What Is Consul Connect?
Consul Connect is HashiCorp's built-in service mesh feature. It adds a layer of automatic mutual TLS (mTLS) encryption and intention-based authorization on top of Consul's service discovery, enabling services to communicate securely without requiring changes to application code.
The model is "zero trust by default": no service can communicate with another unless an explicit intention permits it.
How the Sidecar Proxy Model Works
Consul Connect uses a sidecar proxy pattern. Each service instance gets a companion proxy process (by default, Consul's built-in proxy, or optionally Envoy) that:
- Listens on a local port on behalf of the service
- Intercepts all outbound and inbound traffic
- Establishes mTLS connections to other services' sidecar proxies
- Enforces intention-based access rules before forwarding traffic
Your application connects to localhost:<port> as if the downstream service were local. The proxy handles all the network complexity.
Enabling Connect on a Service
Add the connect block to your service definition:
```json
{
  "service": {
    "name": "web",
    "port": 8080,
    "connect": {
      "sidecar_service": {
        "proxy": {
          "upstreams": [
            {
              "destination_name": "api",
              "local_bind_port": 9191
            }
          ]
        }
      }
    }
  }
}
```
Now your "web" service can reach the "api" service at localhost:9191, and the proxy handles the mTLS handshake automatically.
Mutual TLS: What It Means and Why It Matters
Standard TLS authenticates the server to the client. Mutual TLS goes further — both sides present certificates, so each service cryptographically proves its identity before any data is exchanged. This means:
- Traffic between services is always encrypted in transit
- A compromised service cannot impersonate another service
- Network-level access controls (firewalls, security groups) can be simplified — Consul handles authZ at the application layer
Consul's built-in Certificate Authority (CA) automatically issues, rotates, and revokes certificates. You can also plug in Vault as an external CA for enterprise-grade PKI.
Intentions: Defining Who Can Talk to Whom
Intentions are Consul Connect's access control mechanism. They define allowed or denied communication paths between services.
Creating an Intention via CLI
```shell
# Allow web to talk to api
consul intention create web api
# Deny everything by default (good practice)
consul intention create -deny '*' '*'
```
Intention Precedence
Intentions are matched from most specific to least specific:
- Exact source + exact destination
- Wildcard source + exact destination
- Exact source + wildcard destination
- Wildcard source + wildcard destination (* → *)
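To make the precedence rules concrete, here is an added example (not code from the page or from Consul itself) that models intention evaluation in Python: the single most specific matching intention decides, and an unmatched pair is denied, which is the "zero trust by default" behaviour described above. The intention set is constructed for illustration and mirrors the two CLI commands shown earlier plus two extra rules that exercise the precedence order.

```python
from dataclasses import dataclass
from typing import Iterable

WILDCARD = "*"


@dataclass(frozen=True)
class Intention:
    source: str
    destination: str
    action: str  # "allow" or "deny"


def precedence(intention: Intention) -> int:
    """Higher value = more specific. Follows the order given in the text:
    exact/exact > wildcard source + exact destination >
    exact source + wildcard destination > wildcard/wildcard."""
    src_exact = intention.source != WILDCARD
    dst_exact = intention.destination != WILDCARD
    if src_exact and dst_exact:
        return 4
    if dst_exact:  # wildcard source, exact destination
        return 3
    if src_exact:  # exact source, wildcard destination
        return 2
    return 1


def matches(intention: Intention, source: str, destination: str) -> bool:
    """An intention matches when each side is either a wildcard or the exact name."""
    return (intention.source in (WILDCARD, source)
            and intention.destination in (WILDCARD, destination))


def evaluate(intentions: Iterable[Intention], source: str, destination: str) -> str:
    """Return 'allow' or 'deny' for a source -> destination connection.
    Only the most specific matching intention is consulted; with no match
    at all the connection is denied (deny-by-default model)."""
    candidates = [i for i in intentions if matches(i, source, destination)]
    if not candidates:
        return "deny"
    winner = max(candidates, key=precedence)
    return winner.action


# Constructed sample intention set (illustrative, not taken from a real cluster).
SAMPLE_INTENTIONS = [
    Intention("web", "api", "allow"),  # consul intention create web api
    Intention("*", "*", "deny"),       # consul intention create -deny '*' '*'
    Intention("*", "api", "deny"),     # nothing else may call api
    Intention("web", "*", "allow"),    # web may call anything not denied more specifically
]


if __name__ == "__main__":
    for src, dst in [("web", "api"), ("billing", "api"), ("web", "db"), ("billing", "db")]:
        print(f"{src} -> {dst}: {evaluate(SAMPLE_INTENTIONS, src, dst)}")
```

Note the case where `web` calls `api` with only `* -> api deny` and `web -> * allow` present: the wildcard-source rule wins because an exact destination ranks above an exact source, so the call is denied. In a real cluster the fallback when nothing matches comes from the agent's ACL default policy, which is why the text recommends writing the explicit `* -> *` deny rather than relying on that default.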
Using Envoy as the Sidecar Proxy
For production workloads, HashiCorp recommends using Envoy instead of the built-in proxy. Envoy gives you advanced features like:
- Layer 7 traffic management (routing, retries, timeouts)
- Observability (metrics, tracing via OpenTelemetry)
- Advanced load balancing algorithms
- Circuit breaking and outlier detection
Start the Envoy sidecar with:
```shell
consul connect envoy -sidecar-for web
```
L7 Traffic Management with Config Entries
Consul allows fine-grained traffic policies through config entries. You can define service defaults, service resolvers, service splitters, and service routers to implement patterns like:
- Canary deployments — route 5% of traffic to a new version
- Blue/green deployments — instant traffic cutover between service subsets
- Failover — redirect traffic to a secondary datacenter if the primary is unhealthy
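As an added example (not from the page or from the Consul project), the canary pattern above expressed as the two config entries it needs, a `service-resolver` that defines the `v1` and `v2` subsets by service metadata and a `service-splitter` that sends 5% of `api` traffic to `v2`, together with a pre-apply consistency check. The service name, subset names and metadata filter are constructed values; the check enforces two things Consul rejects at write time, weights that do not sum to 100 and splits that reference a subset the resolver never defined.

```python
import json
from typing import Dict, List

# Constructed config entries for a 95/5 canary on a hypothetical "api" service.
RESOLVER: Dict = {
    "Kind": "service-resolver",
    "Name": "api",
    "DefaultSubset": "v1",
    "Subsets": {
        "v1": {"Filter": "Service.Meta.version == v1"},
        "v2": {"Filter": "Service.Meta.version == v2"},
    },
}

SPLITTER: Dict = {
    "Kind": "service-splitter",
    "Name": "api",
    "Splits": [
        {"Weight": 95, "ServiceSubset": "v1"},
        {"Weight": 5, "ServiceSubset": "v2"},
    ],
}


def validate_canary(resolver: Dict, splitter: Dict) -> List[str]:
    """Return a list of problems found in a resolver/splitter pair.
    An empty list means the pair is consistent and safe to write."""
    problems: List[str] = []
    if resolver.get("Kind") != "service-resolver":
        problems.append("resolver has wrong Kind")
    if splitter.get("Kind") != "service-splitter":
        problems.append("splitter has wrong Kind")
    if resolver.get("Name") != splitter.get("Name"):
        problems.append("resolver and splitter target different services")

    subsets = set(resolver.get("Subsets", {}))
    default = resolver.get("DefaultSubset")
    if default is not None and default not in subsets:
        problems.append(f"DefaultSubset {default!r} is not a defined subset")

    total = 0
    for split in splitter.get("Splits", []):
        weight = split.get("Weight", 0)
        if weight < 0:
            problems.append(f"negative weight {weight}")
        total += weight
        # A split without ServiceSubset goes to the resolver's default subset.
        subset = split.get("ServiceSubset")
        if subset is not None and subset not in subsets:
            problems.append(f"split references unknown subset {subset!r}")
    if total != 100:
        problems.append(f"weights sum to {total}, not 100")
    return problems


if __name__ == "__main__":
    issues = validate_canary(RESOLVER, SPLITTER)
    print("OK" if not issues else "\n".join(issues))
    # The entries would be written with: consul config write <file>.json
    print(json.dumps(RESOLVER, indent=2))
    print(json.dumps(SPLITTER, indent=2))
```

Shifting the canary from 5% to 50% is a matter of changing the two `Weight` values; running the check first catches the common slip of editing one weight and forgetting the other.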
Summary
| Feature | Benefit |
|---|---|
| Automatic mTLS | Encrypted, authenticated service-to-service traffic |
| Intentions | Declarative, auditable access control |
| Envoy integration | Advanced L7 traffic management |
| Built-in CA | Automatic certificate lifecycle management |
Consul Connect removes the burden of manually managing certificates and firewall rules, replacing them with a developer-friendly, policy-driven model that scales with your infrastructure.