Consul Initial Federation through Mesh Gateways

Is it possible to federate 2 consul clusters initially through mesh gateways?
According to this quick overview: WAN Federation Through Mesh Gateways - Overview | Consul | HashiCorp Developer
it should be possible to start up a primary DC1 and federate a second DC2 through an up and running mesh gateway in DC1.

I have been trying to do this for several days now and I’m not able to get it to work.
Some facts beside:
Both DC1 and DC2 consul servers don’t have public IP addresses - the goal should be to only communicate across the mesh gateways.
Though as stated in this guide, initially I tried to bind consul servers in DC2 to public IP addresses that are able to reach the mesh gateway in DC1. But I really get confused in doing so because I’m not able to clearly trace where the connection starts to get interrupted.

What ports need to be enabled on the primary DC1 mesh gateway to allow the initial federation to happen from DC2 - is 8443 enough? Does the consul client running on the same host as the mesh gateway also need to be exposed with its port?

Any help would be appreciated.
A lot of the guides on service mesh gateway topics on the consul docs website describe adding mesh gateways after a federation already happened - so I’m a bit thrown what exactly needs to be done to get a federation going with only the mesh gateways’ public IPs exposed.

Any help would be appreciated!

Hi @fluxkompensator,

Welcome to the HashiCorp Forums!

Yes, it is possible to federate 2 Consul DCs over the mesh gateways. However, one essential requirement for this to work is to have the Consul Servers in DC2 be able to talk to the Mesh Gateway of DC1. This one-time requirement would enable the secondary Mesh Gateway to start, which can be considered an initial handshake between DCs.

This is documented here: WAN Federation Through Mesh Gateways - Overview | Consul | HashiCorp Developer.

Once the initial replication is successful, and the mesh gateway in DC2 starts successfully, all the traffic from there on would go between the mesh gateways.

In addition to the above, the following doc summarises the steps in federating two DCs over mesh gateways (e.g., TLS requirement, expose-server requirement, config example etc.).

ref: Enabling WAN Federation Control Plane Traffic | Consul | HashiCorp Developer

Thank you very much @Ranjandas for that fast and clear reply, I will try to get this up and running again tomorrow. I will report back about what my essential problem was then, at least I now know for sure this is possible!

So the first mistake I made was not adding “-expose-servers” to DC2, I only added it in DC1 - I got most of my settings from this guide / this config for mesh gateway DC2: getting-into-consul/ at part-11 · jcolemorrison/getting-into-consul · GitHub
Not adding this flag produced a lot of errors in my log files and I was never able to reach DC2 from DC1. //Edit I was probably blind in one eye reading this file, as the flag is there, but I thought it wasn’t needed.

The second thing (still investigating this) is maybe due to having the same private IP subnets in both datacenters, but I’m not sure if this really is a problem - will report back on this.

Thanks so far, I will mark your answer as the solution as it basically answered my question instantly.

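As an added worked example (not from the thread, the linked docs page or the jcolemorrison repository), the configuration below puts the answer and the follow-up together: DC2's servers point `primary_gateways` at DC1's mesh gateway, which is the one connection DC2 must be able to make before its own gateway comes up, and the gateway in each datacenter is registered with `-expose-servers`. The IP addresses, certificate paths and file names are placeholders; 8443 is simply the gateway port used in the question; ACL replication is left out.

```hcl
# Added example, not the thread's or the linked guide's own config.
# All addresses and certificate paths are placeholders.

# ---------- DC1 (primary) server: /etc/consul.d/server.hcl ----------
server             = true
bootstrap_expect   = 3
datacenter         = "dc1"
primary_datacenter = "dc1"

connect {
  enabled                            = true
  enable_mesh_gateway_wan_federation = true   # route server-to-server WAN traffic through the mesh gateways
}

tls {
  defaults {
    ca_file         = "/etc/consul.d/certs/consul-agent-ca.pem"
    cert_file       = "/etc/consul.d/certs/dc1-server-consul-0.pem"
    key_file        = "/etc/consul.d/certs/dc1-server-consul-0-key.pem"
    verify_incoming = true                    # TLS is mandatory for gateway-based federation
    verify_outgoing = true
  }
  internal_rpc {
    verify_server_hostname = true             # server cert must be issued for server.dc1.consul
  }
}

ports {
  grpc = 8502   # xDS port the Envoy gateway on this host uses to talk to its local agent
}

# ---------- DC2 (secondary) server: /etc/consul.d/server.hcl ----------
server             = true
bootstrap_expect   = 3
datacenter         = "dc2"
primary_datacenter = "dc1"

# Reachable (public) address of DC1's mesh gateway; placeholder value.
# This is the only DC1 endpoint DC2's servers need for the initial handshake.
primary_gateways = ["203.0.113.10:8443"]

connect {
  enabled                            = true
  enable_mesh_gateway_wan_federation = true
}

tls {
  defaults {
    ca_file         = "/etc/consul.d/certs/consul-agent-ca.pem"
    cert_file       = "/etc/consul.d/certs/dc2-server-consul-0.pem"
    key_file        = "/etc/consul.d/certs/dc2-server-consul-0-key.pem"
    verify_incoming = true
    verify_outgoing = true
  }
  internal_rpc {
    verify_server_hostname = true             # server cert must be issued for server.dc2.consul
  }
}

ports {
  grpc = 8502
}

# ---------- Mesh gateway registration, run on the gateway host in EACH datacenter ----------
# -expose-servers is what lets the other datacenter's servers reach this DC's servers
# through the gateway; it must be present on both gateways, not only DC1's.
#
#   DC1 host:
#   consul connect envoy -gateway=mesh -register -expose-servers \
#     -address "10.1.0.5:8443" -wan-address "203.0.113.10:8443"
#
#   DC2 host:
#   consul connect envoy -gateway=mesh -register -expose-servers \
#     -address "10.2.0.5:8443" -wan-address "198.51.100.20:8443"
```

Order of operations that matches the answer: start DC1's servers, register DC1's gateway with `-expose-servers`, then start DC2's servers with `primary_gateways` set to the DC1 gateway's WAN address, and finally register DC2's gateway. Once DC2's gateway is registered, the cross-DC traffic goes gateway to gateway and DC2's servers no longer need a direct path to DC1.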