HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Consul
Consul Home

You are viewing documentation for version v1.18.x. View latest version.

Create Network Segments

This topic describes how to create Consul network segments so that services can connect to other services in the LAN gossip pool that have been placed into separate communication boundaries. Refer to Network Segments Overview for additional information.

Requirements

  • Consul Enterprise 0.9.3+

Define segments in the server configuration

  1. Add the segments block to your server configuration. Refer to the segments documentation for details about how to define the configuration.

    In the following example, an alpha segment is configured to listen for traffic on port 8303 and a beta segment is configured to listen to traffic on port 8304:

    Example network segments configuration for server agents

    segments = [
{
   name = "alpha"
   bind = "10.0.0.1"
   advertise = "10.0.0.1"
   port = 8303
},
{
   name = "beta"
   bind = "10.0.0.1"
   advertise = "10.0.0.1"
   port = 8304
}
]

  2. Start the server using the consul agent command. Copy the address for each segment listener so that you can direct clients to join the segment when you start them:

    $ consul agent -config-file server.hcl
[INFO] serf: EventMemberJoin: server1.dc1 10.20.10.11
[INFO] serf: EventMemberJoin: server1 10.20.10.11
[INFO] consul: Started listener for LAN segment "alpha" on 10.20.10.11:8303
[INFO] serf: EventMemberJoin: server1 10.20.10.11
[INFO] consul: Started listener for LAN segment "beta" on 10.20.10.11:8304
[INFO] serf: EventMemberJoin: server1 10.20.10.11

  3. Verify that the server is a member of all segments:

    $ consul members
Node          Address           Status  Type    Build      Protocol  DC   Segment
server1       10.20.10.11:8301  alive   server  1.14+ent  2         dc1  <all>

Configure clients to join segments

Client agents can only be members of one segment at a time. You can direct clients to join a segment by specifying the address and name of the segment with the -join and -segment command line flags when starting the agent.

$ consul agent -config-file client.hcl -join 10.20.10.11:8303 -segment alpha

Alternatively, you can add the retry_join and segment parameters to your client agent configuration file:

node_name  = "consul-client"
server     = false
datacenter = "dc1"
data_dir   = "consul/client-data"
log_level  = "INFO"
retry_join = ["10.20.10.11:8303"]
segment = "alpha"

Verify segments

You can use the CLI, API, or GUI to verify which segments your agents have joined.

Run the consul members command to verify that the client agents are joined to the correct segments:

$ consul members
Node             Address        Status  Type     Build       Protocol  DC   Partition  Segment
server    192.168.4.159:8301    alive   server   1.14+ent  2         dc1  default    <all>
client1   192.168.4.159:8447    alive   client   1.14+ent  2         dc1  default    alpha

You can also pass the name of a segment in the -segment flag to view agents in a specific segment. Note that server agents display their LAN listener port for the specified segment the segment filter applied. In the following example, the command returns port 8303 for alpha, rather than for the <default> segment port:

$ consul members -segment alpha
Node          Address           Status  Type    Build      Protocol  DC   Segment
server1      10.20.10.11:8301   alive   server  1.14+ent  2         dc1  alpha
client1      10.20.10.21:8303   alive   client  1.14+ent  2         dc1  alpha

Refer to the members documentation for additional information.

Related resources

You can also create and run a prepared query to query for additional information about the services registered to client nodes. Prepared queries are HTTP API endpoint features that enable you to run complex queries of Consul nodes. Refer Prepared Query HTTP Endpoint for usage.