Service mesh proxy overview
This topic provides an overview of how Consul uses proxies in your service mesh. A proxy is a type of service that enables unmodified applications to connect to other services in the service mesh. Consul ships with a built-in L4 proxy and has first class support for Envoy. You can plug other proxies into your environment, as well, and apply configurations in Consul to define proxy behavior.
Proxy use cases
Proxies are services that you can configure to perform several different types of functions in Consul.
Sidecars
You can configure proxies to operate as sidecar services transparently handles inbound and outbound service connections. Sidecars also automatically wrap and verify TLS connections. Each service in your mesh should have its own sidecar proxy.
Refer to Register service mesh proxies as sidecars for additional information.
Gateways
You can configure proxies to operate as gateway services, which allow service-to-service traffic across different network areas, including peered clusters, WAN-federated datacenters, and nodes outside the mesh. Consul ships with several types of gateway capabilities, but gateways deliver the underlying functionality.
Refer to Gateways overview for additional information.
Supported proxies
Consul has first-class support for Envoy proxies, which is a highly configurable open source edge service. Consul configures Envoy by optionally exposing a gRPC service on the local agent that serves Envoy's xDS configuration API. Refer to the following documentation for additional information:
You can use Consul's built-in proxy service that supports L4 network traffic, which is suitable for testing and development but not recommended for production environments. Refer to the built-in proxy reference for additional information.
Workflow
The following procedure describes how to implement proxies:
- Configure global proxy settings. You can configure global passthrough settings for all proxies deployed to your service mesh in the proxy defaults configuration entry. This step is not required, but it enables you to define common behaviors in a central configuration.
- Deploy your service mesh proxy. Configure proxy behavior in a service definition and register the proxy with Consul.
- Start the proxy service.
Dynamic upstreams require native integration
Service mesh proxies do not support dynamic upstreams. If an application requires dynamic dependencies that are only available at runtime, you must natively integrate the application with Consul service mesh. After integration, the application can use the HTTP API or DNS interface to connect to other services in the mesh.
Proxies in Kubernetes-orchestrated networks
For Kubernetes-orchestrated environments, Consul deploys dataplanes by default to manage proxies. Consul dataplanes are light-weight processes that leverage existing Kubernetes sidecar orchestration capabilities. Refer to the dataplanes documentation for additional information.
Guidance
Refer to the following resources for help using service mesh proxies: