Recently we announced that Consul users can now leverage F5 BIG-IP as a terminating gateway for Consul service mesh. As more organizations make the shift from monolithic infrastructure to microservice-based architectures, there remain some applications which cannot be added to a service mesh, either because of technology or operational constraints (e.g. managed database services). However, services running inside the mesh require a secure and intelligent way to communicate with these external services. Consul and BIG-IP provide organizations an end-to-end solution to achieve this communication.
Terminating gateways are specific configurations of proxies that terminate Consul service mesh mTLS connections, enforce intentions, and forward requests to one or more external destinations.
The simplest use case for terminating gateways is routing to external services in the same logical network as Consul service mesh. In this situation, the gateway and the external services are registered in Consul’s catalog. Traffic from services in the mesh flows through their sidecar proxies to the terminating gateway, which then forwards the traffic to the destination service.
With terminating gateways in place, the network must be secured so that the external services can only be reached from the terminating gateway hosts.
To terminate TLS connections, the gateway will present leaf certificates for the services it represents. Connections to it will be encrypted with mTLS and controlled by intentions as expected with Consul Connect. Intentions will reference the source and destination services and will not require knowledge of the gateway itself.
The routing between gateways and external services will be determined by centralized configuration. Gateways will be registered by name, and a config entry will determine which external services each gateway service is responsible for. Spinning up multiple gateway instances with the same name will add redundancy with no additional configuration.
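The configuration described in the two paragraphs above, as an added example that is not taken from the original post or from HashiCorp's or F5's own material: a terminating-gateway config entry that links one external service to a named gateway, and an intention that names only the source and destination. The names `legacy-gateway`, `billing-db` and `web`, the file names, and the CA path are assumptions.

```hcl
# --- File: terminating-gateway.hcl (hypothetical file name) ---
# Links the external service "billing-db" to every gateway instance
# registered under the name "legacy-gateway". Starting a second instance
# with the same name adds redundancy without touching this entry.
Kind = "terminating-gateway"
Name = "legacy-gateway"   # assumed gateway service name

Services = [
  {
    # Must match the name the external service has in Consul's catalog.
    Name = "billing-db"   # assumed external service name

    # Optional: CA bundle the gateway uses to verify the external
    # service when the upstream hop is itself TLS. Placeholder path.
    CAFile = "/etc/consul.d/certs/billing-db-ca.pem"
  }
]

# --- File: billing-db-intentions.hcl (hypothetical file name) ---
# The intention references source and destination only. The gateway
# is not named: it presents the leaf certificate for "billing-db" and
# enforces this rule on the destination's behalf.
Kind = "service-intentions"
Name = "billing-db"       # destination

Sources = [
  {
    Name   = "web"        # assumed mesh service allowed to connect
    Action = "allow"
  },
  {
    # Every other mesh service is denied; the exact-name rule above
    # takes precedence over this wildcard.
    Name   = "*"
    Action = "deny"
  }
]
```

Each entry goes in its own file and is applied with `consul config write <file>`. The intention only governs the mesh side of the connection, so the network restriction limiting the external service to the gateway hosts is still required.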
Using F5 BIG-IP as a terminating gateway, Consul and BIG-IP can help connect mesh-based services to non-mesh services, secure traffic using mTLS, and automate connections across on-premises and cloud environments, thereby simplifying and securing communications between external applications and modern mesh-based applications.
To learn more about this feature, please read the recent technical overview blog published by F5, or register to attend the upcoming webinar “BIG-IP terminating gateway for Consul Connect – an app modernization solution by F5 and HashiCorp” on September 16th.
For more information about Consul, please visit our product page.
To learn more about the F5 & HashiCorp partnership and joint solutions, please visit www.f5.com/hashicorp.