Introduction
HashiCorp Validated Designs (HVDs) give customers and partners recommendations to deliver a resilient, secure, and highly performant deployment of HashiCorp solutions on various platforms. This solution guide contains HashiCorp's recommendations for deploying Consul Enterprise so your organization can use Consul to discover and securely connect services in any environment with identity-based networking. By following this guide, you will increase application resilience, bolster uptime, accelerate application deployment, and improve the security of service-to-service communication.
Note
The current version of this guide contains recommendations for deploying Consul Enterprise on EKS or EC2 (Kubernetes or VMs) in AWS. Future versions will include deployment options for other cloud providers, including Azure and GCP, and for on-premises deployments.
Objective
The objective of this Consul solution design guide is to help you deploy Consul Enterprise. For service discovery use cases, Consul lets users register services in a centralized registry so that the services can be discovered and their health status monitored and tracked. Consul also enables service mesh use cases for secure service-to-service communication across multiple cloud environments, runtimes, and platforms.
This guide addresses these objectives with two architectural patterns:
- Consul on Virtual Machines (EC2 in AWS)
- Consul on Kubernetes (EKS in AWS)
Note
The recommendations in this solution guide are derived from different production Consul deployments. Before you implement these recommendations, carefully evaluate them and determine whether they are acceptable for your specific environment.
Audience
This document is intended for development, platform, networking, and application security teams who want to implement Consul Enterprise to register, discover and securely connect applications in environments across clouds and datacenters.
Document structure
Document section | Purpose |
---|---|
Consul Overview | This section provides a logical view of the elements in a Consul Enterprise deployment. |
Consul Architecture | This section provides an opinionated approach to deploy Consul Enterprise. These recommendations come from leveraging experience from production deployments on VMs and Kubernetes, for both service discovery and service mesh use cases. |
Consul on AWS EC2 | This section provides guidance on recommended deployment patterns for the control plane and data plane components of Consul on AWS EC2 instances. |
Consul on EKS | This section provides guidance on recommended deployment patterns for the control plane and data plane components of Consul on AWS Elastic Kubernetes Service (EKS). |
Detailed Design | This section focuses on example Terraform configuration and the design decisions behind deploying the control plane and data plane on AWS EC2 and on AWS EKS. |
Implementation | This section provides step-by-step instructions to install and verify the Consul Enterprise deployment. |
Use Cases | This section provides a checklist of Consul Service Discovery and Service Mesh use-cases and their deployment patterns. |
Supported versions
This version of the guide has been validated with the following versions of Consul Enterprise:
Language and definitions
This documentation intentionally uses technology-agnostic terminology; however, some terms do not translate perfectly between cloud providers. The following are the definitions of the terms this document uses.
Cloud Provider Terms | Definition |
---|---|
Region | A physical location around the world with multiple clusters of data centers. |
Availability zone (AZ) | One or more discrete data centers within a region. Each AZ has redundant power, networking, and connectivity. |
Public subnet | A network accessible by application users. |
Private subnet | A network used by applications, but not accessible by application users. |
Secrets Manager (SM) | System that can store secrets for bootstrapping. |
Virtual private cloud (VPC) | A software-defined network within a cloud provider. |
Consul Terms | Definition |
---|---|
Datacenter | A datacenter is the smallest unit of Consul infrastructure that can perform basic Consul operations. This may coincide with cloud regions' boundaries. |
Partition or Admin Partition | A logical boundary within a single Consul datacenter that delineates unique network boundaries or teams. |
Peering or Cluster Peering | An established relationship between a Consul datacenter or admin partition and a remote datacenter or partition, allowing services in one to be discovered and reached from the other. |
Attribute | Definition |
---|---|
Availability | Represents design points that minimize the impact of subsystem failures on the solution uptime. |
Operational Excellence | Represents the best practices to efficiently manage and operate the system. |
Performance | Reflects how a decision impacts the overall performance of the solution. |
Scalability | Design decisions allow the service usage and control plane to handle the workload. |
Security | Indicates how a decision changes the security posture of the overall solution. |