HashiCorp Certified: Consul Associate Certification

Explain Consul Architecture

Network Traffic and Ports

Consul relies on HTTP/HTTPS for all cluster communications, secured by TLS certificates or a gossip encryption key. This guide covers default ports, DNS workaround strategies, and best practices for securing Consul network traffic.

Default Ports

Port (TCP/UDP)       | Purpose                                          | Protocol   | Notes
8500 (TCP)           | API requests & UI access                         | HTTP/HTTPS | TLS enforced
8301 (TCP/UDP)       | LAN gossip between servers & clients             | Gossip     | Must be open on every node
8302 (TCP/UDP)       | WAN gossip between data-center servers           | Gossip     | Server-to-server across data centers
8300 (TCP)           | Internal RPC forwarding                          | RPC        |
8600 (TCP/UDP)       | DNS interface for service discovery queries      | DNS        | Non-standard DNS port (not 53)
21000–21255 (TCP)    | Sidecar proxy (Envoy) ports for Connect & mesh   | HTTP       | Configurable range for service proxies

DNS Considerations

Queries to Consul’s DNS interface use port 8600 by default. To integrate with standard DNS port 53:

  • BIND or dnsmasq: Run locally on each node to forward 53 → 8600.
  • Elevated privileges: Binding to ports < 1024 (e.g., 53) on Linux requires root access.
  • AWS Route 53 Resolver: Define forwarding rules that include port 8600.
  • Central DNS infrastructure: Handle port translation upstream in your DNS servers.

Warning

Binding Consul to port 53 on Linux requires root privileges, increasing security risk. Use DNS proxies like BIND or dnsmasq instead.

Network Diagram

Below is a high-level topology for a three-node Consul server cluster, client connections, and a federated data center:

[Diagram: network traffic and ports for a Consul setup, showing client traffic, cross-datacenter traffic, and the ports used for the Consul API, DNS, and gossip protocols.]

  1. LAN Gossip (TCP/UDP 8301) between all clients and servers
  2. RPC (TCP 8300) for internal procedure calls
  3. API/UI (TCP 8500) for client queries and UI access
  4. DNS (TCP/UDP 8600) for service discovery lookups
  5. WAN Gossip (TCP/UDP 8302) between data-center server nodes

Accessing Consul Interfaces

Consul offers three primary interfaces:

Interface | Use Case                                    | Port | Notes
API       | Programmatic service & configuration access | 8500 | TLS secured
CLI       | Local consul commands                       | N/A  | Non-leader nodes forward RPC to the leader
UI        | Web-based cluster monitoring                | 8500 | Enable via ui = true in configuration

Note

Ensure API and UI endpoints are restricted via firewall rules. Avoid exposing these directly to the Internet unless through secured mesh gateways.
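The following script is an added example written for this guide; it is not part of the course material or of HashiCorp's tooling. It ties together the DNS workaround above (keep the agent on 8600 and let dnsmasq forward the Consul domain from port 53) and the firewall/exposure advice in this note: it audits a Consul agent JSON configuration for the risky settings discussed on this page (a privileged DNS port, a plaintext API/UI bound to a routable address, a missing gossip encryption key, RPC without mutual TLS) and renders the matching dnsmasq forwarding stanza. The two sample configurations are constructed for the example; the configuration keys (`ports`, `client_addr`, `ui`, `ui_config`, `encrypt`, `verify_incoming`, `verify_outgoing`, `cert_file`, `key_file`, `domain`) are real Consul agent options, but the finding text and thresholds are this script's own choices.

```python
"""Audit a Consul agent JSON config for the network-exposure issues discussed
above and render a dnsmasq stanza that forwards port 53 to the agent's DNS port.
Added example for this guide; not HashiCorp's code."""
from __future__ import annotations

import json
from ipaddress import ip_address

# Consul's default listener ports (see the port table above); -1 disables a listener.
DEFAULT_PORTS = {"http": 8500, "https": -1, "dns": 8600,
                 "serf_lan": 8301, "serf_wan": 8302, "server": 8300}


def _non_loopback(client_addr: str) -> list[str]:
    """Return the client_addr entries that are not loopback addresses.
    client_addr may list several space-separated addresses; a go-sockaddr
    template such as {{ GetInterfaceIP "eth0" }} is treated as routable."""
    if "{{" in client_addr:
        return [client_addr.strip()]
    exposed = []
    for entry in client_addr.split():
        try:
            if not ip_address(entry).is_loopback:
                exposed.append(entry)
        except ValueError:          # hostname or other non-literal: assume routable
            exposed.append(entry)
    return exposed


def audit(config: dict) -> list[str]:
    """Return one finding string per risky setting; an empty list means clean."""
    findings = []
    ports = {**DEFAULT_PORTS, **config.get("ports", {})}
    exposed = _non_loopback(config.get("client_addr", "127.0.0.1"))

    if 0 < ports["dns"] < 1024:
        findings.append(f"dns: port {ports['dns']} is privileged and would require the agent "
                        f"to run as root; keep 8600 and forward 53 -> 8600 with dnsmasq or BIND")
    if ports["http"] > 0 and exposed:
        findings.append(f"http: plaintext API/UI on port {ports['http']} is bound to {exposed}; "
                        f"set ports.http = -1 and serve the API over ports.https with TLS")
    if ports["https"] > 0 and not (config.get("cert_file") and config.get("key_file")):
        findings.append(f"https: port {ports['https']} is enabled without cert_file/key_file")
    ui_enabled = config.get("ui", False) or config.get("ui_config", {}).get("enabled", False)
    if ui_enabled and exposed:
        findings.append(f"ui: web UI reachable on {exposed}; restrict it with firewall rules "
                        f"and never expose it directly to the Internet")
    if not config.get("encrypt"):
        findings.append(f"gossip: no encrypt key, so LAN/WAN gossip on ports "
                        f"{ports['serf_lan']}/{ports['serf_wan']} is unencrypted")
    if not (config.get("verify_incoming") and config.get("verify_outgoing")):
        findings.append(f"rpc: verify_incoming and verify_outgoing are not both true, so RPC "
                        f"on port {ports['server']} is not mutually TLS-authenticated")
    return findings


def dnsmasq_stanza(config: dict) -> str:
    """Render the dnsmasq rule for the 53 -> 8600 workaround: dnsmasq listens on
    port 53 and forwards only the Consul domain to the local agent's DNS port."""
    dns_port = {**DEFAULT_PORTS, **config.get("ports", {})}["dns"]
    domain = config.get("domain", "consul")
    return f"server=/{domain}/127.0.0.1#{dns_port}\n"


# Constructed sample configs: one with the weak settings, one hardened.
WEAK_CONFIG = json.loads("""
{"client_addr": "0.0.0.0", "ui": true, "ports": {"dns": 53}}
""")
HARDENED_CONFIG = json.loads("""
{"client_addr": "127.0.0.1",
 "ports": {"http": -1, "https": 8501, "dns": 8600},
 "encrypt": "PLACEHOLDER-GOSSIP-KEY",
 "verify_incoming": true, "verify_outgoing": true,
 "ca_file": "/etc/consul.d/ca.pem", "cert_file": "/etc/consul.d/agent.pem",
 "key_file": "/etc/consul.d/agent-key.pem"}
""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
        print("dnsmasq:", dnsmasq_stanza(cfg), end="")
```

Run it against a real agent config with `python3 audit.py` after replacing the sample dicts with `json.load(open("/etc/consul.d/consul.json"))`; the dnsmasq line it prints is the one to drop into `/etc/dnsmasq.d/consul` so that resolvers on port 53 reach the agent on 8600 without the agent ever binding a privileged port.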
