Consul TLS multi DC architecture advice needed

Hello. We’re looking to build a consul+nomad stack that must be very flexible: as well as quickly scaling within a region, we need to be able to add new clusters in different regions on different providers very quickly.
I was hoping that using Consul Connect would allow us to simplify the networking layer, so that we don’t have to think about VPNs or whitelisting IPs. I have a working multi-dc setup with consul and now want to try to expand it to other DCs.
The issue is (from the docs):

A federated Consul environment requires the server certificate to include the names of all Consul datacenters that are within the federated environment.

But we don’t know in advance how many DCs we’re going to have, or where they might be. I’d really like some advice on how to architect this in a way that will not require us to redistribute hundreds of certificates. We want to create completely immutable infrastructure without the need for config management.
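The quoted requirement boils down to a SAN check: a federated server certificate has to carry one `server.<datacenter>.<domain>` DNS name per datacenter. The following script, added to this thread as an example and not code from the thread or from HashiCorp, reads the SAN list as `openssl x509 -noout -ext subjectAltName` prints it, reports which datacenter names a certificate is missing, and builds the `consul tls cert create` command that would reissue it with `-additional-dnsname` entries. It assumes the `server.<dc>.<domain>` naming convention with the default domain `consul`, treats only exact SAN matches as valid (no wildcard handling), and uses a constructed openssl output for its sample input.

```python
"""Check a Consul server certificate's SANs against a list of federated
datacenters and print the reissue command that would cover all of them.

Added example for this thread, not code from the thread or from HashiCorp.
Assumptions (not stated on the page): Consul verifies a federated server
against the DNS name server.<datacenter>.<domain>, the default domain is
"consul", and SAMPLE_OPENSSL_OUTPUT mimics what
`openssl x509 -in server.pem -noout -ext subjectAltName` prints.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample: the subjectAltName dump of a certificate issued with
# `consul tls cert create -server -dc dc1` (one DC only, plus localhost).
SAMPLE_OPENSSL_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:server.dc1.consul, DNS:localhost, IP Address:127.0.0.1
"""


def parse_san_dns_names(openssl_text: str) -> set[str]:
    """Extract the DNS: entries from openssl's subjectAltName extension dump."""
    return set(re.findall(r"DNS:([^,\s]+)", openssl_text))


def required_server_names(datacenters: Iterable[str], domain: str = "consul") -> set[str]:
    """Every datacenter in the federation needs server.<dc>.<domain> on the cert."""
    return {f"server.{dc}.{domain}" for dc in datacenters}


def missing_federation_names(
    san_dns_names: Iterable[str], datacenters: Iterable[str], domain: str = "consul"
) -> set[str]:
    """Return the datacenter names the certificate lacks.

    Exact string match only: a wildcard SAN is deliberately not treated as
    covering a datacenter, so the check errs on the side of reporting a gap.
    """
    return required_server_names(datacenters, domain) - set(san_dns_names)


def regenerate_command(local_dc: str, datacenters: Iterable[str], domain: str = "consul") -> str:
    """Build the `consul tls cert create` invocation covering all datacenters.

    -dc adds server.<local_dc>.<domain> itself; every other datacenter is
    appended with -additional-dnsname (a real flag of this subcommand).
    """
    own_name = f"server.{local_dc}.{domain}"
    extra = sorted(required_server_names(datacenters, domain) - {own_name})
    parts = ["consul", "tls", "cert", "create", "-server", f"-dc={local_dc}", f"-domain={domain}"]
    parts += [f"-additional-dnsname={name}" for name in extra]
    return " ".join(parts)


def audit(openssl_text: str, local_dc: str, datacenters: Iterable[str], domain: str = "consul") -> dict:
    """Combine the steps: parse SANs, find gaps, and suggest the reissue command."""
    dcs = list(datacenters)
    sans = parse_san_dns_names(openssl_text)
    missing = missing_federation_names(sans, dcs, domain)
    return {
        "present": sorted(sans),
        "missing": sorted(missing),
        "reissue": regenerate_command(local_dc, dcs, domain) if missing else None,
    }


if __name__ == "__main__":
    # Federation of three datacenters; the sample cert only names dc1.
    report = audit(SAMPLE_OPENSSL_OUTPUT, "dc1", ["dc1", "dc2", "eu-west"])
    print("SANs present :", report["present"])
    print("SANs missing :", report["missing"])
    if report["reissue"]:
        print("Reissue with :", report["reissue"])
```

Run it against a real certificate by piping `openssl x509 -in server.pem -noout -ext subjectAltName` into `audit()`. The reissue command is only a starting point: adding a datacenter after the fact still means a new certificate for every server, which is exactly the redistribution cost the question is about.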



Can you please provide a link to the docs? I was just curious but was unable to find the given citation.


Sorry for the late reply, I was on holiday last week. The line is here:

You have to click on the “Federated Consul Datacenter” tab

Thank you for the link, I was unable to find it anywhere. Also this is the first time I have seen it documented anywhere.

I did a little test setup with two consul clusters federated via WAN Mesh Gateways (with gossip encryption, TLS auth and ACLs) and didn’t do anything like this. Both clusters share a single CA generated for the primary cluster and everything works just fine (ACL replication, service discovery, consul connect).

Unfortunately I don’t run this setup in production, so I don’t have much real information for you.

Also I am curious why exactly such a thing is needed :thinking: It doesn’t make much sense to me and looks like quite a serious hit to scalability :man_shrugging:.