HCP Consul overview
This topic provides an overview of HCP Consul, the networking software as a service (SaaS) product available through the HashiCorp Cloud Platform (HCP). HCP Consul provides simplified workflows for common Consul tasks, the option to have HashiCorp set up and manage your Consul servers for you, and a central management point for monitoring and accessing your Consul clusters.
Looking for Consul fundamentals?
Read core Consul documentation and tutorials, including self-hosted docs.
Tutorial: For a step-by-step guide to deploying a HashiCorp-managed cluster with HCP Consul, complete the getting started tutorial.
What is HCP Consul?
HCP Consul is a Consul management offering available exclusively through the HashiCorp Cloud Platform. It uses the same binary as Consul Enterprise and provides additional features that simplify Consul deployment operations.
HCP Consul's unique management features fall into two categories:
- HashiCorp-managed clusters: Support service network deployments with Consul servers that we install, configure, and maintain on either AWS or Azure to ensure that your Consul clusters are always ready to connect your services. Refer to cluster management for more information.
- Hosted management plane service: We host an additional server that supports centralized global management operations across all Consul clusters in your organization, even when you deploy services in multiple cloud environments and regions. Refer to management plane for more information.
Benefits
Consul is a feature-rich and highly-configurable service networking solution. Configuring, deploying, and maintaining Consul infrastructure can seem daunting, especially for new users. HCP Consul removes the need for Consul-specific expertise by handling the most complex operations.
The benefits to using HCP Consul include the following:
- Secure by default: HashiCorp-managed servers are deployed with a secure policy that requires connections to have explicit permission. In addition to providing secure network connectivity for features such as datacenter federation and cluster peering, we proactively patch any Common Vulnerabilities and Exposures (CVE) to ensure your Consul servers are protected.
- Fully-managed infrastructure: You can expect production-ready servers with guaranteed service level agreements (SLA) that are monitored and maintained by HashiCorp site reliability engineers (SRE). We also provide backup and restore options, freeing you to focus on using Consul and its capabilities.
- Push button deployments: You can use the HCP interface to spin up Consul servers. The interface includes both a guided UI and Terraform automation options for quickly creating new clusters.
- Global observability and workflows: The management plane service provides global access to catalog information and server telemetry visualizations. It also supports guided UI workflows for processes such as linking clusters and using cluster peering connections.
HCP Consul architecture
HCP Consul connects components hosted and maintained in HashiCorp-managed cloud environments with components hosted and maintained in user-managed cloud environments. The following diagram describes the architecture for an HCP Consul deployment that contains both a HashiCorp-managed cluster and a self-managed cluster:
The management plane service is at the conceptual center of an HCP Consul deployment. It has access to your clusters, as well as a secure Vault environment that it uses to create and store credentials for accessing and managing clusters. We host and maintain this service, which you can interact with in your web browser through the HCP Portal.
The HashiCorp Virtual Network (HVN) enables secure communication between the Consul servers in a HashiCorp-managed cluster and the Consul clients deployed with services in the user-managed environment. When you create a HashiCorp-managed server, we deploy Consul servers in our AWS or Azure environment and enable access through the HVN you associate with the cluster. You must establish a peering connection between the HVN and the VPC or VNet in your cloud environment where your services are deployed. When using Kubernetes with HCP Consul, the HVN and peering connection are not required. Refer to Deploy dataplanes for more information.
The `Cloud` configuration stanza enables a secure link between user-managed Consul clusters and the management plane service. After you configure a Consul server agent with secrets accessed through the HCP interface, the management plane can independently interact with your cluster. Servers and services in your cloud environment become accessible to a platform hosted and maintained in our environment.

When you access the HCP interface through the web portal, HCP Consul displays an overview of connected clusters using information collected by the management plane. For both HashiCorp-managed and self-managed clusters, the management plane provides access to each cluster's Consul UI through the HCP interface. As a result, you can control Consul clusters and switch between them while remaining in a single browser window.
Features
Feature availability for multi-region and multi-cloud networks is based on the tier you use for your Consul clusters.
Cluster size and tier have no impact on the availability of Enterprise features. Most Consul Enterprise features are available to HashiCorp-managed clusters as soon as you create them. For more information, including Enterprise license configuration and retrieval, refer to Consul Enterprise in the Consul documentation.
Cluster size and tier
When you create a HashiCorp-managed cluster, you are prompted to select a size and a tier for it. This choice determines the number of service instances the cluster can support and the level of multi-region and multi-cloud connectivity the cluster supports, respectively. You cannot change a cluster's tier after its creation.
Refer to cluster tiers for more information about the cluster sizes and connections each tier supports. For more information about tier compatibility across networks, refer to network topologies.
The cost of using HCP Consul is calculated according to the number of clusters your organization deploys, with larger size clusters and higher level tiers incurring higher charges over time. Refer to HCP Consul Pricing for more information.
Consul server features
The following table describes Consul server features and their availability by tier.
Feature | Description | Tier |
---|---|---|
Access controls | Secure access to your HCP assets without impeding users. | Development, Standard, Plus, Premium |
Admin partitions | Define administrative and communication boundaries between services that belong to separate stakeholders or are managed by separate teams. | Development, Standard, Plus, Premium |
Automated backups | Run the snapshot agent in your environment to automatically take snapshots, rotate backups, and send backup files to storage sites. | Development, Standard, Plus, Premium |
Cluster peering | Connect two or more independent clusters so that services deployed to different partitions or datacenters can communicate. | Development, Standard, Plus, Premium |
Federation (single-region) | Connect multiple HCP Consul clusters within a single region to extend your Consul environment. | Development, Standard, Plus, Premium |
Federation (multi-region) | Connect multiple HCP Consul clusters across multiple regions to extend your Consul environment. | Development, Plus, Premium |
HashiCorp management | Create HashiCorp-managed clusters. You can use either HCP's interface or Terraform. | Development, Standard, Plus, Premium |
Managed upgrades | Update your HCP Consul cluster to the next available major version. You can use either HCP's interface or Terraform. | Development, Standard, Plus, Premium |
Namespaces | Separate services, Consul KV data, and other Consul data by team so that different teams in the same organization can share Consul datacenters. | Development (testing only), Standard, Plus, Premium |
Web UI | Access Consul's web UI, which provides information about nodes, services, and other cluster components. | Development, Standard, Plus, Premium |
On AWS, cluster peering and federation cannot be used on the same cluster concurrently.
Consul client features
The following table describes Consul client features and their availability by the tier of the Consul server they are registered to.
Feature | Description | Tier |
---|---|---|
Broad runtime support | Deploy clients to a range of runtimes. | Development, Standard, Plus, Premium |
Consul API Gateway | Consul API Gateway is a special gateway that allows external network clients to access applications and services running in a Consul datacenter. | Development, Standard, Plus, Premium |
Gateways | Ingress, terminating, and mesh gateways provide connectivity into, out of, and between Consul service meshes. | Development, Standard, Plus, Premium |
Health checks | Define checks to monitor the health of nodes in your network. | Development, Standard, Plus, Premium |
Kubernetes CRDs | Use Custom Resource Definitions (CRDs) to manage custom Consul configuration entries on Kubernetes. | Development, Standard, Plus, Premium |
Observability integrations | Use L7 observability features in your service mesh. | Development, Standard, Plus, Premium |
Service discovery | Register services and make them available to the network. | Development, Standard, Plus, Premium |
Service mesh | Provide secure service-to-service communication within and across infrastructure. | Development, Standard, Plus, Premium |
Workflows
Using HCP Consul consists of the following phases:
- Deploy a HashiCorp-managed cluster. Create a HashiCorp-managed cluster, connect it to services deployed in your environment, and access the cluster through its CLI, API, or Consul UI.
- Link a self-managed cluster. Link new and existing self-managed Consul clusters to the management plane to access and manage them through HCP.
- Secure your network. Change a HashiCorp-managed cluster's accessibility or create service intentions to secure service mesh traffic.
- Extend your network. Create WAN-federated clusters or create cluster peering connections so that services deployed to different regions can communicate. Build multi-cloud deployments with cluster peering.
- Monitor your network. Use the management plane to get insights into the overall state of your deployments and access an observability dashboard that provides visualizations of server and proxy telemetry. Access a HashiCorp-managed server's audit logs, platform logs, and server logs.
- Upgrade your network. Check the version of Consul currently running on clusters and upgrade them using the HCP interface. Create and manage snapshots to restore clusters in the event of failure.
Constraints and considerations
The following constraints may cause HCP Consul to function inconsistently:
- HVN peering connections with a VPC or VNet support RFC1918 IP addresses only.
- The Consul `monitor` command is not supported on HCP Consul.
- You cannot use WAN federation and multiple admin partitions at the same time.
- You cannot use WAN federation and cluster peering at the same time.
- HCP Consul does not support AWS Certificate Manager as a certificate authority for your service mesh.
- You may experience issues connecting HCP Consul v1.11.0 clusters to Consul Enterprise client versions 1.10.0-1.10.6. If you want to connect to HCP Consul v1.11.2 or later, we recommend using Consul Enterprise v1.10.7 for your clients. This issue is only applicable to Consul Enterprise binaries.
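
The RFC1918-only constraint on HVN peering listed above can be checked before you request a peering connection. The following pre-flight check is an added example, not HashiCorp code; the function names and the sample CIDRs are hypothetical and constructed for illustration.

```python
import ipaddress

# The three private IPv4 blocks defined by RFC 1918.
RFC1918_BLOCKS = tuple(
    ipaddress.ip_network(b)
    for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def rfc1918_problem(cidr):
    """Return None if every address in `cidr` is RFC 1918, else a reason."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return f"invalid CIDR ({exc})"
    if net.version != 4:
        return "not IPv4"
    # Deliberately not using net.is_private: it also accepts loopback,
    # link-local and other reserved space that RFC 1918 does not cover.
    if any(net.subnet_of(block) for block in RFC1918_BLOCKS):
        return None
    if any(net.overlaps(block) for block in RFC1918_BLOCKS):
        return "extends beyond an RFC 1918 block"
    return "outside RFC 1918"


def audit_peering_cidrs(cidrs):
    """Split candidate VPC/VNet CIDRs into (accepted, {rejected: reason})."""
    accepted, rejected = [], {}
    for cidr in cidrs:
        reason = rfc1918_problem(cidr)
        if reason is None:
            accepted.append(cidr)
        else:
            rejected[cidr] = reason
    return accepted, rejected


# Constructed sample input, not taken from any real environment.
SAMPLE_CIDRS = [
    "10.0.0.0/16", "172.16.0.0/12", "172.32.0.0/16", "192.168.0.0/15",
    "100.64.0.0/16", "169.254.0.0/16", "10.1.2.3/16", "fd00::/8",
]

if __name__ == "__main__":
    ok, bad = audit_peering_cidrs(SAMPLE_CIDRS)
    print("accepted:", ok)
    for cidr, reason in bad.items():
        print(f"rejected: {cidr}: {reason}")
```
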