Ingress Gateways
1.8.0+: This feature is available in Consul versions 1.8.0 and newer.
Ingress gateways enable ingress traffic from services outside the Consul service mesh to services inside the Consul service mesh. An ingress gateway is a type of proxy and must be registered as a service in Consul, with the kind set to “ingress-gateway”. They are an entrypoint for outside traffic and allow you to define what services should be exposed and on what port. You configure an ingress gateway by defining a set of listeners that each map to a set of backing services.
To enable easier service discovery, a new Consul DNS subdomain is provided, on <service>.ingress.<domain>
.
For listeners with a protocol other than tcp
, multiple services can be specified for a single listener. In this case, the ingress gateway relies on host/authority headers to decide the service that should receive the traffic. The host used to match traffic defaults to the Consul DNS ingress subdomain, but can be changed using the hosts field.
Prerequisites
Ingress gateways also require that your Consul datacenters are configured correctly:
- You’ll need to use Consul version 1.8.0 or newer.
- Consul Connect must be enabled on the datacenter’s Consul servers.
- gRPC must be enabled on all client agents.
Currently, Envoy is the only proxy with ingress gateway capabilities in Consul.
Running and Using an Ingress Gateway
For a complete example of how to allow external traffic inside your Consul service mesh, review the ingress gateway tutorial.
Ingress Gateway Configuration
Ingress gateways are configured in service definitions and registered with Consul like other services, with two exceptions. The first is that the kind must be “ingress-gateway”. Second, the ingress gateway service definition may contain a Proxy.Config
entry just like a Connect proxy service, to define opaque configuration parameters useful for the actual proxy software. For Envoy there are some supported gateway options as well as escape-hatch overrides.
Note: If ACLs are enabled, ingress gateways must be registered with a token granting service:write
for the ingress gateway’s service name, service:read
for all services in the ingress gateway’s configuration entry, and node:read
for all nodes of the services in the ingress gateway’s configuration entry. These privileges authorize the token to route communications to other Connect services. If the Consul client agent on the gateway’s node is not configured to use the default gRPC port, 8502, then the gateway’s token must also provide agent:read
for its node’s name in order to discover the agent’s gRPC port. gRPC is used to expose Envoy’s xDS API to Envoy proxies.
Configuration entries are global in scope. A configuration entry for a gateway name applies across all federated Consul datacenters. If ingress gateways in different Consul datacenters need to route to different sets of services within their datacenter then the ingress gateways must be registered with different names.