Consul Behind AWS ELB


Ryan Saphiro

Feb 8, 2018, 10:37:30 AM
to Consul
We have multiple datacenters and also an AWS private cloud for some apps that are connected between the DCs and AWS via DirectConnect and VPN.
I am more interested in what happens between the datacenters and AWS from a Consul standpoint.

Consul is running in AWS.
Apps in AWS register with Consul fine.
Apps in the DC register with the AWS Consul as well, so an app in the DC can talk to another app in AWS via app.service.consul.

Question:
Our current private DNS setup is someconsul.somedomain.com pointing to 6 private Consul cluster IPs in AWS.
So the issue becomes that if we have to tear down one of the clusters or one of the Consul servers, we would have to update that DNS record.
I was wondering if it would be OK to place the Consul clusters behind an ELB and then point that private DNS name to the ELB address as an alias?

Any other suggestions are welcome. 

David Adams

Feb 8, 2018, 10:57:21 AM
to consu...@googlegroups.com
Are you not running agents on your app servers? If you're using the agent, then the DNS for the servers is only going to affect them when they first join the datacenter. And an ELB is not going to be able to handle agent traffic anyway.

But if you are just talking to the servers using HTTP across the network, and if updating DNS is difficult to do in your environment, then when you rebuild the Consul servers, you can use the same private IP addresses. But yes, if you are treating the servers just like an HTTP API, then an ELB probably works. But you should consider running agents on your app servers if possible.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/consul/issues
IRC: #consul on Freenode
---
You received this message because you are subscribed to the Google Groups "Consul" group.
To unsubscribe from this group and stop receiving emails from it, send an email to consul-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/consul-tool/823d7e04-2220-42b9-83cb-d078baf8fa4d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ryan Saphiro

Feb 8, 2018, 12:05:33 PM
to Consul
We are running consul registrator so DCs and AWS apps are registered atm with the two cluster envs. 



Preetha Appan

Feb 9, 2018, 8:47:19 AM
to Consul
Hi Ryan,
It wasn't clear to me from your question whether or not you run Consul agents (not Consul servers) within those six IPs you mention below. If you do run Consul agents, and the apps that register using Registrator can get to them via loopback, you don't need the ELB.

Sometimes people use ELBs, but that is only for Consul servers, so that they can hit HTTP endpoints against a Consul server from outside AWS for monitoring or other one-off use cases. Like David points out, going through the ELB for intra-cluster communication like apps registering with agents is not recommended.
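A client-agent configuration matching the advice in the replies above, as an added example that is not from any of the posters or from HashiCorp: each app server runs a local agent that uses the existing DNS name only to find a server when joining, and serves its HTTP and DNS interfaces on loopback. The datacenter name and data directory are placeholders; someconsul.somedomain.com is the name from the original question.

```hcl
# Added example: Consul client agent on an app server (not a server node).
datacenter = "aws-dc1"           # placeholder: your Consul datacenter name
data_dir   = "/opt/consul/data"  # placeholder path
server     = false               # client agent, not one of the six servers

# DNS name from the question. It is consulted when the agent joins; once
# joined, the agent learns the current set of servers through gossip, so a
# rebuilt server does not break agents that are already members.
retry_join = ["someconsul.somedomain.com"]

# Local apps and Registrator reach the agent over loopback. Keeping the
# HTTP API and DNS interface off routable addresses avoids exposing them
# across the DirectConnect/VPN links.
client_addr = "127.0.0.1"

ports {
  http = 8500  # HTTP API (default)
  dns  = 8600  # DNS interface for *.service.consul lookups (default)
}

# Agent-to-server traffic uses server RPC (8300/tcp by default) and LAN
# gossip (8301/tcp and 8301/udp by default). It must reach the servers
# directly; it is not the HTTP traffic an ELB listener is meant to carry.
```

With this layout, an ELB in front of the servers is only needed for HTTP API access from hosts that do not run an agent, such as external monitoring.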