Agents behind corporate firewall

Hi, after setting up our Consul cluster and K8S sync mechanism, it is all working. However, now we would like to add agents that are behind a corporate firewall, meaning that the Consul cluster does not have access to the agents, but the agents do have outbound connectivity to the Consul server.

Does Consul require bi-directional connectivity to be able to work? Or is it possible to have uni-directional, pull-only connectivity to the cluster to sync the catalog…

The agents then have the following message…


## Failing serf check

This node has a failing serf node check. The health statuses shown on this page are the statuses as they were known before the node became unreachable.
Agent not live or unreachable

The nodes do show up on the cluster, but of course due to the firewall they are not reachable. Just wondering if this scenario is supported via config… the values file for the Consul Helm chart is over 2300+ lines, so I may have missed an option.

Hi, all Consul agents and servers must have bi-directional connectivity for LAN gossip (see the arch diagram: Consul Architecture | Consul by HashiCorp).

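The requirement stated in the reply can be checked against a firewall policy before agents are deployed. The following is an added example, not part of the original thread or of Consul itself: it audits an allowed-flow list for the flows LAN gossip needs. The node names and the flow list are constructed, and the ports are assumed to be Consul's defaults (8301 for Serf LAN over TCP and UDP, 8300 for server RPC over TCP).

```python
"""Audit a firewall flow list against Consul's LAN gossip requirements.

Constructed example: node names and allowed flows are made up.
Ports assume Consul defaults (Serf LAN 8301 tcp+udp, server RPC 8300 tcp).
"""
from itertools import permutations

SERF_LAN = 8301    # default Serf LAN gossip port, TCP and UDP
SERVER_RPC = 8300  # default server RPC port, TCP only

# Constructed topology: one server, one agent behind the corporate firewall.
NODES = {"consul-server-0": "server", "office-agent-1": "client"}

# Constructed policy: the agent may connect out, nothing may connect in.
OUTBOUND_ONLY = {
    ("office-agent-1", "consul-server-0", "tcp", SERF_LAN),
    ("office-agent-1", "consul-server-0", "udp", SERF_LAN),
    ("office-agent-1", "consul-server-0", "tcp", SERVER_RPC),
}


def audit(nodes, allowed):
    """Return the sorted list of required flows the policy does not permit.

    nodes:   {name: "server" | "client"}
    allowed: set of (src, dst, proto, port) tuples for new connections
    """
    missing = set()
    for src, dst in permutations(nodes, 2):
        # Every LAN pool member probes every other member directly, so each
        # ordered pair needs Serf LAN in both protocols. Reply traffic on an
        # outbound session does not cover probes initiated by the other side.
        for proto in ("tcp", "udp"):
            flow = (src, dst, proto, SERF_LAN)
            if flow not in allowed:
                missing.add(flow)
        # Every node must also reach each server's RPC port.
        if nodes[dst] == "server":
            flow = (src, dst, "tcp", SERVER_RPC)
            if flow not in allowed:
                missing.add(flow)
    return sorted(missing)


if __name__ == "__main__":
    for src, dst, proto, port in audit(NODES, OUTBOUND_ONLY):
        print(f"blocked: {src} -> {dst} {proto}/{port}")
```

With the outbound-only policy, the two blocked flows are the server-to-agent Serf probes, which corresponds to the failing serf check shown in the question.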