»Mesh

v1.10.0+: This configuration entry is supported in Consul versions 1.10.0+.

The mesh configuration entry allows you to define a global default configuration that applies to all service mesh proxies. Settings in this config entry apply across all namespaces and federated datacenters.

»Sample Configuration Entries

»Mesh-wide TLS Min Version

Enforce that service mesh mTLS traffic uses TLS v1.2 or newer.

HCL

```hcl
Kind = "mesh"
TLS {
  Incoming {
    TLSMinVersion = "TLSv1_2"
  }
}
```

Kubernetes YAML

```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: Mesh
metadata:
  name: mesh
spec:
  tls:
    incoming:
      tlsMinVersion: TLSv1_2
```

JSON

```json
{
  "Kind": "mesh",
  "TLS": {
    "Incoming": {
      "TLSMinVersion": "TLSv1_2"
    }
  }
}
```

Note that the Kubernetes example does not include a partition field. Configuration entries are applied on Kubernetes using custom resource definitions (CRD), which can only be scoped to their own partition.

»Mesh Destinations Only

Only allow transparent proxies to dial addresses in the mesh.

HCL

```hcl
Kind = "mesh"
TransparentProxy {
  MeshDestinationsOnly = true
}
```

Kubernetes YAML

```yaml
apiVersion: consul.hashicorp.com/v1alpha1
kind: Mesh
metadata:
  name: mesh
spec:
  transparentProxy:
    meshDestinationsOnly: true
```

JSON

```json
{
  "Kind": "mesh",
  "TransparentProxy": {
    "MeshDestinationsOnly": true
  }
}
```

Note that the Kubernetes example does not include a partition field. Configuration entries are applied on Kubernetes using custom resource definitions (CRD), which can only be scoped to their own partition.

»Available Fields

  • Kind - Must be set to mesh

  • Namespace (string: "default") Enterprise - Must be set to default. The configuration will apply to all namespaces.

  • Partition (string: "default") Enterprise - Specifies the name of the admin partition in which the configuration entry applies. Refer to the Admin Partitions documentation for additional information.

  • Meta (map<string|string>: nil) - Specifies arbitrary KV metadata pairs. Added in Consul 1.8.4.

  • TransparentProxy (TransparentProxyConfig: <optional>) - Controls configuration specific to proxies in transparent mode. Added in v1.10.0.

    • MeshDestinationsOnly (bool: false) - Determines whether sidecar proxies operating in transparent mode can proxy traffic to IP addresses not registered in Consul's mesh. If enabled, traffic will only be proxied to upstream proxies or Connect-native services. If disabled, requests will be proxied as-is to the original destination IP address. Consul will not encrypt the connection.

  • TLS (TLSConfig: <optional>) - TLS configuration for the service mesh.

    • Incoming (TLSDirectionConfig: <optional>) - TLS configuration for inbound mTLS connections targeting the public listener on connect-proxy and terminating-gateway proxy kinds.

      • TLSMinVersion (string: "") - Set the default minimum TLS version supported. One of TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, or TLSv1_3. If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, while older releases of Envoy default to TLS 1.0.

      • TLSMaxVersion (string: "") - Set the default maximum TLS version supported. Must be greater than or equal to TLSMinVersion. One of TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, or TLSv1_3. If unspecified, Envoy will default to TLS 1.3 as a max version for incoming connections.

      • CipherSuites (array<string>: <optional>) - Set the default list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier. If unspecified, Envoy will use a default server cipher list. The list of supported cipher suites can be seen in consul/types/tls.go and is dependent on underlying support in Envoy. Future releases of Envoy may remove currently-supported but insecure cipher suites, and future releases of Consul may add new supported cipher suites if any are added to Envoy.

    • Outgoing (TLSDirectionConfig: <optional>) - TLS configuration for outbound mTLS connections dialing upstreams from connect-proxy and ingress-gateway proxy kinds.

      • TLSMinVersion (string: "") - Set the default minimum TLS version supported. One of TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, or TLSv1_3. If unspecified, Envoy v1.22.0 and newer will default to TLS 1.2 as a min version, while older releases of Envoy default to TLS 1.0.

      • TLSMaxVersion (string: "") - Set the default maximum TLS version supported. Must be greater than or equal to TLSMinVersion. One of TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2, or TLSv1_3. If unspecified, Envoy will default to TLS 1.2 as a max version for outgoing connections, but future Envoy releases may change this to TLS 1.3.

      • CipherSuites (array<string>: <optional>) - Set the default list of TLS cipher suites to support when negotiating connections using TLS 1.2 or earlier. If unspecified, Envoy will use a default server cipher list. The list of supported cipher suites can be seen in consul/types/tls.go and is dependent on underlying support in Envoy. Future releases of Envoy may remove currently-supported but insecure cipher suites, and future releases of Consul may add new supported cipher suites if any are added to Envoy.

  • HTTP (HTTPConfig: <optional>) - HTTP configuration for the service mesh.

    • SanitizeXForwardedClientCert (bool: <optional>) - If configured to true, the forward_client_cert_details option will be set to SANITIZE for all Envoy proxies. As a result, Consul will not include the x-forwarded-client-cert header in the next hop. If set to false (default), the XFCC header is propagated to upstream applications.
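The TLS fields above carry constraints that Consul only reports after the entry is submitted (TLSMaxVersion must not be below TLSMinVersion, CipherSuites only applies to TLS 1.2 or earlier, and unspecified versions fall back to Envoy's release-dependent defaults). The following lint is an added example, not Consul's own code or documentation: it checks a JSON mesh entry against those rules before it is written. The `envoy_version` parameter, the `default_min` helper and the sample entry are assumptions for this example.

```python
import json

# Version strings the entry accepts, lowest first (TLS_AUTO is handled separately).
VERSION_ORDER = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
ALLOWED = set(VERSION_ORDER) | {"TLS_AUTO"}
# Maximum version Envoy applies when TLSMaxVersion is unspecified, per this page.
DEFAULT_MAX = {"Incoming": "TLSv1_3", "Outgoing": "TLSv1_2"}


def default_min(envoy_version):
    """Envoy 1.22.0+ defaults the minimum to TLS 1.2; older releases to TLS 1.0."""
    major, minor = (int(x) for x in envoy_version.split(".")[:2])
    return "TLSv1_2" if (major, minor) >= (1, 22) else "TLSv1_0"


def lint_mesh_entry(entry, envoy_version="1.22.0"):
    """Return (errors, effective): rule violations and the (min, max) per direction after defaults."""
    errors, effective = [], {}
    if entry.get("Kind") != "mesh":
        errors.append("Kind must be 'mesh'")
    for direction in ("Incoming", "Outgoing"):
        cfg = (entry.get("TLS") or {}).get(direction) or {}
        lo = cfg.get("TLSMinVersion") or default_min(envoy_version)
        hi = cfg.get("TLSMaxVersion") or DEFAULT_MAX[direction]
        for v in (lo, hi):
            if v not in ALLOWED:
                errors.append(f"{direction}: unknown TLS version {v!r}")
        # TLSMaxVersion must be >= TLSMinVersion; TLS_AUTO defers to Envoy, so skip it.
        if lo in VERSION_ORDER and hi in VERSION_ORDER and \
                VERSION_ORDER.index(hi) < VERSION_ORDER.index(lo):
            errors.append(f"{direction}: TLSMaxVersion {hi} is below TLSMinVersion {lo}")
        # CipherSuites only affects TLS 1.2 or earlier, so it is dead config at 1.3-only.
        if cfg.get("CipherSuites") and lo == "TLSv1_3":
            errors.append(f"{direction}: CipherSuites is ignored when the minimum is TLSv1_3")
        effective[direction] = (lo, hi)
    return errors, effective


# Constructed sample: the page's Incoming example plus an inverted Outgoing range.
SAMPLE = json.loads("""{
  "Kind": "mesh",
  "TLS": {
    "Incoming": {"TLSMinVersion": "TLSv1_2"},
    "Outgoing": {"TLSMinVersion": "TLSv1_3", "TLSMaxVersion": "TLSv1_2"}
  }
}""")

if __name__ == "__main__":
    errs, eff = lint_mesh_entry(SAMPLE)
    print(eff, *("ERROR: " + e for e in errs), sep="\n")
```

Run it against the file you intend to pass to `consul config write`; a clean result means the effective versions shown are what the proxies will actually negotiate under the stated Envoy defaults.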

»ACLs

Configuration entries may be protected by ACLs.

Reading a mesh config entry requires no specific privileges.

Creating, updating, or deleting a mesh config entry requires operator:write.
