HashiCorp Extends Service Mesh Capabilities With Major Update to Consul
Today onstage at HashiDays Amsterdam, HashiCorp, a leader in cloud infrastructure automation, announced major new functionality for HashiCorp Consul, an open source service mesh to connect, secure, and configure services in dynamic, low-trust network environments. The new capability, called Consul Connect, now enables users to efficiently secure service-to-service communications for containerized and non-containerized services in cloud or on-premises environments. First released in 2014, Consul already runs on more than 5 million machines worldwide.
Modern application architectures embrace public clouds, microservices, and container schedulers like Kubernetes and HashiCorp Nomad. Earlier, static application architectures featured dedicated servers, long-lived IP addresses, and a clear network perimeter that could be defended at the edge. The new approach brings complex service-to-service communication patterns, increased scale, dynamic IP addresses, ephemeral infrastructure, and a low-trust network in which the network location of a caller says little about what it is. These dynamic environments require a service mesh that allows users to discover, configure, and connect services across their on-premises and cloud-based fleet.
A service mesh provides a highly available, distributed solution to three critical problems:
- Discovery: Services must be able to find and communicate with each other.
- Configuration: Services must accept dynamic, runtime configuration from a central source.
- Segmentation: Service communication must be secured through authorization and encryption.
Prior to this release, Consul solved the discovery and configuration use cases with its DNS interface for discovery and its key/value store for configuration. The Consul Connect feature now solves the segmentation use case. All three of these features work together to provide a complete service mesh solution that works on any platform.
“Microservices have introduced a critical new set of challenges for service-to-service traffic: how services find each other, how they are configured without being redeployed, and how to limit connectivity between them for security purposes,” said Armon Dadgar, founder and co-CTO of HashiCorp. “Consul has been used for years as a service discovery and service configuration tool. Now with Consul Connect, Consul rounds out its capabilities as a true service mesh and addresses that third challenge. Consul now significantly simplifies the way that you enforce service connectivity, enabling you to replace what can be many thousands of IP-based firewall rules with a few service-based intentions. By solving security challenges at the service layer, we simplify our network requirements and make it easy for networking and security teams to manage, while removing a bottleneck for developers to adopt cloud.”
“At jet.com, HashiCorp Consul helps us discover services that are connected across multiple cloud regions,” said Andrew Duch, DevOps technology lead for jet.com. “We believe the addition of the new Consul Connect capability will allow us to improve security by enabling us to easily introduce access policies between our microservices. We believe that by providing identities and access at the services level, Consul will help us streamline and scale persistent security, despite the constant changes that come as part of our continuous development and integration process.”
The new Consul Connect capability enables service segmentation: traffic between services is isolated through identity-based authorization rather than network position. Each service is issued a Transport Layer Security (TLS) certificate whose subject is a SPIFFE-compatible URI naming that service, and every connection between services is established with mutual TLS, so both sides prove their identity before any application data flows. Which identities may talk to which is described by intentions, a set of simple allow and deny rules keyed on service name rather than IP address; the proxy (or natively integrated service) on the receiving side checks the caller's certificate against the intentions before accepting the connection. Consul enforces security at the service level, rather than relying on the underlying network. Because policy is decoupled from IP addresses, the same rules continue to apply as services are scaled, rescheduled, and deployed dynamically.
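The configuration below is an added illustration of the model just described; it is not taken from the announcement or from HashiCorp's own examples. It assumes a Consul version that supports the `connect.sidecar_service` registration block and `service-intentions` config entries (both added after the release announced here), two services named `web` and `db` with constructed ports, and a single default datacenter and namespace. It registers both services with Connect sidecars, routes `web`'s calls to `db` through the sidecar, and writes an intention set that admits `web` and rejects every other caller.

```hcl
# --- web.hcl: registered on the agent that runs the web service ---
# The connect.sidecar_service block requests a Connect identity for "web"
# (a TLS certificate from Consul's CA) and a sidecar proxy that terminates
# mutual TLS on the service's behalf.
service {
  name = "web"
  port = 8080            # constructed for this example

  connect {
    sidecar_service {
      proxy {
        # The application speaks plain TCP to localhost:9191; the sidecar
        # opens an mTLS connection to a healthy "db" instance and presents
        # web's certificate so that db's sidecar can authorize the caller.
        upstreams = [
          {
            destination_name = "db"
            local_bind_port  = 9191   # constructed for this example
          }
        ]
      }
    }
  }
}

# --- db.hcl: registered on the agent that runs the database ---
# The db sidecar accepts mTLS connections, reads the caller's identity from
# the client certificate, checks intentions, and only then forwards traffic
# to localhost:5432.
service {
  name = "db"
  port = 5432            # constructed for this example

  connect {
    sidecar_service {}
  }
}

# --- db-intentions.hcl: applied with `consul config write db-intentions.hcl` ---
# Intentions are evaluated against the destination "db". An exact-name
# source takes precedence over the wildcard, so "web" is allowed and every
# other identity is rejected at the TLS handshake, regardless of its IP.
Kind = "service-intentions"
Name = "db"
Sources = [
  {
    Name   = "web"
    Action = "allow"
  },
  {
    Name   = "*"
    Action = "deny"
  }
]
```

Registering the two service files (`consul services register web.hcl`, and likewise for `db.hcl`) and starting a sidecar for each (`consul connect envoy -sidecar-for web`, or `consul connect proxy -sidecar-for web` for the built-in proxy) is enough for the `web` process to reach the database at `localhost:9191` while a service that presents any other certificate is refused. The explicit wildcard deny is deliberate: when no intention matches a connection, Consul falls back to the ACL default policy, which is allow unless the agents are configured with `default_policy = "deny"`, so a mesh without a closing deny rule is open by default.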
Traditional approaches to network security require a tight coupling of firewalls, load balancers, and software-defined networks, adding operational complexity. Consul’s approach allows developers to deploy new services quickly and securely without waiting for the manual update of network security policies, and it also frees IT teams from dealing with complex network topologies and from managing short-lived firewall rules.