Service defaults configuration reference

This topic describes how to configure service defaults configuration entries. The service defaults configuration entry contains common configuration settings for service mesh services, such as upstreams and gateways. Refer to Define service defaults for usage information.

Configuration model

The following list outlines field hierarchy, language-specific data types, requirements, and any applicable default values in service defaults configuration entries. Click on a property name to view additional details.

Kind: string | required
Name: string | required
Namespace: string | default Enterprise
Partition: string | default Enterprise
Meta: map
Protocol: string | tcp
BalanceInboundConnections: string
Mode: string
RateLimits: map | Enterprise
- InstanceLevel: map
  - RequestsPerSecond: number
  - RequestsMaxBurst: number
  - Routes: list maps
    - PathExact: string
    - PathPrefix: string
    - PathRegex: string
    - RequestsPerSecond: number | required
    - RequestsMaxBurst: number
UpstreamConfig: map
- Overrides: map
  - Name: string
  - Namespace: string
  - Peer: string
  - Protocol: string
  - ConnectTimeoutMs: int | 5000
  - MeshGateway: map
    - mode: string
  - BalanceOutboundConnections: string
  - Limits: map
    - MaxConnections: number | 0
    - MaxPendingRequests: number | 0
    - MaxConcurrentRequests: number | 0
  - PassiveHealthCheck: map
    - Interval: string | 0s
    - MaxFailures: number | 0
    - EnforcingConsecutive5xx: number | 0
    - MaxEjectionPercent: number | 0
    - BaseEjectionTime: string | 30s
- Defaults: map
  - Protocol: string
  - ConnectTimeoutMs: int | 5000
  - MeshGateway: map
    - mode: string
  - BalanceOutboundConnections: string
  - Limits: map
    - MaxConnections: number | 0
    - MaxPendingRequests: number | 0
    - MaxConcurrentRequests: number | 0
  - PassiveHealthCheck: map
    - Interval: string | 0s
    - MaxFailures: number | 0
    - EnforcingConsecutive5xx: number | 100
    - MaxEjectionPercent: number | 0
    - BaseEjectionTime: string | 30s
TransparentProxy: map
- OutboundListenerPort: number | 15001
- DialedDirectly: boolean | false
MutualTLSMode: string
EnvoyExtensions: list
- Name: string
- Required: string
- Arguments: map
- ConsulVersion: string
- EnvoyVersion: string
Destination: map
- Addresses: list
- Port: integer | 0
MaxInboundConnections: number | 0
LocalConnectTimeoutMs: number | 0
LocalRequestTimeoutMs: number | 0
MeshGateway: map
- Mode: string
ExternalSNI: string
Expose: map
- Checks: boolean | false
- Paths: list
  - Path: string
  - LocalPathPort: integer | 0
  - ListenerPort: integer | 0
  - Protocol: string | http

apiVersion: string | required | must be set to consul.hashicorp.com/v1alpha1
kind: string
metadata: map
- name: string
- namespace: string | `default`` | Enterprise
spec: map
- protocol: string | tcp
- balanceInboundConnections: string
- mode: string
- rateLimits: map | Enterprise
  - instanceLevel: map
    - requestsPerSecond: number
    - requestsMaxBurst: number
    - routes: list maps
      - pathExact: string
      - pathPrefix: string
      - pathRegex: string
      - requestsPerSecond: number | required
      - requestsMaxBurst: number
- upstreamConfig: map
  - overrides: list
    - name: string
    - namespace: string
    - peer: string
    - protocol: string
    - connectTimeoutMs: number | 5000
    - meshGateway: map
      - mode: string
    - balanceOutboundConnections: string
    - limits: map
      - maxConnections: number | 0
      - maxPendingRequests: number | 0
      - maxConcurrentRequests: number | 0
    - passiveHealthCheck: map
      - interval: string | 0s
      - maxFailures: number | 0
      - enforcingConsecutive5xx: number | 100
      - maxEjectionPercent: number | 10
      - baseEjectionTime: string | 30s
  - defaults: map
    - protocol: string
    - connectTimeoutMs: number | 5000
    - meshGateway: map
      - mode: string
    - balanceOutboundConnections: string
    - limits: map
      - maxConnections: number | 0
      - maxPendingRequests: number | 0
      - maxConcurrentRequests: number | 0
    - passiveHealthCheck: map
      - interval: string | 0s
      - maxFailures: number | 0
      - enforcingConsecutive5xx: number | 100
      - maxEjectionPercent: number | 10
      - baseEjectionTime: string | 30s
- transparentProxy: map
  - outboundListenerPort: number | 15001
  - dialedDirectly: boolean | false
- mutualTLSMode: string
- envoyExtensions: list
  - name: string
  - required: string
  - arguments: map
  - consulVersion: string
  - envoyVersion: string
- destination: map
  - addresses: list
  - port: number | 0
- maxInboundConnections: number | 0
- localConnectTimeoutMs: number | 0
- localRequestTimeoutMs: number | 0
- meshGateway: map
  - mode: string
- externalSNI: string
- expose: map
  - checks: boolean | false
  - paths: list
    - path: string
    - localPathPort: number | 0
    - listenerPort: number | 0
    - protocol: string | http

Complete configuration

When every field is defined, a service-defaults configuration entry has the following form:

Kind      = "service-defaults"
Name      = "<service_name>"
Namespace = "default"
Partition = "default"
Meta = {
  Key = "value"
}
Protocol                  = "tcp"
BalanceInboundConnections = "exact_balance"
Mode                      = "<mode for directing traffic>"
RateLimits = {
  InstanceLevel = {
    RequestsPerSecond = <average number of requests allowed to the service per second>
    RequestsMaxBurst = <max number of concurrent requests allowed to the service>
    Routes = [      # Configure RequestsPerSecond and one route matching parameter for each member of the list
      {
        PathExact = "<limits apply paths that match this value>"
        PathPrefix = "<limits apply to paths starting with this value>"
        PathRegex = "<limits apply to paths that match this expression>"
        RequestsPerSecond = <overrides top-level limit>
        RequestMaxBurst = <overrides top-level limit>
      }
  ]
}
UpstreamConfig = {
  Overrides = {
    Name             = "<name of upstreams to override>"
    Namespace        = "<namespace containing upstreams to override>"
    Peer             = "<peer name of upstream service>"
    Protocol         = "<protocol for requests to upstream services>"
    ConnectTimeoutMs = 5000
    MeshGateway = {
      mode = "<mode for mesh gateway services>"
    }
    BalanceOutboundConnections = "exact_balance"
    Limits = {
      MaxConnections        = 0
      MaxPendingRequests    = 0
      MaxConcurrentRequests = 0
    }
    PassiveHealthCheck = {
      Interval                = "0s"
      MaxFailures             = 0
      EnforcingConsecutive5xx = 100
      MaxEjectionPercent      = 10
      BaseEjectionTime        = "30s"
    }
  }
  Defaults = {
    Protocol         = "<default protocol for upstream traffic>"
    ConnectTimeoutMs = 5000
    MeshGateway = {
      mode = "<default mode for mesh gateway services>"
    }
    BalanceOutboundConnections = "exact_balance"
    Limits = {
      MaxConnections        = 0
      MaxPendingRequests    = 0
      MaxConcurrentRequests = 0
    }
    PassiveHealthCheck = {
      Interval                = "0s"
      MaxFailures             = 0
      EnforcingConsecutive5xx = 100
      MaxEjectionPercent      = 10
      BaseEjectionTime        = "30s"
    }
  }
}
TransparentProxy = {
  OutboundListenerPort = 15001
  DialedDirectly       = false
}
MutualTLSMode = "strict" # only supported when services are in transparent proxy mode
EnvoyExtensions = [
  {
    Name = "<name of the extension>"
    Required = `false`
    Arguments = { <specific to each extension> }
    ConsulVersion = "<Consul version constraint for applying the extension>"
    EnvoyVersion = "<Envoy version constraint for applying the extension>"
  }
]
Destination = {
  Addresses = [
    "<first IP address>",
    "<second IP address>"
  ]
  Port = 0
}
MaxInboundConnections = 0
LocalConnectTimeoutMs = 5000
LocalRequestTimeoutMs = "15s"
MeshGateway = {
  Mode = "<default mode for mesh gateway services>"
}
ExternalSNI = "<SNI server host>"
Expose = {
  Checks = false
  Paths = [
    {
      Path          = "</local/dir>"
      LocalPathPort = 0
      LocalListenerPort = 0
      Protocol      = "http"
    }
  ]
}

apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: <name of the service you are configuring>
  namespace: default
spec:
  protocol: tcp
  balanceInboundConnections: exact_balance
  mode: <mode for directing traffic>
  rateLimits:
    instanceLevel:
      requestsPerSecond: <average number of requests allowed to the service per second>
      requestsMaxBurst: <max number of concurrent requests allowed to the service>
      routes:       # Configure RequestsPerSecond and one route matching parameter for each member of the list
      - pathExact: "<limits apply paths that match this value>"
        pathPrefix: "<limits apply to paths starting with this value>"
        pathRegex: "<limits apply to paths that match this expression>"
        requestsPerSecond: <overrides top-level limit>
        requestMaxBurst: <overrides top-level limit>
  upstreamConfig:
    overrides:
    - name: <name of upstreams to override>
      namespace: <namespace containing upstream>
      peer: <peer name of upstream services>
      protocol: <protocol for the upstream listener>
      connectTimeoutMs: 5000
      meshGateway:
        mode: <mode for mesh gateway services>
      balanceOutboundConnections: exact_balance
      limits:
        maxConnections: 0
        maxPendingRequests: 0
        maxConcurrentRequests: 0
      passiveHealthCheck:
        interval: "0s"
        maxFailures: 0
        enforcingConsecutive5xx: 100
        maxEjectionPercent: 10
        baseEjectionTime: "30s"
    defaults:
      protocol: <default protocol for the upstream listener>
      connectTimeoutMs: 5000
      meshGateway:
        mode: <default mode for mesh gateway services>
      balanceOutboundConnections: exact_balance
      limits:
        maxConnections: 0
        maxPendingRequests: 0
        maxConcurrentRequests: 0
      passiveHealthCheck:
        interval: "0s"
        maxFailures: 0
        enforcingConsecutive5xx: 100
        maxEjectionPercent: 10
        baseEjectionTime: "30s"
  transparentProxy:
    outboundListenerPort: 15001
    dialedDirectly: false
  mutualTLSMode: strict
  envoyExtensions:
  - name: <name of the extension>
    required: false
    arguments:
    - <specific to each extension>
    consulVersion: <Consul version constraint for applying the extension>
    envoyVersion: <Envoy version constraint for applying the extension>
  destination:
    addresses:
    - <first hostname or IP address>
      <second hostname or IP address>
    port:  0
  maxInboundConnections: 0
  meshGateway:
    mode: <default mode for mesh gateway services>
  externalSNI: <name of TLS SNI outside o f the mesh>
  expose:
    checks: false
    paths:
    - path: <HTTP path to expose through Envoy>
      localPathPort: 0
      listenerPort: 0
      protocol: http

{
    "Kind": "ServiceDefaults",
    "Name": "<name of the service you are configuring>",
    "Namespace": "default",
    "Partition": "default",
    "Meta": {
        "<Keys>": "<Values>"
    },
    "Protocol": "tcp",
    "BalanceInboundConnections": "exact_balance",
    "Mode": "<mode for directing traffic>",
  "RateLimits": {
    "InstanceLevel": {
      "RequestsPerSecond": 100,
      "RequestsMaxBurst": 200,
      "Routes": [
        {
          "PathExact": "<limits apply paths that match this value>",
          "PathPrefix": "<limits apply to paths starting with this value>",
          "PathRegex": "<limits apply to paths that match this expression>",
          "RequestsPerSecond":  50,
          "RequestMaxBurst": 100
        }
      ]
    }
  },
    "UpstreamConfig": {
        "Overrides": [{
            "Name": "<name of upstream>",
            "Namespace": "<namespace containing upstream - Consul Enterprise>",
            "Peer": "<peer name of the upstream service>",
            "Protocol": "<protocol for the upstream listener>",
            "ConnectTimeoutMs": 5000,
            "MeshGateway": {
                "Mode": "<mode for mesh gateway services>"
            },
            "BalanceOutboundConnections": "exact_balance",
            "Limits": {
                "MaxConnections": 0,
                "MaxPendingRequests": 0,
                "MaxConcurrentRequests": 0
            },
            "PassiveHealthCheck": {
                "Interval": "0s",
                "MaxFailures": 0,
                "EnforcingConsecutive5xx": 100,
                "MaxEjectionPercent": 10,
                "BaseEjectionTime": "30s"
            }
        }]
    },
    "Defaults": {
        "Protocol": "<protocol for the upstream listener>",
        "ConnectTimeoutMs": 5000,
        "MeshGateway": {
            "Mode": "<mode for mesh gateway services>"
        },
        "BalanceOutboundConnections": "exact_balance",
        "Limits": {
            "MaxConnections": 0,
            "MaxPendingRequests": 0,
            "MaxConcurrentRequests": 0
        },
        "PassiveHealthCheck": {
            "Interval": "0s",
            "MaxFailures": 0,
            "EnforcingConsecutive5xx": 100,
            "MaxEjectionPercent": 10,
            "BaseEjectionTime": "30s"
        }
    },
    "TransparentProxy": {
        "OutboundListenerPort": 15001,
        "DialedDirectly": false
    },
    "MutualTLSMode": "strict",
    "EnvoyExtensions": [{
        "Name": "<name of the extension>",
        "Required": false,
        "Arguments": {
            "<specific to each extension>": "<specific to each extension>"
        },
        "ConsulVersion": "<Consul version constraint for applying the extension>",
        "EnvoyVersion": "<Envoy version constraint for applying the extension>"
    }],
    "Destination": {
        "Addresses": [
            "<first hostname or IP address>",
            "<second hostname or IP address>"
        ],
        "Port": 0
    },
    "MaxInboundConnections": 0,
    "MeshGateway": {
        "Mode": "<mode for mesh gateway services>"
    },
    "ExternalSNI": "<name of TLS SNI outside o f the mesh>",
    "Expose": {
        "Checks": false,
        "Paths": [{
            "Path": "<HTTP path to expose through Envoy>",
            "LocalPathPort": 0,
            "ListenerPort": 0,
            "Protocol": "http"
        }]
    }
}

Specification

This section provides details about the fields you can configure in the service defaults configuration entry.

`Kind`

Specifies the configuration entry type. The value must be set to service-defaults.

Values

Default: none
This field is required.
Data type: String value that must be set to service-defaults.

`Name`

Specifies the name of the service you are setting the defaults for.

Values

Default: none
This field is required.
Data type: String

`Namespace` Enterprise

Specifies the Consul namespace that the configuration entry applies to.

Values

Default: default
Data type: String

`Partition` Enterprise

Specifies the name of the Consul admin partition that the configuration entry applies to. Refer to Admin Partitions for additional information.

Values

Default: default
Data type: String

`Meta`

Specifies a set of custom key-value pairs to add to the Consul KV store.

Values

Default: none
Data type: Map of one or more key-value pairs.
- keys: String
- values: String, integer, or float

`Protocol`

Specifies the default protocol for the service. In service mesh use cases, the protocol configuration is required to enable the following features and components:

You can set the global protocol for proxies in the proxy-defaults configuration entry, but the protocol specified in the service-defaults configuration entry overrides the proxy-defaults configuration.

Values

Default: tcp
You can specify one of the following String values:
- tcp (default)
- http
- http2
- grpc

Refer to Set the default protocol for an example configuration.

`BalanceInboundConnections`

Specifies the strategy for allocating inbound connections to the service across Envoy proxy threads. The only supported value is exact_balance. By default, no connections are balanced. Refer to the Envoy documentation for details.

Values

Default: None
Data type: String

`Mode`

Specifies a mode for how the service directs inbound and outbound traffic.

Default: None
You can specify the following string values:
- direct: The proxy's listeners must be dialed directly by the local application and other proxies.
- transparent: The service captures inbound and outbound traffic and redirects it through the proxy. The mode does not enable the traffic redirection. It instructs Consul to configure Envoy as if traffic is already being redirected.

`RateLimits` Enterprise

Map containing an instance-level configuration for limiting the service's traffic rate.

Values

Default: None
Data type: Map

`RateLimits{}.InstanceLevel`

Map containing a set of request rate limit configurations for instances of the service.

Values

Default: None
Data type: Map

`RateLimits{}.InstanceLevel{}.RequestsPerSecond`

Specifies the average number of requests per second allowed to the service. If the RequestsMaxBurst parameter is set, the number of requests per second to the service can temporarily exceed the limit specified in the RequestsPerSecond up to the value specified in RequestsMaxBurst. Internally, this is the refill rate of the token bucket used for rate limiting.

Values

Default: None
Data type: Integer

`RateLimits{}.InstanceLevel{}.RequestsMaxBurst`

Specifies the maximum number of concurrent requests momentarily allowed to the service. When the limit is reached, Consul blocks additional requests. You must specify a value equal to or greater than the RequestsPerSecond parameter. If unspecified, this parameter defaults to RequestsPerSecond. Internally, this is the maximum size of the token bucket used for rate limiting.

Values

Default: None
Data type: Integer

`RateLimits{}.InstanceLevel{}.Routes`

Specifies a list of rate limiting configurations to apply to specific routes to the service. Each member of the Routes list must configure the RequestsPerSecond parameter and one of the following route-matching parameters:

Consul applies the rate limit configuration to the first matching route for each request. Refer to Examples for example configurations.

Values

Default: None
Data type: Map

The following table describes the parameters you can specify in the Routes map:

Parameter	Description	Data type	Default
`PathExact`	Specifies the exact path to match on the request path. When using this field, do not configure `PathPrefix` or `PathRegex` in the same `Routes` map.	String	None
`PathPrefix`	Specifies the path prefix to match on the request path. When using this field, do not configure `PathExact` or `PathRegex` in the same `Routes` map.	String	None
`PathRegex`	Specifies a regular expression to match on the request path. When using this field, do not configure `PathExact` or `PathPrefix` in the same `Routes` map. The syntax is proxy-specific. When using Envoy, refer to the documentation for Envoy v1.11.2 or newer or the documentation for Envoy v1.11.1 or older, depending on the version of Envoy you use.	String	None
`RequestsPerSecond`	Specifies the average number of requests per second allowed to the service. Overrides the `RequestsPerSecond` parameter specified for the service.	Integer	None
`RequestsMaxBurst`	Specifies the maximum number of concurrent requests temporarily allowed to the service. When the limit is reached, Consul blocks additional requests. You must specify a value equal to or greater than the `Routes.RequestsPerSecond` parameter. Overrides the `RequestsMaxBurst` parameter specified for the service.	Integer	None

`UpstreamConfig`

Controls default upstream connection settings and custom overrides for individual upstream services. If your network contains federated datacenters, individual upstream configurations apply to all pairs of source and upstream destination services in the network. Refer to the following fields for details:

Values

Default: None
Data type: Map

`UpstreamConfig.Overrides[]`

Specifies options that override the default upstream configurations for individual upstreams.

Values

Default: None
Data type: List

`UpstreamConfig.Overrides[].Name`

Specifies the name of the upstream service that the configuration applies to. We recommend that you do not use the * wildcard to avoid applying the configuration to unintended upstreams.

Values

Default: None
Data type: String

`UpstreamConfig.Overrides[].Namespace` Enterprise

Specifies the namespace containing the upstream service that the configuration applies to. Do not use the * wildcard to prevent the configuration from applying to unintended upstreams.

Values

Default: None
Data type: String

`UpstreamConfig.Overrides[].Peer`

Specifies the peer name of the upstream service that the configuration applies to. The * wildcard is not supported.

Values

Default: None
Data type: String

`UpstreamConfig.Overrides[].Protocol`

Specifies the protocol to use for requests to the upstream listener.

We recommend configuring the protocol in the main Protocol field of the configuration entry so that you can leverage L7 features. Setting the protocol in an upstream configuration limits L7 management functionality.

Values

Default: None
Data type: String

`UpstreamConfig.Overrides[].ConnectTimeoutMs`

Specifies how long in milliseconds that the service should attempt to establish an upstream connection before timing out.

We recommend configuring the upstream timeout in the connection_timeout field of the service-resolver configuration entry for the upstream destination service. Doing so enables you to leverage L7 features. Configuring the timeout in the service-defaults upstream configuration limits L7 management functionality.

Values

Default: 5000
Data type: Integer

`UpstreamConfig.Overrides[].MeshGateway`

Map that contains the default mesh gateway mode field for the upstream. Refer to Service Mesh Proxy Configuration in the mesh gateway documentation for additional information.

Values

Default: none
You can specify the following string values for the mode field:
- none: The service does not make outbound connections through a mesh gateway. Instead, the service makes outbound connections directly to the destination services.
- local: The service mesh proxy makes an outbound connection to a gateway running in the same datacenter.
- remote: The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.

`UpstreamConfig.Overrides[].BalanceOutboundConnections`

Sets the strategy for allocating outbound connections from the upstream across Envoy proxy threads.

Values

The only supported value is exact_balance. By default, no connections are balanced. Refer to the Envoy documentation for details.

Default: None
Data type: String

`UpstreamConfig.Overrides[].Limits`

Map that specifies a set of limits to apply to when connecting to individual upstream services.

Values

The following table describes limits you can configure:

Limit	Description	Data type	Default
`MaxConnections`	Specifies the maximum number of connections a service instance can establish against the upstream. Define this limit for HTTP/1.1 traffic.	Integer	`0`
`MaxPendingRequests`	Specifies the maximum number of requests that are queued while waiting for a connection to establish. An L7 protocol must be defined in the `protocol` field for this limit to take effect.	Integer	`0`
`MaxConcurrentRequests`	Specifies the maximum number of concurrent requests. Define this limit for HTTP/2 traffic. An L7 protocol must be defined in the `protocol` field for this limit to take effect.	Integer	`0`

Refer to the upstream configuration example for additional guidance.

`UpstreamConfig.Overrides[].PassiveHealthCheck`

Map that specifies a set of rules that enable Consul to remove hosts from the upstream cluster that are unreachable or that return errors.

Values

The following table describes passive health check parameters you can configure:

Limit	Description	Data type	Default
`Interval`	Specifies the time between checks.	String	`0s`
`MaxFailures`	Specifies the number of consecutive failures allowed per check interval. If exceeded, Consul removes the host from the load balancer.	Integer	`0`
`EnforcingConsecutive5xx`	Specifies a percentage that indicates how many times out of 100 that Consul ejects the host when it detects an outlier status. The outlier status is determined by consecutive errors in the 500-599 response range.	Integer	`100`
`MaxEjectionPercent`	Specifies the maximum percentage of an upstream cluster that Consul ejects when the proxy reports an outlier. Consul ejects at least one host when an outlier is detected regardless of the value.	Integer	`10`
`BaseEjectionTime`	Specifies the minimum amount of time that an ejected host must remain outside the cluster before rejoining. The real time is equal to the value of the `BaseEjectionTime` multiplied by the number of times the host has been ejected.	String	`30s`

`UpstreamConfig.Defaults`

Specifies configurations that set default upstream settings. For information about overriding the default configurations for in for individual upstreams, refer to UpstreamConfig.Overrides.

Values

Default: None
Data type: Map

`UpstreamConfig.Defaults.Protocol`

Specifies default protocol for upstream listeners.

Default: None
Data type: String

`UpstreamConfig.Defaults.ConnectTimeoutMs`

Specifies how long in milliseconds that all services should continue attempting to establish an upstream connection before timing out.

For non-Kubernetes environments, we recommend configuring the upstream timeout in the connection_timeout field of the service-resolver configuration entry for the upstream destination service. Doing so enables you to leverage L7 features. Configuring the timeout in the service-defaults upstream configuration limits L7 management functionality.

Default: 5000
Data type: Integer

`UpstreamConfig.Defaults.MeshGateway`

Specifies the default mesh gateway mode field for all upstreams. Refer to Service Mesh Proxy Configuration in the mesh gateway documentation for additional information.

You can specify the following string values for the mode field:

None: The service does not make outbound connections through a mesh gateway. Instead, the service makes outbound connections directly to the destination services.
local: The service mesh proxy makes an outbound connection to a gateway running in the same datacenter.
remote: The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.

`UpstreamConfig.Defaults.BalanceOutboundConnections`

Sets the strategy for allocating outbound connections from upstreams across Envoy proxy threads. The only supported value is exact_balance. By default, no connections are balanced. Refer to the Envoy documentation for details.

Default: None
Data type: String

`UpstreamConfig.Defaults.Limits`

Map that specifies a set of limits to apply to when connecting upstream services. The following table describes limits you can configure:

Limit	Description	Data type	Default
`MaxConnections`	Specifies the maximum number of connections a service instance can establish against the upstream. Define this limit for HTTP/1.1 traffic.	Integer	`0`
`MaxPendingRequests`	Specifies the maximum number of requests that are queued while waiting for a connection to establish. An L7 protocol must be defined in the `protocol` field for this limit to take effect.	Integer	`0`
`MaxConcurrentRequests`	Specifies the maximum number of concurrent requests. Define this limit for HTTP/2 traffic. An L7 protocol must be defined in the `protocol` field for this limit to take effect.	Integer	`0`

`UpstreamConfig.Defaults.PassiveHealthCheck`

Map that specifies a set of rules that enable Consul to remove hosts from the upstream cluster that are unreachable or that return errors. The following table describes the health check parameters you can configure:

Limit	Description	Data type	Default
`Interval`	Specifies the time between checks.	String	`0s`
`MaxFailures`	Specifies the number of consecutive failures allowed per check interval. If exceeded, Consul removes the host from the load balancer.	Integer	`0`
`EnforcingConsecutive5xx`	Specifies a percentage that indicates how many times out of 100 that Consul ejects the host when it detects an outlier status. The outlier status is determined by consecutive errors in the 500-599 response range.	Integer	`100`
`MaxEjectionPercent`	Specifies the maximum percentage of an upstream cluster that Consul ejects when the proxy reports an outlier. Consul ejects at least one host when an outlier is detected regardless of the value.	Integer	`10`
`BaseEjectionTime`	Specifies the minimum amount of time that an ejected host must remain outside the cluster before rejoining. The real time is equal to the value of the `BaseEjectionTime` multiplied by the number of times the host has been ejected.	String	`30s`

`TransparentProxy`

Controls configurations specific to proxies in transparent mode. Refer to Transparent Proxy Mode for additional information.

You can configure the following parameters in the TransparentProxy block:

Parameter	Description	Data type	Default
`OutboundListenerPort`	Specifies the port that the proxy listens on for outbound traffic. This must be the same port number where outbound application traffic is redirected.	Integer	`15001`
`DialedDirectly`	Enables transparent proxies to dial the proxy instance's IP address directly when set to `true`. Transparent proxies commonly dial upstreams at the `"virtual"` tagged address, which load balances across instances. Dialing individual instances can be helpful for stateful services, such as a database cluster with a leader.	Boolean	`false`

`MutualTLSMode`

Controls whether mutual TLS is required for incoming connections to this service. This setting is only supported for services with transparent proxy enabled. We recommend only using permissive mode if necessary while onboarding services to the service mesh.

You can specify the following string values for the MutualTLSMode field:

"": When this field is empty, the value is inherited from the proxy-defaults config entry.
strict: The sidecar proxy requires mutual TLS for incoming traffic.
permissive: The sidecar proxy accepts mutual TLS traffic on the sidecar proxy service port, and accepts any traffic on the destination service's port.

`EnvoyExtensions`

List of extensions to modify Envoy proxy configuration. Refer to Envoy Extensions for additional information.

The following table describes how to configure values in the EnvoyExtensions map:

Parameter	Description	Data type	Default
`Name`	Specifies the name of the extension.	String	None
`Required`	Specify `true` to require the extension to apply successfully. Use this parameter to ensure that extensions required for secure communication are not unintentionally bypassed. When Envoy fails to apply a required extension, Consul logs an error and skips all extensions, leaving xDS resources unchanged.	String	None
`Arguments`	Specifies the arguments to pass to the extension. Refer to the documentation for the extension you want to implement for additional information.	Map	None
`ConsulVersion`	Specifies the Consul version constraint for the extension. Consul validates the version constraint against the runtime version during xDS updates. If a non-matching version is in use, Consul logs and skips the extension. Use this parameter to avoid upgrade issues when a configured extension is not compatible with a new version of Consul.	String	None
`EnvoyVersion`	Specifies the Envoy version constraint for the extension. Consul validates the version constraint against the version of the running Envoy proxy during xDS updates. If a non-matching version is in use, Consul logs and skips the extension. Use this parameter to avoid upgrade issues when a configured extension is not compatible with a new version of Envoy.	String	None

`Destination{}`

Configures the destination for service traffic through terminating gateways. Refer to Terminating Gateway for additional information.

To use the Destination block, proxy services must be in transparent proxy mode. Refer to Enable transparent proxy mode for additional information.

You can configure the following parameters in the Destination block:

Parameter	Description	Data type	Default
`Addresses`	Specifies a list of addresses for the destination. You can configure a list of hostnames and IP addresses. Wildcards are not supported.	List	None
`Port`	Specifies the port number of the destination.	Integer	`0`

`MaxInboundConnections`

Specifies the maximum number of concurrent inbound connections to each service instance.

Default: 0
Data type: Integer

`LocalConnectTimeoutMs`

Specifies the number of milliseconds allowed for establishing connections to the local application instance before timing out.

Default: 5000
Data type: Integer

`LocalRequestTimeoutMs`

Specifies the timeout for HTTP requests to the local application instance. Applies to HTTP-based protocols only. If not specified, inherits the Envoy default for route timeouts.

Default: Inherits 15s from Envoy as the default
Data type: String

`MeshGateway`

Specifies the default mesh gateway mode field for the service. Refer to Service Mesh Proxy Configuration in the mesh gateway documentation for additional information.

You can specify the following string values for the mode field:

none: The service does not make outbound connections through a mesh gateway. Instead, the service makes outbound connections directly to the destination services.
local: The service mesh proxy makes an outbound connection to a gateway running in the same datacenter.
remote: The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.

`ExternalSNI`

Specifies the TLS server name indication (SNI) when federating with an external system.

Default: None
Data type: String

`Expose`

Specifies default configurations for exposing HTTP paths through Envoy. Exposing paths through Envoy enables services to listen on localhost only. Applications that are not Consul service mesh-enabled can still contact an HTTP endpoint. Refer to Expose Paths Configuration Reference for additional information and example configurations.

Default: None
Data type: Map

`Expose.Checks`

Exposes all HTTP and gRPC checks registered with the agent if set to true. Envoy exposes listeners for the checks and only accepts connections originating from localhost or Consul's advertise_addr. The ports for the listeners are dynamically allocated from the agent's expose_min_port and expose_max_port configurations.

We recommend enabling the Checks configuration when a Consul client cannot reach registered services over localhost, such as when Consul agents run in their own pods in Kubernetes.

Default: false
Data type: Boolean

`Expose.Paths[]`

Specifies a list of configuration maps that define paths to expose through Envoy when Expose.Checks is set to true. You can configure the following parameters for each map in the list:

Parameter	Description	Data type	Default
`Path`	Specifies the HTTP path to expose. You must prepend the path with a forward slash (`/`).	String	None
`LocalPathPort`	Specifies the port where the local service listens for connections to the path.	Integer	`0`
`ListenPort`	Specifies the port where the proxy listens for connections. The port must be available. If the port is unavailable, Envoy does not expose a listener for the path and the proxy registration still succeeds.	Integer	`0`
`Protocol`	Specifies the protocol of the listener. You can configure one of the following values: `http` `http2`: Use with gRPC traffic	Integer	`http`

`apiVersion`

Specifies the version of the Consul API for integrating with Kubernetes. The value must be consul.hashicorp.com/v1alpha1. The apiVersion field is not supported for non-Kubernetes deployments.

Default: None
This field is required.
String value that must be set to consul.hashicorp.com/v1alpha1.

`kind`

Specifies the configuration entry type. Must be ServiceDefaults.

Required: required
String value that must be set to ServiceDefaults.

`metadata`

Map that contains the service name, namespace, and admin partition that the configuration entry applies to.

Values

Default: None
Map containing the following strings:

`metadata.name`

Specifies the name of the service you are setting the defaults for.

Values

Default: None
This field is required
Data type: String

`metadata.namespace` Enterprise

Specifies the Consul namespace that the configuration entry applies to. Refer to Consul Enterprise for information about how Consul namespaces map to Kubernetes Namespaces. Consul Community Edition (Consul CE) ignores the metadata.namespace configuration.

Default: default
Data type: String

`spec`

Map that contains the details about the ServiceDefaults configuration entry. The apiVersion, kind, and metadata fields are siblings of the spec field. All other configurations are children.

`spec.protocol`

Specifies the default protocol for the service. In service service mesh use cases, the protocol configuration is required to enable the following features and components:

You can set the global protocol for proxies in the ProxyDefaults configuration entry, but the protocol specified in the ServiceDefaults configuration entry overrides the ProxyDefaults configuration.

Values

Default: tcp
You can specify one of the following string values:

Refer to Set the default protocol for an example configuration.

`spec.balanceInboundConnections`

Values

Default: None
Data type: String

`spec.mode`

Specifies a mode for how the service directs inbound and outbound traffic.

Values

Default: None
Required: optional
You can specified the following string values:
direct: The proxy's listeners must be dialed directly by the local application and other proxies.
transparent: The service captures inbound and outbound traffic and redirects it through the proxy. The mode does not enable the traffic redirection. It instructs Consul to configure Envoy as if traffic is already being redirected.

`spec.rateLimits` Enterprise

Map containing an instance-level configuration for limiting the service's traffic rate.

Values

Default: None
Data type: Map

`spec.rateLimits{}.instanceLevel`

Map containing a set of request rate limit configurations for instances of the service.

Values

Default: None
Data type: Map

`spec.rateLimits{}.instanceLevel{}.requestsPerSecond`

Specifies the average number of requests per second allowed to the service. If the requestsMaxBurst parameter is set, the number of requests per second to the service can temporarily exceed the limit specified in the requestsPerSecond up to the value specified in requestsMaxBurst. Internally, this is the refill rate of the token bucket used for rate limiting.

Values

Default: None
Data type: Integer

`spec.rateLimits{}.instanceLevel{}.requestsMaxBurst`

Specifies the maximum number of concurrent requests momentarily allowed to the service. When the limit is reached, Consul blocks additional requests. You must specify a value equal to or greater than the requestsPerSecond parameter. If unspecified, this parameter defaults to requestsPerSecond. Internally, this is the maximum size of the token bucket used for rate limiting.

Values

Default: None
Data type: Integer

`spec.rateLimits{}.instanceLevel{}.routes`

Specifies a list of rate limiting configurations to apply to specific routes to the service. Each member of the routes list must configure the requestsPerSecond parameter and one of the following route-matching parameters:

Refer to Examples for example configurations.

Values

Default: None
Data type: Map

The following table describes the parameters you can specify in the routes map:

Parameter	Description	Data type	Default
`pathExact`	Specifies the exact path to match on the request path. When using this field, do not configure `pathPrefix` or `pathRegex` in the same `routes` map.	String	None
`pathPrefix`	Specifies the path prefix to match on the request path. When using this field, do not configure `pathExact` or `pathRegex` in the same `routes` map.	String	None
`pathRegex`	Specifies a regular expression to match on the request path. When using this field, do not configure `pathExact` or `pathPrefix` in the same `routes` map. The syntax is proxy-specific. When using Envoy, refer to the documentation for Envoy v1.11.2 or newer or the documentation for Envoy v1.11.1 or older, depending on the version of Envoy you use.	String	None
`requestsPerSecond`	Specifies the average number of requests per second allowed to the service. Overrides the `requestsPerSecond` parameter specified for the service.	Integer	None
`requestsMaxBurst`	Specifies the maximum number of concurrent requests temporarily allowed to the service. When the limit is reached, Consul blocks additional requests. You must specify a value equal to or greater than the `routes.requestsPerSecond` parameter. Overrides the `requestsMaxBurst` parameter specified for the service.	Integer	None

`spec.upstreamConfig`

Specifies a map that controls default upstream connection settings and custom overrides for individual upstream services. If your network contains federated datacenters, individual upstream configurations apply to all pairs of source and upstream destination services in the network.

Values

Default: None
Map that contains the following configurations:
- UpstreamConfig.Overrides
- UpstreamConfig.Defaults

`spec.upstreamConfig.overrides[]`

Specifies options that override the default upstream configurations for individual upstreams.

Values

Default: None
Data type: List

`spec.upstreamConfig.overrides[].name`

Specifies the name of the upstream service that the configuration applies to. Do not use the * wildcard to prevent the configuration from applying to unintended upstreams.

Values

Default: None
Data type: String

`spec.upstreamConfig.overrides[].namespace` Enterprise

Specifies the namespace containing the upstream service that the configuration applies to. Do not use the * wildcard to prevent the configuration from applying to unintended upstreams.

Values

Default: None
Data type: String

`spec.upstreamConfig.overrides[].peer`

Specifies the peer name of the upstream service that the configuration applies to. The * wildcard is not supported.

Values

Default: None
Data type: String

`spec.upstreamConfig.overrides[].protocol`

Specifies the protocol to use for requests to the upstream listener. We recommend configuring the protocol in the main protocol field of the configuration entry so that you can leverage L7 features. Setting the protocol in an upstream configuration limits L7 management functionality.

Values

Default: inherits the main protocol configuration
Data type: String

`spec.upstreamConfig.overrides[].connectTimeoutMs`

Specifies how long in milliseconds that the service should attempt to establish an upstream connection before timing out.

We recommend configuring the upstream timeout in the connectTimeout field of the ServiceResolver CRD for the upstream destination service. Doing so enables you to leverage L7 features. Configuring the timeout in the ServiceDefaults upstream configuration limits L7 management functionality.

Values

Default: 5000
Data type: Integer

`spec.upstreamConfig.overrides[].meshGateway.mode`

Map that contains the default mesh gateway mode field for the upstream. Refer to Connect Proxy Configuration in the mesh gateway documentation for additional information.

Values

You can specify the following string values for the mode field:

none: The service does not make outbound connections through a mesh gateway. Instead, the service makes outbound connections directly to the destination services.
local: The service mesh proxy makes an outbound connection to a gateway running in the same datacenter.
remote: The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.

`spec.upstreamConfig.overrides[].balanceInboundConnections`

Sets the strategy for allocating outbound connections from the upstream across Envoy proxy threads. The only supported value is exact_balance. By default, no connections are balanced. Refer to the Envoy documentation for details.

Values

Default: None
Data type: String

`spec.upstreamConfig.overrides[].limits`

Map that specifies a set of limits to apply to when connecting to individual upstream services.

Values

The following table describes limits you can configure:

Limit	Description	Data type	Default
`maxConnections`	Specifies the maximum number of connections a service instance can establish against the upstream. Define this limit for HTTP/1.1 traffic.	Integer	`0`
`maxPendingRequests`	Specifies the maximum number of requests that are queued while waiting for a connection to establish. An L7 protocol must be defined in the `protocol` field for this limit to take effect.	Integer	`0`
`maxConcurrentRequests`	Specifies the maximum number of concurrent requests. Define this limit for HTTP/2 traffic. An L7 protocol must be defined in the `protocol` field for this limit to take effect.	Integer	`0`

`spec.upstreamConfig.overrides[].passiveHealthCheck`

Map that specifies a set of rules that enable Consul to remove hosts from the upstream cluster that are unreachable or that return errors.

Values

The following table describes passive health check parameters you can configure:

Limit	Description	Data type	Default
`interval`	Specifies the time between checks.	String	`0s`
`maxFailures`	Specifies the number of consecutive failures allowed per check interval. If exceeded, Consul removes the host from the load balancer.	Integer	`0`
`enforcingConsecutive5xx`	Specifies a percentage that indicates how many times out of 100 that Consul ejects the host when it detects an outlier status. The outlier status is determined by consecutive errors in the 500-599 response range.	Integer	`100`
`maxEjectionPercent`	The maximum % of an upstream cluster that can be ejected due to outlier detection. Defaults to 10% but will eject at least one host regardless of the value.	Integer	`10`
`baseEjectionTime`	The base time that a host is ejected for. The real time is equal to the base time multiplied by the number of times the host has been ejected and is capped by max_ejection_time (Default 300s). Defaults to 30000ms or 30s.	String	`30s`

`spec.upstreamConfig.defaults`

Map of configurations that set default upstream configurations for the service. For information about overriding the default configurations for in for individual upstreams, refer to spec.upstreamConfig.overrides.

Values

Default: None
Data type: List

`spec.upstreamConfig.defaults.protocol`

Specifies default protocol for upstream listeners. We recommend configuring the protocol in the main Protocol field of the configuration entry so that you can leverage L7 features. Setting the protocol in an upstream configuration limits L7 management functionality.

Values

Default: None
Data type: String

`spec.upstreamConfig.default.connectTimeoutMs`

Specifies how long in milliseconds that all services should continue attempting to establish an upstream connection before timing out.

We recommend configuring the upstream timeout in the connectTimeout field of the ServiceResolver CRD for upstream destination services. Doing so enables you to leverage L7 features. Configuring the timeout in the ServiceDefaults upstream configuration limits L7 management functionality.

Values

Default: 5000
Data type: Integer

`spec.upstreamConfig.defaults.meshGateway.mode`

Specifies the default mesh gateway mode field for all upstreams. Refer to Service Mesh Proxy Configuration in the mesh gateway documentation for additional information.

Values

You can specify the following string values for the mode field:

none: The service does not make outbound connections through a mesh gateway. Instead, the service makes outbound connections directly to the destination services.
local: The service mesh proxy makes an outbound connection to a gateway running in the same datacenter.
remote: The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.

`spec.upstreamConfig.defaults.balanceInboundConnections`

Values

Default: None
Data type: String

`spec.upstreamConfig.defaults.limits`

Map that specifies a set of limits to apply to when connecting upstream services.

Values

The following table describes limits you can configure:

Limit	Description	Data type	Default
`maxConnections`	Specifies the maximum number of connections a service instance can establish against the upstream. Define this limit for HTTP/1.1 traffic.	Integer	`0`
`maxPendingRequests`	Specifies the maximum number of requests that are queued while waiting for a connection to establish. An L7 protocol must be defined in the `protocol` field for this limit to take effect.	Integer	`0`
`maxConcurrentRequests`	Specifies the maximum number of concurrent requests. Define this limit for HTTP/2 traffic. An L7 protocol must be defined in the `protocol` field for this limit to take effect.	Integer	`0`

`spec.upstreamConfig.defaults.passiveHealthCheck`

Map that specifies a set of rules that enable Consul to remove hosts from the upstream cluster that are unreachable or that return errors.

Values

The following table describes the health check parameters you can configure:

Limit	Description	Data type	Default
`interval`	Specifies the time between checks.	String	`0s`
`maxFailures`	Specifies the number of consecutive failures allowed per check interval. If exceeded, Consul removes the host from the load balancer.	Integer	`0`
`enforcingConsecutive5xx`	Specifies a percentage that indicates how many times out of 100 that Consul ejects the host when it detects an outlier status. The outlier status is determined by consecutive errors in the 500-599 response range.	Integer	`100`
`MaxEjectionPercent`	Specifies the maximum percentage of an upstream cluster that Consul ejects when the proxy reports an outlier. Consul ejects at least one host when an outlier is detected regardless of the value.	Integer	`10`
`BaseEjectionTime`	Specifies the minimum amount of time that an ejected host must remain outside the cluster before rejoining. The real time is equal to the value of the `BaseEjectionTime` multiplied by the number of times the host has been ejected.	String	`30s`

`spec.transparentProxy`

Map of configurations specific to proxies in transparent mode. Refer to Transparent Proxy for additional information.

Values

You can configure the following parameters in the TransparentProxy block:

Parameter	Description	Data type	Default
`outboundListenerPort`	Specifies the port that the proxy listens on for outbound traffic. This must be the same port number where outbound application traffic is redirected.	Integer	`15001`
`dialedDirectly`	Enables transparent proxies to dial the proxy instance's IP address directly when set to `true`. Transparent proxies commonly dial upstreams at the `"virtual"` tagged address, which load balances across instances. Dialing individual instances can be helpful for stateful services, such as a database cluster with a leader.	Boolean	`false`

`spec.mutualTLSMode`

Values

You can specify the following string values for the MutualTLSMode field:

"": When this field is empty, the value is inherited from the proxy-defaults config entry.
strict: The sidecar proxy requires mutual TLS for incoming traffic.
permissive: The sidecar proxy accepts mutual TLS traffic on the sidecar proxy service port, and accepts any traffic on the destination service's port.

`spec.envoyExtensions`

List of extensions to modify Envoy proxy configuration. Refer to Envoy Extensions for additional information.

Values

The following table describes how to configure values in the envoyExtensions map:

Parameter	Description	Data type	Default
`name`	Specifies the name of the extension.	String	None
`required`	Specify `true` to require the extension to apply successfully. Use this parameter to ensure that extensions required for secure communication are not unintentionally bypassed. When Envoy fails to apply a required extension, Consul logs an error and skips all extensions, leaving xDS resources unchanged.	String	None
`arguments`	Specifies the arguments to pass to the extension. Refer to the documentation for the extension for additional information.	Map	None
`consulVersion`	Specifies the Consul version constraint for the extension. Consul validates the version constraint against the runtime version during xDS updates. If a non-matching version is in use, Consul logs and skips the extension. Use this parameter to avoid upgrade issues when a configured extension is not compatible with a new version of Consul.	String	None
`envoyVersion`	Specifies the Envoy version constraint for the extension. Consul validates the version constraint against the version of the running Envoy proxy during xDS updates. If a non-matching version is in use, Consul logs and skips the extension. Use this parameter to avoid upgrade issues when a configured extension is not compatible with a new version of Envoy.	String	None

`spec.destination`

Map of configurations that specify one or more destinations for service traffic routed through terminating gateways. Refer to Terminating Gateway for additional information.

To use the destination block, proxy services must be in transparent proxy mode. Refer to Enable transparent proxy mode for additional information.

Values

You can configure the following parameters in the destination block:

Parameter	Description	Data type	Default
`addresses`	Specifies a list of addresses for the destination. You can configure a list of hostnames and IP addresses. Wildcards are not supported.	List	None
`port`	Specifies the port number of the destination.	Integer	`0`

`spec.maxInboundConnections`

Specifies the maximum number of concurrent inbound connections to each service instance.

Values

Default: 0
Data type: Integer

`spec.localConnectTimeoutMs`

Specifies the number of milliseconds allowed for establishing connections to the local application instance before timing out.

Values

Default: 5000
Data type: Integer

`spec.localRequestTimeoutMs`

Specifies the timeout for HTTP requests to the local application instance. Applies to HTTP-based protocols only. If not specified, inherits the Envoy default for route timeouts.

Values

Default of 15s is inherited from Envoy
Data type: String

`spec.meshGateway.mode`

Specifies the default mesh gateway mode field for the service. Refer to Service Mesh Proxy Configuration in the mesh gateway documentation for additional information.

Values

You can specify the following string values for the mode field:

none: The service does not make outbound connections through a mesh gateway. Instead, the service makes outbound connections directly to the destination services.
local: The service mesh proxy makes an outbound connection to a gateway running in the same datacenter.
remote: The service mesh proxy makes an outbound connection to a gateway running in the destination datacenter.

`spec.externalSNI`

Specifies the TLS server name indication (SNI) when federating with an external system.

Values

Default: None
Data type: String

`spec.expose`

Values

Default: None
Data type: String

`spec.expose.checks`

We recommend enabling the Checks configuration when a Consul client cannot reach registered services over localhost, such as when Consul agents run in their own pods in Kubernetes.

Values

Default: false
Data type: Boolean

`spec.expose.paths[]`

Specifies an list of maps that define paths to expose through Envoy when spec.expose.checks is set to true.

Values

The following table describes the parameters for each map:

Parameter	Description	Data type	Default
`path`	Specifies the HTTP path to expose. You must prepend the path with a forward slash (`/`).	String	None
`localPathPort`	Specifies the port where the local service listens for connections to the path.	Integer	`0`
`listenPort`	Specifies the port where the proxy listens for connections. The port must be available. If the port is unavailable, Envoy does not expose a listener for the path and the proxy registration still succeeds.	Integer	`0`
`protocol`	Specifies the protocol of the listener. You can configure one of the following values: `http` `http2`: Use with gRPC traffic	Integer	`http`

Example configurations

The following examples describe common service-defaults configurations.

Set the default protocol

In the following example, protocol for the web service in the default namespace is set to http:

Kind      = "service-defaults"
Name      = "web"
Namespace = "default"
Protocol  = "http"

You can also set the global default protocol for all proxies in the proxy-defaults configuration entry, but the protocol specified for individual service instances in the service-defaults configuration entry takes precedence over the globally-configured value set in the proxy-defaults.

Upstream configuration

The following example sets default connection limits and mesh gateway mode across all upstreams of the dashboard service. It also overrides the mesh gateway mode used when dialing its counting upstream service.

Kind = "service-defaults"
Name = "dashboard"

UpstreamConfig = {
  Defaults = {
    MeshGateway = {
      Mode = "local"
    }
    Limits = {
      MaxConnections = 512
      MaxPendingRequests = 512
      MaxConcurrentRequests = 512
    }
  }

  Overrides = [
    {
      Name = "counting"
      MeshGateway = {
        Mode = "remote"
      }
    }
  ]
}

The following example configures the default connection limits and mesh gateway mode for all of the counting service's upstreams. It also overrides the mesh gateway mode used when dialing the dashboard service in the frontend namespace.

Kind = "service-defaults"
Name = "dashboard"
Namespace = "product"

UpstreamConfig = {
  Defaults = {
    MeshGateway = {
      Mode = "local"
    }
    Limits = {
      MaxConnections = 512
      MaxPendingRequests = 512
      MaxConcurrentRequests = 512
    }
  }

  Overrides = [
    {
      Name = "counting"
      Namespace = "backend"
      MeshGateway = {
        Mode = "remote"
      }
    }
  ]
}

Terminating gateway destination

The following examples creates a default destination assigned to a terminating gateway. A destination represents a location outside the Consul cluster. Services can dial destinations dialed directly when transparent proxy mode is enabled. Proxy services must be in transparent proxy mode to configure destinations. Refer to Enable transparent proxy mode for additional information.

Kind = "service-defaults"
Name = "test-destination"
Protocol = "tcp"
Destination {
  Addresses = ["test.com","test.org"]
  Port = 443
}

Enable request rate limit for a service on all paths Enterprise

The following example configures the default behavior for a service named billing. This configuration limits each instance of the billing service to an average of 1000 requests per second, but allows the service to accept up to 1500 concurrent requests.

Kind = "service-defaults"
Name = "billing"
Protocol = "http"

RateLimit {
  InstanceLevel {
    RequestsPerSecond = 1000
    RequestsMaxBurst = 1500
  }
}

Enable request rate limit on a prefixed path Enterprise

The following example limits the request rate on all paths to service-foo to an average of 1000 requests per second but allows up to 1500 temporary concurrent requests. Request paths that begin with /admin, however, are limited to 20 requests per second.

Kind = "service-defaults"
Name = "service-foo"
Protocol = "http"

RateLimit {
  InstanceLevel {
    RequestsPerSecond = 1000
    RequestsMaxBurst = 1500

    Routes = [
      {
         PathPrefix = "/admin"
         RequestsPerSecond = 20
      }
    ]
  }
}

Enable request rate limits on multiple paths Enterprise

The following example configures the default behavior for a service named billing. This configuration limits each instance of the billing service depending on the path it received the request on. The service is limited to an average of 500 requests when the request is made on an HTTP path with the /api prefix. When an instance of the billing service receives a request from the /login path, it is limited to an average of 100 requests per second and 500 concurrent connections.

Kind = "service-defaults"
Name = "billing"
Protocol = "http"

RateLimit {
  InstanceLevel {
    Routes = [
      {
         PathPrefix = "/api"
         RequestsPerSecond = 500
      },
      {
         PathPrefix = "/login"
         RequestsPerSecond = 100
         RequestsMaxBurst = 500
      }
    ]
  }
}

Service defaults configuration reference

Configuration model

Complete configuration

Specification

Kind

Values

Name

Values

Namespace EnterpriseEnterprise

Values

Partition EnterpriseEnterprise

Values

Meta

Values

Protocol

Values

BalanceInboundConnections

Values

Mode

RateLimits EnterpriseEnterprise

Values

RateLimits{}.InstanceLevel

Values

RateLimits{}.InstanceLevel{}.RequestsPerSecond

Values

RateLimits{}.InstanceLevel{}.RequestsMaxBurst

Values

RateLimits{}.InstanceLevel{}.Routes

Values

UpstreamConfig

Values

UpstreamConfig.Overrides[]

Values

UpstreamConfig.Overrides[].Name

Values

UpstreamConfig.Overrides[].Namespace EnterpriseEnterprise

Values

UpstreamConfig.Overrides[].Peer

Values

UpstreamConfig.Overrides[].Protocol

Values

UpstreamConfig.Overrides[].ConnectTimeoutMs

Values

UpstreamConfig.Overrides[].MeshGateway

Values

UpstreamConfig.Overrides[].BalanceOutboundConnections

Values

UpstreamConfig.Overrides[].Limits

Values

UpstreamConfig.Overrides[].PassiveHealthCheck

Values

UpstreamConfig.Defaults

Values

UpstreamConfig.Defaults.Protocol

UpstreamConfig.Defaults.ConnectTimeoutMs

UpstreamConfig.Defaults.MeshGateway

UpstreamConfig.Defaults.BalanceOutboundConnections

UpstreamConfig.Defaults.Limits

UpstreamConfig.Defaults.PassiveHealthCheck

TransparentProxy

MutualTLSMode

EnvoyExtensions

Destination{}

MaxInboundConnections

LocalConnectTimeoutMs

LocalRequestTimeoutMs

MeshGateway

ExternalSNI

Expose

Expose.Checks

Expose.Paths[]

`Kind`

`Name`

`Namespace` Enterprise

`Partition` Enterprise

`Meta`

`Protocol`

`BalanceInboundConnections`

`Mode`

`RateLimits` Enterprise

`RateLimits{}.InstanceLevel`

`RateLimits{}.InstanceLevel{}.RequestsPerSecond`

`RateLimits{}.InstanceLevel{}.RequestsMaxBurst`

`RateLimits{}.InstanceLevel{}.Routes`

`UpstreamConfig`

`UpstreamConfig.Overrides[]`

`UpstreamConfig.Overrides[].Name`

`UpstreamConfig.Overrides[].Namespace` Enterprise

`UpstreamConfig.Overrides[].Peer`

`UpstreamConfig.Overrides[].Protocol`

`UpstreamConfig.Overrides[].ConnectTimeoutMs`

`UpstreamConfig.Overrides[].MeshGateway`

`UpstreamConfig.Overrides[].BalanceOutboundConnections`

`UpstreamConfig.Overrides[].Limits`

`UpstreamConfig.Overrides[].PassiveHealthCheck`

`UpstreamConfig.Defaults`

`UpstreamConfig.Defaults.Protocol`

`UpstreamConfig.Defaults.ConnectTimeoutMs`

`UpstreamConfig.Defaults.MeshGateway`

`UpstreamConfig.Defaults.BalanceOutboundConnections`

`UpstreamConfig.Defaults.Limits`

`UpstreamConfig.Defaults.PassiveHealthCheck`

`TransparentProxy`

`MutualTLSMode`

`EnvoyExtensions`

`Destination{}`

`MaxInboundConnections`

`LocalConnectTimeoutMs`

`LocalRequestTimeoutMs`

`MeshGateway`

`ExternalSNI`

`Expose`

`Expose.Checks`

`Expose.Paths[]`