Consul Connect Service Identity Token


Apologies if this was covered in a tutorial, but I have what may be a silly question.

If some of my Nomad jobs use Consul Connect, and Consul has ACL enabled, do I need a Consul agent (i.e. a Consul client agent) running on the same host as each server node in my Nomad cluster? It appears that Nomad client agents make a request to the Nomad server leader to request SI tokens on their behalf.

I could set up my Nomad servers to point to one of the Consul servers that are NOT co-located on the same host, or I could put a Consul agent on the Nomad servers themselves.

Is one way considered better than another?