HashiCorp Certified: Consul Associate Certification
Explain Consul Architecture
Network Traffic and Ports
Consul relies on HTTP/HTTPS for all cluster communications, secured by TLS certificates or a gossip encryption key. This guide covers default ports, DNS workaround strategies, and best practices for securing Consul network traffic.
Default Ports
Port (TCP/UDP) | Purpose | Protocol | Notes |
---|---|---|---|
8500 (TCP) | API requests & UI access | HTTP/HTTPS | TLS enforced |
8301 (TCP/UDP) | LAN gossip between servers & clients | Gossip | Must be open on every node |
8302 (TCP/UDP) | WAN gossip between data-center servers | Gossip | Server-to-server across data centers |
8300 (TCP) | Internal RPC forwarding | RPC | |
8600 (TCP/UDP) | DNS interface for service discovery queries | DNS | Non-standard DNS port (not 53) |
21000–21255 (TCP) | Sidecar proxy (Envoy) ports for Connect & mesh | HTTP | Configurable range for service proxies |
DNS Considerations
Queries to Consul’s DNS interface use port 8600 by default. To integrate with standard DNS port 53:
- BIND or dnsmasq: Run locally on each node to forward 53 → 8600.
- Elevated privileges: Binding to ports < 1024 (e.g., 53) on Linux requires root access.
- AWS Route 53 Resolver: Define forwarding rules that include port 8600.
- Central DNS infrastructure: Handle port translation upstream in your DNS servers.
Warning
Binding Consul directly to port 53 on Linux requires running the agent with root privileges, which widens the blast radius of any bug in the agent. Run a DNS forwarder such as BIND or dnsmasq on port 53 and have it forward to Consul on 8600 instead.
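As an added example (not part of the course page), the following shell functions generate the two forwarder configurations the list above describes: a dnsmasq fragment and a BIND forward zone, both sending only the Consul domain from port 53 to the agent's DNS interface on 8600. It assumes the agent listens on 127.0.0.1:8600 and that the forwarder runs on the same node; the domain defaults to `consul`, and `web.service.consul` in the usage comment is a made-up service name.

```shell
#!/bin/sh
# Added example (not from the course page): emit dnsmasq or BIND
# forwarder configuration that sends *.consul queries arriving on
# port 53 to Consul's DNS interface on 8600, so Consul itself never
# needs root to answer DNS.
# Assumptions: Consul DNS is reachable at 127.0.0.1:8600 on this node;
# override with CONSUL_DNS_ADDR / CONSUL_DNS_PORT if it is not.

CONSUL_DNS_ADDR=${CONSUL_DNS_ADDR:-127.0.0.1}
CONSUL_DNS_PORT=${CONSUL_DNS_PORT:-8600}

# dnsmasq_forwarder_conf [DOMAIN]: print a fragment for /etc/dnsmasq.d/.
# Only the Consul domain is forwarded; every other name still goes to
# the node's normal upstream resolvers.
dnsmasq_forwarder_conf() {
  domain=${1:-consul}
  printf '# Forward %s lookups to the local Consul agent\n' "$domain"
  printf 'server=/%s/%s#%s\n' "$domain" "$CONSUL_DNS_ADDR" "$CONSUL_DNS_PORT"
  # Answer on loopback only; this forwarder is not a public resolver.
  printf 'listen-address=127.0.0.1\n'
  printf 'bind-interfaces\n'
}

# bind_forward_zone [DOMAIN]: print a "forward only" zone stanza for
# named.conf. The forwarders clause carries the non-standard port.
# Consul's records are not DNSSEC-signed, so the options block of
# named.conf must also set "dnssec-validation no;".
bind_forward_zone() {
  domain=${1:-consul}
  printf 'zone "%s" IN {\n' "$domain"
  printf '  type forward;\n'
  printf '  forward only;\n'
  printf '  forwarders { %s port %s; };\n' "$CONSUL_DNS_ADDR" "$CONSUL_DNS_PORT"
  printf '};\n'
}

# Usage (dnsmasq variant), then compare a port-53 and a direct lookup:
#   dnsmasq_forwarder_conf > /etc/dnsmasq.d/10-consul && systemctl restart dnsmasq
#   dig @127.0.0.1 web.service.consul            # via the forwarder on 53
#   dig @127.0.0.1 -p 8600 web.service.consul    # straight to Consul
```

Both functions print to stdout so the output can be reviewed before it is written into a privileged location; the forwarder process, not the Consul agent, is what ends up holding port 53.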
Network Diagram
The high-level topology for a three-node Consul server cluster, its client agents, and a federated data center consists of the following flows:
- LAN Gossip (TCP/UDP 8301) between all clients and servers
- RPC (TCP 8300) for internal procedure calls
- API/UI (TCP 8500) for client queries and UI access
- DNS (TCP/UDP 8600) for service discovery lookups
- WAN Gossip (TCP/UDP 8302) between data-center server nodes
Accessing Consul Interfaces
Consul offers three primary interfaces:
Interface | Use Case | Port | Notes |
---|---|---|---|
API | Programmatic service & configuration access | 8500 | TLS secured |
CLI | Local consul commands | N/A | Non-leader nodes forward RPC to the leader |
UI | Web-based cluster monitoring | 8500 | Enable via ui = true in configuration |
Note
Ensure API and UI endpoints are restricted via firewall rules. Avoid exposing these directly to the Internet unless through secured mesh gateways.
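As an added example (not code from the course or from HashiCorp), the shell functions below turn the port table and the network diagram above into a per-role inbound firewall baseline, and implement the check the note asks for: that the API/UI port is never accepted from an unrestricted source. It assumes a cluster LAN CIDR, an operator (admin) CIDR for API/UI access, and that inbound 8300 is needed only on servers because clients initiate RPC to servers; the WAN peer CIDR for 8302 is a placeholder unless supplied. The functions print iptables commands rather than running them, and a default-deny INPUT policy is assumed to be set separately.

```shell
#!/bin/sh
# Added example (not from the course page): emit an inbound iptables
# baseline for a Consul node from the port table in this section.
# Assumptions: CLUSTER_CIDR is the LAN the cluster lives on, ADMIN_CIDR
# is where operators reach the API/UI from, inbound 8300 is only needed
# on servers, and the INPUT chain already has a default DROP policy.

# consul_firewall_rules ROLE FEDERATED CLUSTER_CIDR ADMIN_CIDR [WAN_CIDR]
#   ROLE       server | client
#   FEDERATED  yes | no   (WAN gossip 8302 opens only on federated servers)
# Prints one iptables command per line; review, then pipe into sh.
consul_firewall_rules() {
  role=$1; federated=$2; cluster=$3; admin=$4
  wan=${5:-<wan-peer-cidr>}   # placeholder until the real peer range is known

  # LAN gossip (8301 TCP+UDP) must be open on every node.
  printf 'iptables -A INPUT -p tcp --dport 8301 -s %s -j ACCEPT\n' "$cluster"
  printf 'iptables -A INPUT -p udp --dport 8301 -s %s -j ACCEPT\n' "$cluster"
  # DNS interface (8600 TCP+UDP) from the LAN so forwarders can reach it.
  printf 'iptables -A INPUT -p tcp --dport 8600 -s %s -j ACCEPT\n' "$cluster"
  printf 'iptables -A INPUT -p udp --dport 8600 -s %s -j ACCEPT\n' "$cluster"

  if [ "$role" = server ]; then
    # RPC (8300) from clients and the other servers.
    printf 'iptables -A INPUT -p tcp --dport 8300 -s %s -j ACCEPT\n' "$cluster"
    # API/UI (8500) only from the operator network, never 0.0.0.0/0.
    printf 'iptables -A INPUT -p tcp --dport 8500 -s %s -j ACCEPT\n' "$admin"
    if [ "$federated" = yes ]; then
      # WAN gossip (8302 TCP+UDP) between data-center servers.
      printf 'iptables -A INPUT -p tcp --dport 8302 -s %s -j ACCEPT\n' "$wan"
      printf 'iptables -A INPUT -p udp --dport 8302 -s %s -j ACCEPT\n' "$wan"
    fi
  else
    # Sidecar proxy range (21000-21255) for mesh traffic on workload nodes.
    printf 'iptables -A INPUT -p tcp --dport 21000:21255 -s %s -j ACCEPT\n' "$cluster"
  fi
}

# check_api_not_public RULES: return non-zero if any rule accepts the
# API/UI port with no source restriction or from 0.0.0.0/0.
check_api_not_public() {
  printf '%s\n' "$1" | grep -- '--dport 8500' | while read -r line; do
    case "$line" in
      *' -s 0.0.0.0/0 '*) exit 1 ;;   # explicitly world-open
      *' -s '*) ;;                    # source-restricted: fine
      *) exit 1 ;;                    # no -s at all: world-open
    esac
  done
}

# Usage:
#   rules=$(consul_firewall_rules server yes 10.0.0.0/8 10.1.0.0/16 192.0.2.0/24)
#   check_api_not_public "$rules" && printf '%s\n' "$rules" | sh
```

The check deliberately treats a missing `-s` the same as `0.0.0.0/0`, since an ACCEPT with no source is exactly the configuration the note warns against; the same function can be run over an existing `iptables-save` dump to audit a node that was configured by hand.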