»Consul Intention

Command: consul intention

The intention command is used to interact with Connect intentions. It exposes commands for creating, updating, reading, deleting, checking, and managing intentions. This command is available in Consul 1.2 and later.

Intentions are managed primarily via service-intentions config entries after Consul 1.9. Intentions may also be managed via the HTTP API.


Usage: consul intention <subcommand>

For the exact documentation for your Consul version, run consul intention -h to view the complete list of subcommands.

Usage: consul intention <subcommand> [options] [args]


    check     Check whether a connection between two services is allowed.
    create    Create intentions for service connections.
    delete    Delete an intention.
    list      Lists all intentions.
    get       Show information about an intention.
    match     Show intentions that match a source or destination.

For more information, examples, and usage about a subcommand, click on the name of the subcommand in the sidebar.

»Basic Examples

Create an intention to allow "web" to talk to "db":

$ consul intention create web db

Create an intention to deny "db" from initiating connections to any service:

$ consul intention create -deny db '*'
Created: db => * (deny)

Test whether a "web" is allowed to connect to "db":

$ consul intention check web db

List all intentions:

$ consul intention list

Find all intentions for communicating to the "db" service:

$ consul intention match db

»Source and Destination Naming

Intention commands commonly take positional arguments referred to as SRC and DST in the command documentation. These can take several forms:

<service>the named service in the current namespace
*any service in the current namespace
the named service in a specific namespace
any service in the specified namespace
any service in any namespace