Network Segments Overview

Network segmentation is the practice of dividing a network into multiple segments or subnets that act as independent networks. This topic provides an overview of concepts related to operating Consul in a segmented network.


This feature requires Consul Enterprise version 0.9.3 or later. Refer to the enterprise feature matrix for additional information.

Segmented networks

Consul requires full connectivity between all agents in a datacenter within a LAN gossip pool. In some environments, however, business policies enforced through network rules or firewalls prevent full connectivity between all agents. These environments are called segmented networks. Network segments are isolated LAN gossip pools that only require full connectivity between agent members on the same segment.

To use Consul in a segmented network, you must define the segments in your server agent configuration and direct client agents to join one of the segments. The Consul network segment configuration should match the LAN gossip pool boundaries. The following diagram shows how a network may be segmented:

Consul datacenter agent connectivity with network segments

Default network segment

By default, all Consul agents are part of a shared Serf LAN gossip pool, referred to as the <default> network segment. Because all agents are within the same segment, full mesh connectivity within the datacenter is required. The following diagram shows the <default> network segment:

Consul datacenter default agent connectivity: one network segment

Segment membership

Server agents are members of all segments. The datacenter includes the <default> segment, as well as additional segments defined in the segments server agent configuration option. Refer to the segments documentation for additional information.

Each client agent can only be a member of one segment at a time. Client agents are members of the <default> segment unless they are configured to join a different segment. For a client agent to join the Consul datacenter, it must connect to another agent (client or server) within its configured segment.
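The following is an added configuration example (not from the Consul documentation) that shows what the segment definitions on a server and the single-segment membership of a client look like in agent configuration. The datacenter name, segment names "alpha" and "beta", ports 8303/8304, and the 10.0.0.x addresses are assumptions chosen for this example.

```hcl
# ---- server.hcl (constructed example) ----
# Server agents belong to <default> and to every named segment.
datacenter       = "dc1"
server           = true
bootstrap_expect = 3
bind_addr        = "10.0.0.11"   # assumed server address

ports {
  serf_lan = 8301                # gossip port of the <default> segment
}

# Each entry opens a separate Serf LAN listener, i.e. an isolated gossip pool.
# Agents in "alpha" never need gossip reachability to agents in "beta".
segments = [
  {
    name      = "alpha"
    bind      = "10.0.0.11"
    advertise = "10.0.0.11"
    port      = 8303             # assumed gossip port for segment alpha
  },
  {
    name      = "beta"
    bind      = "10.0.0.11"
    advertise = "10.0.0.11"
    port      = 8304             # assumed gossip port for segment beta
  }
]

# ---- client-alpha.hcl (constructed example, runs on a host in segment alpha) ----
# A client is a member of exactly one segment; omitting "segment" means <default>.
datacenter = "dc1"
server     = false
segment    = "alpha"

# Join through an agent that is already in "alpha": here the server's alpha
# gossip listener. Firewall rules between segments therefore only have to permit
# intra-segment gossip plus client-to-server RPC (TCP 8300), which segments do
# not isolate.
retry_join = ["10.0.0.11:8303"]
```

A client configured with a segment that no server defines cannot join the datacenter, so the segment names must match exactly between server and client configuration.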

Read the Network Segments documentation to learn more about network segments.

Info: Network segments enable you to operate a Consul datacenter without full mesh (LAN) connectivity between agents. To federate multiple Consul datacenters without full mesh (WAN) connectivity between all server agents in all datacenters, use Network Areas (Enterprise).

Consul networking models

Network segments are a subset of other Consul networking models. Understanding the broader models will help you segment your network. Refer to Architecture Overview for additional information about the following concepts.

Clusters

You can segment networks within a Consul cluster. A cluster is one or more Consul servers that form a Raft quorum and one or more Consul clients that are members of the same datacenter. The cluster is sometimes called the local cluster. Consul clients discover and make RPC requests to Consul servers in their local cluster through the gossip mechanism. Consul OSS uses LAN gossip for intra-cluster communication between agents.

LAN gossip pool

A set of fully connected Consul agents is a LAN gossip pool. LAN gossip pools use the Serf protocol to maintain a shared view of the members of the pool for different purposes, such as finding a Consul server in a local cluster or finding servers in a remote cluster. A segmented LAN gossip pool restricts a group of agents to connecting only with other agents in the same segment.

Network segments versus network areas

Network segments enable you to operate a Consul datacenter without full mesh connectivity between agents using a LAN gossip pool. To federate multiple Consul datacenters without full mesh connectivity between all server agents in all datacenters, use network areas. Network areas are a Consul Enterprise capability.