Hi. I have ~100 servers I would like to monitor. I intend to spin up three machines to act as servers for both Consul and Vault. Every machine in my fleet will run one instance of the Consul client. Because every single machine will be running Consul (as either a client or server), do I actually need to expose its HTTP RPC to the network? Can it just be bound to localhost? Furthermore, if it’s bound to localhost, do I really need to enable TLS at all? AFAICT, agent-to-agent communication uses the gossip protocol, which should be secured with a symmetric key.
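For reference, the settings the question touches on, as an added Consul client-agent configuration example (not from the post or from HashiCorp's own guides): the HTTP API bound to loopback via `addresses.http`, the symmetric gossip key via `encrypt`, and the separate TLS settings for agent-to-server RPC via the `verify_*` and certificate options. Key names are Consul's agent configuration options; the datacenter name, file paths, hostnames and the key value are placeholders to be replaced for a real deployment.

```hcl
# Consul client agent configuration (added example, not from the post).
datacenter = "dc1"            # placeholder datacenter name
data_dir   = "/opt/consul"    # placeholder path
server     = false

# Bind the HTTP API (and DNS) to loopback only. The agent still reaches the
# servers over its own RPC and gossip ports, so local tools such as a Vault
# agent on the same host can use the API without it being exposed on the network.
addresses {
  http = "127.0.0.1"
}

# Gossip (Serf, port 8301) is protected by a shared symmetric key.
# Generate one with `consul keygen`; the value below is a placeholder.
encrypt = "REPLACE_WITH_OUTPUT_OF_consul_keygen"

# Agent-to-server RPC (port 8300) is a separate channel from gossip and is
# secured with TLS, configured independently of the gossip key above.
verify_incoming        = true
verify_outgoing        = true
verify_server_hostname = true
ca_file   = "/etc/consul.d/certs/consul-agent-ca.pem"          # placeholder paths
cert_file = "/etc/consul.d/certs/dc1-client-consul-0.pem"
key_file  = "/etc/consul.d/certs/dc1-client-consul-0-key.pem"

# The three Consul servers this client joins (placeholder hostnames).
retry_join = [
  "consul-server-1.example.internal",
  "consul-server-2.example.internal",
  "consul-server-3.example.internal",
]
```

The point the layout makes: the HTTP API address, the gossip encryption key and the RPC TLS material are three independent settings, so binding the API to localhost changes nothing about how gossip or RPC between agents and servers is protected.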