»Consul Intention

Command: consul intention

The intention command is used to interact with Connect intentions. It exposes commands for creating, updating, reading, deleting, checking, and managing intentions. This command is available in Consul 1.2 and later.

Intentions may also be managed via the HTTP API.

»Usage

Usage: consul intention <subcommand>

For the exact documentation for your Consul version, run consul intention -h to view the complete list of subcommands.

Usage: consul intention <subcommand> [options] [args]

  ...

Subcommands:
    check     Check whether a connection between two services is allowed.
    create    Create intentions for service connections.
    delete    Delete an intention.
    get       Show information about an intention.
    match     Show intentions that match a source or destination.

For more information, examples, and usage about a subcommand, click on the name of the subcommand in the sidebar.

»Basic Examples

Create an intention to allow "web" to talk to "db":

$ consul intention create web db

Create an intention to deny "db" from initiating connections to any service:

$ consul intention create -deny db '*'
Created: db => * (deny)

Test whether a "web" is allowed to connect to "db":

$ consul intention check web db

Find all intentions for communicating to the "db" service:

$ consul intention match db

»Source and Destination Naming

Intention commands commonly take positional arguments referred to as SRC and DST in the command documentation. These can take several forms:

FormatMeaning
<service>the named service in the current namespace
*any service in the current namespace
<namespace>/<service>
Enterprise
the named service in a specific namespace
<namespace>/*
Enterprise
any service in the specified namespace
*/*
Enterprise
any service in any namespace