Is Consul Transparent Proxy supported in VM service mesh?

Hi, we feel the Transparent Proxy is really useful, but the doc only shows how to use it in k8s. We want to enable Consul service mesh on the VM services, so we want to confirm: is Consul Transparent Proxy supported on VMs?
And to make sure, when using transparent proxy in k8s, is it right that we can connect to the upstream service by KubeDNS hostname and don’t need to use in downstream service’s code?

Hi @hxidkd, it is possible to use transparent proxy on VMs, but it’s not currently documented as the user experience needs improvement to be on par with Consul on Kubernetes.

I gave a demo of this during the last Consul community office hours https://youtu.be/pJCprMwfUPw. The code shown in the video can be found at https://github.com/blake/ansible-collection-consul and https://github.com/blake/vagrant-consul-tproxy/tree/fake-service-l7/examples/vagrant/prebuilt-image.

I plan to eventually write a blog or short docs to show how to use tproxy on VMs, and accessing K8s services with KubeDNS names.


Hi @blake, I’m trying to get this working with VMs. I have deployed a test service for now, but this VM would be hosting additional multiple services together later on. I’m confused about how I should set consul redirect-traffic for my test service. My test service listens on port 5000 and the sidecar Envoy proxy has a listener on port 20000. Running Consul as a root process for now.

Hi @narendrapatel,

At the moment the process I’ve documented only works when there is a single application running on a VM. I’ve done some exploration on how to run multiple apps on a single machine, with each app separated by namespaces. I don’t yet have a working solution for this, but I’ll publish some info on my GitHub once I figure it out.


Hi @blake,

Thanks for the revert.
Eagerly waiting for your working solution, but namespaces are an enterprise feature. Anything we can do on the OSS front?

Also, is there any roadmap to make transparent proxies generally available for non-k8s, VM-based services? At present the documentation around it and consul-redirect-traffic is a bit unclear.

Hi @narendrapatel,

My apologies, I wasn’t clear in my previous post. I was actually referring to Linux network namespaces. Kubernetes provisions a separate network namespace for each pod. Consul’s redirect-traffic command modifies the iptables rules within the namespace to redirect traffic to Envoy.

I am looking to document a method to provision individual applications into their own net NS when deploying the apps on a single Linux VM.
