Can Consul API Gateway be used for east-west traffic?

Hi,
I am aware that consul api gw is used to enable external network clients to access applications and services running inside the consul mesh (north-south traffic). I was wondering if the API gateway can be used for east-west traffic inside the consul mesh?
Thanks

This seems to work for me:
managedGatewayClass:
serviceType: NodePort
useHostPorts: true

Then I can do path based routing such as: http://clusterip:port/api/path_abc that’s defined under HTTPRoute
Thanks!

Same topic but another question:
Is it possible to deploy two consul api gateways on the same consul cluster where

  1. First one with serviceType = LoadBalancer
  2. Second one (internal routing) with serviceType = ClusterIP or NodePort
    ?

Thanks!

Hi @kha7281! The serviceType is configured once per GatewayClass - you’ll see the name of the class configured on a Gateway object - so you’d essentially need a second GatewayClass (and related GatewayClassConfig) in order to use a different serviceType within the same cluster.

Consul-k8s configures the “consul-api-gateway” GatewayClass and related GatewayClassConfig behind the scenes. This single GatewayClass is what’s supported out of the box right now; however, if you really needed to have two different configurations in the same cluster, you could do so by creating your own secondary GatewayClassConfig and GatewayClass and then using gatewayClassName: my-other-gateway-class when creating your Gateway (see minimal example below).

The downside to this approach is that it isn’t officially supported today and isn’t managed by the consul-k8s Helm chart (assuming here that that’s your install method). Every time you completed an upgrade, you’d potentially need to mirror a set of changes over to your second GatewayClassConfig + GatewayClass (in addition to figuring out what that set of changes should be).

Here’s an example of what I was talking about above. Disclaimer: this code is not guaranteed to work and, as I mentioned above, this approach isn’t officially supported today.

---
apiVersion: api-gateway.consul.hashicorp.com/v1alpha1
kind: GatewayClassConfig
metadata:
  name: my-other-gateway-class-config
spec:
  ...
  serviceType: NodePort
  useHostPorts: true
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
  name: my-other-gateway-class
spec:
  controllerName: hashicorp.com/consul-api-gateway-controller
  parametersRef:
    group: api-gateway.consul.hashicorp.com
    kind: GatewayClassConfig
    name: my-other-gateway-class-config
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: nodeport-gateway
spec:
  gatewayClassName: my-other-gateway-class
  ...

Hi @nathancoleman
Thanks so much for your guidance. I am giving it a try and report back.

1 Like

Hi @nathancoleman
Happy to report that it worked. Preliminary testing shows that I can hit my services internally (defined in HTTPRoute) via this internal api gw. Example:
curl -si http://internal-api-gateway:8081/api/service-a
curl si http://internal-api-gateway:8081/api/service-b

The consul api gw is so flexible. In the future I hope the internal routing use case like mine can be installed officially via Helm.

Many thanks again