Hi,
I have a setup with 4 Vagrant VMs running Consul (on VMs), and I’m following this tutorial to get started. However, I’m encountering an issue where changing my intention from allow to deny for the source api to the destination db doesn’t seem to work. The api application can still connect to the db, which it shouldn’t.
What am I missing here?
My Setup
Consul Server: 1 node
Bastion Host: 1 node
Django API: 1 node
PostgreSQL Database: 1 node
Consul Members
john@baston:~$ consul members
Node             Address              Status  Type    Build   Protocol  DC   Partition  Segment
consul-server-0  192.168.56.200:8301  alive   server  1.18.2  2         dc1  default    <all>
api              192.168.56.201:8301  alive   client  1.18.2  2         dc1  default    <default>
db               192.168.56.202:8301  alive   client  1.18.2  2         dc1  default    <default>
Consul Services
john@baston:~$ consul catalog services
consul
api
api-sidecar-proxy
db
db-sidecar-proxy
Intentions
john@baston:~$ consul intention list
ID  Source  Action  Destination  Precedence
    api     deny    db           9
svc-api.hcl
john@api:/etc/consul.d$ cat svc-api.hcl
## svc-api.hcl
service {
  name  = "api"
  id    = "api-1"
  port  = 8080
  token = "1a6d18f7-0c19-6cb3-fb3d-41ed2bcdf433"
  connect {
    sidecar_service {
      proxy {
        upstreams = [
          {
            destination_name = "db"
            local_bind_port  = 5432
          }
        ]
      }
    }
  }
  checks = [
    {
      id         = "check-api.public",
      name       = "api.public status check",
      service_id = "api-1",
      tcp        = "192.168.56.201:8080",
      interval   = "5s",
      timeout    = "5s"
    }
  ]
}
svc-db.hcl
john@database:/etc/consul.d$ cat svc-db.hcl
## svc-db.hcl
service {
  name  = "db"
  id    = "db-1"
  port  = 5432
  token = "1a6d18f7-0c19-6cb3-fb3d-41ed2bcdf433"
  connect {
    sidecar_service { }
  }
  check {
    id         = "check-db",
    name       = "db status check",
    service_id = "db-1",
    tcp        = "192.168.56.202:5432",
    interval   = "5s",
    timeout    = "5s"
  }
}
django settings.py
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': 'django_db',
        'USER': 'UserName',
        'PASSWORD': 'Password',
        'HOST': '192.168.56.202',
        'PORT': '5432'
    }
}
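
Added example, not part of the original post: Consul intentions are enforced by the sidecar proxies, so they only apply to connections that enter the mesh through the upstream listener declared in svc-api.hcl. The check below compares the DATABASES entry with that upstream, using values copied from the post; `check_db_route` and `is_loopback` are hypothetical helper names, and Consul's default `local_bind_address` of 127.0.0.1 is assumed.

```python
import ipaddress

# Constructed from the values shown in the post's svc-api.hcl and settings.py.
UPSTREAMS = [{"destination_name": "db", "local_bind_port": 5432}]
DATABASES = {"default": {"HOST": "192.168.56.202", "PORT": "5432"}}


def is_loopback(host):
    """True when host names the local machine, where the sidecar listens."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as remote


def check_db_route(db, upstreams):
    """Return (via_sidecar, reason) for one Django DATABASES entry."""
    host = db.get("HOST", "")
    port = int(db.get("PORT") or 5432)  # empty PORT means the PostgreSQL default
    if not host or host.startswith("/"):
        return False, "Unix socket connection never reaches the sidecar"
    if not is_loopback(host):
        return False, f"{host}:{port} is dialed directly, bypassing the sidecar"
    for up in upstreams:
        # Upstream listeners bind to 127.0.0.1 unless local_bind_address is set.
        bind = up.get("local_bind_address", "127.0.0.1")
        if up["local_bind_port"] == port and is_loopback(bind):
            return True, f"routed through upstream '{up['destination_name']}'"
    return False, f"no upstream listener on loopback port {port}"


if __name__ == "__main__":
    for alias, db in DATABASES.items():
        ok, reason = check_db_route(db, UPSTREAMS)
        print(f"{alias}: {'mesh' if ok else 'NOT mesh'} - {reason}")
```

A route reported as direct is outside the reach of any intention; whether the database port also accepts connections on its node address is a separate setting on the db host.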