Hi,
I am trying to understand Consul service mesh as part of our service mesh evaluation at our org. I've a question for which I didn't find a clear answer in the Consul documentation. Is external inbound traffic allowed to Consul service mesh without some kind of Consul gateway (Mesh/Ingress/API gateways)?
Is external inbound traffic allowed to Consul service mesh without some kind of Consul gateway?
Not generally, no. The proxies within the service mesh generally validate that any inbound traffic is encrypted with a client certificate that is provisioned by the internal mesh CA, so unencrypted general traffic would not be allowed through the mesh. For services outside of the mesh you would generally want to use an Ingress Gateway or our new Beta-released API Gateways.
Both will allow you to ingress traffic over HTTP and over HTTPS without a client certificate, but ingress gateways really only support using mesh CA-signed certificates on their listeners, whereas API gateways allow you to bring your own listener certificates. Additionally, API gateways are modeled around Kubernetes’ API Gateway Spec and will likely eventually completely replace ingress gateways.
Let me know if I can clarify any other mesh use-cases.
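As an added illustration of the two options described in the reply above (not part of the original thread, and not HashiCorp's own sample), here are the two Consul config entries side by side: an ingress gateway whose listener uses a mesh-CA-signed certificate, and an API gateway whose listener references a certificate you bring yourself. Gateway names, the service name `web`, the port numbers and the certificate body are assumed placeholders; the config entry kinds and field names are Consul's own.

```hcl
# --- Option 1: ingress gateway -------------------------------------------
# The gateway terminates external HTTP/HTTPS and forwards into the mesh.
# With TLS enabled, Consul provisions the listener certificate from the
# internal mesh CA; external clients must trust that CA, and they do NOT
# present a client certificate (the mTLS hop is gateway -> "web" proxy).
Kind = "ingress-gateway"
Name = "ingress-gateway"          # placeholder gateway name

TLS {
  Enabled = true                  # listener cert is signed by the mesh CA
}

Listeners = [
  {
    Port     = 8443               # placeholder external port
    Protocol = "http"
    Services = [
      { Name = "web" }            # placeholder upstream service in the mesh
    ]
  }
]

# --- Option 2: API gateway -----------------------------------------------
# Same role, but the listener certificate is supplied by you via an
# inline-certificate config entry instead of being issued by the mesh CA.
Kind = "api-gateway"
Name = "api-gateway"              # placeholder gateway name

Listeners = [
  {
    Name     = "https"
    Port     = 8443               # placeholder external port
    Protocol = "http"
    TLS = {
      Certificates = [
        { Kind = "inline-certificate", Name = "public-cert" }
      ]
    }
  }
]

# Certificate referenced by the API gateway listener above.
Kind = "inline-certificate"
Name = "public-cert"              # placeholder certificate entry name
Certificate = <<EOF
-----BEGIN CERTIFICATE-----
(placeholder: certificate issued by your own or a public CA)
-----END CERTIFICATE-----
EOF
PrivateKey = <<EOF
-----BEGIN PRIVATE KEY-----
(placeholder: matching private key)
-----END PRIVATE KEY-----
EOF
```

Each `Kind` block is written to Consul as a separate config entry (one per `consul config write` call). The security-relevant difference is only at the external edge: in both cases the hop from the gateway to the backend proxy is still mesh mTLS, so the backend never accepts a connection that lacks a mesh-CA-issued client certificate. The API gateway additionally needs routing config entries to attach services, which are omitted here.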
So, the inbound traffic itself isn’t authenticated as gateways are meant for general purpose ingress from external sources. The gateway to backend service traffic will be encrypted and use mTLS for authentication though.
If you let me know a particular use-case you’re thinking of I might be able to help a bit easier.