HashiCorp Certified: Consul Associate Certification
Secure Agent Communication
Consul SecurityThreat Model
In its default state, Consul transmits all RPC, API, Raft, and Gossip traffic in clear text. To harden your Consul deployment, enable and configure each of the following security components:
| Component | Purpose | Configuration Example |
|---|---|---|
| Gossip Protocol Encryption | Encrypt Serf membership and failure-detection traffic | encrypt = "BASE64_KEY" |
| Built-in ACL System | Enforce fine-grained access control on KV store and APIs | "acl": { "enabled": true, ... } |
| Consul Agent TLS | Secure agent-to-agent RPC and HTTP API | "tls_cert_file": "/path/to/agent.crt", ... |
| Mutual TLS (mTLS) | Encrypt and authenticate service-to-service communication | Each service presents and verifies certificates |
| Certificate Authority (CA) | Issue and rotate certificates via Consul or external CA (Vault) | consul tls cert create -server |
1. Gossip Protocol Encryption & ACL System
Consul uses Serf’s Gossip protocol for intra-cluster membership and failure detection. Without encryption, Serf messages are vulnerable to eavesdropping or injection.
Warning
If you skip Gossip encryption, all Serf traffic (including cluster health checks) is sent in clear text.
Enable Gossip Encryption
Add a shared symmetric key to every server and client configuration:
# consul.hcl
encrypt = "BASE64_ENCRYPTION_KEY"
Enable the ACL System
By default, ACLs are disabled. Turning them on enforces policies for KV operations and API endpoints:
{
"acl": {
"enabled": true,
"default_policy": "deny",
"down_policy": "extend-cache"
}
}
2. Consul Agent TLS
Securing agent-to-agent communication is critical when running in untrusted networks or across cloud regions. Consul agents can use TLS certificates for both RPC (Raft, Serf) and the HTTP API.
Add the following to each agent’s JSON or HCL configuration:
{
"tls_cert_file": "/path/to/agent.crt",
"tls_key_file": "/path/to/agent.key",
"tls_ca_file": "/path/to/ca.pem"
}
Note
Consul will verify peer hostnames on incoming connections. Ensure your certificate’s Common Name (CN) or SAN matches the agent’s advertised address.
3. Mutual TLS (mTLS)
mTLS provides both encryption and peer authentication, forming the backbone of Consul’s Service Mesh:
- Services present client certificates issued by a trusted CA.
- Peers validate each other’s certificates before establishing an encrypted channel.
- Identity information (e.g., service name) is embedded in the certificate and used for authorization.
4. Certificate Authority Integration
Consul can act as its own CA or delegate certificate issuance to an external CA such as HashiCorp Vault. Centralized certificate management simplifies rotation and revocation.
Using the Built-in CA
# Generate server cert
consul tls cert create -server
# Generate client cert
consul tls cert create -client
# Generate CLI cert
consul tls cert create -cli
Delegating to Vault (or other CA)
# consul.hcl
certificate_authority = {
provider = "vault"
options = {
address = "https://vault.example.com"
token = "VAULT_TOKEN"
# additional Vault settings…
}
}
Note
When integrating with Vault, configure ACL tokens and policies to allow Consul to request and renew certificates automatically.
By enabling Gossip encryption, the ACL system, agent TLS, mTLS, and CA integration, you secure every layer of Consul’s communication—from cluster membership and Raft consensus to HTTP APIs and service-to-service traffic in the mesh.
Links and References
Watch Video
Watch video content