How to configure inbound/outbound traffic rules in connect on k8s?

Hi, I have deployed Consul with Connect enabled in my EKS 1.18 cluster.
I am trying to achieve a few things related to routing that I am not sure how to:

  1. How can I specify per pod that I cannot access certain CIDRs? For example, disallow outbound traffic to 10.0.0.0/8.
  2. How can I force a pod to speak only with Connect, and drop all other traffic requests?
  3. How can I define a service using Connect so that it only accepts other services (downstreams) via Connect?
  4. How can I pass dynamic configuration per pod to the sidecar proxy Envoy? I only found the protocol annotation.
    I am assuming most of what I need can be configured there, but I can’t understand how I can pass dynamic (not bootstrap) configuration per deployment,
    i.e. the service “my-nginx” should be configured so and so.

Would love a reference on those topics on how to do it. I did find several places in the docs mentioning those features but couldn’t find how to do it.

Would appreciate any help 🙏

Hi @Isan-Rivkin,

  1. Consul’s Intentions enforce access based on service identity, not individual IP addresses, which helps simplify policy management by abstracting away the underlying network details. We recommend you use Kubernetes Network Policies if you need to control access at the IP-level.
  2. At the moment you will need to configure your applications to use their proxy to reach remote destinations. I recommend subscribing to GitHub issue hashicorp/consul-k8s#23, which is a feature request to add support for forcing traffic through the sidecars using iptables.
  3. Similar to #2, you would need to configure your app to only listen on a loopback address so that it is only accessible from its local proxy. Transparent proxy support will automate this traffic redirection.
  4. Consul Configuration Entries can be used to centrally configure proxies within the service mesh. Is this what you’re looking for?

Here are a few resources which show the use of config entries to manage sidecar and gateway configurations.

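The manifests below are an added illustration of the answer above and are not part of the original thread or of the Consul project's own examples. They put items 1 and 4 of the reply into Kubernetes objects: a NetworkPolicy for IP-level egress control, and Consul configuration entries expressed as the `consul.hashicorp.com/v1alpha1` CRDs (these require consul-helm with `controller.enabled: true`). The namespace, the `app: my-nginx` label, the `name: kube-system` namespace label, the 10.20.0.0/16 VPC range and the `frontend` source service are all assumptions chosen for the example. The important caveat is in the first document: a NetworkPolicy applies to every container in the pod, including the injected Envoy, and the sidecar's own traffic (to the Consul client on the node IP and to upstream proxies on other pod IPs) typically lives inside the same 10.0.0.0/8 space, so the cluster's own range must be allowed before the rest of 10.0.0.0/8 is denied.

```yaml
# Added example, not from the original thread. Names, labels and CIDRs are assumptions.
---
# Item 1: IP-level egress control via Kubernetes NetworkPolicy.
# Egress rules are additive: traffic is allowed if ANY rule matches, so the
# in-cluster range (assumed 10.20.0.0/16) stays reachable even though the
# last rule excludes all of 10.0.0.0/8.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-nginx-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: my-nginx            # assumed pod label on the my-nginx Deployment
  policyTypes:
    - Egress
  egress:
    # Cluster DNS (assumes the kube-system namespace carries a name=kube-system label).
    - to:
        - namespaceSelector:
            matchLabels:
              name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Mesh traffic: Envoy sidecar -> Consul client on the node, Envoy -> upstream
    # proxies on other pods. Assumed to live in the VPC range 10.20.0.0/16.
    - to:
        - ipBlock:
            cidr: 10.20.0.0/16
    # Everything else is allowed, except the remainder of 10.0.0.0/8.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
---
# Item 4: per-service proxy configuration through a Consul config entry,
# applied as a CRD instead of a pod annotation. This is what makes
# "my-nginx should be configured so and so" a centrally managed setting.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: my-nginx
  namespace: default
spec:
  protocol: http
---
# Identity-based access, the model the reply contrasts with IP rules:
# only the "frontend" service (assumed name) may reach my-nginx over the mesh.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: my-nginx
  namespace: default
spec:
  destination:
    name: my-nginx
  sources:
    - name: frontend
      action: allow
    - name: "*"
      action: deny
```

Two checks before relying on this: `kubectl get servicedefaults,serviceintentions my-nginx` should report the entries as synced to Consul, and on EKS 1.18 the NetworkPolicy is only enforced if the cluster runs a policy-capable CNI such as Calico, since the Amazon VPC CNI of that era did not enforce NetworkPolicy objects on its own.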