered
$ sudo systemctl daemon-reload
$ sudo service dashboard restart
177. @anubhavm
Exercise: Verify Dashboard and Counting Services
Use the Consul UI to verify that both, dashboard and counting
services are healthy and running.
Consul UI is located at http://consul.hashicorp.live
HINT: Navigate the “services” tab in the Consul UI and filter for
your node.
178. T E R M I N A L
$ open http://consul.hashicorp.live
179. @anubhavm
Exercise: Verify Dashboard Application
Open the dashboard application and make sure it is able to
connect to the counting service via Consul Connect.
Your dashboard application will be available at the following URL:
http://{workstation_ip}:9002
181. @anubhavm
Exercise: Connect to a Database Using Consul Connect
Use Consul Connect to open a encrypted connection to a database
running on a VM.
Client will use Consul Connect to spin up a proxy masquerading as
the “web” service, connecting to the “redis-db” service, binding on
local port 8081
182. T E R M I N A L
$ sudo apt-get install -y redis-tools
$ redis-cli -h
183. T E R M I N A L
# Instructor will run this command.
$ sudo apt-get install redis-server
# Register redis service in Consul
# Show traffic without Consul Connect.
# Enable Consul Connect.
184. T E R M I N A L
$ consul connect proxy
-service web
-upstream redis-db:6379 &
$ redis-cli
187. // Create a Consul API client
client, _ := api.NewClient(api.DefaultConfig())
// Create an instance representing this service.
svc, _ := connect.NewService("my-service", client)
defer svc.Close()
// Creating an HTTP server that serves via Connect
server := &http.Server{
Addr: ":8080",
TLSConfig: svc.ServerTLSConfig(),
// ... other standard fields
}
// Serve!
server.ListenAndServeTLS("", "")
C O D E E D I T O R
188. @anubhavm
Consul Connect Lambda Integration
Consul’s Connect feature can be used to connect AWS Lambda
functions to services running inside a datacenter (EC2 instances,
RDS databases etc).
DISCLAIMER: THIS IS NOT PRODUCTION READY!
Github Repository: https://github.com/anubhavmishra/consul-connect-lambda
189. @anubhavm
Consul Connect Lambda Integration
SERVER
Internal Loadbalancer
SERVER
SERVER
LB
App
App
App
App
VPC
Lambda
Function
SDK
API
GATEWAY
Internet
190. @anubhavm
Consul Connect Lambda Integration
SERVER
Internal Loadbalancer
SERVER
SERVER
LB
App
App
App
App
VPC
Lambda
Function
SDK
API
GATEWAY
Internet Mutual TLS
192. @anubhavm
Consul Connect
Service Access Graph. Intentions allow or deny communication of
logical services.
Certificate Distribution. Standard TLS certificates with SPIFFE
compatibility.
Application Integration. Native integrations or side car proxies.
194. @anubhavm
Consul for Service Mesh Control Plane
Service Discovery. Connect services with a dynamic registry
Service Configuration. Configure services with runtime configs
Service Segmentation. Secure services based on identity
Pluggable Control Plane and Data Plane.
195. @anubhavm
Useful Links
• Envoy Consul Service Discovery Service: https://github.com/
anubhavmishra/envoy-consul-sds
• Consul Connect Lambda Integration: https://github.com/
anubhavmishra/consul-connect-lambda
196. Thanks! I have stickers!
Consul: https://consul.io
@anubhavm