Accessing external services registered in a peered Consul DC


I have the following setup:

  1. Two Consul DCs (deployed using Consul Helm Chart v1.0.2, so it is Consul 1.14.2) running on two GKE clusters
  2. The two Consul DCs are peered together and peering is done using Consul Mesh Gateways on both sides. Peering has been established using Consul UI.
  3. I exported and imported a couple of Connect services on each side of the peering. Proper cross-cluster Intentions exist. I am able to call from one peered DC services running on the second peered DC. This works as expected using upstreams annotation and Consul virtual IPs.
  4. What does not work is the following:
    4.1 I also have an external service properly registered in Consul Catalog (using Node name). The external service is configured properly on each Consul DC and exposed using Terminating Gateway. The external service can be reached from other Connect services running in the same Consul DC (this works as expected) through Terminating Gateway.
    4.2 I exported/imported the external services, so that they are visible on the peers. Correct cross-cluster Intention is also created.
    4.3 When I tried to call an external service registered in peer peer-2 from a Connect Service running in peer peer-1, I am getting the following errors:
    “RBAC access denied”
    I tried using upstreams annotation and Consul Virtual IPs - the same result.

Any ideas what may be wrong?

Any help would be greatly appreciated.
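
A check for the setup in 4.1 to 4.3, added here as an example and not part of the original post: it reads Consul config entries from the exporting DC and lists every service exported to a peer that has no allow intention naming that peer as source. The entries are constructed sample data, the service names are hypothetical, and it assumes the exporting DC knows the calling DC as `peer-1`.

```python
"""Lint Consul config entries: exports to a peer need a peer-scoped allow intention."""

# Constructed sample for the DC that exports to "peer-1". Service names
# "external-api", "backend" and "frontend" are hypothetical.
SAMPLE_ENTRIES = [
    {"Kind": "exported-services", "Name": "default", "Services": [
        {"Name": "external-api", "Consumers": [{"Peer": "peer-1"}]},
        {"Name": "backend", "Consumers": [{"Peer": "peer-1"}]}]},
    {"Kind": "terminating-gateway", "Name": "terminating-gateway",
     "Services": [{"Name": "external-api"}]},
    # This intention names only a local source, so the peer is not covered.
    {"Kind": "service-intentions", "Name": "external-api",
     "Sources": [{"Name": "frontend", "Action": "allow"}]},
    {"Kind": "service-intentions", "Name": "backend",
     "Sources": [{"Name": "frontend", "Peer": "peer-1", "Action": "allow"}]},
]


def peer_allowed(entries, service, peer):
    """True if an intention for `service` (or "*") allows a source from `peer`."""
    for e in entries:
        if e.get("Kind") != "service-intentions" or e.get("Name") not in (service, "*"):
            continue
        if any(s.get("Peer") == peer and s.get("Action") == "allow"
               for s in e.get("Sources", [])):
            return True
    return False


def lint_exports(entries):
    """Return (service, peer, behind_terminating_gateway) for every export
    that lacks a peer-scoped allow intention. Deny precedence is not modelled."""
    tgw = {s["Name"] for e in entries if e.get("Kind") == "terminating-gateway"
           for s in e.get("Services", [])}
    findings = []
    for e in entries:
        if e.get("Kind") != "exported-services":
            continue
        for svc in e.get("Services", []):
            for consumer in svc.get("Consumers", []):
                peer = consumer.get("Peer")
                if peer and not peer_allowed(entries, svc["Name"], peer):
                    findings.append((svc["Name"], peer, svc["Name"] in tgw))
    return findings


if __name__ == "__main__":
    for name, peer, via_tgw in lint_exports(SAMPLE_ENTRIES):
        print(f"{name}: no allow intention from {peer} (behind terminating gateway: {via_tgw})")
```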