Consul
Production readiness checklist
Below is a checklist that can help you deploy your first datacenter. This checklist is not an exhaustive list and you may need to add additional tasks depending on your environment.
Infrastructure Planning
- Review the reference diagram and requirements.
Ports
Refer to the API documentation for specific port numbers or alternate configuration options.
- dns, DNS server port
- http, HTTP API port
- https, HTTPS API port
- grpc, gRPC API port
- serf_lan, Serf LAN port
- serf_wan, Serf WAN port
- server, server RPC address port
- sidecar_min_port, inclusive minimum port number to use for automatically assigned sidecar service registrations
- sidecar_max_port, inclusive maximum port number to use for automatically assigned sidecar service registrations
- expose_min_port, inclusive minimum port number to use for automatically assigned exposed check listeners
- expose_max_port, inclusive maximum port number to use for automatically assigned exposed check listeners
Deployment
Consul Servers
- Read the release notes for the Consul version.
- Consul binary has been distributed to all servers.
- Customize the server configuration file or files.
- Autopilot is configured or disabled.
- TLS encryption is enabled for RPC and consensus communication.
- Gossip encryption configured.
- ACLs bootstrapped.
- Telemetry configured.
Consul Clients
- Consul binary has been distributed to all clients.
- The configuration file has been customized.
- TLS is enabled for RPC communication.
- Gossip encryption configured.
- External Service Monitor has been deployed to nodes that cannot run a Consul client.
Networking
Configure DNS Caching
Refer to the DNS caching tutorial for step by step instructions and considerations around DNS performance.
- Stale reads have been configured in the agent configuration file.
- Negative response caching has been configured in the agent configuration file.
- TTL values have been configured in the agent configuration file.
Set up DNS Forwarding
Refer to the DNS forwarding tutorial for instructions on integrating Consul with system DNS.
- BIND, dnsmasq, Unbound, systemd-resolved, or iptables has been configured.
Security
Encryption of Communication
- TLS: RPC encryption for both incoming and outgoing communication.
- Gossip encryption: both incoming and outgoing communication.
Enable ACLs
Refer to the Secure Consul with Access Control Lists (ACLs) tutorial for instructions on setting up access control lists.
- Tokens have been created for all agents and services.
Set up a Certificate Authority
Refer to the Secure Consul Agent Communication with TLS Encryption tutorial for instructions on setting up a certificate authority.
- Agent certificates have been created and distributed to all agents.
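As an added example (not part of the original checklist and not HashiCorp tooling), the Python script below checks an agent configuration in JSON form against the encryption and ACL items in this section. It assumes the `tls` stanza layout with fallback to the legacy top-level keys; the sample configuration is constructed, and the `default_policy` check goes one step beyond what the checklist lists.

```python
import json

# Constructed sample agent configuration (JSON form); the key is a placeholder.
SAMPLE_CONFIG = """{
  "encrypt": "<gossip-key-placeholder>",
  "encrypt_verify_outgoing": false,
  "tls": {
    "defaults": {"verify_incoming": true, "verify_outgoing": false},
    "internal_rpc": {"verify_server_hostname": true}
  },
  "acl": {"enabled": true}
}"""

def tls_flag(cfg, name, scope="internal_rpc"):
    """Read a TLS flag from tls.<scope>, then tls.defaults, then the legacy top-level key."""
    tls = cfg.get("tls", {})
    for section in (scope, "defaults"):
        if name in tls.get(section, {}):
            return bool(tls[section][name])
    return bool(cfg.get(name, False))

def audit(cfg):
    """Return the security checklist items this configuration does not satisfy."""
    findings = []
    if not cfg.get("encrypt"):
        findings.append("gossip: no encrypt key set")
    # Both gossip verification flags default to true when omitted.
    for key in ("encrypt_verify_incoming", "encrypt_verify_outgoing"):
        if cfg.get(key, True) is not True:
            findings.append(f"gossip: {key} disabled")
    for name in ("verify_incoming", "verify_outgoing", "verify_server_hostname"):
        if not tls_flag(cfg, name):
            findings.append(f"tls: {name} disabled for RPC")
    acl = cfg.get("acl", {})
    if not acl.get("enabled", False):
        findings.append("acl: not enabled")
    elif acl.get("default_policy", "allow") != "deny":
        # Addition beyond the checklist: default_policy is "allow" unless set.
        findings.append("acl: default_policy is not deny")
    return findings

def audit_json(text):
    """Parse a JSON agent configuration and audit it."""
    return audit(json.loads(text))

if __name__ == "__main__":
    for finding in audit_json(SAMPLE_CONFIG):
        print(finding)
```

Configurations written in HCL would need converting to JSON first, and ACL tokens set through the API rather than the file are not visible to this check.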
Monitoring
- Telemetry has been enabled.
- API has been configured. New user and token have been created.
Official Grafana dashboard: If you are using Grafana to monitor your Consul datacenter health, we suggest using the Consul Server Monitoring Dashboard maintained by the Consul team at HashiCorp.
Failure Recovery
- Backups are being periodically captured.
- Outage recovery plan has been outlined.