Consul Enterprise
Consul Enterprise features address the organizational complexities of collaboration, operations, scale, and governance. If you have purchased or wish to try out Consul Enterprise, refer to how to access Consul Enterprise.
Enterprise features
The following features are available in several forms of Consul Enterprise.
Multi-Tenancy
- Admin Partitions: Define administrative boundaries between tenants within a single Consul datacenter.
- Namespaces: Define resource boundaries within a single admin partition for further organizational flexibility.
- Sameness Groups: Define partitions and cluster peers as members of a group with identical services.
Resiliency
- Automated Backups: Configure the automatic backup of Consul state.
- Redundancy Zones: Deploy backup voting Consul servers to efficiently improve Consul fault tolerance
- Server request rate limits per source IP: Limit gRPC and RPC traffic to servers for source IP addresses.
- Traffic rate limiting for services: Limit the rate of HTTP requests a service receives per service instance.
- Locality-aware routing: Prioritize upstream services in the same region and zone as the downstream service.
- Fault injection: Explore the resiliency of downstream services in response to problems with an upstream service, such as errors, latency, or response rate limits.
Scalability
- Read Replicas: Deploy non-voting Consul servers to enhance the scalability of read requests.
Operational simplification
- Long Term Support (LTS): Reduce operational overhead and risk by using LTS releases that are maintained for longer than standard releases.
- Automated Upgrades: Ease upgrades by automating the transition from existing to newly deployed Consul servers.
- Consul-Terraform-Sync Enterprise: Leverage the enhanced network infrastructure automation capabilities of the enterprise version of Consul-Terraform-Sync.
Complex network topology support
- Network Areas: Support complex network topologies between federated Consul datacenters with pairwise federation rather than full mesh federation.
- Network Segments: Support complex network topologies within a Consul datacenter by enforcing boundaries in Consul client gossip traffic.
Governance
- OIDC Auth Method: Manage user access to Consul through an OIDC identity provider instead of Consul ACL tokens directly.
- Audit Logging: Understand Consul access and usage patterns by reviewing access to the Consul HTTP API.
- JWT authentication and authorization for API gateway: Prevent unverified traffic at the API gateway using JWTs for authentication and authorization on VMs and on Kubernetes.
Regulatory compliance
FIPS 140-2 Compliance: Leverage FIPS builds of Consul Enterprise to ensure your Consul deployments are secured with BoringCrypto and CNGCrypto, and compliant with FIPS 140-2.
Note
FIPS 140-2 builds of Consul Enterprise support all runtimes (VMs, Kubernetes) except for Lambda and ECS. In addition, HCP does not currently support FIPS builds of Consul Enterprise.
Access Consul Enterprise
The method of accessing Consul Enterprise and its features depends on the whether using HashiCorp Cloud Platform or self-managed Consul.
HCP Consul
No action is required to access Consul Enterprise in a HashiCorp Cloud Platform installation.
You can try out HCP Consul for free. Refer to the HCP Consul product page for more details.
Self-Managed Consul
To access Consul Enterprise in a self-managed installation, apply a purchased license to the Consul Enterprise binary that grants access to the desired features.
Contact your HashiCorp Support contact for a development license.
Consul Enterprise feature availability
The Consul Enterprise features that are available depend on your license and the runtimes you use in your deployment.
Feature availability by license
Available Enterprise features per Consul form and license include:
Feature | HashiCorp Cloud Platform (HCP) Consul | Consul Enterprise | Legacy Consul Enterprise (module-based) |
---|---|---|---|
Consul servers as a managed service | Yes | No (self-managed) | No (self-managed) |
Admin Partitions | All tiers | Yes | With Governance and Policy module |
Audit Logging | Standard tier and above | Yes | With Governance and Policy module |
Automated Server Backups | All tiers | Yes | Yes |
Automated Server Upgrades | All tiers | Yes | Yes |
Consul-Terraform-Sync Enterprise | All tiers | Yes | Yes |
Enhanced Read Scalability | No | Yes | With Global Visibility, Routing, and Scale module |
Fault injection | Yes | Yes | No |
FIPS 140-2 Compliance | No | Yes | No |
JWT verification for API gateways | Yes | Yes | Yes |
Locality-aware routing | Yes | Yes | Yes |
Long Term Support (LTS) | Not applicable | Yes | Not applicable |
Namespaces | All tiers | Yes | With Governance and Policy module |
Network Areas | No | Yes | With Global Visibility, Routing, and Scale module |
Network Segments | No | Yes | With Global Visibility, Routing, and Scale module |
OIDC Auth Method | No | Yes | Yes |
Redundancy Zones | Not applicable | Yes | With Global Visibility, Routing, and Scale module |
Sameness Groups | No | Yes | Not applicable |
Server request rate limits per source IP | All tiers | Yes | With Governance and Policy module |
Traffic rate limiting for services | Yes | Yes | Yes |
Feature availability by runtime
Consul Enterprise feature availability can change depending on your server and client agent runtimes.
Enterprise Feature | VM Client | K8s Client | ECS Client |
---|---|---|---|
Admin Partitions | ✅ | ✅ | ✅ |
Audit Logging | ✅ | ✅ | ✅ |
Automated Server Backups | ✅ | ✅ | ✅ |
Automated Server Upgrades | ✅ | ✅ | ✅ |
Enhanced Read Scalability | ✅ | ✅ | ✅ |
Fault injection | ✅ | ✅ | ✅ |
FIPS 140-2 Compliance | ✅ | ✅ | ✅ |
JWT verification for API gateways | ✅ | ✅ | ❌ |
Locality-aware routing | ✅ | ✅ | ✅ |
Long Term Support (LTS) | ✅ | ✅ | ❌ |
Namespaces | ✅ | ✅ | ✅ |
Network Areas | ✅ | ✅ | ✅ |
Network Segments | ✅ | ✅ | ❌ |
OIDC Auth Method | ✅ | ✅ | ✅ |
Redundancy Zones | ✅ | ✅ | ✅ |
Sameness Groups | ✅ | ✅ | ✅ |
Server request rate limits per source IP | ✅ | ✅ | ✅ |
Traffic rate limiting for services | ✅ | ✅ | ✅ |