Consul
Encrypted communication between Consul agents
This topic provides an overview of the two distinct encryption systems available in Consul. Gossip encryption and Mutual TLS encryption are the foundations of a secure Consul datacenter.
The guidelines in the Consul security model for operating a secure Consul deployment recommends using both encryption systems.
Gossip Encryption
Consul uses a gossip protocol to perform the following cluster operations:
- Identify datacenter members.
- Quickly detect failed members and notify the rest of the cluster.
- Broadcast events and queries that can trigger custom workflows.
The gossip protocol, as well as its membership management and message broadcasting features, use the Serf library.
In a default Consul configuration, the gossip protocol uses port 8301
for LAN communications and port 8302
for WAN communications between federated datacenters. Enabling gossip encryption on a Consul datacenter is required to secure traffic on these two ports.
Gossip encryption is symmetric and based on a single key that is shared across all members of the datacenter. You can configure gossip encryption in Consul using the following parameters:
encrypt
.encrypt_verify_incoming
. Only used when upshifting from unencrypted to encrypted gossip on a running cluster.encrypt_verify_outgoing
. Only used when upshifting from unencrypted to encrypted gossip on a running cluster.
To learn more about enabling gossip encryption on your Consul datacenter and rotating gossip keys, refer to manage gossip encryption.
Mutual TLS (mTLS) Encryption
Consul uses several communication protocols over different ports that you can secure using mTLS:
- A consensus protocol provides data consistency between Consul servers. It typically uses port
8300
. - Remote Procedure Calls (RPC) forward requests from client agents to server agents. They use the same port the consensus protocol uses.
- An HTTP or HTTPS interface permits client communication with the Consul API, CLI, and UI. It typically uses port
8500
and port8501
. - A gRPC interface receives incoming traffic from the gateways and Envoy proxies registered to the agent node. It typically uses port
8502
and port8503
.
Consul uses mTLS to verify the authenticity of server and client agents. It requires that all clients and servers have key pairs that are generated by a single Certification Authority (CA). We recommend using a private CA that is not shared with other applications.
You can configure mTLS in Consul using the tls
stanza in agent configuration files.
You can configure mTLS encryption for each protocol separately using the following parameters in the agent configuration file:
tls.defaults
provides default settings that Consul applies to every interface unless explicitly overridden by protocol-specific configurations.tls.internal_rpc
provides settings for the internal server RPC interface.tls.https
provides settings for the HTTP/HTTPS interface.tls.grpc
provides settings for the gRPC/xDS interface.
To learn more about enabling mTLS on your Consul datacenter, refer to Manage mTLS encryption.