Introducing the Consul API Gateway

Today at HashiConf Global 2021, we are introducing the new Consul API Gateway, a dedicated ingress solution for intelligently routing traffic to applications running on the HashiCorp Consul service mesh.

As part of service networking in the multi-cloud era, we find that organizations have four distinct pillars that they need to account for:

• Service discovery
• Service mesh
• Network automation
• Access to the mesh

The new HashiCorp Consul API Gateway is designed to address the access pillar, providing users with consistency in how they handle inbound requests to the service mesh from external clients.

In this blog post, we’ll explore the capabilities of the Consul API Gateway, see how it works, and provide you with next steps for how to access this solution when it becomes broadly available toward the end of the year.

»Managing Access to the Service Mesh

Typically when we talk about service mesh capabilities and benefits, we’re really addressing the challenges of intra-datacenter communication between applications, what we call east-west traffic patterns. In more modern security architectures, we solve this challenge through enforcing strict authorization (access controls, intentions) and encryption (mTLS) practices.

However, the existing challenge of how we regulate north-south traffic (e.g. requests from external clients into an environment via the public internet) doesn’t go away with these new network patterns. We still need to ensure that we are handling inbound requests to the service mesh in a way that is intelligent and consistent. Leveraging a single control plane for managing both east-west and north-south traffic makes achieving this consistency that much easier — and with the Consul API Gateway, we can provide this single control plane to Consul users.

»Control the Point of Entry

First and foremost, the Consul API Gateway is exactly that, a gateway to the Consul service mesh. Our goal is to provide users with the ability to detect inbound requests to mesh-based applications, present those clients with verifiable certificates from a trusted authority, and facilitate the necessary secure connections to fulfill the requests.

At launch, the Consul API Gateway will support only Kubernetes environments, but the plan is to eventually extend these capabilities to anywhere that Consul service mesh is running. Providing this controlled entrypoint enables customers to specify the connection types between internal and external clients as well. Users can have the Consul API Gateway create HTTP, HTTPS, TCP, and TCP + TLS connections between clients and mesh services.

»Simplify Traffic Patterns

Aside from establishing how these clients connect with mesh-based services, the Consul API Gateway also provides the ability to direct the flow of these requests and route the traffic to align with the management policies present within the service mesh. This creates consistency in how both north-south and east-west traffic are maintained and lets users establish a single workflow for managing these connections.

»Identify External Client Traffic

Organizations that want to open their service mesh applications to external clients also want to know what type of connection requests are being initiated by those clients. Consul API gateway can detect key metadata, such as the URL, hostname, and header values, and users can configure rules for which service mesh applications those requests should get routed to. This is a key facilitator for implementing a service-oriented architecture, particularly when taking an incremental approach.

»How It Works

When released, the Consul API Gateway can be installed on a Kubernetes cluster by enabling it in the standard Consul Helm chart. To configure and deploy individual API Gateways, an administrator creates a YAML file based on the Kubernetes Gateway API, an emerging standard supported by multiple vendors.

When the file is loaded, the Consul API Gateway Controller deploys an API Gateway pod and configures the gateway, listeners, and the routes to services. If TLS is enabled on a listener, the controller will load the certificate from the Kubernetes Secrets storage. If the certificate is rotated, the Gateway Controller will automatically update the listener.

Other features of the Consul API Gateway include modifying (add/change/delete) HTTP headers and their values, and splitting traffic between multiple services based on weighted ratios.

Watch Consul Engineer Nick Ethier demo the Consul API Gateway in the HashiConf Global 2021 keynote below:

»Next Steps

The Consul API Gateway is now available as a Tech Preview. Users can try out the Consul API gateway by accessing this repo. To be alerted when the beta is available, please fill out this form and we will contact you. For more information about HashiCorp Consul, please visit our documentation.