github.com/clly/consul@v1.4.5/website/source/segmentation.html.erb (about)

     1  ---
     2  description: |-
     3    Consul is a highly available and distributed service discovery and KV
     4    store designed with support for the modern data center to make distributed
     5    systems and configuration easy.
     6  ---
     7  
     8  <div class='consul-connect'>
     9  
    10    <section class='g-hero'>
    11      <span>New Feature</span>
    12      <h1>Service segmentation made easy</h1>
    13      <p>Secure service-to-service communication with automatic TLS encryption and identity-based authorization</p>
    14      <div>
    15        <a href="/downloads.html" class="g-btn download">
    16          <svg xmlns="http://www.w3.org/2000/svg" width="20" height="22" viewBox="0 0 20 22">
    17            <path d="M9.292 15.706a1 1 0 0 0 1.416 0l3.999-3.999a1 1 0 1 0-1.414-1.414L11 12.586V1a1 1 0 1 0-2 0v11.586l-2.293-2.293a1 1 0 1 0-1.414 1.414l3.999 3.999zM20 16v3c0 1.654-1.346 3-3 3H3c-1.654 0-3-1.346-3-3v-3a1 1 0 1 1 2 0v3c0 .551.448 1 1 1h14c.552 0 1-.449 1-1v-3a1 1 0 1 1 2 0z"/>
    18          </svg>
    19          Download
    20        </a>
    21        <a href="https://learn.hashicorp.com/consul/getting-started/connect" class="g-btn dark-outline">Explore Docs</a>
    22      </div>
    23    </section>
    24  
    25    <section class='g-section'>
    26      <div class='g-container'>
    27        <div class='g-timeline no-intro'>
    28          <div>
    29            <span class='line'></span>
    30            <span class='line'>
    31              <svg xmlns="http://www.w3.org/2000/svg" width="11" height="15" viewBox="0 0 11 15">
    32                  <path fill="#CA2171" d="M0 0v15l5.499-3.751L11 7.5 5.499 3.749.002 0z"/>
    33              </svg>
    34            </span>
    35            <span class='dot'></span>
    36            <h3>The Challenge</h3>
    37            <span class='sub-heading'>Securing service-to-service communication with firewalls doesn’t scale in dynamic settings.</span>
    38            <div id='segmentation-challenge-animation' class='g-animation-block'>
    39              <%= inline_svg 'consul-connect/svgs/segmentation-challenge.svg' %>
    40            </div>
    41            <p>East-west firewalls use IP-based rules to secure ingress and
    42              egress traffic. But in a dynamic world where services move across
    43              machines and machines are frequently created and destroyed, this
    44              perimeter-based approach is difficult to scale as it results in
    45              complex network topologies and a sprawl of short-lived
    46              firewall rules.</p>
    47          </div>
    48          <div>
    49            <span class='dot'></span>
    50            <h3>The Solution</h3>
    51            <span class='sub-heading'>Service segmentation for dynamic service authorization.</span>
    52            <div id='segmentation-solution-animation' class='g-animation-block'>
    53              <%= inline_svg 'consul-connect/svgs/segmentation-solution.svg' %>
    54            </div>
    55            <p>Service segmentation is a new approach to secure the service itself
    56              rather than relying on the network. Consul uses service policies to
    57              codify which services are allowed to communicate. These policies
    58              scale across datacenters and large fleets without IP-based rules or
    59              networking middleware.</p>
    60          </div>
    61        </div>
    62      </div>
    63    </section>
    64  
    65    <section class='g-section border-top'>
    66      <div class='g-container'>
    67        <div class='intro'>
    68          <h2>Features</h2>
    69        </div>
    70        <div class='g-text-asset large'>
    71          <div>
    72            <div>
    73              <h3>Service Access Graph</h3>
    74              <p>Define and enforce service-to-service communication with a simple Intentions configuration. Service-based rules, instead of IP-based rules, make it easy to manage dynamic infrastructure with frequently changing machines and service locations.</p>
    75              <p>
    76                <a class="learn-more" href='/docs/connect/intentions.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
    77              </p>
    78            </div>
    79          </div>
    80          <div>
    81            <picture>
    82              <source type="image/webp" srcset="
    83                /assets/images/consul-connect/ui-intentions-list/ui-intentions-list_230.webp 230w,
    84                /assets/images/consul-connect/ui-intentions-list/ui-intentions-list_844.webp 844w,
    85                /assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.webp 1290w" />
    86               <source type="image/jpeg" srcset="
    87                /assets/images/consul-connect/ui-intentions-list/ui-intentions-list_230.jpg 230w,
    88                /assets/images/consul-connect/ui-intentions-list/ui-intentions-list_844.jpg 844w,
    89                /assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.jpg 1290w" />
    90                <img src='/assets/images/consul-connect/ui-intentions-list/ui-intentions-list_1290.jpg' alt='Service Access Graph'>
    91            </picture>
    92          </div>
    93        </div>
    94      </div>
    95    </section>
    96  
    97    <section class='g-section border-top'>
    98      <div class='g-container'>
    99        <div class='g-text-asset reverse'>
   100          <div>
   101            <div>
   102              <h3>Secure services across any runtime platform</h3>
   103              <p>Secure communication between legacy and modern workloads. Sidecar proxies allow applications to be integrated without code changes, and Layer 4 support provides nearly universal protocol compatibility.</p>
   104              <p>
   105                <a class="learn-more" href='/docs/connect/proxies.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
   106              </p>
   107            </div>
   108          </div>
   109          <div>
   110            <picture>
   111              <source type="image/webp" srcset="
   112                /assets/images/consul-connect/grid_3/grid_3_300.webp 300w,
   113                /assets/images/consul-connect/grid_3/grid_3_976.webp 976w,
   114                /assets/images/consul-connect/grid_3/grid_3_1256.webp 1256w" />
   115               <source type="image/png" srcset="
   116                /assets/images/consul-connect/grid_3/grid_3_300.png 300w,
   117                /assets/images/consul-connect/grid_3/grid_3_976.png 976w,
   118                /assets/images/consul-connect/grid_3/grid_3_1256.png 1256w" />
   119                <img src='/assets/images/consul-connect/grid_3/grid_3_1256.png' alt='Secure services across any runtime platform'>
   120            </picture>
   121          </div>
   122        </div>
   123      </div>
   124    </section>
   125  
   126    <section class='g-section border-top'>
   127      <div class='g-container'>
   128        <div class='g-text-asset'>
   129          <div>
   130            <div>
   131              <h3>Certificate-Based Service Identity</h3>
   132              <p>TLS certificates are used to identify services and secure communications. Certificates use the SPIFFE format for interoperability with other platforms. Consul can be a certificate authority to simplify deployment, or integrate with external signing authorities like Vault.</p>
   133              <p>
   134                <a class="learn-more" href='/docs/connect/ca.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
   135              </p>
   136            </div>
   137          </div>
   138          <div class='logos'>
   139            <div>
   140              <img src='/assets/images/consul-connect/logos/vault.png' alt='Vault'>
   141              <img src='/assets/images/consul-connect/logos/spiffe.png' alt='SPIFFE'>
   142            </div>
   143          </div>
   144        </div>
   145      </div>
   146    </section>
   147  
   148    <section class='g-section border-top'>
   149      <div class='g-container'>
   150        <div class='g-text-asset reverse'>
   151          <div>
   152            <div>
   153              <h3>Encrypted communication</h3>
   154              <p>All traffic between services is encrypted and authenticated with mutual TLS. Using TLS provides a strong guarantee of the identity of services communicating, and ensures all data in transit is encrypted.</p>
   155              <p>
   156                <a class="learn-more" href='/docs/connect/security.html'>Learn more<svg xmlns="http://www.w3.org/2000/svg" width="6" height="10" viewBox="0 0 6 10"><g fill="none" fill-rule="evenodd" transform="translate(-6 -3)"><mask id="a" fill="#fff"><path d="M7.138 3.529a.666.666 0 1 0-.942.942l3.528 3.53-3.529 3.528a.666.666 0 1 0 .943.943l4-4a.666.666 0 0 0 0-.943l-4-4z"/></mask><g fill="#1563FF" mask="url(#a)"><path d="M0 0h16v16H0z"/></g></g></svg></a>
   157              </p>
   158            </div>
   159          </div>
   160          <div class='code-sample'>
   161            <div>
   162              <span></span>
   163              <div class='code'><code>$ consul connect proxy -service web \
   164          -service-addr 127.0.0.1:8000 \
   165          -listen <code class="keyword">10.0.1.109:7200</code>
   166  ==> Consul Connect proxy starting...
   167      Configuration mode: Flags
   168                  Service: web
   169          Public listener: <code class="keyword">10.0.1.109:7200</code> => 127.0.0.1:8000
   170  ...
   171  $ tshark -V \
   172          -Y "ssl.handshake.certificate" \
   173          -O "ssl" \
   174          -f <code class="keyword">"dst port 7200"</code>
   175  Frame 39: 899 bytes on wire (7192 bits), 899 bytes captured (7192 bits) on interface 0
   176  Internet Protocol Version 4, Src: 10.0.1.110, Dst: <code class="keyword">10.0.1.109</code>
   177  Transmission Control Protocol, Src Port: 61918, Dst Port: 7200, Seq: 136, Ack: 916, Len: 843
   178  Secure Sockets Layer
   179      TLSv1.2 Record Layer: Handshake Protocol: Certificate
   180          Version: TLS 1.2 (0x0303)
   181          Handshake Protocol: Certificate
   182            RDNSequence item: 1 item (id-at-commonName=<code class="keyword">Consul CA 7</code>)
   183                RelativeDistinguishedName item (id-at-commonName=<code class="keyword">Consul CA 7</code>)
   184                    Id: 2.5.4.3 (id-at-commonName)
   185                    DirectoryString: printableString (1)
   186                        printableString: <code class="keyword">Consul CA 7</code></code>
   187              </div>
   188            </div>
   189          </div>
   190        </div>
   191      </div>
   192    </section>
   193  
   194    <section class='g-section g-cta-section'>
   195      <div>
   196        <h2>Ready to get started?</h2>
   197        <a href="/downloads.html" class="g-btn white download">
   198          <svg xmlns="http://www.w3.org/2000/svg" width="20" height="22" viewBox="0 0 20 22">
   199            <path d="M9.292 15.706a1 1 0 0 0 1.416 0l3.999-3.999a1 1 0 1 0-1.414-1.414L11 12.586V1a1 1 0 1 0-2 0v11.586l-2.293-2.293a1 1 0 1 0-1.414 1.414l3.999 3.999zM20 16v3c0 1.654-1.346 3-3 3H3c-1.654 0-3-1.346-3-3v-3a1 1 0 1 1 2 0v3c0 .551.448 1 1 1h14c.552 0 1-.449 1-1v-3a1 1 0 1 1 2 0z"/>
   200        </svg>
   201          Download
   202        </a>
   203        <a href="https://learn.hashicorp.com/consul/getting-started/connect" class="g-btn white-outline">Explore docs</a>
   204      </div>
   205    </section>
   206  
   207  </div>