Service Mesh Made Easy

A distributed networking layer to connect, secure and observe services across any runtime platform and public or private cloud.

Simplify networking by shifting functionality from network middleware to the endpoints

The Challenge

Network appliances, like load balancers or firewalls with manual processes, don't scale in dynamic settings to support modern applications


  • Increased risk caused by flat networks behind a perimeter firewall

  • Reduced productivity from waiting for manual updates to network middleware, blocking development throughput

  • Increased cost from expensive network appliances and overheads for maintenance

  • Increased complexity from maintaining topologies that constrain traffic through centralized middleware

The Solution

Service mesh as an automated and distributed approach to networking and security


  • Improve security with fine-grained authorization and mutual TLS

  • Increase productivity by automating changes and minimizing the management overhead of networks

  • Reduce cost by avoiding a proliferation of network appliances

  • Simplify networks by pushing authorization and traffic management to the endpoints, avoiding complex topologies

Consul Service Mesh Architecture

Consul has a client-server architecture and is the “control plane” for the service mesh. Multiple servers are deployed for high availability, and a pool of clients run on every host. Clients integrate with sidecar proxies, such as Envoy, that provide the “data plane” for the service mesh.

The centralized servers hold the service registry, access and traffic policies, configurations and certificate authorities, which are efficiently transferred to the distributed clients in real time. The clients configure local proxies, cache data and policies, and provide health checking.

A journey to service mesh

How Consul helps Criteo evolve from bare metal machines with load balancers to containers with service mesh to reduce cost, decrease application latency, improve security and avoid costly software development efforts.


Consul Service Mesh Features

Service Discovery

A service registry, integrated health checks, and DNS and API interfaces enable services to register themselves and discover each other across multiple runtime platforms and datacenters.

    $ dig web-frontend.service.consul. ANY
    ; <<>> DiG 9.8.3-P1 <<>> web-frontend.service.consul. ANY
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29981
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

    ;web-frontend.service.consul. IN ANY

    web-frontend.service.consul. 0 IN A
    web-frontend.service.consul. 0 IN A

Dynamic Traffic Management

Enable advanced traffic management patterns such as service failover, path-based routing, and traffic shifting to support different deployment strategies and improve application resiliency. The service-to-service communication policy at Layer 7 can be managed centrally.

Service Segmentation

Security policies based on service identity and communication encrypted with mutual TLS are enforced consistently across heterogeneous environments. Instead of physical IP-to-IP rules, logical service-to-service rules reduce the number of policies needed and handle dynamic infrastructure.
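The difference between IP-to-IP rules and service-to-service rules under instance churn, as an added example that is not Consul's own code or API. It is a simplified model: the inventories, addresses and the `audit` helper are constructed for illustration, and the service identity is assumed to come from the caller's mutual-TLS certificate.

```python
from itertools import product

# Constructed inventory: service -> instance IPs (RFC 5737 documentation addresses).
BEFORE = {
    "web": ["192.0.2.10", "192.0.2.11"],
    "db": ["192.0.2.20", "192.0.2.21"],
    "batch": ["192.0.2.30"],
}
# After churn: web instance .11 is replaced by .12, and batch scales out onto the freed .11.
AFTER = {
    "web": ["192.0.2.10", "192.0.2.12"],
    "db": ["192.0.2.20", "192.0.2.21"],
    "batch": ["192.0.2.30", "192.0.2.11"],
}
# One logical rule covers every web and db instance; anything not listed is denied.
SERVICE_RULES = {("web", "db"): "allow"}


def ip_rules(inventory, src, dst):
    """Expand one intent into IP-to-IP allow rules: one per instance pair."""
    return set(product(inventory[src], inventory[dst]))


def service_allows(src_service, dst_service, rules=SERVICE_RULES):
    """Decide on the caller's service identity, not on its address."""
    return rules.get((src_service, dst_service), "deny") == "allow"


def audit(ip_ruleset, inventory):
    """Report where an IP rule set disagrees with the service rules for the live inventory."""
    owner = {ip: svc for svc, ips in inventory.items() for ip in ips}
    wrongly_allowed, wrongly_denied = [], []
    for src_ip, dst_ip in product(owner, owner):
        intended = service_allows(owner[src_ip], owner[dst_ip])
        actual = (src_ip, dst_ip) in ip_ruleset
        if actual and not intended:
            wrongly_allowed.append((owner[src_ip], src_ip, dst_ip))
        elif intended and not actual:
            wrongly_denied.append((owner[src_ip], src_ip, dst_ip))
    return sorted(wrongly_allowed), sorted(wrongly_denied)


if __name__ == "__main__":
    rules = ip_rules(BEFORE, "web", "db")  # written once, never updated
    print(len(rules), "IP rules vs", len(SERVICE_RULES), "service rule")
    print(audit(rules, AFTER))
```

Run against the post-churn inventory, the unchanged IP rule set lets the batch instance that inherited a web address reach both db instances and blocks the new web instance, while the single service rule needs no update.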


Enable collection of networking metrics, distributed tracing and logging via proxies with centralized configuration, to provide insights into application behavior and performance without code modifications.

Mesh Gateway

Transparently and securely route traffic between different network environments. Enable secure service-to-service communication across multiple clusters, runtime platforms, data centers or clouds, without the need for complex network configurations and VPN tunneling.

Consul Open Source and Enterprise Features

Learn more about service discovery, service segmentation and service configuration features with Consul Open Source and operations, governance, and multi-datacenter features with Consul Enterprise