Consul gossip between clients

Hi,

I am using a Consul cluster with 3 Consul servers and 25 Consul clients.

In my current configuration, every client communicates with every client over gossip. So I must allow the gossip port from every client to every client, which is not the best for security reasons.

Is it possible to configure the clients so that they only talk to the Consul servers?

Best regards,
Thomas

Hello Thomas,

Thanks for reaching out. Consul’s gossip is using https://www.serf.io/ and one of its important features is that it is decentralized. Even when your network is experiencing issues, Serf is able to spread information across the whole cluster.
Having said that, it is not possible to restrict gossip communication only to servers.

Thanks,
Hans

Hi @i0rek,

thanks for the response!

But why are there Consul agents and Consul servers when Consul is decentralized?
Does decentralized mean there is no central server?
If I stop the Consul servers, is the Consul backend no longer available?

Best regards,
Thomas

That’s right. Consul uses Serf to manage cluster membership. This part is decentralized and doesn’t rely on servers.
Consul provides other features as well like service discovery, kv store, and ultimately a service mesh and this information is stored centrally on the Consul servers.

Hope that makes sense. Thanks,
Hans

Ok, all right.

Thanks for the response! 🙂

Hello,

Does that mean that every Client must be able to communicate with all other Clients to have a working Gossip pool?

Would it work if some agent peer-links are blocked?

For example:

  • C1
    • -> C2
    • -> C3
  • C2
    • -> C3
    • -> C1 (blocked)
  • C3
    • C1
    • C2 (blocked)

Hi @fmartinou,

Consul Enterprise has Network Segments which allow creating dedicated gossip pools to support use cases like this where a full mesh of communication between agents is not possible.
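
The C1/C2/C3 topology from the question above, checked against the full mesh between agents that this answer refers to, as an added example that is not part of the original thread. The reading of the list (C3 -> C1 allowed, C3 -> C2 blocked) and the grouping into fully meshed sets are assumptions of this example, not Consul behaviour or Consul tooling.

```python
from itertools import combinations

# Constructed from the C1/C2/C3 list in the question: (source, destination)
# pairs where the gossip port is reachable. Assumed reading of the list:
# C2 -> C1 and C3 -> C2 are blocked, everything else is allowed.
ALLOWED = {("C1", "C2"), ("C1", "C3"), ("C2", "C3"), ("C3", "C1")}
AGENTS = ["C1", "C2", "C3"]


def broken_pairs(agents, allowed):
    """Return {pair: [blocked directions]} for pairs lacking two-way reachability."""
    result = {}
    for a, b in combinations(sorted(agents), 2):
        missing = [f"{s}->{d}" for s, d in ((a, b), (b, a)) if (s, d) not in allowed]
        if missing:
            result[(a, b)] = missing
    return result


def meshed_groups(agents, allowed):
    """Maximal sets of agents in which every pair is reachable both ways.

    Uses the Bron-Kerbosch maximal clique enumeration on the graph whose
    edges are the pairs with reachability in both directions.
    """
    peers = {
        a: {b for b in agents if b != a and (a, b) in allowed and (b, a) in allowed}
        for a in agents
    }
    groups = []

    def expand(chosen, candidates, excluded):
        if not candidates and not excluded:
            groups.append(sorted(chosen))
            return
        for v in list(candidates):
            expand(chosen | {v}, candidates & peers[v], excluded & peers[v])
            candidates = candidates - {v}
            excluded = excluded | {v}

    expand(set(), set(agents), set())
    return sorted(groups)


if __name__ == "__main__":
    for pair, missing in broken_pairs(AGENTS, ALLOWED).items():
        print(pair, "blocked:", ", ".join(missing))
    print("fully meshed groups:", meshed_groups(AGENTS, ALLOWED))
```

Feeding it the allow rules exported from a firewall policy shows which agent pairs break the full mesh before any agent is deployed.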

Thank you for your quick answer @blake.
If I understand well, without using Network Segments, this kind of topology just won’t work?