Federate multiple HCP Consul Dedicated clusters
Consul operators can extend their Consul environments by federating datacenters. In a federated environment, multiple HashiCorp Cloud Platform (HCP) Consul clusters are connected within a region, which lowers the operational overhead costs of connecting applications across distinct regions. Federation also enables a more consistent and improved security model. With HCP Consul Dedicated, the server-to-server connectivity is automatically handled by the HCP platform.
In this tutorial, you will create and federate two HashiCorp Cloud Platform (HCP) Consul clusters across two distinct regions. By federating these Consul datacenters, you will create an environment where services in each datacenter can be configured to securely access one another.
Specifically, you will:
- Create a service principal and key in HashiCorp Cloud Platform (HCP)
- Customize the HashiCorp Cloud Platform (HCP) Consul Federation Terraform script
- Deploy two federated HashiCorp Cloud Platform (HCP) Consul clusters in AWS using the Terraform script
- Validate the deployment with the HashiCorp Cloud Platform (HCP) portal UI
- Inspect your environment using the Consul CLI
- Inspect your environment using the Consul UI
- Decommission the HashiCorp Cloud Platform (HCP) Consul Environment
You will have two workflow options for how to complete this tutorial. The Terraform workflow (recommended), or through the HCP console workflow.
Prerequisites
To complete this tutorial you will need the following.
- Basic command line access
- The Terraform CLI v0.14.10+ installed
- Admin access to the HashiCorp Cloud Platform (HCP) Consul portal
- HashiCorp Cloud Platform (HCP) Consul development tier or above
- Please review the HCP Consul Dedicated Federation Requirements
Creating resources
Create service principal and key
Create a Service Principal and key to enable HCP Consul Dedicated deployment with Terraform.
From the left menu select Access Control (IAM) in the Settings section.
In the Access Control (IAM) page, click on the Service Principals tab and click on the Create a service principal link.
Specify a name for the service principal (learn-hcp
in this tutorial). Choose the Contributor
role from the drop-down menu.
Once created, click on the service principal's name to view its details.
From the detail page, click on the create service principal key link. A popup resembling the following will appear:
Note
Remember to copy the Client ID and secret. You will not be able to retrieve the secret later and it is required in the next step.
Create Terraform configuration file
Create a Terraform script for building a complete HashiCorp Cloud Platform (HCP) Consul federated environment in HCP.
Your script will create two HCP Consul Dedicated clusters
and two HashiCorp Virtual Network (HVN) resources. By setting auto_hvn_to_hvn_peering = true
on the secondary cluster, a peering connection is automatically created to link the two HVNs.
Create a file named hcpfed.tf
in your working directory and copy the following configuration into the file.
// Pin the versionterraform { required_providers { hcp = { source = "hashicorp/hcp" version = "~> 0.9.0" } }} provider "hcp" { client_id = "YOUR_CLIENT_ID" client_secret = "YOUR_SECRET"} resource "hcp_hvn" "hvn-us-west" { hvn_id = "hvn-us-west" cloud_provider = "aws" region = "us-west-2" cidr_block = "172.25.16.0/20"} resource "hcp_hvn" "hvn-us-east" { hvn_id = "hvn-us-east" cloud_provider = "aws" region = "us-east-1" cidr_block = "172.26.16.0/20"} resource "hcp_consul_cluster" "primary" { cluster_id = "primary" hvn_id = hcp_hvn.hvn-us-east.hvn_id tier = "development" min_consul_version = "1.10.1" public_endpoint = true} resource "hcp_consul_cluster" "secondary" { cluster_id = "secondary" hvn_id = hcp_hvn.hvn-us-west.hvn_id tier = "development" min_consul_version = "1.10.1" public_endpoint = true primary_link = hcp_consul_cluster.primary.self_link auto_hvn_to_hvn_peering = true}
Replace the client_id
and client_secret
placeholders with the values you created in the previous step and save the file.
To learn more about each of the attributes in the script, see the resource documentation.
Note
By default, this script creates a "development" size tier
. Development tiers
are single-server Consul datacenters recommended for testing or evaluation purposes only.
For production, we recommend using the "standard" or "plus" tier because each Consul
datacenter will have the recommended three server nodes.
Deploy your infrastructure
With your customized Terraform script, you are now ready to deploy your infrastructure.
Issue the terraform init
command from your working directory to download the necessary providers and initialize the backend.
$ terraform init Initializing the backend... Initializing provider plugins...... Terraform has been successfully initialized!...
Once Terraform has been initialized, you can verify the resources that will
be created using the plan
command.
$ terraform plan An execution plan has been generated and is shown below.Resource actions are indicated with the following symbols: + create Terraform will perform the following actions:...
Finally, you can deploy the resources using the apply
command.
$ terraform apply ...Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value:
Remember to confirm the run by entering yes
.
Once you confirm, it will take a few minutes to complete the deploy
. Terraform will print the following output if the deployment is successful.
Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
Note
The deploy
could take up to 10 minutes to complete. Feel free to grab a cup of
coffee while waiting for the cluster to complete initialization or learn more about the Raft protocol in a fun, interactive way.
Explore the HCP Portal UI
Once deployed, you can verify that the resources have been created in the HCP portal. Open https://portal.cloud.hashicorp.com in your browser.
Click the HashiCorp Virtual Network item on the left navigation pane to see your HVNs.
As the screenshot confirms, you will have two HVNs created in two distinct regions.
Click the Consul item on the left navigation pane to see the overview for your newly deployed Consul clusters. By the time of the launch, the UI will have more information regarding the federation.
Notice how the two clusters are located in different HVNs.
Select the primary cluster to review your primary cluster details.
Click the Generate Token button to generate an ACL token for your Consul datacenter and copy it to a local text file.
Note
The Terraform script in this tutorial will create a Consul datacenter that is publicly accessible from the internet for ease of use. For production, we recommend using private endpoints.
Access the Consul UI
Once HCP Consul Dedicated is deployed, you can access the Consul UI by clicking Public from the list of Cluster URLs on the HCP Consul Dedicated cluster overview page.
This will copy the public IP address to your clipboard. You can now paste this IP address into your browser to access the Consul UI.
HCP Consul Dedicated is secure by default, so you will need an ACL token to view any data in the UI. Select the login option in the top right corner of the Consul UI, then paste the ACL token you generated in the previous step. This will authorize you to interact with the Consul UI.
Open the drop-down menu labeled primary in the top left of the screen and select secondary. Use the drop-down menu to switch between your federated Consul datacenters.
You now have two HCP Consul Dedicated datacenters federated across two distinct regions. In a production environment, you can begin configuring your clients for each of your Consul datacenters. Visit the Connect a Consul Client to HCP Consul Dedicated tutorial to learn more how to configure clients to your Consul datacenters.
Destroy resources
Use the terraform destroy
command to clean up the resources you created.
$ terraform destroy ...Do you really want to destroy all resources? Terraform will destroy all your managed infrastructure, as shown above. There is no undo. Only 'yes' will be accepted to confirm. Enter a value:
Remember to confirm by entering yes
.
Once you confirm, it will take a few minutes to complete the removal. Terraform will print the following output if the command is successful.
Destroy complete! Resources: 4 destroyed.
Next steps
In this tutorial you learned how to deploy a federated HCP Consul Dedicated cluster using either Terraform or through the HCP console. With Terraform, you accomplished this task using the Terraform HCP provider. You also learned what resources are made available by the provider.
You can find the full documentation for the HashiCorp Cloud Platform Consul Terraform provider in the Terraform registry documentation
To get hands-on experience with Consul's service discovery and service mesh features, you will need to connect a Consul client deployed in a virtual machine or on Elastic Kubernetes Service (EKS).
If you encounter any issues, please contact the HCP team at support.hashicorp.com.