Consul as Envoy EDS

I wonder if Consul provides any endpoints that can be consumed by Envoy for Endpoint Discovery.

I want to set up Envoy as a public-facing proxy that will use a private Nomad cluster as its upstream cluster, and as the cluster scales, I want the Envoy configuration to be updated automatically.

I started looking at the Envoy docs and it seems Envoy can query members of a cluster via EDS (Endpoints Discovery Service) and dynamically update the upstream cluster.

So is there a Consul API that Envoy can query for endpoints?

Hi @seanlee10,

Are you looking to use Envoy as an ingress for a Nomad cluster that is using Consul service mesh (i.e., sidecars deployed for each task), or as a standalone ingress for a non-service mesh enabled cluster?

Consul service mesh uses Envoy as its data plane proxy and uses EDS to populate cluster endpoints. There’s no additional configuration required to use EDS service discovery.

We currently do not provide a way to use xDS outside of a full service mesh environment. If you’re looking to utilize Envoy as a standalone ingress, you might consider using logical DNS or static DNS service discovery to discover upstream endpoints.

Hi Blake, thanks for getting back to my question.

I’m thinking of having a standalone ingress (public) but to a service mesh (Consul) enabled cluster (private). So I’ll have two Envoys running. One runs in the public network and is custom managed by myself, and another runs in the private network managed by Consul.

From my humble research, it looks like I can generate Envoy configuration for the ingress by running this command, consul connect envoy, and hopefully the Envoy ingress can discover the Nomad cluster as an EDS cluster and then forward traffic to one of the containers managed by Nomad.

What I want to achieve is keeping my Nomad/Consul cluster running private and only exposed via this public-facing Envoy ingress.

Of course I still want to use sidecars for service-to-service communication. I recently discovered that I can leverage the DNS capability of Consul so that I can make calls like GET http://users.service.consul/api/v1/users within the app code and it will resolve to a container registered to the users service.

Maybe there are things I don’t understand quite clearly yet. I’d love to get the feedback from you.


Hi @seanlee10,

Consul 1.8 introduced support for ingress gateways, which enable you to expose services through the ingress and have the ingress route to backend services using mTLS.

Does this look like it would meet your requirements?
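
The ingress gateway setup mentioned in the reply above, as an added example that is not part of the original thread: a Consul config entry that exposes a single mesh service on one listener. The gateway name `ingress-service`, port 8080 and the file name are assumptions; `users` is the service name used in the question.

```hcl
# ingress-gateway.hcl (hypothetical file name)
# Apply with: consul config write ingress-gateway.hcl
#
# The gateway is the only component reachable from the public network.
# It connects to the "users" sidecar over mTLS using a certificate
# issued by the Consul CA, so the Nomad/Consul cluster stays private.

Kind = "ingress-gateway"
Name = "ingress-service" # assumed gateway service name

Listeners = [
  {
    # Assumed port; this is what the public side connects to.
    Port = 8080

    # A "tcp" listener forwards to exactly one service. Expose only the
    # services that are meant to be public; anything not listed here is
    # not routable through the gateway.
    Protocol = "tcp"

    Services = [
      {
        Name = "users"
      }
    ]
  }
]

# Start the gateway's Envoy on the public-facing node (Consul generates
# the bootstrap and serves endpoints to it over xDS):
#   consul connect envoy -gateway=ingress -register -service ingress-service
#
# If intentions are default-deny, the gateway also needs an explicit
# allow to the backend:
#   consul intention create ingress-service users
```

Keeping intentions default-deny and allowing only `ingress-service` to reach `users` limits what the public-facing proxy can reach inside the mesh if it is compromised.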