Hi. I have ~100 servers I would like to monitor. I intend to spin up three machines to act as servers for both Consul and Vault. Every machine in my fleet will run one instance of the Consul client. Because every single machine will be running Consul (as either a client or server), do I actually need to expose its HTTP RPC to the network? Can it just be bound to localhost? Furthermore, if it’s bound to localhost, do I really need to enable TLS at all? AFAICT, agent-to-agent communication uses the gossip protocol, which should be secured with a symmetric key.
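The three questions in the post (loopback-only HTTP API, whether TLS is then still needed, and what the gossip key covers) map onto a handful of agent config keys, so here is an added example that is not part of the thread: a small Python check that reads a Consul agent config in its JSON form and reports the exposure it implies. It encodes Consul's documented semantics as I know them: `client_addr` defaults to `127.0.0.1` and `addresses.http` overrides it; `ports.http` defaults to 8500 and `ports.https` to -1 (disabled); the `encrypt` key is a base64 AES key of 16, 24 or 32 bytes that protects only the Serf gossip on 8301/8302; client-to-server RPC on 8300 and the HTTPS API are protected by TLS via `verify_outgoing`, `verify_incoming` (or `verify_incoming_rpc`), `verify_server_hostname`, `ca_file`, `cert_file` and `key_file`. So binding the HTTP API to loopback answers the first question, but it does not remove the need for TLS: every client agent still forwards its requests to the servers over 8300, and the gossip key does not cover that channel. The check reads the legacy top-level TLS keys only (Consul 1.12+ also accepts a `tls {}` block, which it does not parse); the hostnames, file paths and the all-zero gossip key in the sample configs are constructed placeholders.

```python
"""Static check of a Consul agent config (JSON form) for HTTP-API exposure,
gossip encryption and RPC TLS. Added example; not Consul's own tooling."""
import base64
import json

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def http_bind_addr(cfg):
    # Consul precedence: addresses.http overrides client_addr, which defaults to 127.0.0.1.
    return cfg.get("addresses", {}).get("http", cfg.get("client_addr", "127.0.0.1"))


def gossip_key_ok(key):
    # memberlist accepts base64 AES keys of 16, 24 or 32 bytes (`consul keygen` emits 32).
    try:
        raw = base64.b64decode(key, validate=True)
    except (TypeError, ValueError):
        return False
    return len(raw) in (16, 24, 32)


def check_consul_config(cfg):
    """Return a list of 'code: explanation' findings; an empty list means no issue found."""
    findings = []
    ports = cfg.get("ports", {})
    http_port = ports.get("http", 8500)   # -1 disables the plaintext listener
    https_port = ports.get("https", -1)   # disabled unless set
    addr = http_bind_addr(cfg)

    if http_port != -1 and addr not in LOOPBACK:
        findings.append(f"http-api-exposed: plaintext HTTP API bound to {addr}:{http_port}; "
                        "bind it to 127.0.0.1 or disable it (ports.http = -1) and use HTTPS")
    if https_port != -1 and not (cfg.get("cert_file") and cfg.get("key_file")):
        findings.append("https-without-cert: ports.https is set but cert_file/key_file are missing")
    if not gossip_key_ok(cfg.get("encrypt")):
        findings.append("gossip-unencrypted: 'encrypt' missing or not a 16/24/32-byte base64 key "
                        "(generate one with `consul keygen`)")
    # The gossip key covers only Serf (8301/8302). Agent-to-server RPC on 8300 is a
    # separate channel and is protected by TLS, regardless of where the HTTP API listens.
    if not cfg.get("verify_outgoing"):
        findings.append("rpc-unverified: verify_outgoing is false, so RPC to the servers on 8300 "
                        "is not TLS-verified; set it together with ca_file")
    elif not cfg.get("ca_file"):
        findings.append("rpc-no-ca: verify_outgoing is true but ca_file is missing")
    if cfg.get("verify_outgoing") and not cfg.get("verify_server_hostname"):
        findings.append("server-impersonation: verify_server_hostname is false; any agent holding "
                        "a valid cert could present itself as a server")
    if cfg.get("server") and not (cfg.get("verify_incoming") or cfg.get("verify_incoming_rpc")):
        findings.append("server-accepts-plaintext-rpc: verify_incoming(_rpc) is false on a server; "
                        "set it together with cert_file/key_file")
    return findings


def check_config_file(path):
    """Check an on-disk JSON agent config (e.g. /etc/consul.d/consul.json)."""
    with open(path, encoding="utf-8") as fh:
        return check_consul_config(json.load(fh))


# Constructed sample configs. Hostnames, paths and the key are placeholders, not real values.
PLACEHOLDER_KEY = base64.b64encode(bytes(32)).decode()  # all zeros: shape only, never deploy this

WEAK_CLIENT = {
    "datacenter": "dc1",
    "server": False,
    "client_addr": "0.0.0.0",                     # API on every interface, no TLS, no gossip key
    "retry_join": ["consul-1.internal.example"],
}

HARDENED_CLIENT = {
    "datacenter": "dc1",
    "server": False,
    "client_addr": "127.0.0.1",                   # API reachable only from the host itself
    "encrypt": PLACEHOLDER_KEY,
    "verify_outgoing": True,                      # TLS on the 8300 RPC path to the servers
    "verify_server_hostname": True,
    "ca_file": "/etc/consul.d/tls/consul-agent-ca.pem",
    "cert_file": "/etc/consul.d/tls/dc1-client-consul.pem",   # needed once servers verify_incoming
    "key_file": "/etc/consul.d/tls/dc1-client-consul-key.pem",
    "retry_join": ["consul-1.internal.example"],
}

HARDENED_SERVER = {
    "datacenter": "dc1",
    "server": True,
    "bootstrap_expect": 3,
    "client_addr": "127.0.0.1",
    "ports": {"http": -1, "https": 8501},         # plaintext API off; HTTPS on loopback for local Vault
    "encrypt": PLACEHOLDER_KEY,
    "verify_incoming": True,
    "verify_outgoing": True,
    "verify_server_hostname": True,
    "ca_file": "/etc/consul.d/tls/consul-agent-ca.pem",
    "cert_file": "/etc/consul.d/tls/dc1-server-consul-0.pem",
    "key_file": "/etc/consul.d/tls/dc1-server-consul-0-key.pem",
}

if __name__ == "__main__":
    for name, cfg in [("weak client", WEAK_CLIENT), ("hardened client", HARDENED_CLIENT),
                      ("hardened server", HARDENED_SERVER)]:
        print(f"{name}: {check_consul_config(cfg) or 'no findings'}")
```

Run it as-is to see the three sample verdicts, or call `check_config_file()` on a real JSON agent config before rolling it out; a config written in HCL can be converted to JSON first, since the keys are the same.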