Consul resource groups

This topic provides an overview of resource groups in Consul's v2 architecture.

Refer to the consul resource CLI command reference to learn about using the Consul CLI to interact with resources.

Introduction

Consul's v2 architecture manages workloads using resources. Each resource is part of a resource group.

These resource groups structure Consul's ability to target either an individual workload identity or an entire collection of workload endpoints when managing service mesh traffic. There are three resource groups in the v2 API:

• auth group: Resources apply to workload identity
• catalog group: Resources apply to all workloads associated with a service
• mesh group: Resources apply to either workload identities or all workloads

For example, traffic permissions are part of the auth group. Permissions allow or deny traffic according to the other v2 catalog resource in the auth group, the workload identity. Meanwhile, when Consul routes service mesh traffic it applies rules to workloads based on the Service, which is a resource in the catalog group.

One practical impact of resource groups is that the HTTPRoute, GRPCRoute, and TCPRoute CRDs require you to specify a name and type in configuration blocks. The catalog.v2beta1.Service type indicates that the rules defined in these CRDs apply to all workloads registered in the Consul catalog under the given name.

You can also use the consul resource command to return information about Consul resources in each group using a group.groupVersion.kind syntax. Refer to consul resource for more information.

Resource group reference

The following table describes the Consul resources that belong to each resource group and the resource's group.groupVersion.kind syntax.