Localhost, RPC, and TLS

Hi. I have ~100 servers I would like to monitor. I intend to spin up three machines to act as servers for both Consul and Vault. Every machine in my fleet will run one instance of the Consul client. Because every single machine will be running Consul (as either a client or server), do I actually need to expose its HTTP RPC to the network? Can it just be bound to localhost? Furthermore, if it’s bound to localhost, do I really need to enable TLS at all? AFAICT, agent-to-agent communication uses the gossip protocol, which should be secured with a symmetric key.
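As an added illustration (not part of the original post), here is a Consul client-agent configuration that separates the three kinds of traffic the question runs together: the HTTP API, Serf gossip, and the agent RPC channel. Hostnames, file paths and the gossip key are placeholders, and the RPC/TLS settings assume a CA and per-agent certificates have already been issued.

```hcl
# Added example, not the poster's config. Placeholders: paths, key, hostnames.
datacenter = "dc1"
data_dir   = "/opt/consul"
server     = false
# Gossip (8301) and agent RPC (8300) listen on the private interface.
bind_addr  = "{{ GetPrivateIP }}"

# 1. HTTP API: bound to loopback only, so it is reachable just from this host
#    and can stay plain HTTP; the HTTPS listener is disabled (-1).
client_addr = "127.0.0.1"
ports {
  http  = 8500
  https = -1
}

# 2. Gossip (Serf LAN/WAN): protected only by the shared symmetric key.
#    Requiring it in both directions rejects unencrypted gossip from strays.
encrypt                 = "PLACEHOLDER_BASE64_32_BYTE_KEY"
encrypt_verify_incoming = true
encrypt_verify_outgoing = true

# 3. Agent RPC (client -> server, port 8300): a separate channel that the
#    gossip key does NOT cover, so it gets TLS with mutual verification even
#    when the HTTP API never leaves localhost.
verify_incoming        = true
verify_outgoing        = true
verify_server_hostname = true
ca_file   = "/etc/consul.d/tls/consul-agent-ca.pem"
cert_file = "/etc/consul.d/tls/dc1-client-consul-0.pem"
key_file  = "/etc/consul.d/tls/dc1-client-consul-0-key.pem"

retry_join = ["consul-server-1.example.internal", "consul-server-2.example.internal"]
```

With `https = -1` and `client_addr = "127.0.0.1"`, a quick check from another host that port 8500 is closed, plus `consul members` showing only expected agents, confirms the intended exposure.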