Host based Firewall / SDF vs. Consul


I am new to consul and just finished to first few tutorials. My intention in using consul is to secure intra-datacenter / east-west network traffic between VMs and prevent lateral movement of attackers / unhappy admins.

There is a interesting presentation (The What, Why, and How of Zero Trust Networking) about zero trust networking with consul. The part “software defined firewall” and it’s pros and cons is nicely explained.

But I don’t understand how consul helps protecting VMs/servers within flat networks from not being accessed from bad actors. An attacker can just bypass the proxy (*.service.consul DNS name) and directly access the IP/ports of the VM and it’s potential vulnerabilities?

What am I missing, glad to hear your hints. Thanks!