
HashiCorp’s API Gateway for Consul Helps Ease North-South Traffic Pain

7 Mar 2022 7:32am

HashiCorp’s general availability release of its Consul API Gateway is intended to both simplify and tighten control of traffic and services management with HashiCorp Consul service mesh.

The main feature that DevOps teams may welcome is the ability to manage both north-south and east-west traffic through a single API.

Previously, the HashiCorp Consul service mesh was effective at managing intra-organizational microservices connections and communications between applications. However, a separate control plane had to be in place to control access for external requests arriving as ingress traffic from the Internet.

As Peter McCarron, senior product marketing manager for Consul, told The New Stack, the ingress gateway was better suited for intra-datacenter connections vs. external client traffic. “The question was: how do I control the access point in a way that is scalable and more dynamic than using some of the traditional solutions?” McCarron said. “Now, you have a centralized point to control the traffic in a more intelligent way with the service mesh.”

Dedicated Ingress

In this way, the Consul API Gateway serves as a dedicated ingress for intelligently routing traffic to applications running on the HashiCorp Consul service mesh, Brad Casemore, an analyst for IDC, told The New Stack. The gateway is designed to provide a consistent means of handling inbound requests to the service mesh from an external client, “thus eliminating the need to install another dedicated API Gateway/ingress,” Casemore said. By deploying an all-in-one solution and service, DevOps teams aren’t “forced to obtain, deploy, and manage an API Gateway/ingress controller separately from a service mesh,” Casemore said.

Service meshes in general are great at automating and securing communication between services in an east-west fashion, while API gateways are better at securing and regulating north-south traffic between internal services and external clients, Casemore said. Consul API Gateway can thus be thought of as an extension of Consul service mesh. “While the two are configured independently, they use the same servers to communicate policies, validate and receive certificates, and retrieve service catalog data,” Casemore said.

API Gateway for Consul helps “to alleviate potential service mesh angst, whereby some customers feel that service infrastructure is overly complex,” Casemore said.

Operations teams especially are always looking for ways to both tighten access control and simplify the complexity of managing applications and traffic through a single console, which, in fact, is one of the main purposes of a service mesh in general. “Organizations are putting a great deal of effort behind maturing their service mesh capabilities but as they do, they are looking to manage access to their service mesh in a consistent and intelligent way,” McCarron said. “They are also forced to deal with added complexity around managing traffic patterns, controlling connections at the point of entry and identifying external client traffic.”

Additional Features

Other features the Consul API Gateway provides that Casemore described include:

  • Traffic routing capabilities that enable users to configure how external clients’ requests are handled, and to detect client metadata and use it to enforce connection paths/routes.
  • Deployment of the Consul API Gateway into the same environment, where it is registered as a service with the Consul servers. “Configurations are done directly on the gateway, but Consul service mesh is aware of the policies and connection requirements stipulated by the gateway,” Casemore said.

The Consul Helm chart also supports the installation and configuration of the Consul API Gateway. To get started, users need to add the following block to their Helm values file:
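A Helm values fragment of the kind this step refers to, as an added example rather than the article's or HashiCorp's own block. The image tag is a placeholder, and the TLS, ACL and `connectInject` settings are assumptions about the mesh the gateway would front:

```yaml
# Added example: values.yaml fragment for the consul-k8s Helm chart.
# Key names are those of the chart releases from around this article's date;
# confirm them against the chart version in use.
global:
  name: consul
  tls:
    enabled: true            # assumption: encrypt agent and server traffic
  acls:
    manageSystemACLs: true   # assumption: bootstrap ACLs so tokens are required
connectInject:
  enabled: true              # assumption: sidecar injection for mesh services
apiGateway:
  enabled: true
  # Placeholder tag: pin the release you have tested, not a floating tag.
  image: "hashicorp/consul-api-gateway:<version>"
  managedGatewayClass:
    # LoadBalancer publishes the listener outside the cluster; treat it as
    # Internet-facing and restrict source ranges at the load balancer.
    serviceType: LoadBalancer
```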

“With Consul API Gateway, organizations are able to adopt a more consistent and controlled approach for exposing service mesh-based services to external clients, reducing the risk of a potential breach; increasing operational efficiency and reducing complexity by creating a single control plane for managing all traffic,” Casemore said. “It also reduces the risk of unplanned outages by ensuring that requests are evenly distributed across available service instances.”