Azure Infrastructure Blog

Configuring Consul Service Mesh for Kubernetes Deployments

RavinderGupta (Microsoft)
Jan 27, 2025

Modern microservices architectures need a consistent way to handle service-to-service communication, security, and observability. Consul Service Mesh by HashiCorp addresses these needs by providing service discovery, secure communication via mutual TLS (mTLS), traffic management, and observability.

What is Consul Service Mesh?
Consul Service Mesh enables secure service-to-service communication by deploying sidecar proxies (Envoy) alongside each service. Its key features are:

  • Service Discovery: Automatically detect services.
  • Secure Communication: Enforce mTLS encryption between services.
  • Traffic Control: Manage traffic with routing rules and splits.
  • Observability: Monitor services via metrics and logs.

Prerequisites
1. A Kubernetes cluster
2. `kubectl` and `helm` CLI tools installed.
3. Basic understanding of Kubernetes concepts (Pods, Deployments, Services).

Step 1: Install Consul on Kubernetes
Install Consul via Helm.  

1. Add the HashiCorp Helm repository:  

helm repo add hashicorp https://helm.releases.hashicorp.com  
helm repo update  

2. Install Consul with service mesh features enabled, using the parameter values shown below:

helm install consul hashicorp/consul --set global.name=consul --set connectInject.enabled=true --set server.replicas=1

   - connectInject.enabled=true: Enables automatic sidecar injection.
   - server.replicas=1: Runs a single Consul server (suitable for testing only; a production cluster needs 3 or 5 servers for quorum).

3. Verify the installation:

kubectl get pods -l app=consul

Step 2: Enable mTLS and Default Deny Intentions
Secure service-to-service communication by enabling mTLS and setting a default deny-all intention.

1. Enable mTLS:
   Create a values.yaml to configure TLS as shown below:

global:
  # carry over the values given with --set at install time: helm upgrade -f
  # resets anything not listed in this file to the chart defaults
  name: consul
  tls:
    enabled: true
    enableAutoEncrypt: true
server:
  replicas: 1
connectInject:
  enabled: true

   Upgrade Consul with the new values:

helm upgrade consul hashicorp/consul -f values.yaml

2. Set Default Deny Intentions:
   Intentions are Consul's service-to-service access rules, enforced by the sidecar proxies. Without a matching intention, Consul falls back to the ACL default policy, which is allow unless ACLs are enabled with default deny, so start with an explicit deny-all policy:

kubectl apply -f - <<EOF
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: deny-all
spec:
  destination:
    name: '*'
  sources:
    - action: deny
      name: '*'
EOF

Step 3: Deploy Sample Services
Deploy two services (web and backend) for testing.

1. Deploy the Services:
   Create web.yaml with a Deployment and a matching Service. Consul registers the pod under the name of the Kubernetes Service that selects it, so the Service is required for the sidecar to join the mesh:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
      annotations:
        consul.hashicorp.com/connect-inject: "true"
    spec:
      containers:
        - name: web
          image: hashicorp/webapp-nodejs:latest
          ports:
            - containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  selector:
    app: web
  ports:
    - port: 3000
      targetPort: 3000

   Deploy the backend the same way, with app: backend labels and a Service named backend; that Service name is what Consul registers and what the intentions below refer to.

2. Configure Service Defaults:
   Define service-specific settings with the ServiceDefaults custom resource. Declaring the protocol as http lets Consul apply L7 features such as the traffic splitting shown later:

kubectl apply -f - <<EOF
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: backend
spec:
  protocol: "http"
EOF

Step 4: Allow Traffic via Intentions
Permit the web service to call backend. This exact-name allow rule takes precedence over the wildcard deny-all rule from Step 2, so only web is admitted:

kubectl apply -f - <<EOF  
apiVersion: consul.hashicorp.com/v1alpha1  
kind: ServiceIntentions  
metadata:  
  name: web-to-backend  
spec:  
  destination:  
    name: backend  
  sources:  
    - action: allow  
      name: web  
EOF  
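Why the deny-all rule from Step 2 and the allow rule above combine the way they do comes down to intention precedence. The following is an added example, not code from the original post or from Consul: an offline Python model of the precedence rules, with a rule set constructed to mirror the two ServiceIntentions manifests, so it runs without a cluster.

```python
# Added example, not from the original post: an offline model of how Consul
# picks the winning intention for a source -> destination pair. The rule set
# below is constructed to mirror the deny-all (Step 2) and web-to-backend
# (Step 4) ServiceIntentions manifests, so it runs without a cluster.

def precedence(source: str, destination: str) -> int:
    """Consul's precedence for name-only intentions (no namespaces):
    exact source + exact destination beats any wildcard, and '*' -> '*'
    ranks lowest. The numbers follow Consul's intention precedence table."""
    if source != "*" and destination != "*":
        return 9
    if source == "*":
        return 8 if destination != "*" else 5
    return 6  # exact source, wildcard destination

def matches(pattern: str, name: str) -> bool:
    return pattern == "*" or pattern == name

# Constructed to mirror the CRD spec fields of the two manifests above.
INTENTIONS = [
    {"destination": {"name": "*"},
     "sources": [{"name": "*", "action": "deny"}]},
    {"destination": {"name": "backend"},
     "sources": [{"name": "web", "action": "allow"}]},
]

def evaluate(intentions, source: str, destination: str, default: str = "allow") -> str:
    """Return the action taken for source -> destination: the highest-precedence
    matching rule wins. With no matching rule Consul falls back to the ACL
    default policy (allow unless ACLs are enabled with default deny), which is
    why the explicit deny-all in Step 2 is what makes the mesh deny by default."""
    best = None
    for entry in intentions:
        dst = entry["destination"]["name"]
        if not matches(dst, destination):
            continue
        for src in entry["sources"]:
            if matches(src["name"], source):
                rank = precedence(src["name"], dst)
                if best is None or rank > best[0]:
                    best = (rank, src["action"])
    return best[1] if best else default

if __name__ == "__main__":
    for src, dst in [("web", "backend"), ("batch", "backend"), ("web", "payments")]:
        print(f"{src} -> {dst}: {evaluate(INTENTIONS, src, dst)}")
```

Running it shows web -> backend allowed while any other pair is denied; the same rule set is what `consul intention list` in Step 5 displays.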

 

Step 5: Verify the Configuration
1. Check Intentions:

kubectl exec consul-server-0 -- consul intention list

2. Test Connectivity:
   Exec into the web pod and test access to backend (the web image must contain curl):

kubectl exec deploy/web -- curl http://backend.default.svc.cluster.local:3000

   A successful response confirms that the mesh is working. To confirm that the deny-all intention is actually enforced, delete the web-to-backend intention and repeat the request; it should now be refused.

Advanced Configurations
1. Traffic Splitting:
   You can split traffic between two versions of backend with the config shown below. A ServiceSplitter only applies to services whose protocol is http (as set in Step 3), and backend-v1 and backend-v2 must be registered in the mesh (or defined as subsets with a ServiceResolver):

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceSplitter
metadata:
  name: backend
spec:
  splits:
    - weight: 80
      service: backend-v1
    - weight: 20
      service: backend-v2

2. Circuit Breakers:
   You can also add resilience by limiting connections to backend through the upstream limits in ServiceDefaults. This is the same ServiceDefaults resource as in Step 3, so keep protocol: http in it; applying a second ServiceDefaults named backend replaces the first:

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: backend
spec:
  protocol: "http"
  upstreamConfig:
    defaults:
      limits:
        # Envoy circuit-breaker thresholds applied to connections to backend
        maxConnections: 100
        maxPendingRequests: 100
        maxConcurrentRequests: 100

3. Observability:
   Access the Envoy sidecar's admin interface via:

kubectl port-forward deploy/web 19000

   Visit http://localhost:19000/stats to view metrics. The admin endpoint is bound to localhost inside the pod; reach it through port-forward rather than exposing it as a Service.

Conclusion
Consul Service Mesh simplifies securing and managing microservices with minimal configuration. By following these steps, you’ve enabled mTLS, defined access policies, and deployed services in a controlled mesh. You can also take advantage of advanced features like traffic splitting and observability to further optimize your solution.  

You can start integrating Consul into your Kubernetes environment and make use of powerful service networking capabilities...

Updated Jan 28, 2025
Version 2.0