»Security Model

HashiCorp Cloud Platform (HCP) Consul is secure by default. Every Consul deployment will be configured to communicate securely for all protocols and user interactions.

»Gossip Encryption

The data exchanged between Consul agents over the gossip protocol is secured with a shared symmetric encryption key. To learn how to manually configure gossip encryption, review the HashiCorp Learn tutorial.

Consul uses a gossip protocol to manage membership and broadcast messages to the cluster. Membership information allows clients to automatically discover servers, reducing the amount of configuration needed. Distributed failure detection allows the burden of failure detection to be shared by the entire cluster instead of concentrated on a few servers. Lastly, the gossip pool allows for reliable and fast event broadcasts.

»TLS Encryption

TLS encryption secures Consul agent communication for the consensus protocol and RPC forwarding. The consensus protocol is used for leader election between the Consul servers only. All client agents forward requests to servers through RPC forwarding. To secure these types of agent communications, Consul uses TLS to verify the authenticity of servers and clients. To enable TLS, Consul requires that all servers have certificates that are signed by a single Certificate Authority (CA). Clients should also have certificates that are authenticated with the same CA.

To learn how to manually configure TLS encryption, review the HashiCorp Learn tutorial.

»Access Control Lists (ACLs)

Consul uses ACLs to secure access to the cluster data from the UI, API, and CLI. This includes both user requests and agent requests. At the core, ACLs operate by grouping rules into policies, then associating one or more policies with a token.

Even though HCP Consul has ACLs enabled by default and lets you quickly generate root tokens in the HCP portal, you will still need to create new policies and tokens for fine-grained access management. To learn how to create tokens, review the HashiCorp Learn tutorials for production recommendations and token management best practices.
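As an added example that is not part of this page or of HCP's own configuration, the following Consul server agent configuration turns on the three controls described in the sections above (gossip encryption, TLS for RPC and consensus traffic, and default-deny ACLs); the certificate paths and the gossip key are placeholders.

```hcl
# Added example: hardened Consul server agent configuration. Paths and the
# gossip key are placeholders, not values from the page.

datacenter = "dc1"
server     = true

# Gossip encryption: a 32-byte base64 key shared by every agent in the cluster.
# Generate it with `consul keygen`; the value below is a placeholder.
encrypt                 = "REPLACE_WITH_OUTPUT_OF_consul_keygen"
# Reject unencrypted gossip in both directions once every agent has the key.
encrypt_verify_incoming = true
encrypt_verify_outgoing = true

# TLS for RPC forwarding and the consensus protocol. Every certificate must
# chain to the same CA referenced by ca_file.
ca_file   = "/etc/consul.d/certs/consul-agent-ca.pem"      # placeholder path
cert_file = "/etc/consul.d/certs/dc1-server-consul-0.pem"  # placeholder path
key_file  = "/etc/consul.d/certs/dc1-server-consul-0-key.pem"
# verify_incoming: every connecting agent must present a certificate signed by the CA.
# verify_outgoing: this agent verifies the certificate of every server it talks to.
# verify_server_hostname: a client certificate cannot be used to impersonate a server.
verify_incoming        = true
verify_outgoing        = true
verify_server_hostname = true

# ACLs: deny by default, so every UI, API and CLI request needs a token whose
# attached policies explicitly grant the access.
acl {
  enabled                  = true
  default_policy           = "deny"
  enable_token_persistence = true
}
```

With this in place, a policy file containing rules such as `service "web" { policy = "write" }` is registered with `consul acl policy create -name web-service -rules @web.hcl`, and a token is bound to it with `consul acl token create -policy-name web-service`.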