Consul 1.6 sets out to make service traffic routing more secure

HashiCorp’s Consul team has released version 1.6 beta of its distributed service mesh. The stand-out additions in this release are new Layer 7 features and mesh gateways.

Mesh gateways are Envoy proxies that facilitate communication between services in different networking environments, but they aren’t suited for “general purpose ingress from non-mesh traffic”. The gateways use the Server Name Indication (SNI), which is part of the TLS handshake, to route traffic from one service to another. Because routing relies only on that value, the gateway has no way to decrypt the payload data, which comes in handy if the gateway is compromised.

To make it even more useful, the Kubernetes integration now also allows gateway deployment. This is meant to simplify communication between services running inside the orchestrator’s environment and those on other platforms, which can be quite tricky at times.

In terms of application layer (Layer 7 of the OSI model) features, the Consul team has built on the observability features they introduced in v1.5. New configuration entry types service-resolver, service-splitter, and service-router should help with traffic management. 

Routing can be used to intercept traffic using path prefixes or HTTP headers, for example, while splitting allows dividing requests across services, and the resolver lets users “define which instances of a service should satisfy discovery requests for the provided name”.

The goal of those additions can be boiled down to making systems more reliable in case of failure and helping with deployment patterns like HTTP path-based routing and traffic shifting.

On top of all that, HashiCorp has decided to open source the intention and certificate authority replication features. They have been part of Consul Enterprise since the 1.4 release, but are also a crucial mesh gateway component, which seems to be the major motivation for the move. However, even smaller teams have to manage all kinds of different infrastructure components across platforms nowadays, so having them publicly available could encourage people to choose Consul.