Consul Cluster and Consul Clients in different private networks

Hi,

We have a special on-premise setup with a focus on high network isolation.
The setup we want to implement is the following.

  • Consul cluster reachable from all private networks (example address space 100.xxx)
  • some Consul clients run in the same address space (100.xxx)
  • some Consul clients run in a completely isolated private network space (10.xx.xx.xx)

Our initial impression was that it's enough for the Consul client to reach the Consul server, and that the Consul server doesn't need to be able to reach the Consul client.

We have already achieved a similar setup with other solutions for other purposes.

After reading a lot of documentation and doing a first PoC, it looks like what we planned to do is not achievable with Consul here.

For better understanding, I will share an example setup of ours.

Network setup:

  • Consul cluster running in 10.68.2.0 (advertise_addr: 100.27.8.0)
  • Consul clients running in 10.67.6.0
  • network routing is set up like this:
      • 10.67.6.0 → 100.27.8.0 → 10.68.2.0

Have a nice day

Consul does require full bi-directional connectivity between all client and server agents.

The Consul Enterprise network segments feature can get around all clients needing to be able to connect with each other, but there is no way to remove the need for all clients to be reachable from the servers.

The 10,000-foot view diagram should go over the general requirements for Consul networking.
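As an added example (not from this thread and not Consul's own code): a small Python check, run from a server agent, that parses `consul members` output and reports every client whose Serf LAN port (8301 by default) the server cannot reach back. The member list and addresses are constructed from the setup in the question; the probe covers only the TCP side of gossip, so UDP 8301 still needs a separate check.

```python
import socket
from typing import Callable, Dict, List

SERF_LAN_PORT = 8301  # Consul default LAN gossip port; Serf uses it over TCP and UDP

# Constructed sample of `consul members` output modelled on the thread's setup:
# servers advertise in 100.27.8.0, one client lives in the isolated 10.67.6.0 network.
SAMPLE_MEMBERS = """\
Node      Address           Status  Type    Build   Protocol  DC   Partition  Segment
server-1  100.27.8.11:8301  alive   server  1.15.2  2         dc1  default    <all>
client-a  100.27.8.21:8301  alive   client  1.15.2  2         dc1  default    <default>
client-b  10.67.6.31:8301   alive   client  1.15.2  2         dc1  default    <default>
"""


def parse_members(text: str) -> List[Dict[str, str]]:
    """Parse the whitespace-separated `consul members` table into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        row["ip"], row["port"] = row["Address"].rsplit(":", 1)
        rows.append(row)
    return rows


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds. A TCP connect does not
    prove the UDP side of Serf is reachable; probe UDP separately."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unreachable_clients(members: List[Dict[str, str]],
                        probe: Callable[[str, int], bool] = tcp_probe) -> List[str]:
    """Run from a server agent: return client nodes whose Serf port the server
    cannot reach. Such a client can still join (client->server works), but the
    servers' failure detection will eventually mark it failed."""
    return [m["Node"] for m in members
            if m["Type"] == "client" and not probe(m["ip"], int(m["port"]))]


if __name__ == "__main__":
    for node in unreachable_clients(parse_members(SAMPLE_MEMBERS)):
        print(f"server cannot reach {node} on its Serf LAN port")
```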