Ingress Gateway as Reverse Proxy for North/South User Traffic

I’ve read the docs/tutorials for Consul Connect and the Ingress Gateway, and unless I’ve missed something the purpose of the IG is to route traffic from services external to the Connect mesh to services inside the mesh.

But, what about user traffic? Are there any issues with using the IG to, e.g., route users through the IG to a service (e.g. a web app) running inside the service mesh? The main thought around using the IG in this way to avoid having to configure and maintain two proxies.

If there are docs that talk about this use case, feel free to point me to them.

1 Like


The primary purpose of Consul’s ingress is to facilitate east-west service-to-service communication within a datacenter environment or region.

It can potentially also be used for user traffic, but it really depends on your requirements. Currently ingress gateways only support L4/L7 traffic routing, and TLS listeners which are secured with private certificates provisioned by the configured Connect CA (e.g, built-in, Vault, custom CA). If you require the ability to use TLS certificates from a publicly signed certificate authority, or features such as IP access lists, web application firewall (WAF), identity-aware proxying (JWT, OIDC, SAML), etc then you’ll need to use a third-party API Gateway or Proxy, like Ambassador.

I hope this helps. Let me know if I can provide any additional detail.


@blake Envoy is listed among the proxies supported. Is it possible to setup Envoy as a Edge Balancer serving customer’s traffic and configure it with Consul? Especially is it possible to supplement Envoy with LetsEncrypt certificates stored in Consul?