Service Mesh Made Easy

A distributed networking layer to connect, secure and observe services across any runtime platform and public or private cloud.

Simplify networking by shifting functionality from network middleware to the endpoint

The Challenge

Network appliances, like load balancers or firewalls with manual processes, don't scale in dynamic settings to support modern applications


  • Increased risk caused by flat networks behind a perimeter firewall

  • Reduced productivity from waiting for manual updates to network middleware, blocking development throughput

  • Increased cost from expensive network appliances and overheads for maintenance

  • Increased complexity from maintaining topologies that constrain traffic through centralized middleware

The Solution

Service mesh as an automated and distributed approach to networking and security


  • Improve Security with fine-grained authorization and mutual-TLS

  • Increase productivity by automating changes and minimizing the management overhead of networks

  • Reduce cost by avoiding a proliferation of network appliances

  • Simplify Networks by pushing authorization and traffic management to the endpoint, avoiding complex topologies

Consul Service Mesh Architecture

Consul has a client-server architecture and is the “control plane” for the service mesh. Multiple servers are deployed for high availability, and a pool of clients run on every host. Clients integrate with sidecar proxies, such as Envoy, that provide the “data plane” for the service mesh.

The centralized servers hold the service registry, access and traffic policies, configurations and certificate authorities, which are efficiently transferred to the distributed clients in real time. The clients configure local proxies, cache data and policies, and provide health checking.

A journey to service mesh

How Consul helps Criteo evolve from bare metal machines with load balancers to containers with service mesh to reduce cost, decrease application latency, improve security and avoid costly software development efforts.

Read Case Study

Consul Service Mesh Features

Service Discovery

Service registry, integrated health checks, and DNS and API interfaces enable any service to register and discover each other across multiple runtime platforms and datacenters

  1. $ dig web-frontend.service.consul. ANY
  2. ; <<>> DiG 9.8.3-P1 <<>> web-frontend.service.consul. ANY
  3. ;; global options: +cmd
  4. ;; Got answer:
  5. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29981
  6. ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
  8. ;web-frontend.service.consul. IN ANY
  10. web-frontend.service.consul. 0 IN A
  11. web-frontend.service.consul. 0 IN A

Service Segmentation

Service identity-based security policies and encrypted communication by mutual TLS, consistently enforced across heterogeneous environments. Instead of physical IP-to-IP rules, logical rules use Service-to-Service to reduce the number of policies needed and to handle dynamic infrastructure.


Enable networking metric collection, distributed tracking and logging via proxies with centralized configuration to provide insights into application behavior and performance without code modifications

Runtime Configuration

Feature-rich key/value store for dynamic service configuration data. Orchestrate changes with edge-triggered request to push updates across distributed services in real-time

Consul Open Source and Enterprise Features

Learn more about service discovery, service segmentation and service configuration features with Consul Open Source and operations, governance, and multi-datacenter features with Consul Enterprise

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now