HashiCorp Certified: Consul Associate Certification

Deploy a Single Datacenter

Configure Networking and Ports

In this guide, you’ll learn how to set up Consul’s network addresses and ports so that both internal agents and external clients can communicate reliably. Whether you have a single network interface or a complex NAT topology, these settings ensure that your Consul cluster remains accessible and secure.

Default Consul Ports

Consul exposes several ports by default. Ensure that clients and applications can reach these ports on every node:

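| Interface     | Protocol | Port | Purpose                       |
|---------------|----------|------|-------------------------------|
| HTTP API      | TCP      | 8500 | RESTful HTTP API              |
| LAN gossip    | TCP/UDP  | 8301 | Cluster membership and gossip |
| DNS interface | TCP/UDP  | 8600 | Service discovery via DNS     |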

DNS Port Considerations

By default, Consul listens on port 8600 for DNS queries. In environments where DNS is restricted to UDP/TCP port 53, it’s better to redirect traffic rather than run Consul as root.

Warning

Binding to ports below 1024 requires root privileges. Instead, redirect DNS requests with iptables, firewalld, or dnsmasq to maintain security.

Redirecting DNS Traffic with iptables

# Redirect UDP port 53 to Consul’s 8600
sudo iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 8600

# Redirect TCP port 53 to Consul’s 8600
sudo iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 8600
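
The following check is an added example, not part of the original course material: it audits a listing in `iptables -t nat -S PREROUTING` format for both DNS redirects shown above, and checks process ownership so the "do not run Consul as root" advice can be verified. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the DNS redirect (53 -> 8600) and Consul's run-as user.
# Both functions read command output on stdin, so they can be tested offline.

# Print each protocol (udp, tcp) that has NO 53 -> 8600 REDIRECT rule.
# Input: output of `iptables -t nat -S PREROUTING`.
missing_dns_redirects() {
    rules=$(cat)
    for proto in udp tcp; do
        if ! printf '%s\n' "$rules" | grep -Eq \
            "^-A PREROUTING .*-p $proto .*--dport 53 .*-j REDIRECT --to-ports 8600( |\$)"; then
            printf '%s\n' "$proto"
        fi
    done
}

# Exit 0 when a consul process owned by root is listed, 1 otherwise.
# Input: output of `ps -eo user=,comm=`.
consul_runs_as_root() {
    awk '$2 == "consul" && $1 == "root" { found = 1 } END { exit !found }'
}

# Constructed sample: the TCP rule was forgotten, so DNS queries that
# retry over TCP after a truncated UDP answer never reach Consul.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 8600'

# Constructed sample: Consul runs under a dedicated, unprivileged account.
SAMPLE_PS='root     sshd
consul   consul'

printf 'protocols missing a redirect: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | missing_dns_redirects)"

if printf '%s\n' "$SAMPLE_PS" | consul_runs_as_root; then
    echo 'consul is running as root'
else
    echo 'consul is not running as root'
fi
```

On a live node, pipe the real command output into the same functions instead of the sample variables.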

bind_addr vs. advertise_addr

Consul uses two key settings for network configuration:

  • bind_addr: The local network interface on which Consul listens for cluster communications (gossip, RPC).
  • advertise_addr: The address other agents and external clients use to reach this node.

On a system with a single NIC, both can point to the same IP. In a multi-interface or NAT setup, bind to the private interface and advertise the public-facing IP.

Example: NAT Scenario

Imagine a Consul server behind NAT:

  • Private interface (LAN gossip/RPC): 10.0.4.56
  • Public (NAT) address: 10.0.9.32

Use a config.hcl like this:

bind_addr      = "10.0.4.56"
advertise_addr = "10.0.9.32"

With these settings:

  • The agent listens on 10.0.4.56 for internal cluster traffic.
  • Other agents and clients connect to 10.0.9.32.
