Consul replicaion for kv in cross region

Hi All,

Please share your approach to replicate consul cluster which have kv ( ACL )from one region to another region.


If you just need to replicate the KV then consul-replicate will do what you need.

Thanks. Can we also replicate the ACL tokens also. ?

ACL tokens and policies can already be replicated. In fact the default behavior in 1.4.0+ requires replicating policies and token replication can then be enabled with the acl.enable_token_replication configuration setting.

The ACL system in Consul requires you to pick a primary Datacenter. After that all servers in secondary data enters should be given a replication token that grants acl = “write” for token replication or acl = “read” for policy only replication. Then once replication has caught up all your tokens and policies can be used in every Datacenter.

One thing to note is that you don’t have to replicate tokens to use them within secondary datacenters. (policy replication is always mandatory though). If not replicating tokens a cross-dc request will be made to the primary Datacenter to resolve the token when it is used.

Also pre-1.4.0 the ACL system was very different so all of this would happen a little differently. In either case using tokens from the primary/authoritative Datacenter even without replication should work.

1 Like

I’m planning to eventually release something that can replicate consul kv changes in real time, but right now it is very alpha state. I’ll reply here if I get it to a state I think others can use :slight_smile:

1 Like