Consul Service Mesh Intentions "Deny" Not Blocking API Access to Database

Hi,

I have a setup with 4 Vagrant VMs running Consul (on VMs), and I'm following this tutorial to get started. However, I'm encountering an issue where changing my intention from allow to deny for the source api to the destination db doesn't seem to work. The api application can still connect to the db, which it shouldn't.

What am I missing here?

My Setup

Consul Server: 1 node
Bastion Host: 1 node
Django API: 1 node
PostgreSQL Database: 1 node

Consul Members

john@baston:~$ consul members
Node             Address              Status  Type    Build   Protocol  DC   Partition  Segment
consul-server-0  192.168.56.200:8301  alive   server  1.18.2  2         dc1  default    <all>
api              192.168.56.201:8301  alive   client  1.18.2  2         dc1  default    <default>
db               192.168.56.202:8301  alive   client  1.18.2  2         dc1  default    <default>

Consul Services

john@baston:~$ consul catalog services
consul
api
api-sidecar-proxy
db
db-sidecar-proxy

Intentions

john@baston:~$ consul intention list
ID  Source           Action  Destination    Precedence
    api              deny    db             9

svc-api.hcl

john@api:/etc/consul.d$ cat svc-api.hcl 
## svc-api.hcl
service {
  name  = "api"
  id    = "api-1"
  port  = 8080
  token = "1a6d18f7-0c19-6cb3-fb3d-41ed2bcdf433"

  connect {
    sidecar_service {
      proxy {
        # The sidecar exposes upstream "db" to the api process on localhost:5432.
        upstreams = [
          {
            destination_name = "db"
            local_bind_port  = 5432
          }
        ]
      }
    }
  }

  checks = [
    {
      id         = "check-api.public"
      name       = "api.public status check"
      service_id = "api-1"
      tcp        = "192.168.56.201:8080"
      interval   = "5s"
      timeout    = "5s"
    }
  ]
}

svc-db.hcl

john@database:/etc/consul.d$ cat svc-db.hcl 
## svc-db.hcl
service {
  name  = "db"
  id    = "db-1"
  port  = 5432
  token = "1a6d18f7-0c19-6cb3-fb3d-41ed2bcdf433"

  connect {
    sidecar_service {}
  }

  check {
    id         = "check-db"
    name       = "db status check"
    service_id = "db-1"
    tcp        = "192.168.56.202:5432"
    interval   = "5s"
    timeout    = "5s"
  }
}

django settings.py

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': 'django_db',
        'USER': 'UserName',
        'PASSWORD': 'Password',
        'HOST': '192.168.56.202',
        'PORT': '5432'
    }
}

Hi @cody.s.kody,

Welcome to the HashiCorp Forums!

I can see that your settings.py has HOST set to the IP address of the DB VM. When using Service Mesh, you should dial the remote services over localhost:<local_bind_port>.

So, in your case, the HOST should be 127.0.0.1 and the PORT should be 5432 (the local_bind_port in your svc-api.hcl). This is because the service mesh intentions are enforced by the Envoy sidecar proxies.

I hope this helps.
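The root cause in the answer above is worth turning into a repeatable check: an intention is only enforced when the application dials its upstream through the local sidecar bind, so any database HOST that is not a loopback address (or a loopback port with no matching local_bind_port) silently bypasses the mesh. The script below is an added example, not code from the thread or from Consul; it scans a sidecar definition in the style of svc-api.hcl for upstream bind ports with a minimal regex (not a full HCL parser) and flags Django DATABASES entries that would not go through the proxy. The HCL text and the DATABASES dicts are constructed samples modelled on the post.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant part of an api sidecar definition, modelled on svc-api.hcl.
SVC_API_HCL = """
service {
  name = "api"
  port = 8080
  connect {
    sidecar_service {
      proxy {
        upstreams = [
          {
            destination_name = "db"
            local_bind_port = 5432
          }
        ]
      }
    }
  }
}
"""

# Constructed Django DATABASES settings (credentials omitted; they do not affect the check).
# DATABASES_DIRECT dials the DB VM directly, exactly the misconfiguration from the question.
DATABASES_DIRECT = {
    "default": {"ENGINE": "django.db.backends.postgresql", "HOST": "192.168.56.202", "PORT": "5432"}
}
# DATABASES_MESH dials the sidecar's local bind, which is where intentions are enforced.
DATABASES_MESH = {
    "default": {"ENGINE": "django.db.backends.postgresql", "HOST": "127.0.0.1", "PORT": "5432"}
}

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_upstreams(hcl_text: str) -> Dict[int, str]:
    """Return {local_bind_port: destination_name} for each upstream entry.

    Regex scan of brace-delimited blocks that contain destination_name; this is a
    deliberately small heuristic for the shape shown above, not an HCL parser.
    """
    upstreams: Dict[int, str] = {}
    for block in re.finditer(r"\{([^{}]*destination_name[^{}]*)\}", hcl_text):
        body = block.group(1)
        name = re.search(r'destination_name\s*=\s*"([^"]+)"', body)
        port = re.search(r"local_bind_port\s*=\s*(\d+)", body)
        if name and port:
            upstreams[int(port.group(1))] = name.group(1)
    return upstreams


def mesh_bypass_findings(databases: dict, upstreams: Dict[int, str]) -> List[str]:
    """List every DATABASES entry whose connection would not pass through the sidecar."""
    findings: List[str] = []
    for alias, cfg in databases.items():
        host = str(cfg.get("HOST", "")).strip()
        port = int(cfg.get("PORT") or 5432)  # PostgreSQL default when PORT is unset
        if not host:
            # Empty HOST means a local Unix socket: no proxy in the path at all.
            findings.append(f"{alias}: empty HOST uses a Unix socket and bypasses the sidecar")
        elif host not in LOOPBACK_HOSTS:
            findings.append(
                f"{alias}: HOST {host!r} dials the database directly; intentions are only "
                f"enforced by the sidecar, so use a loopback address and a local_bind_port"
            )
        elif port not in upstreams:
            findings.append(f"{alias}: PORT {port} matches no upstream local_bind_port")
    return findings


if __name__ == "__main__":
    binds = parse_upstreams(SVC_API_HCL)
    for label, dbs in (("direct", DATABASES_DIRECT), ("mesh", DATABASES_MESH)):
        problems = mesh_bypass_findings(dbs, binds)
        print(label, "->", problems or "OK: all connections go through the sidecar")
```

Run it against a real settings module and sidecar file before deploying; a clean result means the intention check done by the proxy is actually in the request path, which can then be confirmed on the CLI with `consul intention check api db`.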

Hi @Ranjandas,
Thank you for your answer. It worked!
Could you also guide me on how to integrate service discovery with this setup?