Configure Azure VM as a Consul Client for HCP Consul
HashiCorp Cloud Platform (HCP) Consul is a fully managed Service Mesh as a Service (SMaaS) version of Consul. After you deploy an HCP Consul server cluster, you must deploy Consul clients into your network so you can leverage Consul’s full feature set including service mesh and service discovery. HCP Consul supports Consul clients running on Azure Virtual Machine (VM) and Azure Kubernetes Service (AKS) resources.
In this tutorial, you will deploy and provision a Consul client running on an Azure VM instance that connects to your HCP Consul cluster. In the process, you will review the provisioning script to better understand the steps required to properly configure an Azure VM instance to connect and interact with an HCP Consul cluster.
Prerequisites
For this tutorial, you will need:
- The Terraform 0.14+ CLI installed locally.
- The Azure CLI installed locally.
- An HCP account configured for use with Terraform
- An Azure account configured for use with Terraform
Clone example repository
In your terminal, clone the project repository from GitHub. This repository contains Terraform configuration, including configuration for this tutorial.
Change into the directory with the newly cloned repository.
Fetch the latest tags and check out the v0.0.##
tag of the repository.
Review configuration
The project directory contains two sub-directories:
The
1-virtual-network-hcp
subdirectory contains Terraform configuration to deploy an Azure virtual network and underlying networking resources, an HCP HashiCorp Virtual Network (HVN), and an HCP Consul cluster. In addition, these configuration files use thehashicorp/hcp-consul/azurerm
Terraform module to set up all networking rules to allow a Consul client to communicate with the HCP Consul servers. This includes setting up the peering connection between the HVN and your Azure virtual network, setting up the HCP routes, and creating Azure network security group ingress rules.The
2-vm-consul-client
subdirectory contains Terraform configuration that creates an SSH key pair and deploys an Azure virtual machine. The virtual machine uses acloud-init
script to automate the Consul client configuration. In the Review Consul client configuration for Azure VM section, you will review the automation scripts in more detail.
This tutorial intentionally separates the Terraform configuration into two discrete steps. This process reflects Terraform best practices. By dividing the HCP Consul cluster management from the Consul client management, you can separate the duties and reduce the blast radius.
Deploy Azure and HCP Consul resources
In this section, you will use your Terraform configuration files deploy an HCP Consul cluster, an Azure virtual network, and the underlying networking resources.
Issue the terraform init
command from your working directory to download the necessary providers and initialize the backend.
Then, deploy the resources. Confirm the run by entering yes
.
Note
The deployment could take up to 10 minutes to complete. Feel free to explore the next sections of this tutorial while waiting for the cluster to complete initialization. Learn more about the Raft protocol at The Secret Lives of Data's raft protocol presentation in a fun, interactive way.
Notice that Terraform displays the outputs created from the apply.
Create terraform.tfvars file for Consul client directory
Since you created the underlying infrastructure with Terraform, you can use the outputs to help you deploy the Azure VM resources in the next section.
Create a terraform.tfvars
file in the 2-vm-consul-client
directory with the Terraform outputs from this project.
Review Consul client configuration for Azure VM
In this tutorial, you will apply HCP Consul's secure-by-default design with Terraform by configuring your Azure VM instances with the gossip encryption key, the Consul CA cert, and a permissive ACL token.
Inspect the datacenter-deploy-hcp-azure-vm-client/2-vm-consul-client/main.tf
file contents in your project directory:
In this example, the secure Consul configuration properties received from your HCP Consul cluster will be injected into your Azure VM Consul configuration file. Consul will then be set to run as a service on your Azure VM with this secure configuration.
Deploy Azure VM resources
In this section, you will use Terraform to create an SSH key pair and deploy an Azure virtual machine. The virtual machine uses a cloud-init
script to automate the secure Consul client configuration, which will connect to your HCP Consul cluster.
Issue the terraform init
command from your working directory to download the necessary providers and initialize the backend.
Then, deploy the resources. Confirm the run by entering yes
.
Notice that Terraform displays the outputs created from the apply.
Tip
HashiCorp Cloud Platform offers Enterprise features. To interact with these features, you need to install the Enterprise Consul binary for your client agents. Learn more information about Consul Enterprise in the Consul Enterprise documentation.
Explore the Consul UI
In this section you will view your Consul UI to explore your resources.
Retrieve your HCP Consul public URL and ACL token from Terraform.
Example output:
Copy and paste the Consul public URL into your browser to visit the Consul UI. Since HCP Consul is secure by default, copy and paste the ACL token into the Consul authentication prompt to use the Consul UI.
Once authenticated, click the Nodes tab on the left navigation pane to review your nodes that contain active Consul clients.
Notice that your environment contains two Consul nodes: A Consul server agent running in your HCP cluster, and a Consul client agent running on your Azure VM instance.
Next steps
In this tutorial, you connected Consul clients on Azure VM to HCP Consul. To keep learning about Consul's features, and for step-by-step examples of how to perform common Consul tasks, feel free to explore one of the following tutorials.
- Explore the Consul UI tutorial
- Register a Service with Consul Service Discovery tutorial
- Secure Applications with Service Sidecar Proxies tutorial
- Create a Consul service mesh on HCP using Envoy as a sidecar proxy tutorial If you encounter any issues, please contact the HCP support team at support.hashicorp.com.