The following diagram shows the main components of the Consul architecture when deployed to an ECS cluster:
- Consul servers: Production-ready Consul server cluster
- Application tasks: Runs user application containers along with two helper containers:
- Consul client: The Consul client container runs Consul. The Consul client communicates with the Consul server and configures the Envoy proxy sidecar. This communication is called control plane communication.
- Sidecar proxy: The sidecar proxy container runs Envoy. All requests to and from the application container(s) run through the sidecar proxy. This communication is called data plane communication.
- ACL Controller: Automatically provisions Consul ACL tokens for Consul clients and service mesh services in an ECS Cluster.
For more information about how Consul works in general, see Consul's Architecture Overview.
In addition to the long-running Consul client and sidecar proxy containers, the
mesh-init container runs
at startup and sets up initial configuration for Consul and Envoy.
This diagram shows the timeline of a task starting up and all its containers:
- T0: ECS starts the task. The
retry-joinoption to join the Consul cluster
mesh-initregisters the service for this task and its sidecar proxy into Consul. It runs
consul connect envoy -bootstrapto generate Envoy’s bootstrap JSON file and write it to a shared volume. After registration and bootstrapping,
- T1: The
sidecar-proxycontainer starts. It runs Envoy by executing
envoy -c <path-to-bootstrap-json>.
- T2: The
sidecar-proxycontainer is marked as healthy by ECS. It uses a health check that detects if its public listener port is open. At this time, your application containers are started since all Consul machinery is ready to service requests. The only running containers are
sidecar-proxy, and your application container(s).
»Automatic ACL Token Provisioning
Consul ACL tokens secure communication between agents and services. The following containers in a task require an ACL token:
consul-client: The Consul client uses a token to authorize itself with Consul servers. All
consul-clientcontainers share the same token.
mesh-initcontainer uses a token to register the service with Consul. This token is unique for the Consul service, and is shared by instances of the service.
The ACL controller automatically creates ACL tokens for mesh-enabled tasks in an ECS cluster.
acl-controller Terraform module creates the ACL controller task. The controller creates the
ACL token used by
consul-client containers at startup and then watches for tasks in the cluster. It checks tags
to determine if the task is mesh-enabled. If so, it creates the service ACL token for the task, if the
token does not yet exist.
The ACL controller stores all ACL tokens in AWS Secrets Manager, and tasks are configured to pull these tokens from AWS Secrets Manager when they start.