Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage Podcasts Mitchell Hashimoto on Consul since 1.2 and its Role as a Modern Service Mesh

Mitchell Hashimoto on Consul since 1.2 and its Role as a Modern Service Mesh

In June of this year, Consul 1.2 was released. The release expanded Consul’s capability around service segmentation (controlling who and how services connect East and West). On this week’s podcast, Wes and Mitchell discuss Consul in detail. The two discuss Consul’s design decisions around focusing on user space networking, layer 4 routing, Go, Windows’ performance characteristics, the roadmap for eBPF on Linux, and an interesting feature that Consul implements called Network Tomography. The show wraps with Mitchell’s discussion on some of the research that Hashicorp is doing around machine learning and security with Consul.

Key Takeaways

  • Consul is first and foremost a centralized service registry that provides discovery. While it has a key-value store, it is Consul’s least important feature.
  • With the June release (1.2), Consul entered more into the space of a service mesh with the focus on service segmentation (controlling how you connect and who can connect).
  • Hashicorp attempts to limit the language fragmentation in the Company and has seen a lot of success leveraging Go across their platforms. Therefore, Consul is written in Go.
  • Because Consul focused on layer 4 first, it is recommended to leverage the recent integration with Envoy for achieving high degrees of observability.
  • All of the network routing with Consul happens in user space at this point; however, kernel space routing with eBPF is planned for the near term. The focus, at this point, is safely cross-compiling to every platform and addressing the most possible use cases. The focuses isn’t on the high performance use cases (yet).
  • For any two servers across the globe in different data centers, instantly Consul can give you 99th percentile round-trip time between with uses a feature called Network Tomography.

Show Notes

  • 01:50 Hashimoto's first successful open source project was Vagrant, but he had several less successful projects.
  • 02:58 Motivation for Vagrant was to double-click an icon and have a development environment ready to go.
  • 03:30 Consul is a keystore, but it's much more. It's first priority is service discovery.
  • 04:21 Problem number two is service configuration
  • 04:55 The third problem is service segmentation. How do I connect to my services, and control who can connect to them. This goes hand-in-hand with the service discovery and configuration problems.
  • 05:45 Consul Connect solves service-to-service authentication and authorization, using TLS. The goal is to make authenticated connections to be the easy case, instead of using unencrypted communication.
  • 07:00 Over a third of the Alexa Top 50 website are heavy Consul users, and most are using it for service registry. Twitch and Stripe have talked publicly about their use of Consul.
  • 08:32 All the technical challenges are solved in the open source version of the product. The enterprise product solves challenges that come from large organizations.
  • 09:49 Consul tries to focus on "east-west" traffic, and not get in the way of "north-south" ingress traffic. Many of the north-south vendors provide Consul integration.
  • 10:30 Consul is trying to push the idea that you don't need load balancers between your east-west traffic. Instead of using load balancers just for a single IP address, Consul is able to update DNS in real-time as services become available, so you can just use DNS to connect to what you need.
  • 11:15 The base setup to get started includes a server cluster, usually running on dedicated machines. You also install an agent on every machine. The agent helps with initial service discovery.
  • 12:44 It's very important when getting started with a service mesh to understand both the data plane and the control plane. Consul is trying to solve the control plane problem. While there is an included proxy, that's only for the getting started experience.
  • 13:40 Consul now supports Envoy as a first-class, recommended data plane and sidecar solution for production.
  • 15:00 Consul Connect launched with only Layer 4 support, and will soon be adding Layer 7 support. This provides the foundation that customers need now to support existing services.
  • 17:55 For most use cases, the difference between user space and kernel routing is not big enough that it matters. This is one reason Consul is the fastest service mesh on Windows.
  • 19:30 EBPF support is on the roadmap
  • 20:50 HashiCorp is a very heavy Go shop, and that is one reason for choosing Go to write Consul.
  • 24:00 The typical deployment is with an agent directly on the machine. The exception is in Kubernetes.
  • 25:35 Because Consul doesn't have many observability features built in, the recommendation is to use Envoy to configure tracing.
  • 27:22 The HashiCorp roadmap includes updates to Terraform and Consul, as well as a new, major version of Vault coming soon. A common theme is enabling Kubernetes across all products.
  • 28:28 One of Hashimoto's personal concerns is that security is up to the user using the security tool correctly. How can HashiCorp as a vendor make the correct security practice the default behavior?
  • 31:10 The research team at HashiCorp has been working on recommendations for better ways to run software securely. Instead of starting from an overly restrictive set of policies, which means nothing works, most people start with an overly permissive set of policies. We're trying to allow that as a starting point, and then use AI and ML to recommend appropriate policies based on usage, but still leave control of implementing those policies to the user.

More about our podcasts

You can keep up-to-date with the podcasts via our RSS Feed, and they are available via SoundCloud, Apple Podcasts, Spotify, Overcast and the Google Podcast. From this page you also have access to our recorded show notes. They all have clickable links that will take you directly to that part of the audio.

Previous podcasts

Rate this Article