Configuration entries in federated Consul clusters


in a Consul mesh gateway federated Cluster setup are config entries also propagated through the primary to all secondary clusters or do I need to write the config to secondary explicitly?

I tried setting it up through the primary and also set the datacenter flag in the cli, but the Api gateway service did not appear in the secondary cluster

Hi @fmp88,

Yes, if you have federation with ACL replication enabled, the config entries are also replicated to the secondary DCs. In fact, if you write config entries against the secondary DCs, they will get routed to the primary DC, written in the primary DC, and then replicated to the secondary DCs.

Hi @Ranjandas ,
thanks for the clarification.

Does this mean if I upload a TLS certificate it will be distributed to all Consul clusters or can I restrict it to a certain cluster?

Hi @Ranjandas ,
when I use an API gateway and upload the TLS certificate for the listener, will that also be distributed in the federated cluster or is this specific to a single cluster?


Hi @fmp88,

First of all, please ignore my previous response about certificate distribution being outside the scope of Consul. That response was actually for another post; my apologies. I have deleted that response to avoid confusion.

The API Gateway listener certificates are configured as Config-Entries. If you are federating the cluster using WAN Federation with replication, these config entries will be replicated from primary to secondary clusters.

Hi @Ranjandas ,
no problem and thanks for the quick response.

So generally speaking all configuration entries are distributed in a federated mesh cluster?
If that is the case how can i tell consul that an api gateway configuration is for a specific cluster? Do I somehow need to pass the data center name?

For my primary cluster it works, but i fail to get an api gateway up and running in the secondary cluster

You will have to name gateways separately if you want to deploy them for separate use cases in specific DCs.

What issue are you facing in bringing up the API gateway in secondary DC? Do you have any logs that you can share?

I span up my clusters again, but now I have the issue again that the route does not bind

"failed to bind route to gateway consul-api-gw-tor1: gateway has not been accepted"

I am patching my vms to the latest consul version and then will deploy them again

This order is correct?

  1. Run and register Nomad service in consul mesh
  2. Allow intentions from api gateway to service
  3. Consul config entries
    3.1 TLS certificate upload
    3.2 Service defaults
    3.3 Api gateway config for listener
    3.4 Http route from api gateway to service