Consul
Connect workloads to Consul service mesh
This page provides an overview of Consul's service mesh features and their configuration. Service mesh is enabled by default on Consul server agents.
Introduction
In addition to the service discovery operations available to the Consul instance that runs on the same node as your workload, you can use Consul to deploy Envoy sidecar proxies to control traffic between each service and the rest of the network. Consul includes a built-in certificate authority that can enforce mTLS encryption between sidecar proxies. Use Consul configuration entries to further secure and monitor service-to-service communication.
Service mesh configuration
The connect block of a Consul server agent contains the configurations for the CA provider and locality information for the node. Refer to Service mesh parameters for more information.
To learn how to turn the service mesh off or back on again, refer to enable service mesh.
Envoy proxies
Consul includes built-in support for Envoy proxies to manage service mesh operations. Configure behavior for individual proxies, or configure default behavior for proxies according to service identity. For more information about proxies and their specialized operations in the service mesh, refer to Service mesh proxy overview.
Guidance
Runtime-specific guidance is also available:
- Connect workloads to service mesh on VMs
- Connect workloads to service mesh on Kubernetes
- Connect workloads to service mesh on ECS
- Connect Consul service mesh to AWS Lambda
- Connect workloads to service mesh on Nomad
Debug and troubleshoot
If you experience errors when connecting Consul's service mesh to your workloads, refer to the following resources: