API gateways on VMs overview
This topic provides overview information about API gateways for Consul on virtual machines.
Introduction
API gateways enable external network clients to access applications and services running in a Consul datacenter. Consul API gateways can also forward requests from clients to specific destinations based on path or request protocol. Systems that access services in the mesh may be internal or external to your organizational network. North-south traffic is a common term to describe this type of network traffic.
Workflow
To fully enable Consul API gateway on VMs, complete the following steps:
- Configure gateway traffic encryption so that the API gateway verifies the request before forwarding it to the service. All users can require TLS certificates. Consul Enterprise users also have the option to verify with JSON web tokens (JWT).
- Configure API gateway listeners, including the port to listen on and the encrypted certificate or token the listener requires.
- Define the routes from the API gateway listener to the services in the mesh.
- Add service intentions that allow the API gateway to send traffic to services in the mesh. For an example configuration, refer to the service intention configuration reference.
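The four workflow steps correspond to four configuration entries that reference each other by name, sketched here as an added example that is not taken from the Consul documentation. The names `example-gateway`, `example-gateway-cert`, `example-route`, and `example-api`, the listener port, and the file paths are placeholder assumptions.

```hcl
# certificate.hcl: certificate and key the listener presents (placeholder paths)
Kind        = "file-system-certificate"
Name        = "example-gateway-cert"
Certificate = "/etc/consul.d/tls/example-gateway.crt"
PrivateKey  = "/etc/consul.d/tls/example-gateway.key"

# gateway.hcl: one listener that terminates TLS with the certificate entry above
Kind = "api-gateway"
Name = "example-gateway"
Listeners = [
  {
    Name     = "https"
    Port     = 8443
    Protocol = "http"
    TLS = {
      MinVersion = "TLSv1_2"
      Certificates = [
        {
          Kind = "file-system-certificate"
          Name = "example-gateway-cert"
        }
      ]
    }
  }
]

# route.hcl: attaches to the "https" listener and forwards to a mesh service
Kind = "http-route"
Name = "example-route"
Parents = [
  {
    Kind        = "api-gateway"
    Name        = "example-gateway"
    SectionName = "https"
  }
]
Rules = [
  { Services = [{ Name = "example-api" }] }
]

# intention.hcl: allows the gateway to send traffic to the destination service
Kind = "service-intentions"
Name = "example-api"
Sources = [
  {
    Name   = "example-gateway"
    Action = "allow"
  }
]
```

Each commented section is a separate file; write each one with `consul config write <file>`.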
Guidance
Refer to the following resources for help setting up and using API gateways:
Tutorials
Usage documentation
- Encrypt API gateway traffic on VMs
- Deploy API gateway listeners to VMs
- Deploy API gateway routes to VMs
- Use JWTs to verify requests to API gateways on VMs
Reference documentation
To use Consul API gateway, you must configure the following configuration entries.
| Configuration | Description |
|---|---|
| api-gateway | Defines the main infrastructure resource for declaring an API gateway and listeners on the gateway. |
| http-route | Enables HTTP traffic to reach services in the mesh from a listener on the gateway. |
| tcp-route | Enables TCP traffic to reach services in the mesh from a listener on the gateway. |
| file-system-certificate | Provides the gateway with a CA certificate at a local file path so that requests between the user and the gateway endpoint are encrypted. |
| inline-certificate | Provides the gateway with a CA certificate directly in the configuration so that requests between the user and the gateway endpoint are encrypted. |
| service-intentions | Specifies traffic communication rules between services in the mesh. Intentions also enforce rules for service-to-service traffic routed through a Consul API gateway. |