Discussion
This discussion reviews the table below, which lists the valid and invalid L4/L7 configurations for the Consul Service Mesh Terminating Gateway (TGW) when external services are registered by way of ServiceDefaults destination configuration in conjunction with transparent proxy.
Figure 1-1: Consul Service Mesh Terminating Gateway
Table 1-1: Terminating Gateway External Service Registration w/ Transparent Proxy + Service Defaults Destinations
Row | External Service Layer (Protocol) | Client Dials | Client Uses TLS (Port) | Is Valid Config | Notes
1 | L4 (TCP) | Hostname (DNS) | Yes (443) | ✅️ | (none)
2 | L4 (TCP) | IP | Yes (443) | ✅️ | (none)
3 | L4 (TCP) | Hostname (DNS) | No (80) | 🚫️ | The sidecar is not protocol aware and cannot identify traffic going to the external service, due to limitations in Envoy DNS name resolution.
4 | L4 (TCP) | IP | No (80) | ✅️ | There are no limitations on dialing IPs without TLS; Envoy is not limited by DNS resolution.
5 | L7 (HTTP/HTTP2/gRPC) | Hostname (DNS) | Yes (443) | 🚫️ | Because traffic is already encrypted before it reaches the sidecar, it cannot be routed as L7 traffic.
6 | L7 (HTTP/HTTP2/gRPC) | IP | Yes (443) | 🚫️ | Because traffic is already encrypted before it reaches the sidecar, it cannot be routed as L7 traffic.
7 | L7 (HTTP/HTTP2/gRPC) | Hostname (DNS) | No (80) | ✅️ | A Host or :authority header is required.
8 | L7 (HTTP/HTTP2/gRPC) | IP | No (80) | ✅️ | There are no limitations on dialing IPs without TLS.
Service Default Configuration Entries
- The table above matters when testing or configuring external services as upstreams for communication from within the mesh, and specifically when writing the upstream service-defaults configuration.
- Each service-defaults combination below mirrors one row of the table and shows what will and will NOT be considered a valid working configuration for establishing upstream external service communication from a Consul Service Mesh.
Note: Transparent proxying is assumed to already be configured and working properly; it is not discussed below, so that the external service communication limitations stay in focus. The service intentions and mesh configuration entries required to allow traffic to the services registered behind the terminating gateway are likewise assumed to be in place.
Service Default Config Entry Breakdown for Table 1-1
✅️ Row 1 -- Hostname (DNS Resolvable by Consul) | TCP (Layer 4) | TLS Encrypted (Port 443) | Destination Service: external-database
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: external-database
spec:
  protocol: tcp
  destination:
    port: 443
    addresses:
      - "external-database.external.com"
      - "external-db.external.com"
✅️ Row 2 -- IP Addressed | TCP (Layer 4) | TLS Encrypted (Port 443) | Destination Service: external-database
(which has example routable IPs of 229.113.179.58, 85.95.253.46, 228.161.31.125)
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: external-database
spec:
  protocol: tcp
  destination:
    port: 443
    addresses:
      - "229.113.179.58"
      - "85.95.253.46"
      - "228.161.31.125"
🚫️ Row 3 -- Hostname (DNS Resolvable) | TCP (Layer 4) | Not TLS Encrypted (Port 80) | Destination Service: external-database
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: external-database
spec:
  protocol: tcp
  destination:
    port: 80
    addresses:
      - "external-database.external.com"
      - "external-db.external.com"
✅️ Row 4 -- IP Addressed | TCP (Layer 4) | Not TLS Encrypted (Port 80) | Destination Service: external-database
(which has example routable IPs of 229.113.179.58, 85.95.253.46, 228.161.31.125)
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: external-database
spec:
  protocol: tcp
  destination:
    port: 80
    addresses:
      - "229.113.179.58"
      - "85.95.253.46"
      - "228.161.31.125"
🚫️ Row 5 -- Hostname (DNS Resolvable) | HTTPS (Layer 7) | TLS Encrypted (Port 443) | Destination Service: external-database
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: external-database
spec:
  protocol: http
  destination:
    port: 443
    addresses:
      - "external-database.external.com"
      - "external-db.external.com"
🚫️ Row 6 -- IP Addressed | HTTPS (Layer 7) | TLS Encrypted (Port 443) | Destination Service: external-database
(which has example routable IPs of 229.113.179.58, 85.95.253.46, 228.161.31.125)
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: external-database
spec:
  protocol: http
  destination:
    port: 443
    addresses:
      - "229.113.179.58"
      - "85.95.253.46"
      - "228.161.31.125"
✅️ Row 7 -- Hostname (DNS Resolvable) | HTTP (Layer 7) | Not TLS Encrypted (Port 80) | Destination Service: external-database
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: external-database
spec:
  protocol: http
  destination:
    port: 80
    addresses:
      - "external-database.external.com"
      - "external-db.external.com"
✅️ Row 8 -- IP Addressed | HTTP (Layer 7) | Not TLS Encrypted (Port 80) | Destination Service: external-database
(which has example routable IPs of 229.113.179.58, 85.95.253.46, 228.161.31.125)
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: external-database
spec:
  protocol: http
  destination:
    port: 80
    addresses:
      - "229.113.179.58"
      - "85.95.253.46"
      - "228.161.31.125"
Key Takeaways
- For unencrypted TCP traffic to a hostname (Row 3 above), note that Envoy has no means of resolving DNS hostnames and therefore cannot populate the outbound listener filter chains needed to route traffic to the external service.
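To make the rules in Table 1-1 and the row-by-row breakdown checkable before a ServiceDefaults entry is applied, the following added example (written for this page, not Consul's own code) evaluates each destination address against the eight rows. It assumes, as the table does, that port 443 means the client already speaks TLS before the sidecar and that any other port is plaintext; the entries it builds are constructed samples shaped like the YAML above.

```python
import ipaddress
from typing import Any, Dict, List, Tuple

# Assumption mirroring Table 1-1: port 443 means the client already speaks TLS
# before the sidecar; anything else is treated as plaintext.
TLS_PORTS = {443}
L7_PROTOCOLS = {"http", "http2", "grpc"}

def make_entry(protocol: str, port: int, addresses: List[str]) -> Dict[str, Any]:
    """Build a constructed ServiceDefaults entry shaped like the page's YAML."""
    return {
        "apiVersion": "consul.hashicorp.com/v1alpha1",
        "kind": "ServiceDefaults",
        "metadata": {"name": "external-database"},
        "spec": {"protocol": protocol,
                 "destination": {"port": port, "addresses": list(addresses)}},
    }

def is_ip(address: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a DNS hostname."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False

def classify_address(protocol: str, port: int, address: str) -> Tuple[bool, str]:
    """Map one (protocol, port, address) triple onto a Table 1-1 row."""
    tls, l7, hostname = port in TLS_PORTS, protocol in L7_PROTOCOLS, not is_ip(address)
    if l7 and tls:
        return False, "Rows 5/6: traffic is encrypted before the sidecar, cannot route as L7"
    if not l7 and not tls and hostname:
        return False, "Row 3: Envoy cannot resolve DNS hostnames for plaintext TCP"
    if l7 and hostname:
        return True, "Row 7: valid, but the client must send a Host or :authority header"
    if not l7 and tls:
        return True, "Rows 1/2: TLS over TCP is valid for hostnames and IPs"
    return True, "Rows 4/8: dialing an IP without TLS has no limitations"

def check_service_defaults(entry: Dict[str, Any]) -> Tuple[bool, List[Tuple[str, bool, str]]]:
    """Evaluate every destination address; the entry is valid only if all of them are."""
    spec = entry["spec"]
    protocol = str(spec.get("protocol", "tcp")).lower()
    dest = spec["destination"]
    results = [(a, *classify_address(protocol, int(dest["port"]), a))
               for a in dest["addresses"]]
    return bool(results) and all(ok for _, ok, _ in results), results
```

A mixed address list is judged per address, so one plaintext-TCP hostname is enough to flag the whole entry, which is the case the table itself does not spell out.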
Further Reading:
- Transparent Proxy - Kubernetes - link
- Consul Transparent Proxy - Kubernetes (Blog) - link
- Consul Transparent Proxy | Ingress Controller Integration - link
- Consul Transparent Proxy - Virtual Machines (Blog) - link
- Terminating Gateway Configuration Tutorial - link
- Understanding Terminating Gateways - link
- Terminating Gateway Documentation - link