Consul Service Mesh Intentions "Deny" Not Blocking API Access to Database


I have a setup with 4 Vagrant VMs running Consul (on VMs), and I’m following this tutorial to get started. However, I’m encountering an issue where changing my intention from allow to deny for the source api to the destination db doesn’t seem to work. The api application can still connect to the db, which it shouldn’t.

What am I missing here?

My Setup

Consul Server: 1 node
Bastion Host: 1 node
Django API: 1 node
PostgreSQL Database: 1 node

Consul Members

john@baston:~$ consul members
Node             Address              Status  Type    Build   Protocol  DC   Partition  Segment
consul-server-0  alive   server  1.18.2  2         dc1  default    <all>
api      alive   client  1.18.2  2         dc1  default    <default>
db       alive   client  1.18.2  2         dc1  default    <default>

Consul Services

john@baston:~$ consul catalog services


john@baston:~$ consul intention list
ID  Source           Action  Destination    Precedence
    api              deny    db             9


john@api:/etc/consul.d$ cat svc-api.hcl 
## svc-api.hcl
service {
  name = "api"
  id = "api-1"
  port = 8080
  token = "1a6d18f7-0c19-6cb3-fb3d-41ed2bcdf433"
  connect {
    sidecar_service {
      proxy {
        # the sidecar listens on 127.0.0.1:5432 and forwards to the db upstream
        upstreams = [
          {
            destination_name = "db"
            local_bind_port = 5432
          }
        ]
      }
    }
  }
  checks = [
    {
      id = "check-api.public"
      name = "api.public status check"
      service_id = "api-1"
      tcp = ""    # check target elided in the post
      interval = "5s"
      timeout = "5s"
    }
  ]
}

john@database:/etc/consul.d$ cat svc-db.hcl 
## svc-db.hcl
service {
  name = "db"
  id = "db-1"
  port = 5432
  token = "1a6d18f7-0c19-6cb3-fb3d-41ed2bcdf433"
  connect {
    sidecar_service {}
  }
  checks = [
    {
      id = "check-db"
      name = "db status check"
      service_id = "db-1"
      tcp = ""    # check target elided in the post
      interval = "5s"
      timeout = "5s"
    }
  ]
}


DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': 'django_db',
        'USER': 'UserName',
        'PASSWORD': 'Password',
        'HOST': '',   # value elided in the post
        'PORT': '5432'
    }
}

Hi @cody.s.kody,

Welcome to the HashiCorp Forums!

I can see that you have HOST set to the IP address of the DB VM. When using Service Mesh, you should dial the remote services over localhost:<local_bind_port>.

So, in your case, the HOST should be, and the PORT be 5432 (the local_bind_port on your svc-api.hcl). This is because the service mesh intentions are enforced by the envoy sidecar proxies.

I hope this helps.
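The point in the answer above is worth turning into a check: an intention is only enforced on traffic that actually passes through the Envoy sidecar, and the sidecar only sees traffic sent to 127.0.0.1:<local_bind_port> on the api node. The following is an added example, not code from the thread or from Consul, that audits a Django DATABASES setting against the upstreams declared in svc-api.hcl and flags any alias that dials the database directly. The service definition and settings embedded in it are constructed copies of the ones in the thread; the address 192.0.2.10 is a documentation-range placeholder for the db VM, not the poster's real address, and parse_upstreams is a deliberately small regex scan rather than a full HCL parser.

```python
"""
Audit: does this Django app reach PostgreSQL through the Consul Connect
sidecar (so intentions apply), or does it dial the db VM directly?

Added example; not from the original thread or from Consul.
"""
import ipaddress
import re

# Constructed copy of the thread's svc-api.hcl (token omitted).
SVC_API_HCL = """
service {
  name = "api"
  id = "api-1"
  port = 8080
  connect {
    sidecar_service {
      proxy {
        upstreams = [
          {
            destination_name = "db"
            local_bind_port = 5432
          }
        ]
      }
    }
  }
}
"""

# Assumes destination_name precedes local_bind_port in each upstream block,
# as in the thread's file. Not a general HCL parser.
UPSTREAM_RE = re.compile(
    r'destination_name\s*=\s*"(?P<name>[^"]+)"\s*'
    r'local_bind_port\s*=\s*(?P<port>\d+)',
    re.S,
)


def parse_upstreams(hcl_text):
    """Return {destination_name: local_bind_port} for each declared upstream."""
    return {m["name"]: int(m["port"]) for m in UPSTREAM_RE.finditer(hcl_text)}


def is_loopback(host):
    """True only for 'localhost' or a loopback IP; '' (Unix socket) and
    remote addresses both bypass the sidecar."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_database_config(databases, upstreams, expected_upstream="db"):
    """Return a list of findings; an empty list means every alias dials the
    sidecar's local listener for the expected upstream."""
    findings = []
    for alias, cfg in databases.items():
        host = str(cfg.get("HOST", ""))
        if not is_loopback(host):
            findings.append(
                f"{alias}: HOST={host!r} is not loopback; traffic bypasses the "
                f"sidecar, so intentions are never evaluated"
            )
        try:
            port = int(cfg.get("PORT", ""))
        except (TypeError, ValueError):
            findings.append(f"{alias}: PORT={cfg.get('PORT')!r} is not a number")
            continue
        bound = upstreams.get(expected_upstream)
        if bound != port:
            findings.append(
                f"{alias}: PORT={port} does not match local_bind_port {bound!r} "
                f"for upstream {expected_upstream!r}"
            )
    return findings


# Constructed settings: the failing shape from the thread (direct dial to the
# db VM; 192.0.2.10 is a placeholder address) ...
DATABASES_DIRECT = {
    "default": {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": "django_db",
        "USER": "UserName",
        "PASSWORD": "Password",
        "HOST": "192.0.2.10",
        "PORT": "5432",
    }
}

# ... and the corrected shape: dial the sidecar's local listener instead.
DATABASES_VIA_SIDECAR = {
    "default": {**DATABASES_DIRECT["default"], "HOST": "127.0.0.1"}
}

if __name__ == "__main__":
    ups = parse_upstreams(SVC_API_HCL)
    for label, dbs in (("direct", DATABASES_DIRECT), ("sidecar", DATABASES_VIA_SIDECAR)):
        found = audit_database_config(dbs, ups)
        print(label, "OK" if not found else found)
```

Two follow-up checks a practitioner would run on the real nodes: confirm the intention outcome with `consul intention check api db` on the api node, and remember that a deny intention only helps if the database cannot be reached any other way. If PostgreSQL on the db VM listens on its public address, anything on the network can still connect to port 5432 and skip the mesh entirely; bind it to localhost (or firewall the port so that only the db node's own sidecar can reach it) so that the mTLS listener is the only way in.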

Hi @Ranjandas,
Thank you for your answer. It worked!
Could you also guide me on how to integrate service discovery with this setup?