Service Segmentation Made Easy

Secure service-to-service communication with automatic TLS encryption and identity-based authorization

Service segmentation for security to reduce firewall rule sprawls

The Challenge

Securing service-to-service communication with firewalls doesn’t scale in dynamic settings


  • Increased risk caused by firewall sprawl and the potential for configuration errors

  • Reduced productivity from waiting for manual updates to firewalls rules, blocking development throughput

  • Increased cost from expensive east-west firewalls and micro-segmentation solutions

The Solution

Service segmentation with identity based authorization


  • Improve Security by enforcing consistent security policies and encrypting service traffic across heterogenous environments

  • Increase productivity by removing networking bottlenecks with scale-independent security rules

  • Reduce cost by eliminating the need for east-west firewalls and other traditional network segmentation solutions

A journey to service mesh

How Consul helps Criteo evolve from bare metal machines with load balancers to containers with service mesh to reduce cost, decrease application latency, improve security and avoid costly software development efforts.

Read Case Study

Service Segmentation Features

Service Access Graph

Define and enforce service to service communication with a simple Intentions configuration. Service based rules, instead of IP-based rules, make it easy to manage dynamic infrastructure with frequently changing machines and service locations.

Consul Intentions UI

Secure Services Across Any Runtime Platform

Secure communication between legacy and modern workloads. Sidecar proxies allow applications to be integrated without code changes and Layer 4 support provides nearly universal protocol compatibility.

Consul platform compatibility logo grid

Certificate-based Service Identity

TLS certificates are used to identify services and secure communications. Certificates use the SPIFFE format for interoperability with other platforms. Consul can be a certificate authority to simplify deployment, or integrate with external signing authorities like Vault.

Vault and Spiffe logos

Encrypted Communication

All traffic between services is encrypted and authenticated with mutual TLS. Using TLS provides a strong guarantee of the identity of services communicating, and ensures all data in transit is encrypted.

  1. $ consul connect proxy -service web \
  2. -service-addr
  3. -listen
  4. ==> Consul Connect proxy starting...
  5. Configuration mode: Flags
  6. Service: web
  7. Public listener: =>
  8. ...
  9. $ tshark -V \
  10. -Y "ssl.handshake.certificate" \
  11. -O "ssl" \
  12. -f "dst port 7200"
  13. Frame 39: 899 bytes on wire (7192 bits), 899 bytes captured (7192 bits) on interface 0
  14. ...

Consul Open Source and Enterprise Features

Learn more about service discovery, service segmentation and service configuration features with Consul Open Source and operations, governance, and multi-datacenter features with Consul Enterprise

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now