From 0a30d51ec7f4597ae322b5a80965dfd11c64ee99 Mon Sep 17 00:00:00 2001 From: boruszak Date: Tue, 28 Mar 2023 15:56:27 -0700 Subject: [PATCH] Tech specs fixes --- .../connect/cluster-peering/tech-specs.mdx | 54 +++++++++++-------- 1 file changed, 32 insertions(+), 22 deletions(-) diff --git a/website/content/docs/connect/cluster-peering/tech-specs.mdx b/website/content/docs/connect/cluster-peering/tech-specs.mdx index c406f73e0f9c..34299dc29475 100644 --- a/website/content/docs/connect/cluster-peering/tech-specs.mdx +++ b/website/content/docs/connect/cluster-peering/tech-specs.mdx 
@@ -13,35 +13,47 @@ For cluster peering requirements in Kubernetes deployments, refer to [cluster pe ## Requirements -To use cluster peering features, make sure your Consul environment meets the following prerequisites: +Consul's default configuration supports cluster peering connections directly between clusters. In production environments, we recommend using mesh gateways to securely route service mesh traffic between partitions with cluster peering connections. + +In addition, make sure your Consul environment meets the following prerequisites: - Consul v1.14 or higher. -- A local Consul agent is required to manage mesh gateway configuration. - Use [Envoy proxies](/consul/docs/connect/proxies/envoy). Envoy is the only proxy with mesh gateway capabilities in Consul. +- A local Consul agent is required to manage mesh gateway configurations. -In addition, the following service mesh components are required in order to establish cluster peering connections: - -- [Cluster peering technical specifications](#cluster-peering-technical-specifications) - - [Requirements](#requirements) - - [Mesh gateway requirements](#mesh-gateway-requirements) - - [Mesh gateway modes](#mesh-gateway-modes) - - [Sidecar proxy requirements](#sidecar-proxy-requirements) - - [Exported service requirements](#exported-service-requirements) - - [ACL requirements](#acl-requirements) +## Mesh gateway specifications -### Mesh gateway requirements +To change Consul's default configuration and enable cluster peering through mesh gateways, use a mesh configuration entry to update your network's service mesh proxies globally: -Mesh gateways are required for routing service mesh traffic between partitions with cluster peering connections. Consider the following general requirements for mesh gateways when using cluster peering: +1. In a `mesh` configuration entry, set `PeerThroughMeshGateways` to `true`: -- A cluster requires a registered mesh gateway in order to export services to peers. 
-- For Enterprise, this mesh gateway must also be registered in the same partition as the exported services and their `exported-services` configuration entry. -- To use the `local` mesh gateway mode, you must register a mesh gateway in the importing cluster. + + + ```hcl + Kind = "mesh" + Peering { + PeerThroughMeshGateways = true + } + ``` -In addition, you must define the `Proxy.Config` settings using opaque parameters compatible with your proxy. Refer to the [Gateway options](/consul/docs/connect/proxies/envoy#gateway-options) and [Escape-hatch Overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) documentation for additional Envoy proxy configuration information. + -#### Mesh gateway modes +1. Write the configuration entry to Consul: -By default, all cluster peering connections use mesh gateways in [remote mode](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters#remote). Be aware of these additional requirements when changing a mesh gateway's mode. + ```shell + $ consul config write mesh-config.hcl + ``` + +When cluster peering through mesh gateways, consider the following deployment requirements: + +- A cluster requires a registered mesh gateway in order to export services to peers in other regions or cloud providers. +- The mesh gateway must also be registered in the same admin partition as the exported services and their `exported-services` configuration entry. An enterprise license is required to use multiple admin partitions with a single cluster of Consul servers. +- To use the `local` mesh gateway mode, you must register a mesh gateway in the importing cluster. +- Define the `Proxy.Config` settings using opaque parameters compatible with your proxy. Refer to the [Gateway options](/consul/docs/connect/proxies/envoy#gateway-options) and [Escape-hatch Overrides](/consul/docs/connect/proxies/envoy#escape-hatch-overrides) documentation for additional Envoy proxy configuration information. 
+ +### Mesh gateway modes + +By default, cluster peering connections use mesh gateways in [remote mode](/consul/docs/connect/gateways/mesh-gateway/service-to-service-traffic-wan-datacenters#remote). Be aware of these additional requirements when changing a mesh gateway's mode. - For mesh gateways that connect peered clusters, you can set the `mode` as either `remote` or `local`. - The `none` mode is invalid for mesh gateways with cluster peering connections. @@ -59,9 +71,7 @@ The Envoy proxies that function as sidecars in your service mesh require configu ## Exported service requirements -The `exported-services` configuration entry is required in order for services to communicate across partitions with cluster peering connections. - -Basic guidance on using the `exported-services` configuration entry is included in [Establish cluster peering connections](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering). +The `exported-services` configuration entry is required in order for services to communicate across partitions with cluster peering connections. Basic guidance on using the `exported-services` configuration entry is included in [Establish cluster peering connections](/consul/docs/k8s/connect/cluster-peering/usage/establish-peering#export-services-between-clusters). Refer to the [`exported-services` configuration entry](/consul/docs/connect/config-entries/exported-services) reference for more information.
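Review bot: In the first hunk (`@@ -13,35 +13,47 @@`) the page now states two different defaults: the new opening sentence says "Consul's default configuration supports cluster peering connections directly between clusters", while the sentence kept under "Mesh gateway modes" still reads "By default, cluster peering connections use mesh gateways in remote mode". Please state which configuration or which kind of traffic each default applies to, so a reader cannot conclude that gateways are already in the path when they are not. The prerequisites list has the same problem: it still lists Envoy and a local agent as unconditional requirements for mesh gateway purposes, although gateways are now described as a production recommendation rather than a requirement. The sentence recommending gateways "to securely route" traffic would be more useful if it said what the direct default exposes, so operators can weigh the risk of leaving it on. Two smaller points: step 2 runs `consul config write mesh-config.hcl`, but step 1 never names the file, so step 1 should say the entry is saved as `mesh-config.hcl`; and renaming the heading "Mesh gateway requirements" to "Mesh gateway specifications" changes its anchor, so inbound links to `#mesh-gateway-requirements` need checking.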
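Review bot: In the second hunk (`@@ -59,9 +71,7 @@`) the merged paragraph keeps the link target under `/consul/docs/k8s/connect/cluster-peering/usage/establish-peering` and only appends `#export-services-between-clusters`, yet this file is the non-Kubernetes tech specs page, and its introduction sends Kubernetes readers to a separate page. Consider pointing this link at the non-Kubernetes usage page instead, or saying in the sentence that the linked guidance is Kubernetes-specific. Please also confirm that the `#export-services-between-clusters` anchor exists on the target page, since nothing in this patch touches that page. Joining the two sentences into one paragraph is fine, but the paragraph now carries two links to `exported-services` material back to back; a short lead such as "For usage guidance, see ..." and "For the full reference, see ..." would make the difference between them clearer.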