Network Segments Overview
Network segmentation is the practice of dividing a network into multiple segments or subnets that act as independent networks. This topic provides an overview of concepts related to operating Consul in a segmented network.
This feature requires Consul Enterprise version 0.9.3 or later. Refer to the enterprise feature matrix for additional information.
Segmented networks
Consul requires full connectivity between all agents in a datacenter within a LAN gossip pool. In some environments, however, business policies enforced through network rules or firewalls prevent full connectivity between all agents. These environments are called segmented networks. Network segments are isolated LAN gossip pools that only require full connectivity between agent members on the same segment.
To use Consul in a segmented network, you must define the segments in your server agent configuration and direct client agents to join one of the segments. The Consul network segment configuration should match the LAN gossip pool boundaries. The following diagram shows how a network may be segmented:
Default network segment
By default, all Consul agents are part of a shared Serf LAN gossip pool, referred to as the <default> network segment. Because all agents are within the same segment, full mesh connectivity within the datacenter is required. The following diagram shows the <default> network segment:
Segment membership
Server agents are members of all segments. The datacenter includes the <default> segment, as well as additional segments defined in the segments server agent configuration option. Refer to the segments documentation for additional information.
Each client agent can only be a member of one segment at a time. Client agents are members of the <default> segment unless they are configured to join a different segment.
For a client agent to join the Consul datacenter, it must connect to another agent (client or server) within its configured segment.
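The following agent configuration is an added example, not part of this page or of Consul's own documentation, illustrating both the server-side segment definitions described under "Segmented networks" and the client join rule stated above. It assumes the Consul Enterprise `segments` server option with `name`, `bind`, `advertise`, `port` and `rpc_listener` fields and the client-side `segment` option; the datacenter name, addresses and ports are constructed values.

```hcl
# server.hcl (constructed example; "segments" is Consul Enterprise only)
datacenter       = "dc1"
server           = true
bootstrap_expect = 3
bind_addr        = "10.0.0.10"

# The <default> segment keeps the standard Serf LAN listener (8301).
# Each additional segment gets its own gossip listener, so agents in
# "alpha" never need network reachability to agents in "beta".
segments = [
  {
    name         = "alpha"
    bind         = "10.0.0.10"
    advertise    = "10.0.0.10"
    port         = 8303
    rpc_listener = true   # also accept client RPC on this segment's listener
  },
  {
    name         = "beta"
    bind         = "10.0.0.10"
    advertise    = "10.0.0.10"
    port         = 8304
    rpc_listener = true
  }
]

# client-alpha.hcl (constructed example)
# A client belongs to exactly one segment and must join through an agent
# that is reachable inside that segment; here it uses the server's
# dedicated "alpha" listener. A client in "beta" would instead point
# retry_join at port 8304 and needs no route to any "alpha" agent.
datacenter = "dc1"
bind_addr  = "10.1.0.21"
segment    = "alpha"
retry_join = ["10.0.0.10:8303"]
```

When checking such a configuration, confirm that each segment's port is distinct, that firewall rules permit every client to reach at least one agent (server or client) on its own segment's port, and that no client is configured with a segment name the servers do not define; a client whose `segment` is unknown to the servers cannot join the datacenter.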
Info: Network segments enable you to operate a Consul datacenter without full mesh (LAN) connectivity between agents. To federate multiple Consul datacenters without full mesh (WAN) connectivity between all server agents in all datacenters, use Network Areas (Enterprise).
Consul networking models
Network segments are a subset of other Consul networking models. Understanding the broader models will help you segment your network. Refer to Architecture Overview for additional information about the following concepts.
Clusters
You can segment networks within a Consul cluster. A cluster is one or more Consul servers that form a Raft quorum and one or more Consul clients that are members of the same datacenter. The cluster is sometimes called the local cluster. Consul clients discover and make RPC requests to Consul servers in their local cluster through the gossip mechanism. Consul CE uses LAN gossip for intra-cluster communication between agents.
LAN gossip pool
A set of fully-connected Consul agents is a LAN gossip pool. LAN gossip pools use the Serf protocol to maintain a shared view of the members of the pool for different purposes, such as finding a Consul server in a local cluster or finding servers in a remote cluster. A segmented LAN gossip pool limits a group of agents to only connect with the agents in its segment.
Network segments versus network areas
Network segments enable you to operate a Consul datacenter without full mesh connectivity between agents using a LAN gossip pool. To federate multiple Consul datacenters without full mesh connectivity between all server agents in all datacenters, use network areas. Network areas are a Consul Enterprise capability.