Consul
API gateways overview
This topic provides overview information about API gateways in Consul.
Introduction
API gateways enable external network clients to access applications and services running in a Consul datacenter. Consul API gateways can also forward requests from clients to specific destinations based on path or request protocol. Systems that access services in the mesh may be internal or external to your organizational network. North-south traffic is a common term to describe this type of network traffic.
API gateway use cases
API gateways solve the following primary use cases:
- Control access at the point of entry: Set the protocols of external connection requests and secure inbound connections with TLS certificates from trusted providers, such as Verisign and Let's Encrypt.
- Simplify traffic management: Load balance requests across services and route traffic to the appropriate service by matching one or more criteria, such as hostname, path, header presence or value, and HTTP method.
Workflows
You can deploy API gateways to networks that implement a variety of computing environments:
- Services hosted on VMs
- Kubernetes-orchestrated service containers
- Kubernetes-orchestrated service containers in OpenShift
The following steps describe the general workflow for deploying a Consul API gateway:
- For Kubernetes-orchestrated services, install Consul on your cluster. For Kubernetes-orchestrated services on OpenShift, you must also enable the `openShift.enabled` parameter. Refer to Install Consul on Kubernetes for additional information.
- Define and deploy the API gateway configurations to create the API gateway artifacts. For VM-hosted services, create configuration entries for the gateway service, listener configurations, and references to TLS certificates. For Kubernetes-orchestrated services, configurations also include `GatewayClassConfig`s and `parametersRef`s.
- Define and deploy routes between the gateway listeners and services in the mesh.
Gateway configurations are modular, so you can define and attach routes and inline certificates to multiple gateways.
Configurations for virtual machines
Apply the following configuration items if your network runs on virtual machine nodes:
Configuration | Description | Usage |
---|---|---|
api-gateway | Defines the main infrastructure resource for declaring an API gateway and listeners on the gateway. | Deploy API gateway listeners on virtual machines |
http-route | Enables HTTP traffic to reach services in the mesh from a listener on the gateway. | |
tcp-route | Enables TCP traffic to reach services in the mesh from a listener on the gateway. | Define routes on virtual machines |
file-system-certificate | Provides the gateway with a CA certificate so that requests between the user and the gateway endpoint are encrypted. | Encrypt API gateway traffic on virtual machines |
inline-certificate | Provides the gateway with a CA certificate so that requests between the user and the gateway endpoint are encrypted. | Encrypt API gateway traffic on virtual machines |
service-intentions | Specifies traffic communication rules between services in the mesh. Intentions also enforce rules for service-to-service traffic routed through a Consul API gateway. | General configuration for securing a service mesh |
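The VM configuration entries in the table above fit together as shown below. This is an added example, not taken from the Consul documentation; the entry names (`edge-gateway`, `edge-cert`, `api-route`), the `api` service, port 8443 and the certificate paths are assumptions.

```hcl
# Added example: names, port and paths are assumed; write each entry from its own file.
# --- edge-cert.hcl: certificate and key are read from disk on the gateway host ---
Kind        = "file-system-certificate"
Name        = "edge-cert"
Certificate = "/etc/consul.d/tls/edge.pem"
PrivateKey  = "/etc/consul.d/tls/edge-key.pem"
# --- edge-gateway.hcl: one HTTP listener that terminates TLS with edge-cert ---
Kind = "api-gateway"
Name = "edge-gateway"
Listeners = [
  {
    Name     = "https"
    Port     = 8443
    Protocol = "http"
    TLS = {
      MinVersion = "TLSv1_2"
      Certificates = [
        {
          Kind = "file-system-certificate"
          Name = "edge-cert"
        }
      ]
    }
  }
]
# --- api-route.hcl: attach a route to the "https" listener, send traffic to "api" ---
Kind = "http-route"
Name = "api-route"
Parents = [
  {
    Kind        = "api-gateway"
    Name        = "edge-gateway"
    SectionName = "https"
  }
]
Rules = [
  {
    Services = [{ Name = "api" }]
  }
]
# --- api-intentions.hcl: permit the gateway to call the "api" service ---
Kind = "service-intentions"
Name = "api"
Sources = [
  {
    Name   = "edge-gateway"
    Action = "allow"
  }
]
```

Each entry is applied separately with `consul config write <file>`. When intentions default to deny, listing the gateway as the only allowed source keeps it the sole entry point to the `api` service.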
Configurations for Kubernetes
Apply the following configuration items if your network runs on Kubernetes:
Configuration | Description | Usage |
---|---|---|
Gateway | Defines the main infrastructure resource for declaring an API gateway and listeners on the gateway. It also specifies the name of the GatewayClass. | Deploy listeners on Kubernetes |
GatewayClass | Defines a class of gateway resources used as a template for creating gateways. The default gateway class is consul and is suitable for most API gateway implementations. | Deploy listeners on Kubernetes |
GatewayClassConfig | Describes additional gateway-related configuration parameters for the GatewayClass resource. | Deploy listeners on Kubernetes |
Routes | Specifies paths from the gateway listener to backend services. | |
MeshServices | Enables routes to reference services in Consul. | Route traffic to peered services in Kubernetes |
ServiceIntentions | Specifies traffic communication rules between services in the mesh. Intentions also enforce rules for service-to-service traffic routed through a Consul API gateway. | General configuration for securing a service mesh |
Technical specifications
Refer to Technical specifications for API gateways on Kubernetes for additional details and considerations about using API gateways in Kubernetes-orchestrated networks.
Guidance
Refer to the following resources for help setting up and using API gateways:
Tutorials
Usage documentation
- Deploy API gateway listeners to VMs
- Deploy API gateway listeners to Kubernetes
- Deploy API gateway routes to VMs
- Deploy API gateway routes to Kubernetes
- Reroute HTTP requests in Kubernetes
- Route traffic to peered services in Kubernetes
- Encrypt API gateway traffic on VMs
- Use JWTs to verify requests to API gateways on VMs
- Use JWTs to verify requests to API gateways on Kubernetes