Configure Azure VM as a Consul client for HCP Consul Dedicated
HashiCorp Cloud Platform (HCP) Consul is a fully managed Service Mesh as a Service (SMaaS) version of Consul. After you deploy an HCP Consul Dedicated server cluster, you must deploy Consul clients into your network so you can leverage Consul’s full feature set including service mesh and service discovery. HCP Consul Dedicated supports Consul clients running on Azure Virtual Machine (VM) and Azure Kubernetes Service (AKS) resources.
In this tutorial, you will deploy and provision a Consul client running on an Azure VM instance that connects to your HCP Consul Dedicated cluster. In the process, you will review the provisioning script to better understand the steps required to properly configure an Azure VM instance to connect and interact with an HCP Consul Dedicated cluster.
Prerequisites
For this tutorial, you will need:
- The Terraform 0.14+ CLI installed locally.
- The Azure CLI installed locally.
- An HCP account configured for use with Terraform
- An Azure account configured for use with Terraform
Clone example repository
In your terminal, clone the project repository from GitHub. This repository contains Terraform configuration, including configuration for this tutorial.
$ git clone https://github.com/hashicorp/learn-consul-terraform.git
Change into the directory with the newly cloned repository.
$ cd learn-consul-terraform/datacenter-deploy-hcp-azure-vm-client
Fetch the latest tags and check out the v0.0.##
tag of the repository.
$ git fetch && git checkout v0.0.##
Review configuration
The project directory contains two sub-directories:
The
1-virtual-network-hcp
subdirectory contains Terraform configuration to deploy an Azure virtual network and underlying networking resources, an HCP HashiCorp Virtual Network (HVN), and an HCP Consul Dedicated cluster. In addition, these configuration files use thehashicorp/hcp-consul/azurerm
Terraform module to set up all networking rules to allow a Consul client to communicate with the HCP Consul Dedicated servers. This includes setting up the peering connection between the HVN and your Azure virtual network, setting up the HCP routes, and creating Azure network security group ingress rules.The
2-vm-consul-client
subdirectory contains Terraform configuration that creates an SSH key pair and deploys an Azure virtual machine. The virtual machine uses acloud-init
script to automate the Consul client configuration. In the Review Consul client configuration for Azure VM section, you will review the automation scripts in more detail.
This tutorial intentionally separates the Terraform configuration into two discrete steps. This process reflects Terraform best practices. By dividing the HCP Consul Dedicated cluster management from the Consul client management, you can separate the duties and reduce the blast radius.
Deploy Azure and HCP Consul Dedicated resources
In this section, you will use your Terraform configuration files deploy an HCP Consul Dedicated cluster, an Azure virtual network, and the underlying networking resources.
Issue the terraform init
command from your working directory to download the necessary providers and initialize the backend.
$ terraform -chdir=1-virtual-network-hcp/ init Initializing modules...Initializing the backend...Initializing provider plugins...... Terraform has been successfully initialized!...
Then, deploy the resources. Confirm the run by entering yes
.
$ terraform -chdir=1-virtual-network-hcp/ apply ## ...Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes ## ... Apply complete! Resources: 25 added, 0 changed, 0 destroyed. Outputs: azurerm_nsg = "learn-hcp-consul-vm-client-nsg"azurerm_resource_group = "learn-hcp-consul-vm-client-gid"consul_root_token = <sensitive>consul_url = "https://servers-public-consul-ffff5f82.9e6a40c0.z1.hashicorp.cloud"hcp_consul_cluster_id = "learn-hcp-consul-vm-client"prefix = "learn-hcp-consul-vm-client"subnet_id = "/subscriptions/c9ed8610-47a3-4107-a2b2-a322114dfb29/resourceGroups/learn-hcp-consul-vm-client-gid/providers/Microsoft.Network/virtualNetworks/learn-hcp-consul-vm-client-vnet/subnets/subnet1"
Note
The deployment could take up to 10 minutes to complete. Feel free to explore the next sections of this tutorial while waiting for the cluster to complete initialization. Learn more about the Raft protocol at The Secret Lives of Data's raft protocol presentation in a fun, interactive way.
Notice that Terraform displays the outputs created from the apply.
Create terraform.tfvars file for Consul client directory
Since you created the underlying infrastructure with Terraform, you can use the outputs to help you deploy the Azure VM resources in the next section.
Create a terraform.tfvars
file in the 2-vm-consul-client
directory with the Terraform outputs from this project.
$ echo "hcp_consul_cluster_id=\"$(terraform output -raw hcp_consul_cluster_id)\"azurerm_resource_group=\"$(terraform output -raw azurerm_resource_group)\"prefix=\"$(terraform output -raw prefix)\"azurerm_nsg=\"$(terraform output -raw azurerm_nsg)\"subnet_id=$(terraform output -json subnet_id)" > ../2-vm-consul-client/terraform.tfvars
Review Consul client configuration for Azure VM
In this tutorial, you will apply HCP Consul Dedicated's secure-by-default design with Terraform by configuring your Azure VM instances with the gossip encryption key, the Consul CA cert, and a permissive ACL token.
Inspect the datacenter-deploy-hcp-azure-vm-client/2-vm-consul-client/main.tf
file contents in your project directory:
datacenter-deploy-hcp-azure-vm-client/2-vm-consul-client/main.tf
resource "azurerm_linux_virtual_machine" "consul_client" { count = 1 name = "consul-client-${count.index}-${random_string.random.id}" location = data.azurerm_resource_group.selected.location resource_group_name = data.azurerm_resource_group.selected.name network_interface_ids = [azurerm_network_interface.client_nic.id] size = "Standard_DS1_v2" os_disk { name = "myOsDisk" caching = "ReadWrite" storage_account_type = "Premium_LRS" } source_image_reference { publisher = "Canonical" offer = "0001-com-ubuntu-server-focal" sku = "20_04-lts-gen2" version = "latest" } admin_username = "ubuntu" disable_password_authentication = true admin_ssh_key { username = "ubuntu" public_key = file("./consul-client.pub") } user_data = base64encode(templatefile("${path.module}/scripts/user_data.sh", { setup = base64gzip(templatefile("${path.module}/scripts/setup.sh", { consul_ca = data.hcp_consul_cluster.selected.consul_ca_file consul_config = data.hcp_consul_cluster.selected.consul_config_file consul_acl_token = hcp_consul_cluster_root_token.token.secret_id, consul_version = data.hcp_consul_cluster.selected.consul_version, consul_service = base64encode(templatefile("${path.module}/scripts/service", { service_name = "consul", service_cmd = "/usr/bin/consul agent -data-dir /var/consul -config-dir=/etc/consul.d/", })), vpc_cidr = data.hcp_hvn.selected.cidr_block })), })) tags = { Name = "hcp-consul-client-${count.index}" }}
In this example, the secure Consul configuration properties received from your HCP Consul Dedicated cluster will be injected into your Azure VM Consul configuration file. Consul will then be set to run as a service on your Azure VM with this secure configuration.
Deploy Azure VM resources
In this section, you will use Terraform to create an SSH key pair and deploy an Azure virtual machine. The virtual machine uses a cloud-init
script to automate the secure Consul client configuration, which will connect to your HCP Consul Dedicated cluster.
Issue the terraform init
command from your working directory to download the necessary providers and initialize the backend.
$ terraform -chdir=2-vm-consul-client/ init Initializing modules...Initializing the backend...Initializing provider plugins...... Terraform has been successfully initialized!...
Then, deploy the resources. Confirm the run by entering yes
.
$ terraform -chdir=2-vm-consul-client/ apply ## ...Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes ## ... Apply complete! Resources: 11 added, 0 changed, 0 destroyed. Outputs: consul_root_token = <sensitive>consul_url = "https://servers-public-consul-ffff5f82.9e6a40c0.z1.hashicorp.cloud"tls_private_key = <sensitive>vm_client = "20.230.191.76"
Notice that Terraform displays the outputs created from the apply.
Tip
HashiCorp Cloud Platform offers Enterprise features. To interact with these features, you need to install the Enterprise Consul binary for your client agents. Learn more information about Consul Enterprise in the Consul Enterprise documentation.
Explore the Consul UI
In this section you will view your Consul UI to explore your resources.
Retrieve your HCP Consul Dedicated public URL and ACL token from Terraform.
$ terraform -chdir=1-virtual-network-hcp/ output consul_url && \ terraform -chdir=1-virtual-network-hcp/ output consul_root_token
Example output:
"https://servers-public-consul-ffff5f82.9e6a40c0.z1.hashicorp.cloud""5c4e7242-8300-b6de-2e4c-78cdbad15c39"
Copy and paste the Consul public URL into your browser to visit the Consul UI. Since HCP Consul Dedicated is secure by default, copy and paste the ACL token into the Consul authentication prompt to use the Consul UI.
Once authenticated, click the Nodes tab on the left navigation pane to review your nodes that contain active Consul clients.
Notice that your environment contains two Consul nodes: A Consul server agent running in your HCP cluster, and a Consul client agent running on your Azure VM instance.
Next steps
In this tutorial, you connected Consul clients on Azure VM to HCP Consul Dedicated. To keep learning about Consul's features, and for step-by-step examples of how to perform common Consul tasks, feel free to explore one of the following tutorials.
- Explore the Consul UI tutorial
- Register a Service with Consul Service Discovery tutorial
- Secure Applications with Service Sidecar Proxies tutorial
- Create a Consul service mesh on HCP using Envoy as a sidecar proxy tutorial If you encounter any issues, please contact the HCP support team at support.hashicorp.com.