Demo Creating a Consul Agent Configuration

Consul Server Agent Configuration (JSON)
Key Settings Overview
Minimal Consul Client Agent Configuration (JSON)
Links and References

In this guide, you’ll learn how to configure a HashiCorp Consul agent—both server and client modes—using example files hosted on GitHub. Follow along by visiting the Consul folder in the repository: https://github.com/btkrausen/hashicorp/tree/main/Consul

Consul Server Agent Configuration (JSON)

Below is a complete JSON example for a Consul server agent. This configuration enables Raft consensus, TLS encryption, and ACL enforcement.

{
  "log_level": "INFO",
  "server": true,
  "key_file": "/etc/consul.d/cert.key",
  "cert_file": "/etc/consul.d/client.pem",
  "ca_file": "/etc/consul.d/chain.pem",
  "verify_incoming": true,
  "verify_outgoing": true,
  "verify_server_hostname": true,
  "ui": true,
  "encrypt": "xxxxxxxxxxxxxx",
  "leave_on_terminate": true,
  "data_dir": "/opt/consul/data",
  "datacenter": "us-east-1",
  "client_addr": "0.0.0.0",
  "bind_addr": "10.11.11.11",
  "advertise_addr": "10.11.11.11",
  "bootstrap_expect": 5,
  "retry_join": [
    "provider=aws tag_key=Environment-Name tag_value=consul-cluster region=us-east-1"
  ],
  "enable_syslog": true,
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "down_policy": "extend-cache",
    "tokens": {
      "agent": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }
  },
  "performance": {
    "raft_multiplier": 1
  }
}

Key Settings Overview

Setting	Description	Example
log_level	Controls log verbosity (e.g., `INFO`, `DEBUG`).	`"INFO"`
server	Enables server mode; participates in Raft elections and stores cluster state.	`true`
key_file / cert_file / ca_file	Paths to TLS key, certificate, and CA used for mutual TLS on RPC and HTTP APIs.	`/etc/consul.d/cert.key`
verify_incoming / outgoing	Enforces mutual TLS for all RPC/API calls.	`true`
verify_server_hostname	Validates server hostname in TLS certificates.	`true`
ui	Enables the built-in Consul Web UI.	`true`
encrypt	Gossip encryption key for securing cluster communication.	`"xxxxxxxxxxxxxx"`
leave_on_terminate	Ensures the agent cleanly leaves the gossip pool when stopped.	`true`
data_dir	Directory for storing Consul state and snapshots.	`/opt/consul/data`
datacenter	Logical datacenter identifier (default: `dc1`).	`"us-east-1"`
client_addr / bind_addr	Network addresses for HTTP/RPC bindings and gossip interface.	`"0.0.0.0"`, `"10.11.11.11"`
advertise_addr	Address announced to peers for incoming connections.	`"10.11.11.11"`
bootstrap_expect	Number of server nodes to wait for before bootstrapping the cluster.	`5`
retry_join	Auto-join peers using AWS tags.	`["provider=aws tag_key=Environment-Name ..."]`
enable_syslog	Sends agent logs to the local syslog.	`true`
acl.enabled / default_policy	Enables ACLs with restrictive defaults—requires a token for all operations.	see JSON block
down_policy	Defines behavior when ACL system is down (e.g., `extend-cache`).	`"extend-cache"`
performance.raft_multiplier	Multiplier for Raft timeouts; setting to `1` improves failure detection speed in production environments.	`1`

For production clusters, configure at least 3–5 server agents and set bootstrap_expect accordingly to ensure high availability.

Minimal Consul Client Agent Configuration (JSON)

Use the following JSON snippet for a lightweight Consul client that joins an existing cluster. It includes essential TLS settings, gossip encryption, and ACL tokens.

{
  "log_level": "INFO",
  "server": false,
  "node_name": "node-a.example.com",
  "key_file": "/etc/consul.d/cert.key",
  "cert_file": "/etc/consul.d/client.pem",
  "ca_file": "/etc/consul.d/chain.pem",
  "verify_incoming": true,
  "verify_outgoing": true,
  "encrypt": "xxxxxxxxxxxxxxxxxxxx",
  "data_dir": "/opt/consul/data",
  "datacenter": "us-east-1",
  "bind_addr": "10.10.10.10",
  "client_addr": "0.0.0.0",
  "retry_join": [
    "provider=aws tag_key=Environment-Name tag_value=consul-cluster region=us-east-1"
  ],
  "enable_syslog": true,
  "acl": {
    "tokens": {
      "agent": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }
  }
}

Ensure your client node has network connectivity to the server agents and valid ACL tokens to authenticate API calls.

The image shows a GitHub repository page for "hashicorp" with a list of configuration files, including JSON and HCL files, and a recent commit message about removing Consul items from the Vault folder.

Links and References

Watch Video

Consul Agent Configuration

Configure Networking and Ports

⌘I

Introduction

Explain Consul Architecture

Deploy a Single Datacenter

Register Services and Use Service Discovery

Back up and Restore

Register a Service Proxy

Secure Agent Communication

Use Gossip Encryption

Access the Consul Key Value KV

Hashi Corp Cloud Platform Consul

Secure Services with Basic AC Ls

Demo Creating a Consul Agent Configuration

Consul Server Agent Configuration (JSON)

Key Settings Overview

Minimal Consul Client Agent Configuration (JSON)

Links and References

Watch Video

Introduction

Explain Consul Architecture

Deploy a Single Datacenter

Register Services and Use Service Discovery

Back up and Restore

Register a Service Proxy

Secure Agent Communication

Use Gossip Encryption

Access the Consul Key Value KV

Hashi Corp Cloud Platform Consul

Secure Services with Basic AC Ls

​Consul Server Agent Configuration (JSON)

​Key Settings Overview

​Minimal Consul Client Agent Configuration (JSON)

​Links and References

Watch Video

Consul Server Agent Configuration (JSON)

Key Settings Overview

Minimal Consul Client Agent Configuration (JSON)

Links and References