Consul on public IPs?

Hello,

I am reading the Consul documentation and use cases, and I see it is best suited for containers or servers within a datacenter LAN.

In my case I have some dedicated servers with only a public address (1 NIC) on which I would like to be able to use Consul services.

I see there are configuration options to bind to the WAN address, but is this safe?

I could create firewall rules to allow Consul traffic only from the servers' IPs, but this will need constant updates for every change of IPs for new nodes.

Another doubt I have is: can Consul servers run on machines hosting other services, or is it better practice to use dedicated instances for Consul servers?

Thank you.
P.

Hi @pyx69,

It's probably best to think of LAN and WAN in terms of their literal sense, and not in terms of address type (i.e., private RFC1918 addresses vs global unicast addresses).

A local area network (LAN) is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, university campus or office building.

A wide area network (WAN) is a telecommunications network that extends over a large geographical area for the primary purpose of computer networking.

A LAN is a network that you own & control. The WAN are the networks outside of your organization which interconnect you to the wider internet.

Consul can be used with any IP address. It does not differentiate between public and private addresses. In fact, there is no technical difference between the two other than the fact that the Internet community has agreed by policy not to route IPv4 “private” (and to some extent IPv6) addresses across organizational boundaries, which restricts them to a local site.

You can configure Consul to bind to your public IP address. As you’ve highlighted, the primary concern is establishing security at your network perimeter. I would recommend only allowing connectivity to Consul’s ports from trusted IP ranges. Everything else should be denied at your perimeter.

Generally Consul is deployed on dedicated server nodes. However, the decision will largely depend on the scale of your deployment & performance requirements. I recommend reviewing Server Performance Requirements | Consul | HashiCorp Developer to gain a better understanding of Consul’s CPU, memory, and disk requirements.

Hope this helps.
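
One way to restrict Consul's ports to trusted peers without rewriting rules for every new node, as an added example that is not part of the thread or of HashiCorp's documentation: the rules reference a named nftables set, so a node change only touches the set. Assumptions: Consul's default ports, the hypothetical table and set names `consul_filter` and `consul_peers`, and constructed sample addresses.

```shell
# Added example: emit an nftables ruleset that admits Consul traffic only from
# a named set of trusted peers. Addresses used here are constructed samples.
# Assumption: Consul default ports (8300 RPC, 8301/8302 gossip, 8500 HTTP, 8600 DNS).
CONSUL_TCP_PORTS="8300, 8301, 8302, 8500, 8600"
CONSUL_UDP_PORTS="8301, 8302, 8600"

# Return 0 only for a dotted-quad IPv4 address (octets 0..255, no leading zeros),
# so nothing but an address can ever reach the generated ruleset.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|''|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset for the peers given as arguments; fail on a bad address.
consul_nft_ruleset() {
    elements=""
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid peer address: $ip" >&2; return 1; }
        elements="${elements:+$elements, }$ip"
    done
    set_line=""   # nft rejects an empty elements list, so omit the line instead
    if [ -n "$elements" ]; then set_line="        elements = { $elements }"; fi
    cat <<EOF
table inet consul_filter {
    set consul_peers {
        type ipv4_addr
$set_line
    }
    chain input {
        # policy accept: only the Consul ports are restricted by this table
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        ip saddr @consul_peers tcp dport { $CONSUL_TCP_PORTS } accept
        ip saddr @consul_peers udp dport { $CONSUL_UDP_PORTS } accept
        tcp dport { $CONSUL_TCP_PORTS } drop
        udp dport { $CONSUL_UDP_PORTS } drop
    }
}
EOF
}
```

Pipe the output of `consul_nft_ruleset 198.51.100.10 198.51.100.11` into `nft -f -` on each node; when a node joins later, `nft add element inet consul_filter consul_peers { <new-ip> }` updates the allowlist without touching the rules.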