»Ingress Gateways Beta

Ingress gateways enable ingress traffic from services outside the Consul service mesh to services inside the Consul service mesh. An ingress gateway is a type of proxy and must be registered as a service in Consul, with the kind set to "ingress-gateway". They are an entrypoint for outside traffic and allow you to define what services should be exposed and on what port. You configure an ingress gateway by defining a set of listeners that each map to a set of backing services.

Depending on the protocol defined for a listener, multiple services can be specified for a single listener. In this case, the ingress gateway relies on host/authority headers to decide the service that should receive the traffic.

To enable easier service discovery, a new Consul DNS subdomain is provided, on <service>.ingress.<domain>.

Ingress Gateway Architecture


Ingress gateways also require that your Consul datacenters are configured correctly:

  • You'll need to use Consul version 1.8.0.
  • Consul Connect must be enabled on the datacenter's Consul servers.
  • gRPC must be enabled on all client agents.

Currently, Envoy is the only proxy with ingress gateway capabilities in Consul.

»Running and Using an Ingress Gateway

You must complete the following steps to configure an ingress gateway to proxy traffic to services in the Consul service mesh:

  1. On a host with a Consul client agent, start an Envoy proxy using the envoy subcommand, specifying the ingress gateway type:

    $ consul connect envoy -gateway=ingress -register -service ingress-service \
      -address '{{ GetInterfaceIP "eth0" }}:8888'
  2. Create and apply an ingress-gateway configuration entry that defines a set of listeners that expose the desired backing services. The config entry can be applied via the CLI or API.

  3. Ensure that Consul intentions are setup to allow connections from the ingress gateway to the backing services.

  4. Optionally use the <service>.ingress.<domain> DNS subdomain to discover the ingress gateways for a service.

»Ingress Gateway Configuration

Ingress gateways are configured in service definitions and registered with Consul like other services, with two exceptions. The first is that the kind must be "ingress-gateway". Second, the ingress gateway service definition may contain a Proxy.Config entry just like a Connect proxy service, to define opaque configuration parameters useful for the actual proxy software. For Envoy there are some supported gateway options as well as escape-hatch overrides.