Consul
Learning path - Consul Associate (003)
The Consul Associate certification is for cloud engineers who specialize in security, development, networking, or operations and know the basic concepts, skills, and use cases associated with HashiCorp Consul.
Candidates will be best prepared for this exam if they have professional experience using Consul in production, but performing the exam objectives in a personal demo environment may also be sufficient. This person understands what enterprise features exist and what can and cannot be done using the community edition offering.
Visit the HashiCorp Security Automation Certification page for information on the exam and to sign up.
Understand the pillars of service networking
Consul is a service networking solution that lets you automate network configurations, discover services, and enable secure connectivity across any cloud or runtime. Review the following resources to start learning about the benefits of service networking automation, and the advantages of Consul specifically.
- Introduction to Consul introduction video
- Introduction to Consul documentation
- Introduction to Service Discovery with Consul concept page
- Introduction to Service Mesh with Consul concept page
- Control access to services with Consul gateways documentation
- Network infrastructure automation with Consul documentation
These resources cover the pillars of service networking and the purpose of Consul (Objective #1).
Study tips
- Identify the benefits of service discovery
- Understand that Consul acts as a DNS server for services registered with it
- Identify the benefits of a service mesh
- Explain how Consul service mesh enables service-to-service security within the datacenter
- Understand the concept of an upstream in the service mesh
- Differentiate between the gateways that provide connectivity into, out of, and between Consul service meshes
- Understand how Consul provides network infrastructure automation with consul-terraform-sync
Consul architecture
Consul is a distributed, highly available system. It is important to understand the architecture of Consul with regard to high availability, performance, and communication. It is also important to understand basic Consul operational tasks. Your awareness of Consul Enterprise operations is tested as well. Do the following tasks to ensure that you have a good understanding of Consul's operation in production.
- Read the Architecture section of the documentation
- Review the Consul reference architecture guide for VMs and Consul reference architecture guide for Kubernetes
- Review the recommended Consul reference architecture diagrams to understand cluster features such as the number of nodes in a cluster
- Familiarize yourself with the Consul Enterprise features such as Read Replica Nodes
- Be aware of Consul's main features and what they achieve
- Understand the components of the control plane and data plane by reading the Consul on Kubernetes architecture documentation
- Understand Consul’s multi-platform, multi-runtime capabilities by reviewing the multi-platform use case
These resources cover Consul architecture fundamentals (Objective #2).
Study tips
- Understand that the number of servers affects quorum, network speed, and high availability
- Explain the process of leader election among servers, including the communication protocol that supports the process
- Differentiate between Consul agent roles and the different responsibilities that come with them
- Differentiate between Consul control plane and Consul data plane components, including the differences between client agents for VMs and dataplanes for Kubernetes and ECS
- Understand that Consul can run on multiple platforms, including VMs, Kubernetes, and HCP
Consul datacenter deployment
Deploying a Consul datacenter requires an understanding of Consul's processes and user workflows. You will be tested on common options and configurations for deploying a Consul datacenter. Perform the following tasks to ensure that you have an understanding of how to deploy a Consul datacenter in production.
- Read the Deployment guide tutorial
- Complete the Deploy Consul on VMs tutorial to learn how to start and manage the Consul process on VMs
- Complete the Deploy Consul on Kubernetes tutorial to learn how to start and manage the Consul process on Kubernetes
- Review the agent configuration documentation to know how to interpret a basic Consul agent configuration
- Review the various cluster join methods including consul join and configuration options
These resources cover the elements of a Consul cluster deployment (Objective #3).
Study tips
- Understand the process to deploy Consul on VMs and Kubernetes
- Understand that the Consul service should run as a daemon
- Be aware of the different ways to configure Consul, such as configuration files, the CLI, and the HTTP API, including required parameters for the configuration methods
- Understand the benefits of each cluster joining method and their use cases
Service discovery and service registration
Service discovery is one of the core Consul use cases. You will need to know about service registration, interaction, health checks, and prepared queries. Perform the following tasks to ensure that you have a good understanding of the service discovery use case as well as its basic functionality.
- Read the Consul services documentation to learn about services
- Complete the service discovery tutorial to get hands-on experience registering and interacting with services
- Learn how to monitor the health of services with the health check tutorial
- Review the /query API endpoint documentation to learn how to interpret and use a prepared query
These resources cover the service discovery use-case for Consul (Objective #4).
Study tips
- Recognize basic service definition parameters
- Understand how services and health checks can be registered with Consul clients
- Be aware that service definitions in the configuration directory require reloading the Consul agent for new files and updates to take effect
- Summarize the function of the Consul catalog and how it enables service discovery using the DNS or HTTP interfaces
- Understand how Consul DNS load balances healthy services
- Know the different options for failover offered by prepared queries
Service mesh
Service mesh is one of the core Consul use cases. You will need to know about service-to-service networking, intentions, and zero trust security. Perform the following tasks to ensure that you have a good understanding of the service mesh use case as well as its basic functionality.
- Read about the service mesh in the Consul service mesh concept page
- Review the understand service mesh guide to learn about high-level service mesh concepts
- Complete a getting started with service mesh tutorial for either Kubernetes or VMs to get hands-on experience configuring and interacting with Consul service mesh
- Review the zero trust security solutions page to understand how Consul contributes to a zero trust security model
- Review the Envoy proxy configuration documentation
- Read the traffic management use case
These resources cover the service mesh use-case for Consul (Objective #5).
Study tips
- Be able to understand the different components of a Consul service mesh and how they interact with each other
- Understand the principles of intentions, how to use them to simplify traffic permissions, and ways to manage them
- Understand that Consul contributes to the zero trust security model by securing service-to-service communication
- Understand that each service will need a proxy registration to be part of the mesh and that the operator must start the proxy with the Consul CLI
- Be able to identify upstream and local services in an example proxy configuration
- Use the Consul CLI to start a built-in proxy
- Identify that Consul has L4 and L7 traffic management capabilities
Secure agent communication
Secure agent communication in Consul defends against eavesdropping, tampering, and spoofing. You will be tested on your knowledge of Consul's security model, encryption capabilities, and recommended practices. Perform the following tasks to ensure that you have a good understanding of secure agent communication protocols and practices.
- Review the elements of the Consul security model
- Read about the types of encryption that Consul uses
- Follow the encryption tutorial to learn about TLS encryption and certificates
- Read the gossip encryption documentation to get an overview of the gossip encryption concept
These resources cover secure network traffic communication with Consul (Objective #6).
Study tips
- Understand the communication channels between Consul nodes, the communication channels between Consul and external nodes, and associated risks as well as their countermeasures
- Recognize that the servers should all have unique certificates
- Identify that Consul has a built-in certificate authority and that all certificates need to be signed by the same CA
- Understand that all agents need to be configured to be secure
- Identify the key generation Consul CLI command
- Understand that gossip encryption is a network traffic security feature of Consul
- Know how to configure agents with gossip encryption and that all agents in the datacenter must share the same key
- Identify the data that can be accessed with the encryption key
- Understand that keys need to be rotated
Access Control Lists (ACLs) and service security
Consul's Access Control List (ACL) system is an important security feature which can be used to control access to data and APIs. You will be tested on policies, tokens, and ACL operations involving the CLI and HTTP API. Perform the following tasks to ensure that you have a good understanding of the ACL system and its operations.
- Read about the core concepts of Consul's ACL system
- Complete the manage permissions with ACLs tutorial to become familiar with ACL operations
- Review the various types of ACL rules
- Read the ACL token persistence configuration option documentation
- Review the Consul ACL token environment variables documentation
- Review the ACL token creation documentation for the Consul CLI, the Consul HTTP API, and the Consul UI
- Review the manageSystemACLs Helm chart documentation
These resources cover secure service communication with access control lists (ACLs) in Consul (Objective #7).
Study tips
- Know how to set up and configure a basic ACL system including rules, policies, and tokens
- Practice performing Consul operations using tokens with the CLI and API
- Know how to set CONSUL_HTTP_TOKEN as an environment variable so that the CLI has the correct permissions to perform Consul operations
- Identify that all agents must use ACLs to ensure secure service-to-service communication
- Understand that agent ACL tokens are not persisted by default unless the Consul agent configuration option acl.enable_token_persistence is set to true
- Be able to perform CLI and API requests using a token
- Understand how to create a token with multiple policies
- Understand that ACL token management for Consul components can be automated with Consul on Kubernetes
Secure and connect service mesh applications at scale
Consul enables scalable service networking solutions for dealing with networking challenges across multiple datacenters, services, and platforms while ensuring global visibility and control. Perform the following tasks to ensure that you have a good understanding of how Consul secures and connects service mesh applications at scale.
- Read the Control access to services with Consul gateways documentation
- Read service discovery vs load balancing
- Read the cluster peering documentation
- Review the Connect services between Consul datacenters with cluster peering tutorial
- Read the mesh gateways documentation
- Review the cluster peering and WAN federation comparison
- Review the multi-platform federation documentation
- Read the terminating gateways documentation
- Complete the Connect external services to Consul with terminating gateways (K8S) tutorial
- Read the API gateway documentation
- Complete the Consul API Gateway tutorial for Kubernetes or the equivalent VMs tutorial
These resources cover the basics of securing and connecting service mesh applications at scale with Consul (Objective #8).
Study tips
- Differentiate between the gateways that provide connectivity into, out of, and between Consul service meshes
- Understand the similarities and differences between WAN federation and cluster peering
- Understand that federation enables communication between multiple Consul datacenters
- Understand that federation is possible between Consul datacenters of any type (Kubernetes, VM, HCP)
- Understand that services can communicate between Kubernetes and VM Consul clusters by using mesh gateways
Monitor Consul
Consul observability features provide monitoring capabilities at the data plane level for your service mesh applications and at the control plane level for your Consul cluster. These features enhance your service mesh capabilities with enriched metrics and logs so you can improve performance and debug your distributed services with precision. Perform the following tasks to ensure that you have a good understanding of how Consul provides monitoring for your service mesh data plane and control plane.
- Read the Consul observability use case
- Review the Monitor application health and performance with Consul proxy metrics (K8S) tutorial
- Read the Access logs documentation
- Complete the Observe Consul service mesh traffic (VMs) tutorial
- Complete the Observe Consul service mesh traffic (K8S) tutorial
- Review the Debug service mesh events and errors with Consul proxy access logs (K8S) tutorial
- Review the Monitor Consul server health and performance with metrics and logs (K8S) tutorial
- Read the Telemetry documentation
- Read the Audit Logging documentation
- Review the Capture Consul events with audit logging tutorial
These resources cover Consul observability features (Objective #9).
Study tips
- Understand the scope of observability for the Consul data plane and Consul control plane
- Identify the source of metrics and logs for the Consul data plane and Consul control plane
- Understand how Consul contributes to observability capabilities by monitoring individual service health
- Recognize how Consul server metrics and logs provide insight into the health and performance of Consul clusters
- Understand the benefit of audit logs
- Understand that Consul can stream data for ingestion into existing monitoring systems such as Grafana
Operate and maintain Consul
Consul has several features that ensure the health, performance, and security of Consul clusters. These include server management, disaster recovery, network communication security, and troubleshooting practices. Do the following tasks to ensure that you have a good understanding of Consul's operational and maintenance capabilities.
- Read the Upgrade Consul documentation
- Read the CA root certificate documentation
- Complete the Secure Consul agent communication with TLS encryption tutorial
- Read the consul snapshot documentation to learn about Consul's disaster recovery features
- Review the backup and restore tutorial to gain an understanding of consul snapshot operations
- Be aware of the Consul Enterprise snapshot capabilities in the Consul Enterprise snapshot agent documentation
- Read the Automated backups (Enterprise) documentation
- Read the consul monitor documentation
- Read the consul debug documentation
- Read the consul troubleshoot documentation
These resources cover Consul operation, maintenance, backup, and restore capabilities (Objective #10).
Study tips
- Understand the process for adding new servers to an existing Consul cluster
- Understand the process for upgrading Consul
- Be familiar with the maintenance activities required to ensure Consul communication security
- Understand the components of Consul state and data stored inside the agents at a high level
- Be aware of the sensitive data stored in a backup
- Identify the best practices and operations involved with consul snapshot
- Recall that Enterprise backups can be automated and scheduled
- Be aware of the various Consul troubleshooting options and the functionality that each provides
Next steps
For a reference of the specific study materials that cover a particular exam objective, refer to the content list. Check out the sample questions to review the exam question format.