github.com/outbrain/consul@v1.4.5/website/source/docs/connect/proxies.html.md (about) 1 --- 2 layout: "docs" 3 page_title: "Connect - Proxies" 4 sidebar_current: "docs-connect-proxies" 5 description: |- 6 A Connect-aware proxy enables unmodified applications to use Connect. A per-service proxy sidecar transparently handles inbound and outbound service connections, automatically wrapping and verifying TLS connections. 7 --- 8 9 # Connect Proxies 10 11 A Connect-aware proxy enables unmodified applications to use Connect. 12 A per-service proxy sidecar transparently handles inbound and outbound 13 service connections, automatically wrapping and verifying TLS connections. 14 15 When a proxy is used, the actual service being proxied should only accept 16 connections on a loopback address. This requires all external connections 17 to be established via the Connect protocol to provide authentication and 18 authorization. 19 20 -> **Deprecation Note:** Managed Proxies are deprecated as of Consul 1.3. See 21 [managed proxy deprecation](/docs/connect/proxies/managed-deprecated.html) for 22 more information. It's strongly recommended to switch to one of the approaches 23 listed on this page as soon as possible. 24 25 ## Proxy Service Definitions 26 27 Connect proxies are registered using regular [service 28 definitions](/docs/agent/services.html). They can be registered both in config 29 files or via the API just like any other service. 30 31 Additionally, to reduce the amount of boilerplate needed for a sidecar proxy, 32 application service definitions may define inline [sidecar service 33 registrations](/docs/connect/proxies/sidecar-service.html) which are an 34 opinionated shorthand for a separate full proxy registration as described here. 35 36 To function as a Connect proxy, they must be declared as a proxy type and 37 provide information about the service they represent. 38 39 To declare a service as a proxy, the service definition must contain 40 the following fields: 41 42 * `kind` `(string)` must be set to `connect-proxy`. This declares that the 43 service is a proxy type. 44 45 * `proxy.destination_service_name` `(string)` must be set to the service that 46 this proxy is representing. Note that this replaces `proxy_destination` in 47 versions 1.2.0 to 1.3.0. 48 49 * `port` `(int)` must be set so that other Connect services can discover the 50 exact address for connections. `address` is optional if the service is being 51 registered against an agent, since it'll inherit the node address. 52 53 Minimal Example: 54 55 ```json 56 { 57 "name": "redis-proxy", 58 "kind": "connect-proxy", 59 "proxy": { 60 "destination_service_name": "redis" 61 }, 62 "port": 8181 63 } 64 ``` 65 66 With this service registered, any Connect clients searching for a 67 Connect-capable endpoint for "redis" will find this proxy. 68 69 ### Sidecar Proxy Fields 70 71 Most Connect proxies are deployed as "sidecars" which means they are co-located 72 with a single service instance which they represent and proxy all inbound 73 traffic to. In this case the following fields should also be set: 74 75 * `proxy.destination_service_id` `(string: <required>)` is set to the _id_ 76 (and not the _name_ if they are different) of the specific service instance 77 that is being proxied. The proxied service is assumed to be registered on 78 the same agent although it's not strictly validated to allow for 79 un-coordinated registrations. 80 81 * `proxy.local_service_port` `(int: <required>)` must specify the port the 82 proxy should use to connect to the _local_ service instance. 83 84 * `proxy.local_service_address` `(string: "")` can be set to override the IP or 85 hostname the proxy should use to connect to the _local_ service. Defaults to 86 `127.0.0.1`. 87 88 ### Complete Configuration Example 89 90 The following is a complete example showing all the options available when 91 registering a proxy instance. 92 93 ```json 94 { 95 "name": "redis-proxy", 96 "kind": "connect-proxy", 97 "proxy": { 98 "destination_service_name": "redis", 99 "destination_service_id": "redis1", 100 "local_service_address": "127.0.0.1", 101 "local_service_port": 9090, 102 "config": {}, 103 "upstreams": [] 104 }, 105 "port": 8181 106 } 107 ``` 108 109 -> **Deprecation Notice:** From version 1.2.0 to 1.3.0, proxy destination was 110 specified using `proxy_destination` at the top level. This will continue to work 111 until at least 1.5.0 but it's highly recommended to switch to using 112 `proxy.destination_service_name`. 113 114 #### Proxy Parameters 115 116 - `destination_service_name` `(string: <required>)` - Specifies the _name_ of the 117 service this instance is proxying. Both side-car and centralized 118 load-balancing proxies must specify this. It is used during service 119 discovery to find the correct proxy instances to route to for a given service 120 name. 121 122 - `destination_service_id` `(string: "")` - Specifies the _ID_ of a single 123 specific service instance that this proxy is representing. This is only valid 124 for side-car style proxies that run on the same node. It is assumed that the 125 service instance is registered via the same Consul agent so the ID is unique 126 and has no node qualifier. This is useful to show in tooling which proxy 127 instance is a side-car for which application instance and will enable 128 fine-grained analysis of the metrics coming from the proxy. 129 130 - `local_service_address` `(string: "")` - Specifies the address a side-car 131 proxy should attempt to connect to the local application instance on. 132 Defaults to 127.0.0.1. 133 134 - `local_service_port` `(int: <optional>)` - Specifies the port a side-car 135 proxy should attempt to connect to the local application instance on. 136 Defaults to the port advertised by the service instance identified by 137 `destination_service_id` if it exists otherwise it may be empty in responses. 138 139 - `config` `(object: {})` - Specifies opaque config JSON that will be 140 stored and returned along with the service instance from future API calls. 141 142 - `upstreams` `(array<Upstream>: [])` - Specifies the upstream services 143 this proxy should create listeners for. The format is defined in 144 [Upstream Configuration Reference](#upstream-configuration-reference). 145 146 ### Upstream Configuration Reference 147 148 The following examples show all possible upstream configuration parameters. 149 150 Note that in versions 1.2.0 to 1.3.0, managed proxy upstreams were specified 151 inside the opaque `connect.proxy.config` map. The format is almost unchanged 152 however managed proxy upstreams are now defined a level up in the 153 `connect.proxy.upstreams`. The old location is deprecated and will be 154 automatically converted into the new for an interim period before support is 155 dropped in a future major release. The only difference in format between the 156 upstream defintions is that the field `destination_datacenter` has been renamed 157 to `datacenter` to reflect that it's the discovery target and not necessarily 158 the same as the instance that will be returned in the case of a prepared query 159 that fails over to another datacenter. 160 161 Note that `snake_case` is used here as it works in both [config file and API 162 registrations](/docs/agent/services.html#service-definition-parameter-case). 163 164 Upstreams support multiple destination types. Both examples are shown below 165 followed by documentation for each attribute. 166 167 #### Service Destination 168 169 ```json 170 { 171 "destination_type": "service", 172 "destination_name": "redis", 173 "datacenter": "dc1", 174 "local_bind_address": "127.0.0.1", 175 "local_bind_port": 1234, 176 "config": {} 177 }, 178 ``` 179 180 #### Prepared Query Destination 181 182 ```json 183 { 184 "destination_type": "prepared_query", 185 "destination_name": "database", 186 "local_bind_address": "127.0.0.1", 187 "local_bind_port": 1234, 188 "config": {} 189 }, 190 ``` 191 192 * `destination_name` `(string: <required>)` - Specifies the name of the service 193 or prepared query to route connect to. The prepared query should be the name 194 or the ID of the prepared query. 195 * `local_bind_port` `(int: <required>)` - Specifies the port to bind a local 196 listener to for the application to make outbound connections to this upstream. 197 * `local_bind_address` `(string: "")` - Specifies the address to bind a 198 local listener to for the application to make outbound connections to this 199 upstream. Defaults to `127.0.0.1`. 200 * `destination_type` `(string: "")` - Speficied the type of discovery 201 query to use to find an instance to connect to. Valid values are `service` or 202 `prepared_query`. Defaults to `service`. 203 * `datacenter` `(string: "")` - Specifies the datacenter to issue the 204 discovery query too. Defaults to the local datacenter. 205 * `config` `(object: {})` - Specifies opaque configuration options that 206 will be provided to the proxy instance for this specific upstream. Can contain 207 any valid JSON object. This might be used to configure proxy-specific features 208 like timeouts or retries for the given upstream. See the [built-in proxy 209 configuration 210 reference](/docs/connect/configuration.html#built-in-proxy-options) for 211 options available when using the built-in proxy. If using Envoy as a proxy, 212 see [Envoy configuration 213 reference](/docs/connect/configuration.html#envoy-options) 214 215 216 ### Dynamic Upstreams 217 218 If an application requires dynamic dependencies that are only available 219 at runtime, it must currently [natively integrate](/docs/connect/native.html) 220 with Connect. After natively integrating, the HTTP API or 221 [DNS interface](/docs/agent/dns.html#connect-capable-service-lookups) 222 can be used.