
Consul Connect announcement: simple authorization + encryption mesh

1 comment

  1. biox

    Importantly:

    The Connect feature announced today is fully free and open source.

    Copy-pasting the feature-full bullet-point list here for those of you who are interested:

    While easy to use, Connect exposes a lot of new functionality for Consul. We'll go into detail about some of these features later in this post, but first we'll enumerate all of the major new functionality of Consul with Connect:

    • Encrypted Traffic: All traffic is established with Connect via mutual TLS. This ensures that all traffic is encrypted in transit. This allows services to be safely deployed in low-trust environments.

    • Connection Authorization: Allow or deny service communication by creating a service access graph with intentions. Unlike a firewall which uses IP addresses, Connect uses the logical name of the service. This means rules are scale independent; it doesn’t matter if there is one web server or 100. Intentions can be configured using the UI, CLI, API, or HashiCorp Terraform.

    • Proxy Sidecars: Applications can use a lightweight proxy sidecar process to automatically establish inbound and outbound TLS connections. This enables existing applications to work with Connect without modification. Consul ships with a built-in proxy that doesn't require external dependencies, along with third-party proxies such as Envoy.

    • Native Integration: Performance sensitive applications can natively integrate with the Consul Connect APIs to establish and accept connections without a proxy for optimal performance and security.

    • Layer 4 vs. Layer 7: Identity is enforced at layer 4. Consul delegates layer 7 features and configuration to a pluggable data layer. You can integrate with third-party proxies, such as Envoy, for features such as path-based routing, tracing, and more, while leaning on Consul for service discovery, identity, and authorization.

    • Certificate Management: Consul generates and distributes certificates using a certificate authority (CA) provider. Consul ships with a built-in CA system that requires no external dependencies, integrates with HashiCorp Vault, and can also be extended to support any other PKI system.

    • Certificate Rotation: Connect can automatically rotate both root and leaf certificates. Root rotation uses certificate cross-signing to ensure that old and new certificates can co-exist during the rotation period so there are no service interruptions. This system also enables a new CA provider to be configured seamlessly.

    • SPIFFE-based Identities: Consul uses the SPIFFE specification for service identity. This enables Connect services to establish and accept connections with other SPIFFE-compliant systems.

    • Network and Cloud Independent: Connect uses standard TLS over TCP/IP. This allows Connect to work on any network configuration as long as the IP advertised by the destination service is reachable by the underlying operating system. Further, services can communicate cross-cloud without complex overlays.
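The model the quoted list describes (mutual TLS, SPIFFE URI identities, intentions keyed by logical service name rather than IP, identity enforced during the layer 4 handshake) can be sketched end to end in Go. The block below is an added example, not Consul's code and not part of the announcement or the comment above: it mints a throwaway CA and two leaf certificates in-process, then runs a client and a server over an in-memory pipe where the server's only admission decision is an intentions lookup on the caller's SPIFFE ID. The trust domain `example.consul`, the `/ns/default/dc/dc1/svc/<name>` path layout, the `Intentions` map, the deny-by-default behaviour and every function name are this example's assumptions; Consul's actual SPIFFE ID format, CA provider and intention semantics are not reproduced here.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"strings"
	"time"
)

const trustDomain, svcPath = "example.consul", "/ns/default/dc/dc1/svc" // assumed layout, not Consul's exact scheme

// Intentions is the access graph keyed by (source, destination) service name, never by IP; a missing edge denies.
type Intentions map[[2]string]bool

// serviceFromSPIFFE recovers the logical service name from a certificate's single SPIFFE URI SAN.
func serviceFromSPIFFE(c *x509.Certificate) (string, error) {
	if len(c.URIs) == 1 && c.URIs[0].Scheme == "spiffe" && c.URIs[0].Host == trustDomain {
		if svc, ok := strings.CutPrefix(c.URIs[0].Path, svcPath+"/"); ok && svc != "" && !strings.Contains(svc, "/") {
			return svc, nil
		}
	}
	return "", fmt.Errorf("no acceptable SPIFFE identity among %d URI SANs", len(c.URIs))
}

// newCert mints a self-signed CA when svc is "", otherwise a short-lived leaf signed by ca whose only identity is its SPIFFE URI SAN.
func newCert(svc string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // a crypto/rand failure would panic below anyway
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if svc == "" {
		tmpl.Subject, tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = pkix.Name{CommonName: "example ca"}, true, true, x509.KeyUsageCertSign
		ca, caKey = tmpl, key // self-signed root; Consul's built-in CA plays this role
	} else {
		id, _ := url.Parse("spiffe://" + trustDomain + svcPath + "/" + svc)
		tmpl.URIs, tmpl.KeyUsage = []*url.URL{id}, x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err) // example code: issuance failures are fatal
	}
	c, _ := x509.ParseCertificate(der)
	return c, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// identityCheck builds a VerifyPeerCertificate callback: verify the chain for usage, read the SPIFFE service name, ask allowed(). No hostname check.
func identityCheck(roots *x509.CertPool, usage x509.ExtKeyUsage, allowed func(string) bool) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		c, err := x509.ParseCertificate(raw[0])
		if err == nil {
			_, err = c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}})
		}
		if err != nil {
			return err
		}
		svc, err := serviceFromSPIFFE(c)
		if err == nil && !allowed(svc) {
			err = fmt.Errorf("identity %s is not permitted", svc)
		}
		return err
	}
}

// Connect runs one mTLS exchange over an in-memory pipe and reports whether src received an application-layer reply from dst.
func Connect(in Intentions, src, dst string) bool {
	ca, caKey, _ := newCert("", nil, nil)
	_, _, srvCert := newCert(dst, ca, caKey)
	_, _, cliCert := newCert(src, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	a, b := net.Pipe()
	go func() {
		defer a.Close()
		// RequireAnyClientCert defers to identityCheck, so a denied caller fails the handshake itself: identity enforced at layer 4.
		srv := tls.Server(a, &tls.Config{Certificates: []tls.Certificate{srvCert}, MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAnyClientCert,
			VerifyPeerCertificate: identityCheck(roots, x509.ExtKeyUsageClientAuth, func(caller string) bool { return in[[2]string{caller, dst}] })})
		if srv.Handshake() != nil {
			return
		}
		// The caller's name comes from its verified certificate, never from anything it sent in-band.
		caller, _ := serviceFromSPIFFE(srv.ConnectionState().PeerCertificates[0])
		fmt.Fprintf(srv, "hello %s\n", caller)
	}()
	defer b.Close()
	// InsecureSkipVerify only disables Go's DNS-name check; identityCheck still verifies the chain and pins the server's SPIFFE identity.
	cli := tls.Client(b, &tls.Config{Certificates: []tls.Certificate{cliCert}, MinVersion: tls.VersionTLS12, InsecureSkipVerify: true,
		VerifyPeerCertificate: identityCheck(roots, x509.ExtKeyUsageServerAuth, func(svc string) bool { return svc == dst })})
	// Under TLS 1.3 the client finishes before the server's verdict lands, so a rejection surfaces as an alert on this read.
	line, err := bufio.NewReader(cli).ReadString('\n')
	return err == nil && strings.TrimSpace(line) == "hello "+src
}
```

Calling `Connect(Intentions{{"web", "db"}: true}, "web", "db")` succeeds, while any source with no edge to `db` is refused before a single application byte crosses. Two caveats in the comments are worth carrying into real deployments: the client turns off only Go's DNS-name matching and pins the peer's SPIFFE identity itself, and under TLS 1.3 a client's handshake completes before the server has judged its certificate, so a denial appears as an alert on the first read rather than as a dial error.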