Demo Enable and Configure the Consul ACL System

Prerequisites
1. Update Configuration on consul-node-a
2. Update Configuration on consul-node-b
3. Verify Cluster Membership
4. Bootstrap the ACL System
Next Steps
Links and References

In this guide, you’ll enable and configure the Consul ACL system to secure your service mesh. By default, Consul ACLs are disabled. We’ll update the agent configuration on both server nodes, restart the agents, verify cluster membership, and bootstrap the ACL subsystem.

Consul ACLs are disabled out of the box. Enabling them enforces access control for API requests, service registrations, and key/value operations.

Prerequisites

Two Consul server nodes:
- consul-node-a (10.0.101.110)
- consul-node-b (10.0.101.248)
SSH access to each node
Consul 1.9+ installed and running without ACLs

Resource	Details
Consul version	≥ 1.9.0 (Enterprise or OSS)
Configuration file	`/etc/consul.d/config.hcl`
Data directory	`/etc/consul.d/data`
Consul datacenter	`us-east-1`

1. Update Configuration on consul-node-a

SSH into consul-node-a:
```
ssh user@10.0.101.110
```

Backup and open the Consul HCL file:

sudo cp /etc/consul.d/config.hcl /etc/consul.d/config.hcl.bak
sudo vi /etc/consul.d/config.hcl

Append or update the following stanzas:

node_name           = "consul-node-a"
server              = true
ui                  = true
leave_on_terminate  = true
data_dir            = "/etc/consul.d/data"
datacenter          = "us-east-1"
client_addr         = "0.0.0.0"
bind_addr           = "10.0.101.110"
advertise_addr      = "10.0.101.110"
retry_join          = ["10.0.101.248"]
bootstrap_expect    = 2
enable_syslog       = true

connect {
  enabled = true
}

acl {
  enabled        = true
  default_policy = "allow"
  down_policy    = "extend-cache"
}

performance {
  raft_multiplier = 1
}

Save and exit (:wq).
Restart the Consul agent:
```
sudo systemctl restart consul
```

2. Update Configuration on consul-node-b

Repeat on consul-node-b:

SSH into consul-node-b:
```
ssh user@10.0.101.248
```
Edit the configuration:
```
sudo vi /etc/consul.d/config.hcl
```

Ensure the file matches this configuration (update bind and advertise addresses):

node_name           = "consul-node-b"
server              = true
ui                  = true
leave_on_terminate  = true
data_dir            = "/etc/consul.d/data"
datacenter          = "us-east-1"
client_addr         = "0.0.0.0"
bind_addr           = "10.0.101.248"
advertise_addr      = "10.0.101.248"
retry_join          = ["10.0.101.110"]
bootstrap_expect    = 2
enable_syslog       = true

connect {
  enabled = true
}

acl {
  enabled        = true
  default_policy = "allow"
  down_policy    = "extend-cache"
}

performance {
  raft_multiplier = 1
}

Save and restart:
```
sudo systemctl restart consul
```

3. Verify Cluster Membership

On either server, confirm both nodes are alive:

consul members

Expected output:

Node            Address             Status  Type    Build       Protocol  DC         Segment
consul-node-a   10.0.101.110:8301   alive   server  1.9.3+ent   2         us-east-1  <all>
consul-node-b   10.0.101.248:8301   alive   server  1.9.3+ent   2         us-east-1  <all>

If a node isn’t listed as alive, check logs with journalctl -u consul and verify network connectivity.

4. Bootstrap the ACL System

Bootstrap the ACL subsystem to generate your initial management token:

consul acl bootstrap

Sample output:

AccessorID:  0955cdf-4531-3165-fa8e-2e5715cb5e66
SecretID:    c71425da-8ab1-78ba-f521-189712e29c24
Namespace:   default
Description: Bootstrap Token (Global Management)
Local:       false
Create Time: 2021-02-12 20:01:19.247927413 +0000 UTC
Policies:    00000000-0000-0000-0000-000000000001 - global-management

AccessorID: token identifier
SecretID: the token for CLI/API authentication
Policies: grants global-management privileges

Because default_policy = "allow", you can still run commands like consul members without specifying -token. If you switch to default_policy = "deny", every request will require a valid token.

Store the SecretID securely. Losing it may lock you out of ACL management. Consider rotating tokens after bootstrapping.

Next Steps

Create fine-grained policies to restrict access by service or path.
Generate scoped tokens for applications, operators, and CI/CD pipelines.

Practice authenticating with ACL tokens:

consul kv put -token=<your-token> secret/application/key value

Integrate Consul ACLs with Terraform or Vault for automated policy management.

Links and References

Watch Video

Practice Lab

Introduction to the Consul ACL System

Creating ACL Policies

Introduction

Explain Consul Architecture

Deploy a Single Datacenter

Register Services and Use Service Discovery

Access the Consul Key/Value (KV)

Back up and Restore

Register a Service Proxy

Secure Agent Communication

Secure Services with Basic ACLs

Use Gossip Encryption

HashiCorp Cloud Platform - Consul

Demo Enable and Configure the Consul ACL System

Prerequisites

1. Update Configuration on consul-node-a

2. Update Configuration on consul-node-b

3. Verify Cluster Membership

4. Bootstrap the ACL System

Next Steps

Links and References

Watch Video

Practice Lab

Introduction

Explain Consul Architecture

Deploy a Single Datacenter

Register Services and Use Service Discovery

Access the Consul Key/Value (KV)

Back up and Restore

Register a Service Proxy

Secure Agent Communication

Secure Services with Basic ACLs

Use Gossip Encryption

HashiCorp Cloud Platform - Consul

Documentation Index

​Prerequisites

​1. Update Configuration on consul-node-a

​2. Update Configuration on consul-node-b

​3. Verify Cluster Membership

​4. Bootstrap the ACL System

​Next Steps

​Links and References

Watch Video

Practice Lab

Prerequisites

1. Update Configuration on consul-node-a

2. Update Configuration on consul-node-b

3. Verify Cluster Membership

4. Bootstrap the ACL System

Next Steps

Links and References