Consul to consul connect incremental migration

dantodor · October 7, 2019, 7:09am

Hello!

My question is regarding a path for incremental migration. Let’s assume I have used Consul service discovery for a while, and I would like to migrate to Connect. But forcing Connect on everybody is not really an option. Thus, I would like to deploy, for starters, Envoy proxy on a few selected services, see how they work, then gradually have everybody join the mesh.

The most important feature I’m looking for is have Service A registering to Consul, without sidecar, then have it defined as upstream in Service B, which uses Envoy. So service B would need to know only the port on localhost where to connect, and from there Envoy routing and service discovery capabilities take over.

Is that even possible ?

Thank you!

blake · November 17, 2019, 5:27am

Hello,

It is not possible to support this scenario in Consul. Connect utilizes mutual TLS between applications participating in the mesh. Connections from the Envoy proxy for Service B expect they will connect to a server destination (e.g., proxy) which presents a TLS certificate signed by the same CA that signed the client-side cert provided by Service B.

You would need to deploy sidecars for both Service A and B (or use Connect-Native App Integration, which requires code changes) in order to be able to route traffic between the two services using Connect.

Topic		Replies	Views
Transitioning existing clusters to use consul connect Consul connect	0	564	May 6, 2020
Does k8s consul connect work without connect-service-upstreams? Consul	2	567	December 20, 2020
Consul Connect dynamic upstreams Consul connect	4	1788	January 5, 2021
Serve Consul-API to Services with Consul Connect Consul connect , consul-nomad	1	602	December 18, 2020
Replacing Envoy with something else Nomad	1	302	June 9, 2022

Consul to consul connect incremental migration

Related topics